[thirdparty/util-linux.git] / misc-utils / enosys.c

/*
 * Copyright (C) 2023 Thomas Weißschuh <thomas@t-8ch.de>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it would be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License along
 * with this program; if not, write to the Free Software Foundation, Inc.,
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */

#include <stddef.h>
#include <stdbool.h>
#include <getopt.h>

#include <linux/unistd.h>
#include <linux/audit.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/ioctl.h>

#include "c.h"
#include "exitcodes.h"
#include "nls.h"
#include "bitops.h"
#include "audit-arch.h"
#include "list.h"
#include "xalloc.h"
#include "strutils.h"
#include "seccomp.h"
#include "all-io.h"

#define IS_LITTLE_ENDIAN (__BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__)

#define syscall_nr (offsetof(struct seccomp_data, nr))
#define syscall_arch (offsetof(struct seccomp_data, arch))
#define _syscall_arg(n) (offsetof(struct seccomp_data, args[n]))
#define syscall_arg_lower32(n) (_syscall_arg(n) + 4 * !IS_LITTLE_ENDIAN)
#define syscall_arg_upper32(n) (_syscall_arg(n) + 4 * IS_LITTLE_ENDIAN)

struct syscall {
	const char *const name;
	long number;
};

/* When the alias arrays are empty the compiler emits -Wtype-limits warnings.
 * Avoid those by going through this function. */
static inline bool lt(size_t a, size_t b)
{
	return a < b;
}

static const struct syscall syscalls[] = {
#define UL_SYSCALL(name, nr) { name, nr },
#include "syscalls.h"
#undef UL_SYSCALL
};

static const struct syscall errnos[] = {
#define UL_ERRNO(name, nr) { name, nr },
#include "errnos.h"
#undef UL_ERRNO
};

static const struct syscall ioctls[] = {
	{ "FIOCLEX", FIOCLEX },
};

static void __attribute__((__noreturn__)) usage(void)
{
	FILE *out = stdout;

	fputs(USAGE_HEADER, out);
	fprintf(out, _(" %s [options] -- <command>\n"), program_invocation_short_name);

	fputs(USAGE_OPTIONS, out);
	fputs(_(" -s, --syscall           syscall to block\n"), out);
	fputs(_(" -i, --ioctl             ioctl to block\n"), out);
	fputs(_(" -l, --list              list known syscalls\n"), out);
	fputs(_(" -d, --dump[=<file>]     dump seccomp bytecode\n"), out);

	fputs(USAGE_SEPARATOR, out);
	fprintf(out, USAGE_HELP_OPTIONS(25));

	fprintf(out, USAGE_MAN_TAIL("enosys(1)"));

	exit(EXIT_SUCCESS);
}

struct blocked_number {
	struct list_head head;
	long number;
	int ret;
};

static struct blocked_number *parse_block(const char *s, int ret, const struct syscall entities[], size_t n_entities)
{
	struct blocked_number *blocked;
	const char *name, *error_name;
	long blocked_number;
	char *colon;
	bool found;
	size_t i;

	colon = strchr(s, ':');
	if (colon) {
		name = xstrndup(s, colon - s);
		error_name = colon + 1;

		found = 0;
		for (i = 0; i < ARRAY_SIZE(errnos); i++) {
			if (strcmp(error_name, errnos[i].name) == 0) {
				ret = errnos[i].number;
				found = 1;
				break;
			}
		}
		if (!found)
			ret = str2num_or_err(
					colon + 1, 10, _("Unknown errno"), 0, INT_MAX);
	} else {
		name = s;
	}

	found = 0;
	for (i = 0; i < n_entities; i++) {
		if (strcmp(name, entities[i].name) == 0) {
			blocked_number = entities[i].number;
			found = 1;
			break;
		}
	}
	if (!found)
		blocked_number = str2num_or_err(
				name, 10, _("Unknown syscall"), 0, LONG_MAX);

	blocked = xmalloc(sizeof(*blocked));
	blocked->number = blocked_number;
	blocked->ret = ret;

	if (name != s)
		free((char *)name);

	return blocked;
}

int main(int argc, char **argv)
{
	int c;
	size_t i;
	FILE *dump = NULL;
	static const struct option longopts[] = {
		{ "syscall",    required_argument, NULL, 's' },
		{ "ioctl",      required_argument, NULL, 'i' },
		{ "list",       no_argument,       NULL, 'l' },
		{ "list-ioctl", no_argument,       NULL, 'm' },
		{ "dump",       optional_argument, NULL, 'd' },
		{ "version",    no_argument,       NULL, 'V' },
		{ "help",       no_argument,       NULL, 'h' },
		{ 0 }
	};

