Improve seccomp support for non-x86 architectures

author: Topi Miettinen <toiwoton@gmail.com> 2017-09-02 14:05:31 +0300
committer: Topi Miettinen <toiwoton@gmail.com> 2017-09-02 14:05:31 +0300
commit: cb5d361a7b52844bb18346f1829b69b4b7084439 (patch)
tree: a5c75843eca9db0ee432dde47454f2ec06224fb8 /src/include/seccomp.h
parent: Workaround for build problems, but correct problem this time (diff)
download: firejail-cb5d361a7b52844bb18346f1829b69b4b7084439.tar.gz
firejail-cb5d361a7b52844bb18346f1829b69b4b7084439.tar.zst
firejail-cb5d361a7b52844bb18346f1829b69b4b7084439.zip
1 files changed, 56 insertions, 2 deletions
diff --git a/src/include/seccomp.h b/src/include/seccomp.h
index 2f2b2384d..133b6ce72 100644
--- a/src/include/seccomp.h
+++ b/src/include/seccomp.h
@@ -91,10 +91,64 @@ struct seccomp_data {
 #if defined(__i386__)
 # define ARCH_NR        AUDIT_ARCH_I386
+# define ARCH_32        AUDIT_ARCH_I386
+# define ARCH_64        AUDIT_ARCH_X86_64
 #elif defined(__x86_64__)
 # define ARCH_NR        AUDIT_ARCH_X86_64
+# define ARCH_32        AUDIT_ARCH_I386
+# define ARCH_64        AUDIT_ARCH_X86_64
+#elif defined(__aarch64__)
+# define ARCH_NR        AUDIT_ARCH_AARCH64
+# define ARCH_32        AUDIT_ARCH_ARM
+# define ARCH_64        AUDIT_ARCH_AARCH64
 #elif defined(__arm__)
 # define ARCH_NR        AUDIT_ARCH_ARM
+# define ARCH_32        AUDIT_ARCH_ARM
+# define ARCH_64        AUDIT_ARCH_AARCH64
+#elif defined(__mips__) && __BYTE_ORDER == __BIG_ENDIAN && _MIPS_SIM == _MIPS_SIM_ABI32
+# define ARCH_NR        AUDIT_ARCH_MIPS
+# define ARCH_32        AUDIT_ARCH_MIPS
+# define ARCH_64        AUDIT_ARCH_MIPS64
+#elif defined(__mips__) && __BYTE_ORDER == __LITTLE_ENDIAN && _MIPS_SIM == _MIPS_SIM_ABI32
+# define ARCH_NR        AUDIT_ARCH_MIPSEL
+# define ARCH_32        AUDIT_ARCH_MIPSEL
+# define ARCH_64        AUDIT_ARCH_MIPSEL64
+#elif defined(__mips__) && __BYTE_ORDER == __BIG_ENDIAN && _MIPS_SIM == _MIPS_SIM_ABI64
+# define ARCH_NR        AUDIT_ARCH_MIPS64
+# define ARCH_32        AUDIT_ARCH_MIPS
+# define ARCH_64        AUDIT_ARCH_MIPS64
+#elif defined(__mips__) && __BYTE_ORDER == __LITTLE_ENDIAN && _MIPS_SIM == _MIPS_SIM_ABI64
+# define ARCH_NR        AUDIT_ARCH_MIPSEL64
+# define ARCH_32        AUDIT_ARCH_MIPSEL
+# define ARCH_64        AUDIT_ARCH_MIPSEL64
+#elif defined(__mips__) && __BYTE_ORDER == __BIG_ENDIAN && _MIPS_SIM == _MIPS_SIM_NABI32
+# define ARCH_NR        AUDIT_ARCH_MIPS64N32
+# define ARCH_32        AUDIT_ARCH_MIPS64N32
+# define ARCH_64        AUDIT_ARCH_MIPS64
+#elif defined(__mips__) && __BYTE_ORDER == __LITTLE_ENDIAN && _MIPS_SIM == _MIPS_SIM_NABI32
+# define ARCH_NR        AUDIT_ARCH_MIPSEL64N32
+# define ARCH_32        AUDIT_ARCH_MIPSEL64N32
+# define ARCH_64        AUDIT_ARCH_MIPSEL64
+#elif defined(__powerpc64__) && __BYTE_ORDER == __BIG_ENDIAN
+# define ARCH_NR        AUDIT_ARCH_PPC64
+# define ARCH_32        AUDIT_ARCH_PPC
+# define ARCH_64        AUDIT_ARCH_PPC64
+#elif defined(__powerpc64__) && __BYTE_ORDER == __LITTLE_ENDIAN
+# define ARCH_NR        AUDIT_ARCH_PPC64LE
+# define ARCH_32        AUDIT_ARCH_PPC
