logswan

Fast Web log analyzer using probabilistic data structures
Log | Files | Refs | README | LICENSE

seccomp.h (2277B)


      1 /*
      2  * Logswan 2.1.6
      3  * Copyright (c) 2015-2020, Frederic Cambus
      4  * https://www.logswan.org
      5  *
      6  * Created:      2015-05-31
      7  * Last Updated: 2020-06-24
      8  *
      9  * Logswan is released under the BSD 2-Clause license.
     10  * See LICENSE file for details.
     11  */
     12 
     13 #ifndef SECCOMP_H
     14 #define SECCOMP_H
     15 
     16 #include <stddef.h>
     17 #include <sys/prctl.h>
     18 #include <sys/socket.h>
     19 #include <sys/syscall.h>
     20 #include <linux/audit.h>
     21 #include <linux/filter.h>
     22 #include <linux/seccomp.h>
     23 
     24 #if defined(__i386__)
     25 #define SECCOMP_AUDIT_ARCH AUDIT_ARCH_I386
     26 #elif defined(__x86_64__)
     27 #define SECCOMP_AUDIT_ARCH AUDIT_ARCH_X86_64
     28 #elif defined(__aarch64__)
     29 #define SECCOMP_AUDIT_ARCH AUDIT_ARCH_AARCH64
     30 #else
     31 #error "Seccomp is only supported on i386, amd64, and arm64 architectures."
     32 #endif
     33 
     34 #define LOGSWAN_SYSCALL_ALLOW(syscall) \
     35 	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_##syscall, 0, 1), \
     36 	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
     37 
     38 static struct sock_filter filter[] = {
     39 	/* Validate architecture */
     40 	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, offsetof(struct seccomp_data, arch)),
     41 	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SECCOMP_AUDIT_ARCH, 1, 0),
     42 	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL),
     43 
     44 	/* Load syscall */
     45 	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, offsetof(struct seccomp_data, nr)),
     46 
     47 	LOGSWAN_SYSCALL_ALLOW(brk),
     48 	LOGSWAN_SYSCALL_ALLOW(clock_gettime),	/* i386 glibc */
     49 	LOGSWAN_SYSCALL_ALLOW(close),
     50 	LOGSWAN_SYSCALL_ALLOW(dup),
     51 	LOGSWAN_SYSCALL_ALLOW(exit_group),
     52 	LOGSWAN_SYSCALL_ALLOW(fcntl),
     53 #if defined(__NR_fcntl64)
     54 	LOGSWAN_SYSCALL_ALLOW(fcntl64),		/* i386 musl */
     55 #endif
     56 	LOGSWAN_SYSCALL_ALLOW(fstat),
     57 #if defined(__NR_fstat64)
     58 	LOGSWAN_SYSCALL_ALLOW(fstat64),		/* i386 glibc */
     59 #endif
     60 	LOGSWAN_SYSCALL_ALLOW(ioctl),
     61 	LOGSWAN_SYSCALL_ALLOW(lseek),
     62 #if defined(__NR__llseek)
     63 	LOGSWAN_SYSCALL_ALLOW(_llseek),		/* i386 glibc */
     64 #endif
     65 #if defined(__NR_open)
     66 	LOGSWAN_SYSCALL_ALLOW(open),
     67 #endif
     68 	LOGSWAN_SYSCALL_ALLOW(openat),
     69 	LOGSWAN_SYSCALL_ALLOW(mmap),
     70 #if defined(__NR_mmap2)
     71 	LOGSWAN_SYSCALL_ALLOW(mmap2),		/* i386 glibc */
     72 #endif
     73 	LOGSWAN_SYSCALL_ALLOW(munmap),
     74 	LOGSWAN_SYSCALL_ALLOW(read),
     75 	LOGSWAN_SYSCALL_ALLOW(write),
     76 	LOGSWAN_SYSCALL_ALLOW(writev),
     77 
     78 	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)
     79 };
     80 
     81 struct sock_fprog logswan = {
     82 	.len = sizeof(filter)/sizeof(filter[0]),
     83 	.filter = filter
     84 };
     85 
     86 #endif /* SECCOMP_H */