Diffstat (limited to 'src/fseccomp/seccomp_secondary.c')
-rw-r--r-- | src/fseccomp/seccomp_secondary.c | 65 |
1 files changed, 0 insertions, 65 deletions
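--- a/src/fseccomp/seccomp_secondary.c
+++ b/src/fseccomp/seccomp_secondary.c
@@ -42,71 +42,6 @@ static void write_filter(const char *fname, size_t size, const void *filter) {
 	close(dst);
 }
 
-void seccomp_secondary_64(const char *fname) {
-	// hardcoded syscall values
-	struct sock_filter filter[] = {
-		VALIDATE_ARCHITECTURE_64,
-		EXAMINE_SYSCALL,
-		BLACKLIST(165), // mount
-		BLACKLIST(166), // umount2
-		// todo: implement --allow-debuggers
-		BLACKLIST(101), // ptrace
-		BLACKLIST(246), // kexec_load
-		BLACKLIST(304), // open_by_handle_at
-		BLACKLIST(303), // name_to_handle_at
-		BLACKLIST(174), // create_module
-		BLACKLIST(175), // init_module
-		BLACKLIST(313), // finit_module
-		BLACKLIST(176), // delete_module
-		BLACKLIST(172), // iopl
-		BLACKLIST(173), // ioperm
-		BLACKLIST(251), // ioprio_set
-		BLACKLIST(167), // swapon
-		BLACKLIST(168), // swapoff
-		BLACKLIST(103), // syslog
-		BLACKLIST(310), // process_vm_readv
-		BLACKLIST(311), // process_vm_writev
-		BLACKLIST(139), // sysfs
-		BLACKLIST(156), // _sysctl
-		BLACKLIST(159), // adjtimex
-		BLACKLIST(305), // clock_adjtime
-		BLACKLIST(212), // lookup_dcookie
-		BLACKLIST(298), // perf_event_open
-		BLACKLIST(300), // fanotify_init
-		BLACKLIST(312), // kcmp
-		BLACKLIST(248), // add_key
-		BLACKLIST(249), // request_key
-		BLACKLIST(250), // keyctl
-		BLACKLIST(134), // uselib
-		BLACKLIST(163), // acct
-		BLACKLIST(154), // modify_ldt
-		BLACKLIST(155), // pivot_root
-		BLACKLIST(206), // io_setup
-		BLACKLIST(207), // io_destroy
-		BLACKLIST(208), // io_getevents
-		BLACKLIST(209), // io_submit
-		BLACKLIST(210), // io_cancel
-		BLACKLIST(216), // remap_file_pages
-		BLACKLIST(237), // mbind
-		// breaking Firefox nightly when playing youtube videos
-		// TODO: test again when firefox sandbox is finally released
-		// BLACKLIST(239), // get_mempolicy
-		BLACKLIST(238), // set_mempolicy
-		BLACKLIST(256), // migrate_pages
-		BLACKLIST(279), // move_pages
-		BLACKLIST(278), // vmsplice
-		BLACKLIST(161), // chroot
-		BLACKLIST(184), // tuxcall
-		BLACKLIST(169), // reboot
-		BLACKLIST(180), // nfsservctl
-		BLACKLIST(177), // get_kernel_syms
-
-		RETURN_ALLOW
-	};
-
-	// save filter to file
-	write_filter(fname, sizeof(filter), filter);
-}
 
 // 32 bit arch filter installed on 64 bit architectures
 void seccomp_secondary_32(const char *fname) {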