mirror of
git://anongit.mindrot.org/openssh.git
synced 2024-12-25 03:12:10 +00:00
Remove macro trickery; no binary change
This stops the SC_ALLOW(), SC_ALLOW_ARG() and SC_DENY() macros prepending __NR_ to the syscall number parameter and just makes them explicit in the macro invocations. No binary change in stripped object file before/after.
This commit is contained in:
parent
5f1596e11d
commit
e3ea335abe
@ -85,13 +85,13 @@
|
||||
|
||||
/* Simple helpers to avoid manual errors (but larger BPF programs). */
|
||||
#define SC_DENY(_nr, _errno) \
|
||||
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \
|
||||
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (_nr), 0, 1), \
|
||||
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO|(_errno))
|
||||
#define SC_ALLOW(_nr) \
|
||||
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \
|
||||
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (_nr), 0, 1), \
|
||||
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
|
||||
#define SC_ALLOW_ARG(_nr, _arg_nr, _arg_val) \
|
||||
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 6), \
|
||||
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (_nr), 0, 6), \
|
||||
/* load and test first syscall argument, low word */ \
|
||||
BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
|
||||
offsetof(struct seccomp_data, args[(_arg_nr)]) + ARG_LO_OFFSET), \
|
||||
@ -120,114 +120,114 @@ static const struct sock_filter preauth_insns[] = {
|
||||
|
||||
/* Syscalls to non-fatally deny */
|
||||
#ifdef __NR_lstat
|
||||
SC_DENY(lstat, EACCES),
|
||||
SC_DENY(__NR_lstat, EACCES),
|
||||
#endif
|
||||
#ifdef __NR_lstat64
|
||||
SC_DENY(lstat64, EACCES),
|
||||
SC_DENY(__NR_lstat64, EACCES),
|
||||
#endif
|
||||
#ifdef __NR_fstat
|
||||
SC_DENY(fstat, EACCES),
|
||||
SC_DENY(__NR_fstat, EACCES),
|
||||
#endif
|
||||
#ifdef __NR_fstat64
|
||||
SC_DENY(fstat64, EACCES),
|
||||
SC_DENY(__NR_fstat64, EACCES),
|
||||
#endif
|
||||
#ifdef __NR_open
|
||||
SC_DENY(open, EACCES),
|
||||
SC_DENY(__NR_open, EACCES),
|
||||
#endif
|
||||
#ifdef __NR_openat
|
||||
SC_DENY(openat, EACCES),
|
||||
SC_DENY(__NR_openat, EACCES),
|
||||
#endif
|
||||
#ifdef __NR_newfstatat
|
||||
SC_DENY(newfstatat, EACCES),
|
||||
SC_DENY(__NR_newfstatat, EACCES),
|
||||
#endif
|
||||
#ifdef __NR_stat
|
||||
SC_DENY(stat, EACCES),
|
||||
SC_DENY(__NR_stat, EACCES),
|
||||
#endif
|
||||
#ifdef __NR_stat64
|
||||
SC_DENY(stat64, EACCES),
|
||||
SC_DENY(__NR_stat64, EACCES),
|
||||
#endif
|
||||
|
||||
/* Syscalls to permit */
|
||||
#ifdef __NR_brk
|
||||
SC_ALLOW(brk),
|
||||
SC_ALLOW(__NR_brk),
|
||||
#endif
|
||||
#ifdef __NR_clock_gettime
|
||||
SC_ALLOW(clock_gettime),
|
||||
SC_ALLOW(__NR_clock_gettime),
|
||||
#endif
|
||||
#ifdef __NR_close
|
||||
SC_ALLOW(close),
|
||||
