Diffstat (limited to 'src/fseccomp/seccomp_print.c')
-rw-r--r-- | src/fseccomp/seccomp_print.c | 40 |
1 files changed, 25 insertions, 15 deletions
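--- a/src/fseccomp/seccomp_print.c
+++ b/src/fseccomp/seccomp_print.c
@@ -69,9 +69,14 @@ void filter_print(const char *fname) {
 load_seccomp(fname);
 
 // start filter
-struct sock_filter start[] = {
+const struct sock_filter start[] = {
 VALIDATE_ARCHITECTURE,
+#if defined(__x86_64__)
+EXAMINE_SYSCALL,
+HANDLE_X32
+#else
 EXAMINE_SYSCALL
+#endif
 };
 
 // print sizes
@@ -80,7 +85,10 @@ void filter_print(const char *fname) {
 // test the start of the filter
 if (memcmp(&start[0], filter, sizeof(start)) == 0) {
 printf(" VALIDATE_ARCHITECTURE\n");
-printf(" EXAMINE_SYSCAL\n");
+printf(" EXAMINE_SYSCALL\n");
+#if defined(__x86_64__)
+printf(" HANDLE_X32\n");
+#endif
 }
 else {
 printf("Invalid seccomp filter %s\n", fname);
@@ -88,34 +96,36 @@ void filter_print(const char *fname) {
 }
 
 // loop trough blacklists
-int i = 4;
+int i = sizeof(start) / sizeof(struct sock_filter);
 while (i < filter_cnt) {
 // minimal parsing!
-unsigned char *ptr = (unsigned char *) &filter[i];
-int *nr = (int *) (ptr + 4);
-if (*ptr == 0x15 && *(ptr +14) == 0xff && *(ptr + 15) == 0x7f ) {
-printf(" WHITELIST %d %s\n", *nr, syscall_find_nr(*nr));
+struct sock_filter *s = (struct sock_filter *) &filter[i];
+if (s->code == BPF_JMP+BPF_JEQ+BPF_K && (s + 1)->code == BPF_RET+BPF_K && (s + 1)->k == SECCOMP_RET_ALLOW ) {
+printf(" WHITELIST %d %s\n", s->k, syscall_find_nr(s->k));
 i += 2;
 }
-else if (*ptr == 0x15 && *(ptr +14) == 0 && *(ptr + 15) == 0) {
-printf(" BLACKLIST %d %s\n", *nr, syscall_find_nr(*nr));
+else if (s->code == BPF_JMP+BPF_JEQ+BPF_K && (s + 1)->code == BPF_RET+BPF_K && (s + 1)->k == SECCOMP_RET_KILL ) {
+printf(" BLACKLIST %d %s\n", s->k, syscall_find_nr(s->k));
 i += 2;
 }
-else if (*ptr == 0x15 && *(ptr +14) == 0x5 && *(ptr + 15) == 0) {
-int err = *(ptr + 13) << 8 | *(ptr + 12);
-printf(" ERRNO %d %s %d %s\n", *nr, syscall_find_nr(*nr), err, errno_find_nr(err));
+else if (s->code == BPF_JMP+BPF_JEQ+BPF_K && (s + 1)->code == BPF_RET+BPF_K && ((s + 1)->k & ~SECCOMP_RET_DATA) == SECCOMP_RET_ERRNO) {
+printf(" BLACKLIST_ERRNO %d %s %d %s\n", s->k, syscall_find_nr(s->k), (s + 1)->k & SECCOMP_RET_DATA, errno_find_nr((s + 1)->k & SECCOMP_RET_DATA));
 i += 2;
 }
-else if (*ptr == 0x06 && *(ptr +6) == 0 && *(ptr + 7) == 0 ) {
+else if (s->code == BPF_RET+BPF_K && (s->k & ~SECCOMP_RET_DATA) == SECCOMP_RET_ERRNO) {
+printf(" RETURN_ERRNO %d %s\n", s->k & SECCOMP_RET_DATA, errno_find_nr(s->k & SECCOMP_RET_DATA));
+i++;
+}
+else if (s->code == BPF_RET+BPF_K && s->k == SECCOMP_RET_KILL) {
 printf(" KILL_PROCESS\n");
 i++;
 }
-else if (*ptr == 0x06 && *(ptr +6) == 0xff && *(ptr + 7) == 0x7f ) {
+else if (s->code == BPF_RET+BPF_K && s->k == SECCOMP_RET_ALLOW) {
 printf(" RETURN_ALLOW\n");
 i++;
 }
 else {
-printf(" UNKNOWN ENTRY!!!\n");
+printf(" UNKNOWN ENTRY %x!\n", s->code);
 i++;
 }
 }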
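Review bot: The three two-entry branches in the while loop of the third hunk dereference `(s + 1)->code` and `(s + 1)->k` without first checking `i + 1 < filter_cnt`, so a filter file (presumably what `load_seccomp(fname)` fills `filter` from) whose last entry is a BPF_JMP+BPF_JEQ+BPF_K makes the parser read one `struct sock_filter` past the end of the buffer. Prefix each of those three conditions with the bound, e.g. `if (i + 1 < filter_cnt && s->code == BPF_JMP+BPF_JEQ+BPF_K && (s + 1)->code == BPF_RET+BPF_K && (s + 1)->k == SECCOMP_RET_ALLOW) {`, so a trailing jump falls through to the UNKNOWN ENTRY branch instead of reading out of bounds. The old byte-offset code had the same gap, so this is not a regression, but the rewrite is the natural place to close it. A smaller point of style: `s->k` is a `__u32` but is printed with `%d` in the WHITELIST, BLACKLIST and BLACKLIST_ERRNO lines, where `%u` would match the type. The body of filter_print continues past this hunk, and `filter` and `filter_cnt` are declared outside it.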