+# define ARCH_64        AUDIT_ARCH_PPC64LE
+#elif defined(__powerpc__)
+# define ARCH_NR        AUDIT_ARCH_PPC
+# define ARCH_32        AUDIT_ARCH_PPC
+# define ARCH_64        AUDIT_ARCH_PPC64LE
+#elif defined(__s390x__)
+# define ARCH_NR        AUDIT_ARCH_S390X
+# define ARCH_32        AUDIT_ARCH_S390
+# define ARCH_64        AUDIT_ARCH_S390X
+#elif defined(__s390__)
+# define ARCH_NR        AUDIT_ARCH_S390
+# define ARCH_32        AUDIT_ARCH_S390
+# define ARCH_64        AUDIT_ARCH_S390X
 #else
 # warning "Platform does not support seccomp filter yet"
 # define ARCH_NR        0
@@ -112,12 +166,12 @@ struct seccomp_data {
 #define VALIDATE_ARCHITECTURE_64 \
     BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \
-     BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, AUDIT_ARCH_X86_64, 1, 0), \
+     BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_64, 1, 0), \
     BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
 #define VALIDATE_ARCHITECTURE_32 \
     BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \
-     BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, AUDIT_ARCH_I386, 1, 0), \
+     BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_32, 1, 0), \
     BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
 #if defined(__x86_64__)
author	Topi Miettinen <toiwoton@gmail.com>	2017-09-02 14:05:31 +0300
committer	Topi Miettinen <toiwoton@gmail.com>	2017-09-02 14:05:31 +0300
commit	cb5d361a7b52844bb18346f1829b69b4b7084439 (patch)
tree	a5c75843eca9db0ee432dde47454f2ec06224fb8 /src/include/seccomp.h
parent	Workaround for build problems, but correct problem this time (diff)
download	firejail-cb5d361a7b52844bb18346f1829b69b4b7084439.tar.gz firejail-cb5d361a7b52844bb18346f1829b69b4b7084439.tar.zst firejail-cb5d361a7b52844bb18346f1829b69b4b7084439.zip

diff --git a/src/include/seccomp.h b/src/include/seccomp.h index 2f2b2384d..133b6ce72 100644 --- a/src/include/seccomp.h +++ b/src/include/seccomp.h
@@ -91,10 +91,64 @@ struct seccomp_data {
91		91
92	#if defined(__i386__)	92	#if defined(__i386__)
93	# define ARCH_NR AUDIT_ARCH_I386	93	# define ARCH_NR AUDIT_ARCH_I386
		94	# define ARCH_32 AUDIT_ARCH_I386
		95	# define ARCH_64 AUDIT_ARCH_X86_64
94	#elif defined(__x86_64__)	96	#elif defined(__x86_64__)
95	# define ARCH_NR AUDIT_ARCH_X86_64	97	# define ARCH_NR AUDIT_ARCH_X86_64
		98	# define ARCH_32 AUDIT_ARCH_I386
		99	# define ARCH_64 AUDIT_ARCH_X86_64
		100	#elif defined(__aarch64__)
		101	# define ARCH_NR AUDIT_ARCH_AARCH64
		102	# define ARCH_32 AUDIT_ARCH_ARM
		103	# define ARCH_64 AUDIT_ARCH_AARCH64
96	#elif defined(__arm__)	104	#elif defined(__arm__)
97	# define ARCH_NR AUDIT_ARCH_ARM	105	# define ARCH_NR AUDIT_ARCH_ARM
		106	# define ARCH_32 AUDIT_ARCH_ARM
		107	# define ARCH_64 AUDIT_ARCH_AARCH64
		108	#elif defined(__mips__) && __BYTE_ORDER == __BIG_ENDIAN && _MIPS_SIM == _MIPS_SIM_ABI32
		109	# define ARCH_NR AUDIT_ARCH_MIPS
		110	# define ARCH_32 AUDIT_ARCH_MIPS
		111	# define ARCH_64 AUDIT_ARCH_MIPS64
		112	#elif defined(__mips__) && __BYTE_ORDER == __LITTLE_ENDIAN && _MIPS_SIM == _MIPS_SIM_ABI32
