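/*
 * StatZone 1.1.1
 * Copyright (c) 2012-2022, Frederic Cambus
 * https://www.statdns.com
 *
 * Created: 2012-02-13
 * Last Updated: 2021-03-30
 *
 * StatZone is released under the BSD 2-Clause license.
 * See LICENSE file for details.
 *
 * SPDX-License-Identifier: BSD-2-Clause
 */

#ifndef SECCOMP_HPP
#define SECCOMP_HPP

#include <stddef.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/*
 * Audit architecture token the filter compares against seccomp_data.arch.
 * Syscall numbers differ per ABI, so a filter built for one architecture
 * must refuse to run on any other — otherwise an allowed number could map
 * to a completely different syscall.
 */
#if defined(__i386__)
#define SECCOMP_AUDIT_ARCH AUDIT_ARCH_I386
#elif defined(__x86_64__)
#define SECCOMP_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__arm__)
#define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARM
#elif defined(__aarch64__)
#define SECCOMP_AUDIT_ARCH AUDIT_ARCH_AARCH64
#else
#error "Seccomp is only supported on i386, x86_64, arm, and aarch64 architectures."
#endif

/*
 * Action taken on a violation. SECCOMP_RET_KILL_PROCESS (Linux >= 4.14)
 * terminates the whole process; the legacy SECCOMP_RET_KILL only kills the
 * offending thread, which can leave other threads running with the sandbox
 * already breached. On kernels that predate KILL_PROCESS the action bits
 * fall back to the legacy thread-kill, so this stays runnable there.
 */
#if defined(SECCOMP_RET_KILL_PROCESS)
#define STATZONE_SECCOMP_KILL SECCOMP_RET_KILL_PROCESS
#else
#define STATZONE_SECCOMP_KILL SECCOMP_RET_KILL
#endif

/*
 * Emit an allow rule for one syscall: if the accumulator (the syscall
 * number loaded below) equals __NR_<syscall>, fall through into the
 * RET_ALLOW; otherwise skip it and continue with the next rule.
 */
#define STATZONE_SYSCALL_ALLOW(syscall) \
	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_##syscall, 0, 1), \
	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)

/*
 * Classic BPF allow-list. Layout: architecture check, load of the syscall
 * number, one (JEQ, RET_ALLOW) pair per permitted syscall, then a default
 * kill. Only exact number matches are allowed, so x32 syscalls on x86_64
 * (bit 30 set in nr) never match and hit the default kill.
 *
 * NOTE(review): ioctl, open and openat are allowed with any request/flags;
 * a tighter filter would also check seccomp_data.args (e.g. TCGETS for
 * ioctl, read-only flags for open/openat) once the callers' actual needs
 * are confirmed. Some glibc releases route fstat() through newfstatat or
 * statx; if the program dies with SIGSYS at startup, confirm the syscall
 * with strace before extending this list.
 */
static struct sock_filter filter[] = {
	/* Validate architecture */
	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, offsetof(struct seccomp_data, arch)),
	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SECCOMP_AUDIT_ARCH, 1, 0),
	BPF_STMT(BPF_RET+BPF_K, STATZONE_SECCOMP_KILL),

	/* Load syscall */
	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, offsetof(struct seccomp_data, nr)),

	STATZONE_SYSCALL_ALLOW(brk),
	STATZONE_SYSCALL_ALLOW(clock_gettime), /* i386 glibc */
	STATZONE_SYSCALL_ALLOW(close),
	STATZONE_SYSCALL_ALLOW(exit_group),
	STATZONE_SYSCALL_ALLOW(fstat),
#if defined(__NR_fstat64)
	STATZONE_SYSCALL_ALLOW(fstat64), /* i386 glibc */
#endif
	STATZONE_SYSCALL_ALLOW(ioctl),
#if defined(__NR_open)
	STATZONE_SYSCALL_ALLOW(open),
#endif
	STATZONE_SYSCALL_ALLOW(openat),
	STATZONE_SYSCALL_ALLOW(read),
	STATZONE_SYSCALL_ALLOW(write),
	STATZONE_SYSCALL_ALLOW(writev),

	/* Default: anything not listed above terminates the program */
	BPF_STMT(BPF_RET+BPF_K, STATZONE_SECCOMP_KILL)
};

/*
 * Program descriptor handed to the kernel. Installing it (presumably via
 * prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &statzone) in the caller)
 * requires PR_SET_NO_NEW_PRIVS to be set first unless the process holds
 * CAP_SYS_ADMIN; that call lives outside this header.
 */
struct sock_fprog statzone = {
	.len = sizeof(filter)/sizeof(filter[0]),
	.filter = filter
};

#endif /* SECCOMP_HPP */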