Diffstat (limited to 'man2/seccomp.2')
-rw-r--r--man2/seccomp.250
1 files changed, 23 insertions, 27 deletions
diff --git a/man2/seccomp.2 b/man2/seccomp.2
index 640b6c179..6b32eec03 100644
--- a/man2/seccomp.2
+++ b/man2/seccomp.2
@@ -6,7 +6,7 @@
.\"
.\" SPDX-License-Identifier: Linux-man-pages-copyleft
.\"
-.TH seccomp 2 2023-02-05 "Linux man-pages 6.03"
+.TH seccomp 2 2023-05-03 "Linux man-pages 6.05.01"
.SH NAME
seccomp \- operate on Secure Computing state of the process
.SH LIBRARY
@@ -861,15 +861,11 @@ but the kernel does not support the filter return action specified by
.B ESRCH
Another thread caused a failure during thread sync, but its ID could not
be determined.
-.SH VERSIONS
-The
-.BR seccomp ()
-system call first appeared in Linux 3.17.
-.\" FIXME . Add glibc version
.SH STANDARDS
-The
-.BR seccomp ()
-system call is a nonstandard Linux extension.
+Linux.
+.SH HISTORY
+Linux 3.17.
+.\" FIXME . Add glibc version
.SH NOTES
Rather than hand-coding seccomp filters as shown in the example below,
you may prefer to employ the
@@ -1118,71 +1114,71 @@ cecilia
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
-
+\&
#define X32_SYSCALL_BIT 0x40000000
#define ARRAY_SIZE(arr) (sizeof(arr) / sizeof((arr)[0]))
-
+\&
static int
install_filter(int syscall_nr, unsigned int t_arch, int f_errno)
{
unsigned int upper_nr_limit = 0xffffffff;
-
+\&
/* Assume that AUDIT_ARCH_X86_64 means the normal x86\-64 ABI
(in the x32 ABI, all system calls have bit 30 set in the
\[aq]nr\[aq] field, meaning the numbers are >= X32_SYSCALL_BIT). */
if (t_arch == AUDIT_ARCH_X86_64)
upper_nr_limit = X32_SYSCALL_BIT \- 1;
-
+\&
struct sock_filter filter[] = {
/* [0] Load architecture from \[aq]seccomp_data\[aq] buffer into
accumulator. */
BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
(offsetof(struct seccomp_data, arch))),
-
+\&
/* [1] Jump forward 5 instructions if architecture does not
match \[aq]t_arch\[aq]. */
BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, t_arch, 0, 5),
-
+\&
/* [2] Load system call number from \[aq]seccomp_data\[aq] buffer into
accumulator. */
BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
(offsetof(struct seccomp_data, nr))),
-
+\&
/* [3] Check ABI \- only needed for x86\-64 in deny\-list use
cases. Use BPF_JGT instead of checking against the bit
mask to avoid having to reload the syscall number. */
BPF_JUMP(BPF_JMP | BPF_JGT | BPF_K, upper_nr_limit, 3, 0),
-
+\&
/* [4] Jump forward 1 instruction if system call number
does not match \[aq]syscall_nr\[aq]. */
BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, syscall_nr, 0, 1),
-
+\&
/* [5] Matching architecture and system call: don\[aq]t execute
the system call, and return \[aq]f_errno\[aq] in \[aq]errno\[aq]. */
BPF_STMT(BPF_RET | BPF_K,
SECCOMP_RET_ERRNO | (f_errno & SECCOMP_RET_DATA)),
-
+\&
/* [6] Destination of system call number mismatch: allow other
system calls. */
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
-
+\&
/* [7] Destination of architecture mismatch: kill process. */
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
};
-
+\&
struct sock_fprog prog = {
.len = ARRAY_SIZE(filter),
.filter = filter,
};
-
+\&
if (syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, 0, &prog)) {
perror("seccomp");
return 1;
}
-
+\&
return 0;
}
-
+\&
int
main(int argc, char *argv[])
{
@@ -1194,17 +1190,17 @@ main(int argc, char *argv[])
"\en", argv[0], AUDIT_ARCH_I386, AUDIT_ARCH_X86_64);
exit(EXIT_FAILURE);
}
-
+\&
if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
perror("prctl");
exit(EXIT_FAILURE);
}
-
+\&
if (install_filter(strtol(argv[1], NULL, 0),
strtoul(argv[2], NULL, 0),
strtol(argv[3], NULL, 0)))
exit(EXIT_FAILURE);
-
+\&
execv(argv[4], &argv[4]);
perror("execv");
exit(EXIT_FAILURE);