From d01216de45884300c87e7d3ccb70e53ebb461449 Mon Sep 17 00:00:00 2001
From: Topi Miettinen
Date: Sat, 19 Aug 2017 23:22:38 +0300
Subject: Feature: switch/config option to block secondary architectures

Add a feature for a new (opt-in) command line switch and config file option to block secondary architectures entirely. Also block changing Linux execution domain with personality() system call for the primary architecture.

Closes #1479
---
 src/include/seccomp.h | 9 +++++++++
 1 file changed, 9 insertions(+)

(limited to 'src/include/seccomp.h')

diff --git a/src/include/seccomp.h b/src/include/seccomp.h
index b1a19a9b6..2f2b2384d 100644
--- a/src/include/seccomp.h
+++ b/src/include/seccomp.h
@@ -105,6 +105,11 @@ struct seccomp_data {
 	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_NR, 1, 0), \
 	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
 
+#define VALIDATE_ARCHITECTURE_KILL \
+	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \
+	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_NR, 1, 0), \
+	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)
+
 #define VALIDATE_ARCHITECTURE_64 \
 	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \
 	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, AUDIT_ARCH_X86_64, 1, 0), \
@@ -122,6 +127,10 @@ struct seccomp_data {
 	BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, X32_SYSCALL_BIT, 1, 0), \
 	BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, 0, 1, 0), \
 	RETURN_ERRNO(EPERM)
+#define HANDLE_X32_KILL \
+	BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, X32_SYSCALL_BIT, 1, 0), \
+	BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, 0, 1, 0), \
+	KILL_PROCESS
 #endif
 
 #define EXAMINE_SYSCALL BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
-- 
cgit v1.2.3-54-g00ecf
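Review bot: VALIDATE_ARCHITECTURE_KILL ends in a bare `BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)` while HANDLE_X32_KILL in the second hunk ends in the KILL_PROCESS macro; the two new blocking macros should share one terminal action so that any later change to the kill semantics lands in both (KILL_PROCESS is not defined in this hunk, so whether it already expands to the same return is inferred). That matters because SECCOMP_RET_KILL terminates only the calling thread on kernels that predate SECCOMP_RET_KILL_PROCESS (Linux 4.14): in a multithreaded sandboxed program the other threads keep running after a foreign-architecture syscall is trapped. A comment on the return line, `/* SECCOMP_RET_KILL ends the calling thread only; prefer SECCOMP_RET_KILL_PROCESS where the headers define it */`, records the limitation until the stronger action can be used conditionally.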
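Review bot: HANDLE_X32_KILL, like the existing HANDLE_X32 it mirrors, silently depends on the accumulator already holding seccomp_data.nr when it is expanded (the BPF_JGE against X32_SYSCALL_BIT tests whatever was loaded last, presumably by EXAMINE_SYSCALL, whose load target is cut off at the end of the hunk), and the macro itself records no such precondition. The second `BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, 0, 1, 0)` is an always-taken skip over KILL_PROCESS rather than a real comparison, since an unsigned accumulator is always >= 0, which is easy to misread as a test. A comment above the define, `/* requires A == nr (load it with EXAMINE_SYSCALL first); kills when X32_SYSCALL_BIT is set, otherwise falls through */`, makes both points explicit for the next reader.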