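/*
 * bdf2sfd 1.1.7
 * Copyright (c) 2019-2022, Frederic Cambus
 * https://github.com/fcambus/bdf2sfd
 *
 * Created: 2019-11-21
 * Last Updated: 2020-09-17
 *
 * bdf2sfd is released under the BSD 2-Clause license.
 * See LICENSE file for details.
 *
 * SPDX-License-Identifier: BSD-2-Clause
 */

#ifndef SECCOMP_H
#define SECCOMP_H

#include <stddef.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/*
 * seccomp-BPF allow-list for bdf2sfd.
 *
 * The program is a strict allow-list: the arch field is checked first so
 * that a syscall made under a foreign ABI is denied before its number is
 * even looked at, then each listed syscall number is compared exactly and
 * anything that does not match falls through to the final deny.
 */

#if defined(__i386__)
#define SECCOMP_AUDIT_ARCH AUDIT_ARCH_I386
#elif defined(__x86_64__)
#define SECCOMP_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__arm__)
#define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARM
#elif defined(__aarch64__)
#define SECCOMP_AUDIT_ARCH AUDIT_ARCH_AARCH64
#else
#error "Seccomp is only supported on i386, x86_64, arm, and aarch64 architectures."
#endif

/*
 * Deny action used by both the architecture check and the default rule.
 * SECCOMP_RET_KILL is an alias of SECCOMP_RET_KILL_THREAD and only ends the
 * calling thread; SECCOMP_RET_KILL_PROCESS (Linux 4.14+) ends the whole
 * process, which is the stronger guarantee for a sandbox. Fall back to the
 * older value when the headers do not provide the newer one; kernels that
 * predate it are expected to mask the unknown action down to SECCOMP_RET_KILL.
 */
#if defined(SECCOMP_RET_KILL_PROCESS)
#define BDF2SFD_SECCOMP_DENY SECCOMP_RET_KILL_PROCESS
#else
#define BDF2SFD_SECCOMP_DENY SECCOMP_RET_KILL
#endif

/*
 * Emit one allow rule: if the loaded syscall number equals __NR_<syscall>,
 * fall through (jt = 0) into the RET ALLOW statement; otherwise skip it
 * (jf = 1) and continue with the next rule.
 */
#define BDF2SFD_SYSCALL_ALLOW(syscall) \
	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_##syscall, 0, 1), \
	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)

static struct sock_filter filter[] = {
	/* Validate architecture: jump over the deny (jt = 1) only on a match */
	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, offsetof(struct seccomp_data, arch)),
	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SECCOMP_AUDIT_ARCH, 1, 0),
	BPF_STMT(BPF_RET+BPF_K, BDF2SFD_SECCOMP_DENY),

	/* Load syscall number into the accumulator for the rules below */
	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, offsetof(struct seccomp_data, nr)),

	/*
	 * NOTE(review): newer libc releases may implement some of these calls
	 * through different syscalls (e.g. fstat via newfstatat/statx) --
	 * confirm the list against the target libc under strace before relying
	 * on it.
	 */
	BDF2SFD_SYSCALL_ALLOW(brk),
	BDF2SFD_SYSCALL_ALLOW(clock_gettime), /* i386 glibc */
	BDF2SFD_SYSCALL_ALLOW(close),
	BDF2SFD_SYSCALL_ALLOW(exit_group),
	BDF2SFD_SYSCALL_ALLOW(fstat),
#if defined(__NR_fstat64)
	BDF2SFD_SYSCALL_ALLOW(fstat64), /* i386 glibc */
#endif
	BDF2SFD_SYSCALL_ALLOW(gettimeofday), /* i386 glibc */
	BDF2SFD_SYSCALL_ALLOW(ioctl),
#if defined(__NR_open)
	BDF2SFD_SYSCALL_ALLOW(open),
#endif
	BDF2SFD_SYSCALL_ALLOW(openat),
	BDF2SFD_SYSCALL_ALLOW(read),
	BDF2SFD_SYSCALL_ALLOW(write),
	BDF2SFD_SYSCALL_ALLOW(writev),

	/* Default: anything not matched above is denied */
	BPF_STMT(BPF_RET+BPF_K, BDF2SFD_SECCOMP_DENY)
};

/*
 * Program descriptor consumed by the caller's filter-installation call (not
 * shown here). This is a definition rather than an extern declaration, so
 * the header must be included from exactly one translation unit.
 */
struct sock_fprog bdf2sfd = {
	.len = sizeof(filter)/sizeof(filter[0]),
	.filter = filter
};

#endif /* SECCOMP_H */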