author | Topi Miettinen <toiwoton@gmail.com> | 2017-09-02 14:05:31 +0300 |
---|---|---|
committer | Topi Miettinen <toiwoton@gmail.com> | 2017-09-02 14:05:31 +0300 |
commit | cb5d361a7b52844bb18346f1829b69b4b7084439 (patch) | |
tree | a5c75843eca9db0ee432dde47454f2ec06224fb8 /src/include | |
parent | Workaround for build problems, but correct problem this time (diff) | |
Improve seccomp support for non-x86 architectures
Diffstat (limited to 'src/include')
-rw-r--r-- | src/include/seccomp.h | 58 |
1 files changed, 56 insertions, 2 deletions
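--- a/src/include/seccomp.h
+++ b/src/include/seccomp.h
@@ -91,10 +91,64 @@ struct seccomp_data {
 
 #if defined(__i386__)
 # define ARCH_NR AUDIT_ARCH_I386
+# define ARCH_32 AUDIT_ARCH_I386
+# define ARCH_64 AUDIT_ARCH_X86_64
 #elif defined(__x86_64__)
 # define ARCH_NR AUDIT_ARCH_X86_64
+# define ARCH_32 AUDIT_ARCH_I386
+# define ARCH_64 AUDIT_ARCH_X86_64
+#elif defined(__aarch64__)
+# define ARCH_NR AUDIT_ARCH_AARCH64
+# define ARCH_32 AUDIT_ARCH_ARM
+# define ARCH_64 AUDIT_ARCH_AARCH64
 #elif defined(__arm__)
 # define ARCH_NR AUDIT_ARCH_ARM
+# define ARCH_32 AUDIT_ARCH_ARM
+# define ARCH_64 AUDIT_ARCH_AARCH64
+#elif defined(__mips__) && __BYTE_ORDER == __BIG_ENDIAN && _MIPS_SIM == _MIPS_SIM_ABI32
+# define ARCH_NR AUDIT_ARCH_MIPS
+# define ARCH_32 AUDIT_ARCH_MIPS
+# define ARCH_64 AUDIT_ARCH_MIPS64
+#elif defined(__mips__) && __BYTE_ORDER == __LITTLE_ENDIAN && _MIPS_SIM == _MIPS_SIM_ABI32
+# define ARCH_NR AUDIT_ARCH_MIPSEL
+# define ARCH_32 AUDIT_ARCH_MIPSEL
+# define ARCH_64 AUDIT_ARCH_MIPSEL64
+#elif defined(__mips__) && __BYTE_ORDER == __BIG_ENDIAN && _MIPS_SIM == _MIPS_SIM_ABI64
+# define ARCH_NR AUDIT_ARCH_MIPS64
+# define ARCH_32 AUDIT_ARCH_MIPS
+# define ARCH_64 AUDIT_ARCH_MIPS64
+#elif defined(__mips__) && __BYTE_ORDER == __LITTLE_ENDIAN && _MIPS_SIM == _MIPS_SIM_ABI64
+# define ARCH_NR AUDIT_ARCH_MIPSEL64
+# define ARCH_32 AUDIT_ARCH_MIPSEL
+# define ARCH_64 AUDIT_ARCH_MIPSEL64
+#elif defined(__mips__) && __BYTE_ORDER == __BIG_ENDIAN && _MIPS_SIM == _MIPS_SIM_NABI32
+# define ARCH_NR AUDIT_ARCH_MIPS64N32
+# define ARCH_32 AUDIT_ARCH_MIPS64N32
+# define ARCH_64 AUDIT_ARCH_MIPS64
+#elif defined(__mips__) && __BYTE_ORDER == __LITTLE_ENDIAN && _MIPS_SIM == _MIPS_SIM_NABI32
+# define ARCH_NR AUDIT_ARCH_MIPSEL64N32
+# define ARCH_32 AUDIT_ARCH_MIPSEL64N32
+# define ARCH_64 AUDIT_ARCH_MIPSEL64
+#elif defined(__powerpc64__) && __BYTE_ORDER == __BIG_ENDIAN
+# define ARCH_NR AUDIT_ARCH_PPC64
+# define ARCH_32 AUDIT_ARCH_PPC
+# define ARCH_64 AUDIT_ARCH_PPC64
+#elif defined(__powerpc64__) && __BYTE_ORDER == __LITTLE_ENDIAN
+# define ARCH_NR AUDIT_ARCH_PPC64LE
+# define ARCH_32 AUDIT_ARCH_PPC
+# define ARCH_64 AUDIT_ARCH_PPC64LE
+#elif defined(__powerpc__)
+# define ARCH_NR AUDIT_ARCH_PPC
+# define ARCH_32 AUDIT_ARCH_PPC
+# define ARCH_64 AUDIT_ARCH_PPC64LE
+#elif defined(__s390x__)
+# define ARCH_NR AUDIT_ARCH_S390X
+# define ARCH_32 AUDIT_ARCH_S390
+# define ARCH_64 AUDIT_ARCH_S390X
+#elif defined(__s390__)
+# define ARCH_NR AUDIT_ARCH_S390
+# define ARCH_32 AUDIT_ARCH_S390
+# define ARCH_64 AUDIT_ARCH_S390X
 #else
 # warning "Platform does not support seccomp filter yet"
 # define ARCH_NR 0
@@ -112,12 +166,12 @@ struct seccomp_data {
 
 #define VALIDATE_ARCHITECTURE_64 \
 BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \
-BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, AUDIT_ARCH_X86_64, 1, 0), \
+BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_64, 1, 0), \
 BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
 
 #define VALIDATE_ARCHITECTURE_32 \
 BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \
-BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, AUDIT_ARCH_I386, 1, 0), \
+BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_32, 1, 0), \
 BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
 
 #if defined(__x86_64__)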
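Review bot: The new MIPS and PowerPC branches test `__BYTE_ORDER` and `_MIPS_SIM` against `__BIG_ENDIAN`, `_MIPS_SIM_ABI32` and related names, which are header-provided macros; if `<endian.h>` (and `<sgidefs.h>` on MIPS) has not been included before this point, the preprocessor treats the undefined names as 0 and a branch is picked or skipped without any diagnostic. Because `VALIDATE_ARCHITECTURE_32` and `VALIDATE_ARCHITECTURE_64` return `SECCOMP_RET_ALLOW` whenever the loaded arch differs from the constant, a wrongly selected `ARCH_*` value makes the filter fail open instead of failing the build. The include list is outside this hunk, so this may already be covered; if it is not, a guard such as `#if defined(__powerpc64__) && !defined(__BYTE_ORDER)` followed by `# error "include <endian.h> before seccomp.h"` (and the same for the MIPS macros) would make the dependency explicit. The `#else` branch also continues past the hunk: it should define `ARCH_32` and `ARCH_64` as well, since both validation macros now reference them on every platform.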