	struct blocked_number *blocked;
	struct list_head *loop_ctr;
	struct list_head blocked_syscalls;
	bool blocking_execve = false;
	INIT_LIST_HEAD(&blocked_syscalls);
	struct list_head blocked_ioctls;
	INIT_LIST_HEAD(&blocked_ioctls);

	setlocale(LC_ALL, "");
	bindtextdomain(PACKAGE, LOCALEDIR);
	textdomain(PACKAGE);

	while ((c = getopt_long (argc, argv, "+Vhs:i:lmd::", longopts, NULL)) != -1) {
		switch (c) {
		case 's':
			blocked = parse_block(optarg, ENOSYS, syscalls, ARRAY_SIZE(syscalls));
			list_add(&blocked->head, &blocked_syscalls);
			if (blocked->number == __NR_execve)
				blocking_execve = true;

			break;
		case 'i':
			blocked = parse_block(optarg, ENOTTY, ioctls, ARRAY_SIZE(ioctls));
			list_add(&blocked->head, &blocked_ioctls);

			break;
		case 'l':
			for (i = 0; lt(i, ARRAY_SIZE(syscalls)); i++)
				printf("%5ld %s\n", syscalls[i].number, syscalls[i].name);
			return EXIT_SUCCESS;
		case 'm':
			for (i = 0; lt(i, ARRAY_SIZE(ioctls)); i++)
				printf("%5ld %s\n", ioctls[i].number, ioctls[i].name);
			return EXIT_SUCCESS;
		case 'd':
			if (optarg) {
				dump = fopen(optarg, "w");
				if (!dump)
					err(EXIT_FAILURE, _("Could not open %s"), optarg);
			} else {
				dump = stdout;
			}
			break;
		case 'V':
			print_version(EXIT_SUCCESS);
		case 'h':
			usage();
		default:
			errtryhelp(EXIT_FAILURE);
		}
	}

	if (!dump && optind >= argc)
		errtryhelp(EXIT_FAILURE);

	struct sock_filter filter[BPF_MAXINSNS];
	struct sock_filter *f = filter;

#define INSTR(_instruction)                                        \
	if (f == &filter[ARRAY_SIZE(filter)])                      \
		errx(EXIT_FAILURE, _("filter too big")); \
	*f++ = (struct sock_filter) _instruction

	INSTR(BPF_STMT(BPF_LD | BPF_W | BPF_ABS, syscall_arch));
	INSTR(BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SECCOMP_ARCH_NATIVE, 1, 0));
	INSTR(BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRAP));

	/* Blocking "execve" normally would also block our own call to
	 * it and the end of main. To distinguish between our execve
	 * and the execve to be blocked, compare the environ pointer.
	 *
	 * See https://lore.kernel.org/all/CAAnLoWnS74dK9Wq4EQ-uzQ0qCRfSK-dLqh+HCais-5qwDjrVzg@mail.gmail.com/
	 */
	if (blocking_execve) {
		INSTR(BPF_STMT(BPF_LD | BPF_W | BPF_ABS, syscall_nr));
		INSTR(BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_execve, 0, 5));
		INSTR(BPF_STMT(BPF_LD | BPF_W | BPF_ABS, syscall_arg_lower32(2)));
		INSTR(BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (uint64_t)(uintptr_t) environ, 0, 3));
		INSTR(BPF_STMT(BPF_LD | BPF_W | BPF_ABS, syscall_arg_upper32(2)));
		INSTR(BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (uint64_t)(uintptr_t) environ >> 32, 0, 1));
		INSTR(BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW));
	}

	INSTR(BPF_STMT(BPF_LD | BPF_W | BPF_ABS, syscall_nr));

	list_for_each(loop_ctr, &blocked_syscalls) {
		blocked = list_entry(loop_ctr, struct blocked_number, head);

		INSTR(BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, blocked->number, 0, 1));
		INSTR(BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | blocked->ret));
	}

	if (!list_empty(&blocked_ioctls)) {
		INSTR(BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_ioctl, 1, 0));
		INSTR(BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW));

		list_for_each(loop_ctr, &blocked_ioctls) {
			blocked = list_entry(loop_ctr, struct blocked_number, head);

