* found in the LICENSE file.
*/
#define _GNU_SOURCE 1
-#include <stdio.h>
#include <stddef.h>
#include <stdlib.h>
#include <unistd.h>
-#include <syslog.h>
#include <libubox/utils.h>
#include <libubox/blobmsg.h>
#include "seccomp.h"
#include "../syscall-names.h"
-static int max_syscall = ARRAY_SIZE(syscall_names);
-
static int find_syscall(const char *name)
{
int i;
- for (i = 0; i < max_syscall; i++)
- if (syscall_names[i] && !strcmp(syscall_names[i], name))
- return i;
+ for (i = 0; i < SYSCALL_COUNT; i++) {
+ int sc = syscall_index_to_number(i);
+ if (syscall_name(sc) && !strcmp(syscall_name(sc), name))
+ return sc;
+ }
return -1;
}
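Review bot: The rewritten loop calls `syscall_name(sc)` twice per iteration (once for the NULL check, once for the strcmp), so every lookup does two table/translation calls per candidate; caching it reads better and halves the calls: `const char *n = syscall_name(sc); if (n && !strcmp(n, name)) return sc;`. The loop also still relies on `strcmp`, and this hunk drops `<stdio.h>` without showing whether `<string.h>` is included elsewhere — worth confirming the file builds without an implicit declaration. Since `syscall_index_to_number()` and `SYSCALL_COUNT` now come from the shared header, a one-line comment on `find_syscall` stating that it returns the kernel syscall number (not the table index) or -1 would save the next reader from assuming the old index semantics, e.g. `/* map a syscall name from the policy file to its number on this arch; -1 if unknown */`.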
blob_buf_init(&b, 0);
if (!blobmsg_add_json_from_file(&b, file)) {
- INFO("%s: failed to load %s\n", argv, file);
+ ERROR("%s: failed to load %s\n", argv, file);
return -1;
}
blobmsg_parse(policy, __SECCOMP_MAX, tb, blob_data(b.head), blob_len(b.head));
if (!tb[SECCOMP_WHITELIST]) {
- INFO("%s: %s is missing the syscall table\n", argv, file);
+ ERROR("%s: %s is missing the syscall table\n", argv, file);
return -1;
}
filter = calloc(sz, sizeof(struct sock_filter));
if (!filter) {
- INFO("failed to allocate filter memory\n");
+ ERROR("failed to allocate filter memory\n");
return -1;
}
}
if (default_policy)
- /* return -1 and set errno */
- set_filter(&filter[idx], BPF_RET + BPF_K, 0, 0, SECCOMP_RET_LOGGER(default_policy));
+ /* notify tracer; without tracer return -1 and set errno to ENOSYS */
+ set_filter(&filter[idx], BPF_RET + BPF_K, 0, 0, SECCOMP_RET_TRACE);
else
/* kill the process */
set_filter(&filter[idx], BPF_RET + BPF_K, 0, 0, SECCOMP_RET_KILL);
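Review bot: Switching the default action to `SECCOMP_RET_TRACE` changes the trust model, and the new comment does not say so: a ptrace tracer attached to the sandboxed process can now rewrite or allow any non-whitelisted syscall, and per seccomp(2) kernels before 4.8 do not re-run the filter after the tracer is notified, so an attacker who can ptrace the process could use this path to escape the sandbox. The note should state that the tracer is trusted and that the filter must not allow `ptrace` to untrusted peers, e.g. `/* notify tracer (trusted: it may alter the call); without tracer the kernel returns -1/ENOSYS */`. The value of `default_policy` is also no longer carried in the return action as it was with `SECCOMP_RET_LOGGER(default_policy)`; if the tracer needs to distinguish policies, `SECCOMP_RET_TRACE | (default_policy & SECCOMP_RET_DATA)` would expose it via PTRACE_GETEVENTMSG, otherwise say in the comment that `default_policy` is now only a boolean switch. The enclosing function starts before and continues after this hunk.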
if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
- INFO("%s: prctl(PR_SET_NO_NEW_PRIVS) failed: %s\n", argv, strerror(errno));
+ ERROR("%s: prctl(PR_SET_NO_NEW_PRIVS) failed: %s\n", argv, strerror(errno));
return errno;
}
prog.filter = filter;
if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) {
- INFO("%s: prctl(PR_SET_SECCOMP) failed: %s\n", argv, strerror(errno));
+ ERROR("%s: prctl(PR_SET_SECCOMP) failed: %s\n", argv, strerror(errno));
return errno;
}
return 0;