Diffstat (limited to 'src/fseccomp/protocol.c')
-rw-r--r-- | src/fseccomp/protocol.c | 21 |
1 files changed, 17 insertions, 4 deletions
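--- a/src/fseccomp/protocol.c
+++ b/src/fseccomp/protocol.c
@@ -122,10 +122,23 @@ void protocol_build_filter(const char *prlist, const char *fname) {
 
 	// header
 	struct sock_filter filter_start[] = {
-		VALIDATE_ARCHITECTURE,
-		EXAMINE_SYSCALL,
-		ONLY(SYS_socket),
-		EXAMINE_ARGUMENT(0)
+#if defined __x86_64__
+		/* check for native arch */
+		BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))),
+		BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_NR, 1 + 2 + 1, 0),
+		/* i386 filter */
+		EXAMINE_SYSCALL, // 1
+		// checking SYS_socket only: filtering SYS_socketcall not possible with seccomp
+		ONLY(359), // 1 + 2
+		BPF_JUMP(BPF_JMP+BPF_JA+BPF_K, (3 + 1 + 2), 0, 0), // 1 + 2 + 1
+#else
+#warning 32 bit protocol filter not implemented yet for your architecture
+#endif
+		VALIDATE_ARCHITECTURE, // 3
+		EXAMINE_SYSCALL, // 3 + 1
+		ONLY(SYS_socket), // 3 + 1 + 2
+
+		EXAMINE_ARGUMENT(0) // 3 + 1 + 2 + 1
 	};
 	memcpy(ptr, &filter_start[0], sizeof(filter_start));
 	ptr += sizeof(filter_start);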
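Review bot: The i386 leg added at the top of filter_start is taken for any arch value that is not ARCH_NR, not only AUDIT_ARCH_I386, so a foreign-but-not-i386 arch (largely theoretical on x86_64 kernels today, since x32 reports the native arch) is matched against syscall 359 and otherwise appears to fall through to whatever ONLY() does on a mismatch, instead of the kill that VALIDATE_ARCHITECTURE applied to every non-native arch before this change. If linux/audit.h is in scope this is a two-line tightening: change the native-arch jump to `BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_NR, 1 + 1 + 2 + 1, 0),` and add `BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, AUDIT_ARCH_I386, 0, 1 + 2 + 1),` directly after it, so anything else skips straight to VALIDATE_ARCHITECTURE and is killed while the JA offset into EXAMINE_ARGUMENT(0) stays 3 + 1 + 2 (instruction counts taken from the inline comments; the macro expansions are not visible here). The bare 359 should be a named constant, e.g. `#define I386_SYS_socket 359 // socket(2) number on i386; SYS_socket below is the x86_64 value`. As the inline comment concedes, socketcall(2) cannot be argument-filtered, so a 32-bit caller can still open any protocol via socketcall(SYS_SOCKET, ...); that limitation belongs in the user-facing documentation of the protocol filter, not only in this comment. protocol_build_filter starts before and continues after the hunk.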