Merge "Fix problem that we don't block syscalls below min value"
4d099d1576
8 changed files with 12 additions and 11 deletions
|
@ -5,7 +5,7 @@
|
||||||
|
|
||||||
#include "seccomp_bpfs.h"
|
#include "seccomp_bpfs.h"
|
||||||
const sock_filter arm64_filter[] = {
|
const sock_filter arm64_filter[] = {
|
||||||
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 5, 0, 25),
|
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 5, 0, 26),
|
||||||
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 203, 13, 0),
|
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 203, 13, 0),
|
||||||
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 101, 7, 0),
|
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 101, 7, 0),
|
||||||
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 43, 3, 0),
|
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 43, 3, 0),
|
||||||
|
|
|
@ -5,7 +5,7 @@
|
||||||
|
|
||||||
#include "seccomp_bpfs.h"
|
#include "seccomp_bpfs.h"
|
||||||
const sock_filter arm_filter[] = {
|
const sock_filter arm_filter[] = {
|
||||||
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 0, 0, 123),
|
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 0, 0, 124),
|
||||||
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 143, 61, 0),
|
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 143, 61, 0),
|
||||||
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 74, 31, 0),
|
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 74, 31, 0),
|
||||||
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 41, 15, 0),
|
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 41, 15, 0),
|
||||||
|
|
|
@ -5,7 +5,7 @@
|
||||||
|
|
||||||
#include "seccomp_bpfs.h"
|
#include "seccomp_bpfs.h"
|
||||||
const sock_filter mips64_filter[] = {
|
const sock_filter mips64_filter[] = {
|
||||||
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 5000, 0, 77),
|
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 5000, 0, 78),
|
||||||
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 5168, 39, 0),
|
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 5168, 39, 0),
|
||||||
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 5077, 19, 0),
|
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 5077, 19, 0),
|
||||||
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 5034, 9, 0),
|
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 5034, 9, 0),
|
||||||
|
|
|
@ -5,7 +5,7 @@
|
||||||
|
|
||||||
#include "seccomp_bpfs.h"
|
#include "seccomp_bpfs.h"
|
||||||
const sock_filter mips_filter[] = {
|
const sock_filter mips_filter[] = {
|
||||||
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 4001, 0, 107),
|
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 4001, 0, 108),
|
||||||
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 4131, 53, 0),
|
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 4131, 53, 0),
|
||||||
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 4064, 27, 0),
|
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 4064, 27, 0),
|
||||||
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 4036, 13, 0),
|
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 4036, 13, 0),
|
||||||
|
|
|
@ -5,7 +5,7 @@
|
||||||
|
|
||||||
#include "seccomp_bpfs.h"
|
#include "seccomp_bpfs.h"
|
||||||
const sock_filter x86_64_filter[] = {
|
const sock_filter x86_64_filter[] = {
|
||||||
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 0, 0, 79),
|
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 0, 0, 80),
|
||||||
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 157, 39, 0),
|
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 157, 39, 0),
|
||||||
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 72, 19, 0),
|
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 72, 19, 0),
|
||||||
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 32, 9, 0),
|
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 32, 9, 0),
|
||||||
|
|
|
@ -5,7 +5,7 @@
|
||||||
|
|
||||||
#include "seccomp_bpfs.h"
|
#include "seccomp_bpfs.h"
|
||||||
const sock_filter x86_filter[] = {
|
const sock_filter x86_filter[] = {
|
||||||
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 0, 0, 109),
|
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 0, 0, 110),
|
||||||
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 131, 55, 0),
|
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 131, 55, 0),
|
||||||
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 64, 27, 0),
|
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 64, 27, 0),
|
||||||
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 36, 13, 0),
|
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 36, 13, 0),
|
||||||
|
|
|
@ -149,13 +149,14 @@ def convert_ranges_to_bpf(ranges):
|
||||||
bpf[i] = statement.format(fail=str(len(bpf) - i),
|
bpf[i] = statement.format(fail=str(len(bpf) - i),
|
||||||
allow=str(len(bpf) - i - 1))
|
allow=str(len(bpf) - i - 1))
|
||||||
|
|
||||||
# Add check that we aren't off the bottom of the syscalls
|
|
||||||
bpf.insert(0, BPF_JGE.format(ranges[0].begin, 0, str(len(bpf))) + ',')
|
|
||||||
|
|
||||||
# Add the allow calls at the end. If the syscall is not matched, we will
|
# Add the allow calls at the end. If the syscall is not matched, we will
|
||||||
# continue. This allows the user to choose to match further syscalls, and
|
# continue. This allows the user to choose to match further syscalls, and
|
||||||
# also to choose the action when we want to block
|
# also to choose the action when we want to block
|
||||||
bpf.append(BPF_ALLOW + ",")
|
bpf.append(BPF_ALLOW + ",")
|
||||||
|
|
||||||
|
# Add check that we aren't off the bottom of the syscalls
|
||||||
|
bpf.insert(0, BPF_JGE.format(ranges[0].begin, 0, str(len(bpf))) + ',')
|
||||||
return bpf
|
return bpf
|
||||||
|
|
||||||
|
|
||||||
|
|
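Review bot: The relocated `bpf.insert(0, BPF_JGE.format(ranges[0].begin, 0, str(len(bpf))) + ',')` is now order-dependent on the preceding `bpf.append(BPF_ALLOW + ",")`, because `len(bpf)` has to count the allow statement for the jump-false offset to land past it, yet the comment above it says nothing about that and a later tidy-up could swap the two lines back and reintroduce the bug. I would extend the comment to: `# Must come after the BPF_ALLOW append: jf is len(bpf), so a syscall number below ranges[0].begin jumps over the allow and falls through to whatever the caller appends next.` Separately, `ranges[0]` is read unguarded, so an empty `ranges` raises IndexError here; that is pre-existing, but an explicit check or a stated precondition in the docstring would make the contract clear. The enclosing `convert_ranges_to_bpf` starts before this hunk.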
|
@ -113,13 +113,13 @@ ssize_t read(int, void*, size_t) all
|
||||||
def test_convert_ranges_to_bpf(self):
|
def test_convert_ranges_to_bpf(self):
|
||||||
ranges = genseccomp.convert_NRs_to_ranges([("b", 2), ("a", 1)])
|
ranges = genseccomp.convert_NRs_to_ranges([("b", 2), ("a", 1)])
|
||||||
bpf = genseccomp.convert_ranges_to_bpf(ranges)
|
bpf = genseccomp.convert_ranges_to_bpf(ranges)
|
||||||
self.assertEquals(bpf, ['BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 1, 0, 1),',
|
self.assertEquals(bpf, ['BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 1, 0, 2),',
|
||||||
'BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 3, 1, 0), //a|b',
|
'BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 3, 1, 0), //a|b',
|
||||||
'BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),'])
|
'BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),'])
|
||||||
|
|
||||||
ranges = genseccomp.convert_NRs_to_ranges([("b", 3), ("a", 1)])
|
ranges = genseccomp.convert_NRs_to_ranges([("b", 3), ("a", 1)])
|
||||||
bpf = genseccomp.convert_ranges_to_bpf(ranges)
|
bpf = genseccomp.convert_ranges_to_bpf(ranges)
|
||||||
self.assertEquals(bpf, ['BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 1, 0, 3),',
|
self.assertEquals(bpf, ['BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 1, 0, 4),',
|
||||||
'BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 3, 1, 0),',
|
'BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 3, 1, 0),',
|
||||||
'BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 2, 2, 1), //a',
|
'BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 2, 2, 1), //a',
|
||||||
'BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 4, 1, 0), //b',
|
'BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 4, 1, 0), //b',
|
||||||
|
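Review bot: The new expected entries `'BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 1, 0, 2),'` and `'BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 1, 0, 4),'` pin the corrected jump-false offsets, but nothing in the test explains why they are one larger than before, so someone regenerating expectations could accept a regression to the old value without noticing. A one-line comment above the first assertion, such as `# jf counts the trailing BPF_ALLOW so NR < 1 skips the allow statement`, would tie the numbers to the bug this commit fixes. The rewritten lines also still use `self.assertEquals`, which is a deprecated alias of `assertEqual` in unittest; switching to `self.assertEqual(` on the touched lines costs nothing. The rest of the test class is outside this hunk.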
@ -165,7 +165,7 @@ ssize_t read(int, void*, size_t) all
|
||||||
|
|
||||||
#include "seccomp_bpfs.h"
|
#include "seccomp_bpfs.h"
|
||||||
const sock_filter arm_filter[] = {
|
const sock_filter arm_filter[] = {
|
||||||
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 3, 0, 3),
|
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 3, 0, 4),
|
||||||
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 140, 1, 0),
|
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 140, 1, 0),
|
||||||
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 4, 2, 1), //read
|
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 4, 2, 1), //read
|
||||||
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 141, 1, 0), //_llseek
|
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 141, 1, 0), //_llseek
|
||||||
|
|