Diffstat (limited to 'src/fseccomp/protocol.c')
-rw-r--r--src/fseccomp/protocol.c21
1 files changed, 17 insertions, 4 deletions
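--- a/src/fseccomp/protocol.c
+++ b/src/fseccomp/protocol.c
@@ -122,10 +122,23 @@ void protocol_build_filter(const char *prlist, const char *fname) {
 
 	// header
 	struct sock_filter filter_start[] = {
-		VALIDATE_ARCHITECTURE,
-		EXAMINE_SYSCALL,
-		ONLY(SYS_socket),
-		EXAMINE_ARGUMENT(0)
+#if defined __x86_64__
+		/* check for native arch */
+		BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))),
+		BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_NR, 1 + 2 + 1, 0),
+		/* i386 filter */
+		EXAMINE_SYSCALL, // 1
+		// checking SYS_socket only: filtering SYS_socketcall not possible with seccomp
+		ONLY(359), // 1 + 2
+		BPF_JUMP(BPF_JMP+BPF_JA+BPF_K, (3 + 1 + 2), 0, 0), // 1 + 2 + 1
+#else
+#warning 32 bit protocol filter not implemented yet for your architecture
+#endif
+		VALIDATE_ARCHITECTURE, // 3
+		EXAMINE_SYSCALL, // 3 + 1
+		ONLY(SYS_socket), // 3 + 1 + 2
+
+		EXAMINE_ARGUMENT(0) // 3 + 1 + 2 + 1
 	};
 	memcpy(ptr, &filter_start[0], sizeof(filter_start));
 	ptr += sizeof(filter_start);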
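Review bot: The i386 branch is entered whenever arch is anything other than ARCH_NR, not when it is actually the i386 ABI — the JEQ at new line 128 only tests for the native arch, and the JA at new line 133 then bypasses VALIDATE_ARCHITECTURE, so every non-native arch value is filtered as if it were i386 and has its syscall number compared against 359. On an x86_64 kernel the only other value seccomp reports is AUDIT_ARCH_I386, so this holds today, but a positive `BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, AUDIT_ARCH_I386, 0, <offset of the kill/return path>)` placed before the i386 EXAMINE_SYSCALL would keep the filter fail-closed if that assumption ever changes. The offsets `1 + 2 + 1` and `3 + 1 + 2` are hand-derived from the instruction counts of EXAMINE_SYSCALL, ONLY and VALIDATE_ARCHITECTURE, which are defined outside this hunk; a `_Static_assert(sizeof(filter_start) / sizeof(filter_start[0]) == <expected count>, "jump offsets assume this layout");` after the initializer, or a comment stating each macro's width, would catch a silent drift when one of those macros is edited. `359` should also be a named constant such as `#define I386_SYS_socket 359`, since the adjacent comment is currently the only thing saying what it is. protocol_build_filter continues outside the hunk.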