		113	# define ARCH_NR AUDIT_ARCH_MIPSEL
		114	# define ARCH_32 AUDIT_ARCH_MIPSEL
		115	# define ARCH_64 AUDIT_ARCH_MIPSEL64
		116	#elif defined(__mips__) && __BYTE_ORDER == __BIG_ENDIAN && _MIPS_SIM == _MIPS_SIM_ABI64
		117	# define ARCH_NR AUDIT_ARCH_MIPS64
		118	# define ARCH_32 AUDIT_ARCH_MIPS
		119	# define ARCH_64 AUDIT_ARCH_MIPS64
		120	#elif defined(__mips__) && __BYTE_ORDER == __LITTLE_ENDIAN && _MIPS_SIM == _MIPS_SIM_ABI64
		121	# define ARCH_NR AUDIT_ARCH_MIPSEL64
		122	# define ARCH_32 AUDIT_ARCH_MIPSEL
		123	# define ARCH_64 AUDIT_ARCH_MIPSEL64
		124	#elif defined(__mips__) && __BYTE_ORDER == __BIG_ENDIAN && _MIPS_SIM == _MIPS_SIM_NABI32
		125	# define ARCH_NR AUDIT_ARCH_MIPS64N32
		126	# define ARCH_32 AUDIT_ARCH_MIPS64N32
		127	# define ARCH_64 AUDIT_ARCH_MIPS64
		128	#elif defined(__mips__) && __BYTE_ORDER == __LITTLE_ENDIAN && _MIPS_SIM == _MIPS_SIM_NABI32
		129	# define ARCH_NR AUDIT_ARCH_MIPSEL64N32
		130	# define ARCH_32 AUDIT_ARCH_MIPSEL64N32
		131	# define ARCH_64 AUDIT_ARCH_MIPSEL64
		132	#elif defined(__powerpc64__) && __BYTE_ORDER == __BIG_ENDIAN
		133	# define ARCH_NR AUDIT_ARCH_PPC64
		134	# define ARCH_32 AUDIT_ARCH_PPC
		135	# define ARCH_64 AUDIT_ARCH_PPC64
		136	#elif defined(__powerpc64__) && __BYTE_ORDER == __LITTLE_ENDIAN
		137	# define ARCH_NR AUDIT_ARCH_PPC64LE
		138	# define ARCH_32 AUDIT_ARCH_PPC
		139	# define ARCH_64 AUDIT_ARCH_PPC64LE
		140	#elif defined(__powerpc__)
		141	# define ARCH_NR AUDIT_ARCH_PPC
		142	# define ARCH_32 AUDIT_ARCH_PPC
		143	# define ARCH_64 AUDIT_ARCH_PPC64LE
		144	#elif defined(__s390x__)
		145	# define ARCH_NR AUDIT_ARCH_S390X
		146	# define ARCH_32 AUDIT_ARCH_S390
		147	# define ARCH_64 AUDIT_ARCH_S390X
		148	#elif defined(__s390__)
		149	# define ARCH_NR AUDIT_ARCH_S390
		150	# define ARCH_32 AUDIT_ARCH_S390
		151	# define ARCH_64 AUDIT_ARCH_S390X
98	#else	152	#else
99	# warning "Platform does not support seccomp filter yet"	153	# warning "Platform does not support seccomp filter yet"
100	# define ARCH_NR 0	154	# define ARCH_NR 0
@@ -112,12 +166,12 @@ struct seccomp_data {
112		166
113	#define VALIDATE_ARCHITECTURE_64 \	167	#define VALIDATE_ARCHITECTURE_64 \
114	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \	168	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \
115	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, AUDIT_ARCH_X86_64, 1, 0), \	169	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_64, 1, 0), \
116	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)	170	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
117		171
118	#define VALIDATE_ARCHITECTURE_32 \	172	#define VALIDATE_ARCHITECTURE_32 \
119	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \	173	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \
120	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, AUDIT_ARCH_I386, 1, 0), \	174	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_32, 1, 0), \
121	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)	175	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
122		176
123	#if defined(__x86_64__)	177	#if defined(__x86_64__)