// debug filter void filter_debug(void) { // start filter struct sock_filter filter[] = { VALIDATE_ARCHITECTURE, EXAMINE_SYSCALL }; // print sizes printf("SECCOMP Filter:\n"); if (sfilter == NULL) { printf("SECCOMP filter not allocated\n"); return; } if (sfilter_index < 4) return; // test the start of the filter if (memcmp(sfilter, filter, sizeof(filter)) == 0) { printf(" VALIDATE_ARCHITECTURE\n"); printf(" EXAMINE_SYSCAL\n"); } // loop trough blacklists int i = 4; while (i < sfilter_index) { // minimal parsing! unsigned char *ptr = (unsigned char *) &sfilter[i]; int *nr = (int *) (ptr + 4); if (*ptr == 0x15 && *(ptr +14) == 0xff && *(ptr + 15) == 0x7f ) { printf(" WHITELIST %d %s\n", *nr, syscall_find_nr(*nr)); i += 2; } else if (*ptr == 0x15 && *(ptr +14) == 0 && *(ptr + 15) == 0) { printf(" BLACKLIST %d %s\n", *nr, syscall_find_nr(*nr)); i += 2; } else if (*ptr == 0x15 && *(ptr +14) == 0x5 && *(ptr + 15) == 0) { int err = *(ptr + 13) << 8 | *(ptr + 12); printf(" ERRNO %d %s %d %s\n", *nr, syscall_find_nr(*nr), err, errno_find_nr(err)); i += 2; } else if (*ptr == 0x06 && *(ptr +6) == 0 && *(ptr + 7) == 0 ) { printf(" KILL_PROCESS\n"); i++; } else if (*ptr == 0x06 && *(ptr +6) == 0xff && *(ptr + 7) == 0x7f ) { printf(" RETURN_ALLOW\n"); i++; } else { printf(" UNKNOWN ENTRY!!!\n"); i++; } } }
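// Append a BLACKLIST(syscall) rule (a jeq on the syscall number followed by a
// kill return) to the file-scope sfilter array, growing the array first if the
// rule would not fit. Requires the filter to have been started already
// (sfilter, sfilter_alloc_size and sfilter_index all non-zero).
static void filter_add_blacklist(int syscall) {
	assert(sfilter);
	assert(sfilter_alloc_size);
	assert(sfilter_index);

	if (arg_debug)
		printf("Blacklisting syscall %d %s\n", syscall, syscall_find_nr(syscall));

	// build the rule first so the space check is derived from its real size
	// instead of a hard-coded instruction count
	const struct sock_filter filter[] = {
		BLACKLIST(syscall)
	};
	const int count = (int) (sizeof(filter) / sizeof(filter[0]));

	// NOTE(review): filter_realloc() is assumed to grow the array by at
	// least `count` entries; it is defined elsewhere in this file — confirm
	if (sfilter_index + count > sfilter_alloc_size)
		filter_realloc();

	memcpy(&sfilter[sfilter_index], filter, sizeof(filter));
	sfilter_index += count;
}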