common/Seccomp.cpp | 21 +++++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-)
New commits:
commit 08aa7d9149bea918386a3dc4475e130bfe93917e
Author: Corentin Noël <[email protected]>
AuthorDate: Fri Nov 22 16:49:28 2019 +0100
Commit: Michael Meeks <[email protected]>
CommitDate: Fri Nov 22 18:49:00 2019 +0100
Seccomp: add ARM support
Change-Id: I6982c6e68da5e2211f9dad0eb88fccab27230ed9
Reviewed-on: https://gerrit.libreoffice.org/83511
Reviewed-by: Michael Meeks <[email protected]>
Tested-by: Michael Meeks <[email protected]>
diff --git a/common/Seccomp.cpp b/common/Seccomp.cpp
index 534c3ce7b..c22937f9f 100644
--- a/common/Seccomp.cpp
+++ b/common/Seccomp.cpp
@@ -42,7 +42,12 @@
 #if defined(__x86_64__)
 # define AUDIT_ARCH_NR AUDIT_ARCH_X86_64
-# define REG_SYSCALL REG_RAX
+# define SECCOMP_REG(_ctx, _reg) ((_ctx)->uc_mcontext.gregs[(_reg)])
+# define SECCOMP_SYSCALL(_ctx) SECCOMP_REG(_ctx, REG_RAX)
+#elif defined(__arm__)
+# define AUDIT_ARCH_NR AUDIT_ARCH_ARM
+# define SECCOMP_REG(_ctx, _reg) ((_ctx)->uc_mcontext.arm_##_reg)
+# define SECCOMP_SYSCALL(_ctx) SECCOMP_REG(_ctx, r7)
 #else
 # error "Platform does not support seccomp filtering yet - unsafe."
 #endif
@@ -65,7 +70,7 @@ static void handleSysSignal(int /* signal */,
 if (info->si_code != SYS_SECCOMP || !uctx)
 return;
- unsigned int syscall = uctx->uc_mcontext.gregs[REG_SYSCALL];
+ unsigned int syscall = SECCOMP_SYSCALL (uctx);
 Log::signalLogPrefix();
 Log::signalLog(" seccomp trapped signal, un-authorized sys-call: ");
@@ -92,10 +97,13 @@ bool lockdown(Type type)
 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_##name, 0, 1), \
 BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
- #define KILL_SYSCALL(name) \
- BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_##name, 0, 1), \
+ #define KILL_SYSCALL_FULL(fullname) \
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, fullname, 0, 1), \
 BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_TRAP)
+ #define KILL_SYSCALL(name) \
+ KILL_SYSCALL_FULL(__NR_##name)
+
 struct sock_filter filterCode[] = {
 // Check our architecture is correct.
 BPF_STMT(BPF_LD+BPF_W+BPF_ABS, offsetof(struct seccomp_data, arch)),
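Review bot: The new `#elif defined(__arm__)` branch pins `AUDIT_ARCH_NR` to `AUDIT_ARCH_ARM`, but `__arm__` is also defined for big-endian ARM builds, where the kernel reports `AUDIT_ARCH_ARMEB`; if the filter's architecture compare (its load is in the third hunk, the compare itself is not visible here) rejects a mismatch, every syscall would be trapped on such a build. A nested `#if defined(__ARMEB__)` selecting `AUDIT_ARCH_ARMEB` and falling back to `AUDIT_ARCH_ARM` otherwise would keep the branch correct on both endiannesses. AArch64 does not define `__arm__`, so it still lands in the `#error` branch, which is the safe outcome. The two macros also deserve a line saying what they read, e.g. `// Syscall number as the kernel saw it at trap time: rax on x86_64, r7 under ARM EABI.`.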
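Review bot: The replacement line writes the macro call as `SECCOMP_SYSCALL (uctx)` with a space before the parenthesis, which no other call in the hunk (`Log::signalLogPrefix()`, `Log::signalLog(...)`) does; `unsigned int syscall = SECCOMP_SYSCALL(uctx);` matches the file. The assignment into `unsigned int` narrows the register value on both architectures, which is unchanged from the removed line but worth a short comment now that the source register is hidden behind a macro. handleSysSignal begins outside the hunk.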
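Review bot: `KILL_SYSCALL_FULL` is introduced without a comment saying when a caller should use it instead of `KILL_SYSCALL`, and the reason only becomes visible in the last hunk where it receives `__PNR_modify_ldt`. A one-liner above the macro would do: `// KILL_SYSCALL_FULL takes an already-expanded syscall number (e.g. a __PNR_* pseudo-number on an arch that lacks the syscall); KILL_SYSCALL wraps it for __NR_ names.`. The `ALLOW_SYSCALL` macro in the context lines above still expands `__NR_##name` inline, so if an allow-by-number form is ever needed the same split would apply there.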
@@ -145,7 +153,12 @@ bool lockdown(Type type)
 KILL_SYSCALL(uselib),
 KILL_SYSCALL(personality), // !
 KILL_SYSCALL(vhangup),
+#ifdef __NR_modify_ldt
 KILL_SYSCALL(modify_ldt), // !
+#endif
+#ifdef __PNR_modify_ldt
+ KILL_SYSCALL_FULL(__PNR_modify_ldt), // !
+#endif
 KILL_SYSCALL(pivot_root), // !
 KILL_SYSCALL(chroot),
 KILL_SYSCALL(acct), // !
_______________________________________________
Libreoffice-commits mailing list
[email protected]
https://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
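Review bot: The two guards around the modify_ldt rule are independent `#ifdef`s, so on a build where both `__NR_modify_ldt` and `__PNR_modify_ldt` are defined (libseccomp's syscall header appears to define the `__PNR_` value unconditionally and alias a missing `__NR_` name to it — worth confirming against the includes, which are outside this hunk) the filter gets two rules for the same number. Chaining them keeps exactly one: `#ifdef __NR_modify_ldt` / `    KILL_SYSCALL(modify_ldt), // !` / `#elif defined(__PNR_modify_ldt)`. If the `__PNR_` value is libseccomp's negative pseudo-number, the `BPF_JEQ` it produces can never match a real syscall and the rule is a documented no-op rather than a deny, which a short comment should say so the entry is not mistaken for coverage. Note that a guarded deny rule also vanishes silently when the macro is missing for any other reason, so a comment naming the architecture on which the syscall is expected to be absent would help a later reader tell intent from accident.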
