[seccomp] Add support for AArch64
This is useful for 64-bit Raspberry Pis and other 64-bit ARM systems.
parent
ca0d608a87
commit
271eef83d3
@ -31,6 +31,8 @@
|
|||||||
# define ARCH_NR AUDIT_ARCH_X86_64
|
# define ARCH_NR AUDIT_ARCH_X86_64
|
||||||
#elif defined(__arm__)
|
#elif defined(__arm__)
|
||||||
# define ARCH_NR AUDIT_ARCH_ARM
|
# define ARCH_NR AUDIT_ARCH_ARM
|
||||||
|
#elif defined(__aarch64__)
|
||||||
|
# define ARCH_NR AUDIT_ARCH_AARCH64
|
||||||
#else
|
#else
|
||||||
# error "Seccomp-bpf sandbox unsupported on this architecture"
|
# error "Seccomp-bpf sandbox unsupported on this architecture"
|
||||||
#endif
|
#endif
|
||||||
@ -105,9 +107,18 @@
|
|||||||
BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
|
BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
|
||||||
offsetof(struct seccomp_data, nr))
|
offsetof(struct seccomp_data, nr))
|
||||||
|
|
||||||
|
/*
|
||||||
|
* This is a special case for AArch64 where this syscall apparently only
|
||||||
|
* exists in 32-bit compatibility mode, so we can't include the definition
|
||||||
|
* even though it gets called somewhere in libc.
|
||||||
|
*/
|
||||||
|
#if defined(__aarch64__) && !defined(__NR_fstatat64)
|
||||||
|
#define __NR_fstatat64 0x4f
|
||||||
|
#endif
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* The main supported configuration is Linux on x86_64 with either glibc or
|
* The main supported configuration is Linux on x86_64 with either glibc or
|
||||||
* musl-libc, with secondary support for Linux on the Raspberry Pi (ARM).
|
* musl-libc, with secondary support for x86, ARM and ARM64 (AAarch64) Linux.
|
||||||
*
|
*
|
||||||
* Syscalls marked with "maybe" don't seem to be used in the default
|
* Syscalls marked with "maybe" don't seem to be used in the default
|
||||||
* configuration, but should probably be whitelisted anyway.
|
* configuration, but should probably be whitelisted anyway.
|
||||||
@ -135,16 +146,24 @@ static sock_filter filter[] = {
|
|||||||
ALLOW_SYSCALL(brk),
|
ALLOW_SYSCALL(brk),
|
||||||
|
|
||||||
// basic file IO
|
// basic file IO
|
||||||
|
#ifdef __NR_open
|
||||||
ALLOW_SYSCALL(open),
|
ALLOW_SYSCALL(open),
|
||||||
|
#endif
|
||||||
ALLOW_SYSCALL(openat),
|
ALLOW_SYSCALL(openat),
|
||||||
ALLOW_SYSCALL(read),
|
ALLOW_SYSCALL(read),
|
||||||
ALLOW_SYSCALL(write),
|
ALLOW_SYSCALL(write),
|
||||||
ALLOW_SYSCALL(close),
|
ALLOW_SYSCALL(close),
|
||||||
|
#if __NR_stat
|
||||||
ALLOW_SYSCALL(stat),
|
ALLOW_SYSCALL(stat),
|
||||||
|
#endif
|
||||||
ALLOW_SYSCALL(fstat),
|
ALLOW_SYSCALL(fstat),
|
||||||
ALLOW_SYSCALL(fsync), // maybe
|
ALLOW_SYSCALL(fsync), // maybe
|
||||||
|
#if __NR_creat
|
||||||
ALLOW_SYSCALL(creat), // maybe; for DB journal
|
ALLOW_SYSCALL(creat), // maybe; for DB journal
|
||||||
|
#endif
|
||||||
|
#if __NR_unlink
|
||||||
ALLOW_SYSCALL(unlink), // for DB journal
|
ALLOW_SYSCALL(unlink), // for DB journal
|
||||||
|
#endif
|
||||||
ALLOW_SYSCALL(lseek), // musl-libc; alt DB
|
ALLOW_SYSCALL(lseek), // musl-libc; alt DB
|
||||||
ALLOW_SYSCALL(truncate), // for truncate-mode DB
|
ALLOW_SYSCALL(truncate), // for truncate-mode DB
|
||||||
ALLOW_SYSCALL(ftruncate), // for truncate-mode DB
|
ALLOW_SYSCALL(ftruncate), // for truncate-mode DB
|
||||||
@ -183,7 +202,9 @@ static sock_filter filter[] = {
|
|||||||
ALLOW_SYSCALL(futex),
|
ALLOW_SYSCALL(futex),
|
||||||
|
|
||||||
// networking
|
// networking
|
||||||
|
#ifdef __NR_poll
|
||||||
ALLOW_SYSCALL(poll),
|
ALLOW_SYSCALL(poll),
|
||||||
|
#endif
|
||||||
#ifdef __NR_accept
|
#ifdef __NR_accept
|
||||||
ALLOW_SYSCALL(accept),
|
ALLOW_SYSCALL(accept),
|
||||||
#endif
|
#endif
|
||||||
@ -252,6 +273,17 @@ static sock_filter filter[] = {
|
|||||||
ALLOW_SYSCALL(clock_nanosleep_time64), // maybe
|
ALLOW_SYSCALL(clock_nanosleep_time64), // maybe
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
// AArch64 (ARM64)
|
||||||
|
#if __NR_unlinkat
|
||||||
|
ALLOW_SYSCALL(unlinkat),
|
||||||
|
#endif
|
||||||
|
#ifdef __NR_fstatat64
|
||||||
|
ALLOW_SYSCALL(fstatat64),
|
||||||
|
#endif
|
||||||
|
#ifdef __NR_ppoll
|
||||||
|
ALLOW_SYSCALL(ppoll),
|
||||||
|
#endif
|
||||||
|
|
||||||
KILL_PROCESS
|
KILL_PROCESS
|
||||||
};
|
};
|
||||||
|
|
||||||
|
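Review bot: The three entries added under `// AArch64 (ARM64)` just before `KILL_PROCESS` are guarded only by whether the syscall number is defined, so `unlinkat` and `ppoll` also become allowed on x86_64 and 32-bit ARM builds, whose headers define them too. Unless those calls are already allowed elsewhere in `filter[]` (the array starts and continues outside the visible hunks), this widens the sandbox on the primary platform. Wrapping the group in `#if defined(__aarch64__)` … `#endif` would keep the addition scoped to the port. The hand-written `#define __NR_fstatat64 0x4f` uses the number the AArch64 headers expose as `__NR_newfstatat`, so `#ifdef __NR_newfstatat` with `ALLOW_SYSCALL(newfstatat),` would avoid defining a reserved `__NR_` name and would correct the comment's claim that the call is compat-only. The new guards also mix `#if __NR_stat` / `#if __NR_creat` / `#if __NR_unlink` / `#if __NR_unlinkat` with `#ifdef __NR_open`; `#ifdef` throughout is consistent, stays correct for a syscall numbered 0, and is quiet under `-Wundef`.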