SC_ALLOW(__NR_close),
|
||||
#endif
|
||||
#ifdef __NR_exit
|
||||
SC_ALLOW(exit),
|
||||
SC_ALLOW(__NR_exit),
|
||||
#endif
|
||||
#ifdef __NR_exit_group
|
||||
SC_ALLOW(exit_group),
|
||||
SC_ALLOW(__NR_exit_group),
|
||||
#endif
|
||||
#ifdef __NR_getpgid
|
||||
SC_ALLOW(getpgid),
|
||||
SC_ALLOW(__NR_getpgid),
|
||||
#endif
|
||||
#ifdef __NR_getpid
|
||||
SC_ALLOW(getpid),
|
||||
SC_ALLOW(__NR_getpid),
|
||||
#endif
|
||||
#ifdef __NR_getrandom
|
||||
SC_ALLOW(getrandom),
|
||||
SC_ALLOW(__NR_getrandom),
|
||||
#endif
|
||||
#ifdef __NR_gettimeofday
|
||||
SC_ALLOW(gettimeofday),
|
||||
SC_ALLOW(__NR_gettimeofday),
|
||||
#endif
|
||||
#ifdef __NR_madvise
|
||||
SC_ALLOW(madvise),
|
||||
SC_ALLOW(__NR_madvise),
|
||||
#endif
|
||||
#ifdef __NR_mmap
|
||||
SC_ALLOW(mmap),
|
||||
SC_ALLOW(__NR_mmap),
|
||||
#endif
|
||||
#ifdef __NR_mmap2
|
||||
SC_ALLOW(mmap2),
|
||||
SC_ALLOW(__NR_mmap2),
|
||||
#endif
|
||||
#ifdef __NR_mremap
|
||||
SC_ALLOW(mremap),
|
||||
SC_ALLOW(__NR_mremap),
|
||||
#endif
|
||||
#ifdef __NR_munmap
|
||||
SC_ALLOW(munmap),
|
||||
SC_ALLOW(__NR_munmap),
|
||||
#endif
|
||||
#ifdef __NR__newselect
|
||||
SC_ALLOW(_newselect),
|
||||
SC_ALLOW(__NR__newselect),
|
||||
#endif
|
||||
#ifdef __NR_poll
|
||||
SC_ALLOW(poll),
|
||||
SC_ALLOW(__NR_poll),
|
||||
#endif
|
||||
#ifdef __NR_pselect6
|
||||
SC_ALLOW(pselect6),
|
||||
SC_ALLOW(__NR_pselect6),
|
||||
#endif
|
||||
#ifdef __NR_read
|
||||
SC_ALLOW(read),
|
||||
SC_ALLOW(__NR_read),
|
||||
#endif
|
||||
#ifdef __NR_rt_sigprocmask
|
||||
SC_ALLOW(rt_sigprocmask),
|
||||
SC_ALLOW(__NR_rt_sigprocmask),
|
||||
#endif
|
||||
#ifdef __NR_select
|
||||
SC_ALLOW(select),
|
||||
SC_ALLOW(__NR_select),
|
||||
#endif
|
||||
#ifdef __NR_shutdown
|
||||
SC_ALLOW(shutdown),
|
||||
SC_ALLOW(__NR_shutdown),
|
||||
#endif
|
||||
#ifdef __NR_sigprocmask
|
||||
SC_ALLOW(sigprocmask),
|
||||
SC_ALLOW(__NR_sigprocmask),
|
||||
#endif
|
||||
#ifdef __NR_time
|
||||
SC_ALLOW(time),
|
||||
SC_ALLOW(__NR_time),
|
||||
#endif
|
||||
#ifdef __NR_write
|
||||
SC_ALLOW(write),
|
||||
SC_ALLOW(__NR_write),
|
||||
#endif
|
||||
#ifdef __NR_socketcall
|
||||
SC_ALLOW_ARG(socketcall, 0, SYS_SHUTDOWN),
|
||||
SC_ALLOW_ARG(__NR_socketcall, 0, SYS_SHUTDOWN),
|
||||
#endif
|
||||
#if defined(__NR_ioctl) && defined(__s390__)
|
||||
/* Allow ioctls for ICA crypto card on s390 */
|
||||
SC_ALLOW_ARG(ioctl, 1, Z90STAT_STATUS_MASK),
|
||||
SC_ALLOW_ARG(ioctl, 1, ICARSAMODEXPO),
|
||||
SC_ALLOW_ARG(ioctl, 1, ICARSACRT),
|
||||
SC_ALLOW_ARG(__NR_ioctl, 1, Z90STAT_STATUS_MASK),
|
||||
SC_ALLOW_ARG(__NR_ioctl, 1, ICARSAMODEXPO),
|
||||
SC_ALLOW_ARG(__NR_ioctl, 1, ICARSACRT),
|
||||
#endif /* defined(__NR_ioctl) && defined(__s390__) */
|
||||
|
||||
/* Default deny */
|
||||
|
Loading…
Reference in New Issue
Block a user