[lxc-devel] [lxc/lxc] 3ee26d: seccomp: filter syscalls based on arguments

GitHub noreply at github.com
Mon Nov 27 21:08:58 UTC 2017


  Branch: refs/heads/master
  Home:   https://github.com/lxc/lxc
  Commit: 3ee26d1983818685643151c16496558ffcf5ced8
      https://github.com/lxc/lxc/commit/3ee26d1983818685643151c16496558ffcf5ced8
  Author: LiFeng <lifeng68 at huawei.com>
  Date:   2017-11-27 (Mon, 27 Nov 2017)

  Changed paths:
    M src/lxc/seccomp.c

  Log Message:
  -----------
  seccomp: filter syscalls based on arguments

In order to support filtering syscalls based on arguments the seccomp version 2
specification is extended to the following form:

syscall_name action [index,value,op,valueTwo] [index,value,op]...

where the arguments of the tuple [index,value,valueTwo,op] have the following
meaning:
1. index (uint32_t):
   The index of the syscall argument.
2. value (uint64_t):
   The value for the syscall argument specified by "index".
3. valueTwo (uint64_t, optional):
   The value for the syscall argument specified by "index". This optional value
   is only valid in conjunction with SCMP_CMP_MASKED_EQ.
4. op (string):
   The operator for the syscall argument. Valid operators are the constants
   - SCMP_CMP_NE        (!=)
   - SCMP_CMP_LE        (<=)
   - SCMP_CMP_EQ        (==)
   - SCMP_CMP_GE        (>=)
   - SCMP_CMP_GT        (>)
   - SCMP_CMP_MASKED_EQ (&=)
   as defined by libseccomp >= v2.3.2.
   For convenience liblxc also understands the standard operator notation
   indicated in brackets after the libseccomp constants above as an equivalent
   notation.
Note that it is legal to specify multiple entries for the same syscall.

An example for an extended seccomp version 2 profile is:

2
blacklist allow
reject_force_umount  # comment this to allow umount -f;  not recommended
[all]
kexec_load errno 1 [0,1,SCMP_CMP_LE][3,1,==][5,1,SCMP_CMP_MASKED_EQ,1]
open_by_handle_at errno 1
init_module errno 1
finit_module errno 1
delete_module errno 1
unshare errno 9 [0,0x10000000,SCMP_CMP_EQ]
unshare errno 2 [0,0x20000000,SCMP_CMP_EQ]

Closes #1564.

Signed-off-by: LiFeng <lifeng68 at huawei.com>
Reviewed-by: Christian Brauner <christian.brauner at ubuntu.com>
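As an added illustration (not liblxc's own parser from src/lxc/seccomp.c, and not part of this commit), the following Python models the extended version 2 syntax described above: it parses the example profile, normalises the shorthand operators to their SCMP_CMP_* constants, rejects a valueTwo that is not paired with SCMP_CMP_MASKED_EQ, and reports which action a given syscall and argument vector would hit. The names `parse_profile`, `parse_rule`, `parse_arg_filter` and `decide` are this example's own; "first matching rule wins", ignoring [arch] sections, and the fallback for a masked comparison with no valueTwo are simplifying assumptions of the model rather than liblxc or libseccomp behaviour.

```python
"""Added model of the extended LXC seccomp v2 profile syntax; not liblxc's parser."""
import operator
import re
from collections import namedtuple
from dataclasses import dataclass

# Shorthand operators liblxc accepts, mapped to the libseccomp constants.
OPERATOR_ALIASES = {"!=": "SCMP_CMP_NE", "<=": "SCMP_CMP_LE", "==": "SCMP_CMP_EQ",
                    ">=": "SCMP_CMP_GE", ">": "SCMP_CMP_GT", "&=": "SCMP_CMP_MASKED_EQ"}
OPERATOR_ALIASES.update({c: c for c in list(OPERATOR_ALIASES.values())})
COMPARE = {"SCMP_CMP_NE": operator.ne, "SCMP_CMP_LE": operator.le, "SCMP_CMP_EQ": operator.eq,
           "SCMP_CMP_GE": operator.ge, "SCMP_CMP_GT": operator.gt}

# The profile from the commit message, embedded as sample input.
EXAMPLE_PROFILE = """\
2
blacklist allow
reject_force_umount  # comment this to allow umount -f;  not recommended
[all]
kexec_load errno 1 [0,1,SCMP_CMP_LE][3,1,==][5,1,SCMP_CMP_MASKED_EQ,1]
open_by_handle_at errno 1
init_module errno 1
finit_module errno 1
delete_module errno 1
unshare errno 9 [0,0x10000000,SCMP_CMP_EQ]
unshare errno 2 [0,0x20000000,SCMP_CMP_EQ]
"""

# One rule line: syscall name, action string such as "errno 1", argument filters.
Rule = namedtuple("Rule", "syscall action filters")

@dataclass
class ArgFilter:
    index: int                      # syscall argument number, 0..5
    value: int                      # datum, or the mask for SCMP_CMP_MASKED_EQ
    op: str                         # normalised SCMP_CMP_* constant
    value_two: "int | None" = None  # datum, SCMP_CMP_MASKED_EQ only

    def matches(self, args):
        if self.index >= len(args):
            return False
        arg = args[self.index]
        if self.op == "SCMP_CMP_MASKED_EQ":
            # libseccomp semantics: (arg & mask) == datum. Assumption of this
            # model: when valueTwo is omitted, every mask bit must be set.
            datum = self.value if self.value_two is None else self.value_two
            return (arg & self.value) == datum
        return COMPARE[self.op](arg, self.value)

def parse_arg_filter(text):
    """Parse one 'index,value,op[,valueTwo]' tuple (brackets removed)."""
    parts = [p.strip() for p in text.split(",")]
    if len(parts) not in (3, 4):
        raise ValueError(f"argument tuple needs 3 or 4 fields: [{text}]")
    index = int(parts[0], 0)
    if not 0 <= index <= 5:
        raise ValueError(f"syscall argument index out of range: {index}")
    op = OPERATOR_ALIASES.get(parts[2])
    if op is None:
        raise ValueError(f"unknown operator: {parts[2]}")
    value_two = int(parts[3], 0) if len(parts) == 4 else None
    if value_two is not None and op != "SCMP_CMP_MASKED_EQ":
        raise ValueError("valueTwo is only valid with SCMP_CMP_MASKED_EQ")
    return ArgFilter(index, int(parts[1], 0), op, value_two)

def parse_rule(line):
    """Parse 'syscall_name action [tuple][tuple]...' into a Rule."""
    head, _, tail = line.partition("[")
    tokens = head.split()
    tuples = re.findall(r"\[([^\]]*)\]", "[" + tail) if tail else []
    return Rule(tokens[0], " ".join(tokens[1:]), [parse_arg_filter(t) for t in tuples])

def parse_profile(text):
    """Parse a version-2 profile into its version, policy, flags and rules."""
    profile = {"version": None, "policy": None, "flags": set(), "rules": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        if not line:
            continue
        if profile["version"] is None:
            if line != "2":
                raise ValueError("only seccomp profile version 2 is modelled")
            profile["version"] = 2
        elif profile["policy"] is None:
            profile["policy"] = line.split()  # e.g. ['blacklist', 'allow']
        elif line.startswith("[") and line.endswith("]"):
            continue                          # [all]-style section; arch not modelled
        elif len(line.split()) == 1:
            profile["flags"].add(line)        # e.g. reject_force_umount
        else:
            profile["rules"].append(parse_rule(line))
    return profile

def decide(profile, syscall, args=()):
    """Action for syscall(*args); first fully matching rule wins (a simplification)."""
    for rule in profile["rules"]:
        if rule.syscall == syscall and all(f.matches(args) for f in rule.filters):
            return rule.action
    policy = profile["policy"]
    if len(policy) > 1:
        return policy[1]                      # default action named on the policy line
    return "allow" if policy[0] == "blacklist" else "kill"
```

With the example profile loaded, `decide(profile, "unshare", (0x10000000,))` yields `errno 9` and `decide(profile, "unshare", (0x20000000,))` yields `errno 2`, while any other flags value falls through to the blacklist default `allow`; this is the point of the change, since the two unshare entries differ only in their argument tuple. The kexec_load line shows all three tuples being ANDed: (1, 0, 0, 1, 0, 1) hits `errno 1`, but changing argument 0 to 2 (fails `<= 1`) or argument 5 to 2 (fails the masked compare against bit 0) lets the call through.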
