redmine

[seccomp] Fixed building and running i386

@@ -64,7 +64,15 @@ @@ -64,7 +64,15 @@
64 # include <linux/filter.h> // struct sock_filter 64 # include <linux/filter.h> // struct sock_filter
65 # include <linux/seccomp.h> // SECCOMP_RET_* 65 # include <linux/seccomp.h> // SECCOMP_RET_*
66 66
67 -#define syscall_nr (offsetof(struct seccomp_data, nr)) 67 +# ifndef __NR_shmdt
  68 +# ifdef __i386__
  69 +# warning [security] Caution! __NR_shmdt is not defined. Setting it to -222.
  70 +# define __NR_shmdt -222
  71 +# endif
  72 +# endif
  73 +
  74 +
  75 +# define syscall_nr (offsetof(struct seccomp_data, nr))
68 76
69 /* Read: http://www.rawether.net/support/bpfhelp.htm */ 77 /* Read: http://www.rawether.net/support/bpfhelp.htm */
70 # define SECCOMP_COPY_SYSCALL_TO_ACCUM \ 78 # define SECCOMP_COPY_SYSCALL_TO_ACCUM \
@@ -84,19 +92,14 @@ @@ -84,19 +92,14 @@
84 SECCOMP_ALLOW_ACCUM_SYSCALL(futex), \ 92 SECCOMP_ALLOW_ACCUM_SYSCALL(futex), \
85 SECCOMP_ALLOW_ACCUM_SYSCALL(inotify_init1), \ 93 SECCOMP_ALLOW_ACCUM_SYSCALL(inotify_init1), \
86 SECCOMP_ALLOW_ACCUM_SYSCALL(alarm), \ 94 SECCOMP_ALLOW_ACCUM_SYSCALL(alarm), \
87 - SECCOMP_ALLOW_ACCUM_SYSCALL(stat), /* unused */ \  
88 - SECCOMP_ALLOW_ACCUM_SYSCALL(fstat), /* unused */ \  
89 - SECCOMP_ALLOW_ACCUM_SYSCALL(lstat), \  
90 SECCOMP_ALLOW_ACCUM_SYSCALL(open), \ 95 SECCOMP_ALLOW_ACCUM_SYSCALL(open), \
91 SECCOMP_ALLOW_ACCUM_SYSCALL(write), \ 96 SECCOMP_ALLOW_ACCUM_SYSCALL(write), \
92 SECCOMP_ALLOW_ACCUM_SYSCALL(close), \ 97 SECCOMP_ALLOW_ACCUM_SYSCALL(close), \
93 SECCOMP_ALLOW_ACCUM_SYSCALL(wait4), \ 98 SECCOMP_ALLOW_ACCUM_SYSCALL(wait4), \
94 SECCOMP_ALLOW_ACCUM_SYSCALL(unlink), \ 99 SECCOMP_ALLOW_ACCUM_SYSCALL(unlink), \
95 SECCOMP_ALLOW_ACCUM_SYSCALL(tgkill), \ 100 SECCOMP_ALLOW_ACCUM_SYSCALL(tgkill), \
96 - SECCOMP_ALLOW_ACCUM_SYSCALL(clock_gettime), \  
97 SECCOMP_ALLOW_ACCUM_SYSCALL(rt_sigreturn), \ 101 SECCOMP_ALLOW_ACCUM_SYSCALL(rt_sigreturn), \
98 SECCOMP_ALLOW_ACCUM_SYSCALL(brk), \ 102 SECCOMP_ALLOW_ACCUM_SYSCALL(brk), \
99 - SECCOMP_ALLOW_ACCUM_SYSCALL(mmap), \  
100 SECCOMP_ALLOW_ACCUM_SYSCALL(munmap), \ 103 SECCOMP_ALLOW_ACCUM_SYSCALL(munmap), \
101 SECCOMP_ALLOW_ACCUM_SYSCALL(wait4), \ 104 SECCOMP_ALLOW_ACCUM_SYSCALL(wait4), \
102 SECCOMP_ALLOW_ACCUM_SYSCALL(rmdir), \ 105 SECCOMP_ALLOW_ACCUM_SYSCALL(rmdir), \
@@ -111,18 +114,39 @@ @@ -111,18 +114,39 @@
111 SECCOMP_ALLOW_ACCUM_SYSCALL(set_robust_list), /* for --threading? */ \ 114 SECCOMP_ALLOW_ACCUM_SYSCALL(set_robust_list), /* for --threading? */ \
112 SECCOMP_ALLOW_ACCUM_SYSCALL(madvise), \ 115 SECCOMP_ALLOW_ACCUM_SYSCALL(madvise), \
113 SECCOMP_ALLOW_ACCUM_SYSCALL(exit), \ 116 SECCOMP_ALLOW_ACCUM_SYSCALL(exit), \
  117 + SECCOMP_ALLOW_ACCUM_SYSCALL(clock_gettime), \
  118 +
  119 +# ifdef __i386__
  120 +# define FILTER_TABLE_ARCHDEPENDED /* unused */ \
  121 + SECCOMP_ALLOW_ACCUM_SYSCALL(fstat64), \
  122 + SECCOMP_ALLOW_ACCUM_SYSCALL(lstat64), \
  123 + SECCOMP_ALLOW_ACCUM_SYSCALL(stat64), \
  124 + SECCOMP_ALLOW_ACCUM_SYSCALL(time), \
  125 + SECCOMP_ALLOW_ACCUM_SYSCALL(mmap2), \
  126 + SECCOMP_ALLOW_ACCUM_SYSCALL(gettimeofday), \
  127 + SECCOMP_ALLOW_ACCUM_SYSCALL(_newselect), \
114 128
  129 +# else
  130 +# define FILTER_TABLE_ARCHDEPENDED \
  131 + SECCOMP_ALLOW_ACCUM_SYSCALL(fstat), /* unused */ \
  132 + SECCOMP_ALLOW_ACCUM_SYSCALL(lstat), \
  133 + SECCOMP_ALLOW_ACCUM_SYSCALL(stat), /* unused */ \
  134 + SECCOMP_ALLOW_ACCUM_SYSCALL(mmap), \
  135 +
  136 +# endif
115 137
116 138
117 /* Syscalls allowed to non-privileged thread */ 139 /* Syscalls allowed to non-privileged thread */
118 static struct sock_filter filter_table[] = { 140 static struct sock_filter filter_table[] = {
119 SECCOMP_COPY_SYSCALL_TO_ACCUM, 141 SECCOMP_COPY_SYSCALL_TO_ACCUM,
120 FILTER_TABLE_NONPRIV 142 FILTER_TABLE_NONPRIV
  143 + FILTER_TABLE_ARCHDEPENDED
121 SECCOMP_DENY, 144 SECCOMP_DENY,
122 }; 145 };
123 static struct sock_filter filter_w_mprotect_table[] = { 146 static struct sock_filter filter_w_mprotect_table[] = {
124 SECCOMP_COPY_SYSCALL_TO_ACCUM, 147 SECCOMP_COPY_SYSCALL_TO_ACCUM,
125 FILTER_TABLE_NONPRIV 148 FILTER_TABLE_NONPRIV
  149 + FILTER_TABLE_ARCHDEPENDED
126 SECCOMP_ALLOW_ACCUM_SYSCALL(mprotect), 150 SECCOMP_ALLOW_ACCUM_SYSCALL(mprotect),
127 SECCOMP_DENY, 151 SECCOMP_DENY,
128 }; 152 };