commit ac1eb3a6a09160770908d071507827387cc7f141
parent 58d137a3f438a73e45b7dbb8b9036edcb9d7f2a7
Author: Frederic Cambus <fred@statdns.com>
Date: Sat, 26 Oct 2019 19:23:53 +0200
Define and use the STATZONE_SYSCALL_ALLOW macro to make code more readable.
Diffstat:
1 file changed, 13 insertions(+), 18 deletions(-)
diff --git a/src/seccomp.h b/src/seccomp.h
@@ -18,30 +18,25 @@
#include <linux/filter.h>
#include <linux/seccomp.h>
+#define STATZONE_SYSCALL_ALLOW(syscall) \
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_##syscall, 0, 1), \
+ BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
+
static struct sock_filter filter[] = {
BPF_STMT(BPF_LD+BPF_W+BPF_ABS, offsetof(struct seccomp_data, nr)),
- BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_brk, 0, 1),
- BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),
- BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_close, 0, 1),
- BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),
- BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_exit_group, 0, 1),
- BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),
- BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_fstat, 0, 1),
- BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),
- BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_ioctl, 0, 1),
- BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),
+ STATZONE_SYSCALL_ALLOW(brk),
+ STATZONE_SYSCALL_ALLOW(close),
+ STATZONE_SYSCALL_ALLOW(exit_group),
+ STATZONE_SYSCALL_ALLOW(fstat),
+ STATZONE_SYSCALL_ALLOW(ioctl),
#if defined(SYS_open)
- BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_open, 0, 1),
- BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),
+ STATZONE_SYSCALL_ALLOW(open),
#else
- BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_openat, 0, 1),
- BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),
+ STATZONE_SYSCALL_ALLOW(openat),
#endif
- BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_read, 0, 1),
- BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),
- BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_writev, 0, 1),
- BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),
+ STATZONE_SYSCALL_ALLOW(read),
+ STATZONE_SYSCALL_ALLOW(writev),
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)
};
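Review bot: The `#if defined(SYS_open)` guard above `STATZONE_SYSCALL_ALLOW(open)` still tests the `SYS_` spelling while the new macro expands to `__NR_open`, so the branch selection and the comparison now depend on two different identifier families; testing the same one, `#if defined(__NR_open)`, keeps the guard and the filter in step if a libc ever defines one without the other. The macro definition would also read better with a one-line comment stating the jump semantics it encodes, e.g. `/* nr == __NR_<syscall>: fall through to the ALLOW; otherwise skip it (jt=0, jf=1) */`. Separately, the filter array as shown begins by loading only `seccomp_data.nr`; since syscall numbers are per-architecture, loading and checking `seccomp_data.arch` ahead of the `nr` load (returning `SECCOMP_RET_KILL` on mismatch) is the customary defensive prelude and may be worth a follow-up, as this commit does not address it.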