Merge "Fix problem that we don't block syscalls below min value"
4d099d1576
8 changed files with 12 additions and 11 deletions
|
@ -5,7 +5,7 @@
|
|||
|
||||
#include "seccomp_bpfs.h"
|
||||
const sock_filter arm64_filter[] = {
|
||||
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 5, 0, 25),
|
||||
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 5, 0, 26),
|
||||
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 203, 13, 0),
|
||||
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 101, 7, 0),
|
||||
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 43, 3, 0),
|
||||
|
|
|
@ -5,7 +5,7 @@
|
|||
|
||||
#include "seccomp_bpfs.h"
|
||||
const sock_filter arm_filter[] = {
|
||||
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 0, 0, 123),
|
||||
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 0, 0, 124),
|
||||
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 143, 61, 0),
|
||||
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 74, 31, 0),
|
||||
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 41, 15, 0),
|
||||
|
|
|
@ -5,7 +5,7 @@
|
|||
|
||||
#include "seccomp_bpfs.h"
|
||||
const sock_filter mips64_filter[] = {
|
||||
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 5000, 0, 77),
|
||||
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 5000, 0, 78),
|
||||
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 5168, 39, 0),
|
||||
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 5077, 19, 0),
|
||||
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 5034, 9, 0),
|
||||
|
|
|
@ -5,7 +5,7 @@
|
|||
|
||||
#include "seccomp_bpfs.h"
|
||||
const sock_filter mips_filter[] = {
|
||||
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 4001, 0, 107),
|
||||
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 4001, 0, 108),
|
||||
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 4131, 53, 0),
|
||||
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 4064, 27, 0),
|
||||
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 4036, 13, 0),
|
||||
|
|
|
@ -5,7 +5,7 @@
|
|||
|
||||
#include "seccomp_bpfs.h"
|
||||
const sock_filter x86_64_filter[] = {
|
||||
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 0, 0, 79),
|
||||
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 0, 0, 80),
|
||||
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 157, 39, 0),
|
||||
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 72, 19, 0),
|
||||
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 32, 9, 0),
|
||||
|
|
|
@ -5,7 +5,7 @@
|
|||
|
||||
#include "seccomp_bpfs.h"
|
||||
const sock_filter x86_filter[] = {
|
||||
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 0, 0, 109),
|
||||
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 0, 0, 110),
|
||||
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 131, 55, 0),
|
||||
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 64, 27, 0),
|
||||
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 36, 13, 0),
|
||||
|
|
|
@ -149,13 +149,14 @@ def convert_ranges_to_bpf(ranges):
|
|||
bpf[i] = statement.format(fail=str(len(bpf) - i),
|
||||
allow=str(len(bpf) - i - 1))
|
||||
|
||||
# Add check that we aren't off the bottom of the syscalls
|
||||
bpf.insert(0, BPF_JGE.format(ranges[0].begin, 0, str(len(bpf))) + ',')
|
||||
|
||||
# Add the allow calls at the end. If the syscall is not matched, we will
|
||||
# continue. This allows the user to choose to match further syscalls, and
|
||||
# also to choose the action when we want to block
|
||||
bpf.append(BPF_ALLOW + ",")
|
||||
|
||||
# Add check that we aren't off the bottom of the syscalls
|
||||
bpf.insert(0, BPF_JGE.format(ranges[0].begin, 0, str(len(bpf))) + ',')
|
||||
return bpf
|
||||
|
||||
|
||||
|
|
|
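Review bot: The relocated `bpf.insert(0, BPF_JGE.format(ranges[0].begin, 0, str(len(bpf))) + ',')` now writes a jf offset of len(bpf) with no bound check, and in struct sock_filter the jt/jf fields are 8-bit, so a filter longer than 255 instructions would produce an offset that does not fit (the generated arm filter in this commit already reaches `0, 0, 124`). A guard just before the insert, `if len(bpf) > 255: raise ValueError("seccomp filter too long for an 8-bit jump offset")`, makes that a generation-time failure instead of a wrong or non-compiling filter. The `str()` wrappers around `len(bpf)` in this hunk are redundant, since `str.format` renders ints itself. convert_ranges_to_bpf begins outside the hunk, so whether an empty `ranges` is rejected before `ranges[0]` is read cannot be confirmed from here.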
@ -113,13 +113,13 @@ ssize_t read(int, void*, size_t) all
|
|||
def test_convert_ranges_to_bpf(self):
|
||||
ranges = genseccomp.convert_NRs_to_ranges([("b", 2), ("a", 1)])
|
||||
bpf = genseccomp.convert_ranges_to_bpf(ranges)
|
||||
self.assertEquals(bpf, ['BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 1, 0, 1),',
|
||||
self.assertEquals(bpf, ['BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 1, 0, 2),',
|
||||
'BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 3, 1, 0), //a|b',
|
||||
'BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),'])
|
||||
|
||||
ranges = genseccomp.convert_NRs_to_ranges([("b", 3), ("a", 1)])
|
||||
bpf = genseccomp.convert_ranges_to_bpf(ranges)
|
||||
self.assertEquals(bpf, ['BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 1, 0, 3),',
|
||||
self.assertEquals(bpf, ['BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 1, 0, 4),',
|
||||
'BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 3, 1, 0),',
|
||||
'BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 2, 2, 1), //a',
|
||||
'BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 4, 1, 0), //b',
|
||||
|
@ -165,7 +165,7 @@ ssize_t read(int, void*, size_t) all
|
|||
|
||||
#include "seccomp_bpfs.h"
|
||||
const sock_filter arm_filter[] = {
|
||||
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 3, 0, 3),
|
||||
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 3, 0, 4),
|
||||
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 140, 1, 0),
|
||||
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 4, 2, 1), //read
|
||||
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 141, 1, 0), //_llseek
|
||||
|
|
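Review bot: The rewritten assertions `self.assertEquals(bpf, ['BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 1, 0, 2),',` and `self.assertEquals(bpf, ['BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 1, 0, 4),',` keep the deprecated unittest alias; `self.assertEqual(...)` is the supported spelling and avoids DeprecationWarning noise in the test run. The expected values themselves match the corrected offsets (the jump now lands one past the appended allow, so an out-of-range syscall falls through to the caller's action). The test method appears to continue past the hunk, so any later assertions with the same alias are not visible here; the arm_filter expected-output hunk at -165 is a consistent mechanical update.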