From 88eadbf31fe25dcd7c224a5d92f71c79ccf6c9d3 Mon Sep 17 00:00:00 2001
From: Topi Miettinen
Date: Sat, 14 Mar 2020 00:07:06 +0200
Subject: seccomp: allow defining separate filters for 32-bit arch
System calls (names and numbers) are not exactly the same for 32 bit and 64 bit architectures. Let's allow defining separate filters for 32-bit arch using seccomp.32, seccomp.32.drop, seccomp.32.keep. This is useful for mixed 64/32 bit application environments like Steam and Wine. Implement protocol and mdwx filtering also for 32 bit arch. It's still better to block secondary archs completely if not needed. Lists of supported system calls are also updated. Warn if preload libraries would be needed due to trace, tracelog or postexecseccomp (seccomp.drop=execve etc), because a 32-bit dynamic linker does not understand the 64 bit preload libraries.
Closes #3267.
Signed-off-by: Topi Miettinen
---
 src/fseccomp/fseccomp.h | 34 ++++++++++++----------------------
 1 file changed, 12 insertions(+), 22 deletions(-)
(limited to 'src/fseccomp/fseccomp.h')
diff --git a/src/fseccomp/fseccomp.h b/src/fseccomp/fseccomp.h
index bf55870f2..e8dd083b6 100644
--- a/src/fseccomp/fseccomp.h
+++ b/src/fseccomp/fseccomp.h
@@ -24,21 +24,11 @@
 #include
 #include
 #include "../include/common.h"
+#include "../include/syscall.h"
 // main.c
 extern int arg_quiet;
-// syscall.c
-void syscall_print(void);
-int syscall_check_list(const char *slist, void (*callback)(int fd, int syscall, int arg, void *ptrarg), int fd, int arg, void *ptrarg);
-const char *syscall_find_nr(int nr);
-void syscalls_in_list(const char *list, const char *slist, int fd, char **prelist, char **postlist);
-
 // errno.c
-void errno_print(void);
-int errno_find_name(const char *name);
-char *errno_find_nr(int nr);
-
 // protocol.c
 void protocol_print(void);
 void protocol_build_filter(const char *prlist, const char *fname);
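Review bot: The prototypes this header now carries use `bool` and `size_t` (the `filter_init` and `write_to_file` declarations in the next hunk), but the three system includes at the top of this hunk lost their `<...>` names in rendering, so it is not visible whether `<stdbool.h>` and `<stddef.h>` are among them or arrive through common.h. If they are not, fseccomp.h only compiles in translation units that happen to include those headers first; adding `#include <stdbool.h>` and `#include <stddef.h>` beside the existing system includes makes the header self-contained. Moving the syscall and errno prototypes into `../include/syscall.h` also deserves a one-line why-comment above the new include, e.g. `// syscall/errno table helpers now live in the shared header`, if that is indeed the reason they left this file; syscall.h itself is not in the diff, so the reason cannot be confirmed here.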
@@ -49,27 +39,27 @@ void seccomp_secondary_32(const char *fname);
 void seccomp_secondary_block(const char *fname);
 // seccomp_file.c
-void write_to_file(int fd, const void *data, int size);
-void filter_init(int fd);
-void filter_add_whitelist(int fd, int syscall, int arg, void *ptrarg);
-void filter_add_whitelist_for_excluded(int fd, int syscall, int arg, void *ptrarg);
-void filter_add_blacklist(int fd, int syscall, int arg, void *ptrarg);
-void filter_add_blacklist_for_excluded(int fd, int syscall, int arg, void *ptrarg);
-void filter_add_errno(int fd, int syscall, int arg, void *ptrarg);
+void write_to_file(int fd, const void *data, size_t size);
+void filter_init(int fd, bool native);
+void filter_add_whitelist(int fd, int syscall, int arg, void *ptrarg, bool native);
+void filter_add_whitelist_for_excluded(int fd, int syscall, int arg, void *ptrarg, bool native);
+void filter_add_blacklist(int fd, int syscall, int arg, void *ptrarg, bool native);
+void filter_add_blacklist_for_excluded(int fd, int syscall, int arg, void *ptrarg, bool native);
 void filter_end_blacklist(int fd);
 void filter_end_whitelist(int fd);
 // seccomp.c
 // default list
-void seccomp_default(const char *fname, int allow_debuggers);
+void seccomp_default(const char *fname, int allow_debuggers, bool native);
 // drop list
-void seccomp_drop(const char *fname1, const char *fname2, char *list, int allow_debuggers);
+void seccomp_drop(const char *fname1, const char *fname2, char *list, int allow_debuggers, bool native);
 // default+drop list
-void seccomp_default_drop(const char *fname1, const char *fname2, char *list, int allow_debuggers);
+void seccomp_default_drop(const char *fname1, const char *fname2, char *list, int allow_debuggers, bool native);
 // whitelisted filter
-void seccomp_keep(const char *fname1, const char *fname2, char *list);
+void seccomp_keep(const char *fname1, const char *fname2, char *list, bool native);
 // block writable and executable memory
 void 
memory_deny_write_execute(const char *fname);
+void memory_deny_write_execute_32(const char *fname);
 // seccomp_print
 void filter_print(const char *fname);
-- cgit v1.2.3-70-g09d2
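Review bot: `filter_add_whitelist`, `filter_add_whitelist_for_excluded`, `filter_add_blacklist` and `filter_add_blacklist_for_excluded` gain a trailing `bool native`, but the only callback type this header used to declare for them — `void (*callback)(int fd, int syscall, int arg, void *ptrarg)` in `syscall_check_list`, removed in the first hunk — has four parameters. If syscall.h still declares the callback that way and these functions are still passed to it, the call goes through an incompatible function pointer and `native` is read from an argument slot nobody set, which is undefined behaviour and could silently produce a 32-bit filter built from the 64-bit syscall table (or the reverse), defeating the purpose of the separate filters. The callback type should gain the `bool native` parameter as well, or the arch should travel in `ptrarg`; syscall.h is not in this diff, so confirm which was done. The meaning of `native` is also undocumented here: a comment under `// seccomp_file.c` such as `// native: true builds the filter for the host arch, false for the 32-bit secondary arch (seccomp.32*) — confirm against seccomp_file.c` would spare the next reader a trip into the .c file, and `memory_deny_write_execute_32` should get its own comment line rather than sharing the one above its 64-bit sibling.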