parent
35c3acdf05
commit
93ab972ddc
Binary file not shown.
Binary file not shown.
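--- /dev/null
+++ b/tool/seccomp/.gitignore
@@ -0,0 +1,3 @@
+/seccomp_bpf_policy_arm.bin
+/seccomp_bpf_policy_x86_32.bin
+/seccomp_bpf_policy_x86_64.bin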
@ -5,9 +5,11 @@ seccomp_bpf_filters: seccomp_bpf_policy_x86_32.bin seccomp_bpf_policy_x86_64.bin
|
|||||||
seccomp_bpf_policy_%.bin: seccomp_bpf_compiler_%.prg
|
seccomp_bpf_policy_%.bin: seccomp_bpf_compiler_%.prg
|
||||||
./$< > $@
|
./$< > $@
|
||||||
|
|
||||||
seccomp_bpf_compiler_%.prg: seccomp_bpf_compiler_%.cc
|
seccomp_bpf_compiler_%.prg: seccomp_bpf_compiler_%.cc seccomp_bpf_compiler.h
|
||||||
@g++ $< -o $@ -lseccomp
|
@g++ $< -o $@ -lseccomp
|
||||||
|
|
||||||
clean:
|
clean:
|
||||||
@rm seccomp_bpf_policy_*.bin 2> /dev/null; true
|
@rm seccomp_bpf_policy_*.bin 2> /dev/null; true
|
||||||
@rm seccomp_bpf_compiler_*.prg 2> /dev/null; true
|
@rm seccomp_bpf_compiler_*.prg 2> /dev/null; true
|
||||||
|
|
||||||
|
.PHONY: seccomp_bpf_filters
|
||||||
|
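Review bot: The new `.PHONY` line declares only `seccomp_bpf_filters`; `clean` in the same hunk is not a file target either and should be listed as well, `.PHONY: seccomp_bpf_filters clean`, otherwise a stray file named `clean` silently disables that rule. Separately, the `./$< > $@` recipe creates and truncates the policy file before the generator runs, so when the generator exits non-zero (the compiler's `throw -104` on an unknown architecture is visible in the next section, and its export step is unchecked) an empty or partial `seccomp_bpf_policy_*.bin` is left behind and later `make` runs treat it as up to date. Adding `.DELETE_ON_ERROR:` next to the `.PHONY` line, or writing through a temporary (`./$< > $@.tmp && mv $@.tmp $@`), ensures a failed build leaves no loadable filter. The path of this section is not visible in the excerpt; it appears to be the seccomp tool's Makefile.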
@ -140,6 +140,9 @@ class Filter
|
|||||||
/* The nmap syscall has a different name on different architectures
|
/* The nmap syscall has a different name on different architectures
|
||||||
* but it slould be save as it only uses an already open socket. */
|
* but it slould be save as it only uses an already open socket. */
|
||||||
_add_allow_rule(SCMP_SYS(mmap2));
|
_add_allow_rule(SCMP_SYS(mmap2));
|
||||||
|
|
||||||
|
/* returning from signal handlers is safe */
|
||||||
|
_add_allow_rule(SCMP_SYS(sigreturn));
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
case SCMP_ARCH_X86_64:
|
case SCMP_ARCH_X86_64:
|
||||||
@ -158,6 +161,9 @@ class Filter
|
|||||||
/* The nmap syscall has a different name on different architectures
|
/* The nmap syscall has a different name on different architectures
|
||||||
* but it slould be save as it only uses an already open socket. */
|
* but it slould be save as it only uses an already open socket. */
|
||||||
_add_allow_rule(SCMP_SYS(mmap));
|
_add_allow_rule(SCMP_SYS(mmap));
|
||||||
|
|
||||||
|
/* returning from signal handlers is safe */
|
||||||
|
_add_allow_rule(SCMP_SYS(rt_sigreturn));
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
case SCMP_ARCH_ARM:
|
case SCMP_ARCH_ARM:
|
||||||
@ -180,7 +186,7 @@ class Filter
|
|||||||
/* This syscall is only used on ARM. */
|
/* This syscall is only used on ARM. */
|
||||||
_add_allow_rule(SCMP_SYS(cacheflush));
|
_add_allow_rule(SCMP_SYS(cacheflush));
|
||||||
|
|
||||||
/* This syscall is only used on ARM. */
|
/* returning from signal handlers is safe */
|
||||||
_add_allow_rule(SCMP_SYS(sigreturn));
|
_add_allow_rule(SCMP_SYS(sigreturn));
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
@ -189,7 +195,7 @@ class Filter
|
|||||||
throw -104;
|
throw -104;
|
||||||
}
|
}
|
||||||
|
|
||||||
// build and export
|
/* build and export */
|
||||||
seccomp_export_bpf(_ctx, 1);
|
seccomp_export_bpf(_ctx, 1);
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
|
Loading…
Reference in New Issue
Block a user