-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathfilter.bpf
41 lines (32 loc) · 911 Bytes
/
filter.bpf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
# https://www.kernel.org/doc/Documentation/networking/filter.txt
ld [$$offsetof(struct seccomp_data, arch)$$]
jne #$AUDIT_ARCH_X86_64, bad
ld [$$offsetof(struct seccomp_data, nr)$$]
jge #$__X32_SYSCALL_BIT, bad
jeq #$__NR_brk, good
jeq #$__NR_openat, good
jeq #$__NR_read, good
jeq #$__NR_write, good
jeq #$__NR_close, good
jeq #$__NR_newfstatat, good
jeq #$__NR_fstat, good
jeq #$__NR_lseek, good
jeq #$__NR_unlink, good
jne #$__NR_fcntl, fcntl_end
ld [$$offsetof(struct seccomp_data, args[1])$$]
jeq #$F_GETFL, good
jmp bad
fcntl_end:
jeq #$__NR_getpid, good
jeq #$__NR_gettid, good
jeq #$__NR_rt_sigreturn, good
jeq #$__NR_rt_sigprocmask, good
jeq #$__NR_rt_sigaction, good
jeq #$__NR_getrandom, good
jeq #$__NR_exit_group, good
jeq #$__NR_exit, good
jeq #$__NR_tgkill, good
# required for tcc-style execution
jeq #$__NR_munmap, good
bad: ret #$SECCOMP_RET_KILL_THREAD
good: ret #$SECCOMP_RET_ALLOW