			INSTR(BPF_STMT(BPF_LD | BPF_W | BPF_ABS, syscall_arg_lower32(1)));
			INSTR(BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (uint64_t) blocked->number, 0, 3));
			INSTR(BPF_STMT(BPF_LD | BPF_W | BPF_ABS, syscall_arg_upper32(1)));
			INSTR(BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (uint64_t) blocked->number >> 32, 0, 1));
			INSTR(BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | blocked->ret));
		}
	}

	INSTR(BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW));

	if (dump) {
		if (fwrite_all(filter, (f - filter) * sizeof(filter[0]), 1, dump))
			err(EXIT_FAILURE, _("Could not dump seccomp filter"));
		return EXIT_SUCCESS;
	}

	struct sock_fprog prog = {
		.len    = f - filter,
		.filter = filter,
	};

	/* *SET* below will return EINVAL when either the filter is invalid or
	 * seccomp is not supported. To distinguish those cases do a *GET* here
	 */
	if (prctl(PR_GET_SECCOMP) == -1 && errno == EINVAL)
		err(EXIT_NOTSUPP, _("Seccomp non-functional"));

	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))
		err_nosys(EXIT_FAILURE, _("Could not run prctl(PR_SET_NO_NEW_PRIVS)"));

	if (ul_set_seccomp_filter_spec_allow(&prog))
		err_nosys(EXIT_FAILURE, _("Could not seccomp filter"));

	if (execvp(argv[optind], argv + optind))
		err(EXIT_NOTSUPP, _("Could not exec"));
}
Commit	Line	Data
c93114cd TW	1	/*
	2	* Copyright (C) 2023 Thomas Weißschuh <thomas@t-8ch.de>
	3	*
	4	* This program is free software; you can redistribute it and/or modify
	5	* it under the terms of the GNU General Public License as published by
	6	* the Free Software Foundation; either version 2 of the License, or
	7	* (at your option) any later version.
	8	*
	9	* This program is distributed in the hope that it would be useful,
	10	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	11	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	12	* GNU General Public License for more details.
	13	*
	14	* You should have received a copy of the GNU General Public License along
	15	* with this program; if not, write to the Free Software Foundation, Inc.,
	16	* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
	17	*/
	18
	19	#include <stddef.h>
	20	#include <stdbool.h>
	21	#include <getopt.h>
	22
	23	#include <linux/unistd.h>
c93114cd TW	24	#include <linux/audit.h>
c93114cd TW	25	#include <sys/prctl.h>
6c1bd545	26	#include <sys/syscall.h>
65bf3c73	27	#include <sys/ioctl.h>
c93114cd TW	28
	29	#include "c.h"
	30	#include "exitcodes.h"
13d1cbce	31	#include "nls.h"
afb669af	32	#include "bitops.h"
29e3f737	33	#include "audit-arch.h"
358e3e43 TW	34	#include "list.h"
	35	#include "xalloc.h"
	36	#include "strutils.h"
fd1786d3	37	#include "seccomp.h"
e6e606a9	38	#include "all-io.h"
c93114cd	39
afb669af	40	#define IS_LITTLE_ENDIAN (__BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__)
7626054c	41
c93114cd	42	#define syscall_nr (offsetof(struct seccomp_data, nr))
9e8fb1f5	43	#define syscall_arch (offsetof(struct seccomp_data, arch))
05a5e48c TW	44	#define _syscall_arg(n) (offsetof(struct seccomp_data, args[n]))
	45	#define syscall_arg_lower32(n) (_syscall_arg(n) + 4 * !IS_LITTLE_ENDIAN)
	46	#define syscall_arg_upper32(n) (_syscall_arg(n) + 4 * IS_LITTLE_ENDIAN)
c93114cd TW	47
	48	struct syscall {
	49	const char *const name;
58fe2636	50	long number;
c93114cd TW	51	};
c93114cd TW	52
1078c4ae TW	53	/* When the alias arrays are empty the compiler emits -Wtype-limits warnings.
	54	* Avoid those by going through this function. */
	55	static inline bool lt(size_t a, size_t b)
	56	{
	57	return a < b;
	58	}
	59
165fbfd4	60	static const struct syscall syscalls[] = {
69e542bd TW	61	#define UL_SYSCALL(name, nr) { name, nr },
	62	#include "syscalls.h"
	63	#undef UL_SYSCALL
c93114cd TW	64	};
c93114cd TW	65
ced129dc TW	66	static const struct syscall errnos[] = {
	67	#define UL_ERRNO(name, nr) { name, nr },
	68	#include "errnos.h"
	69	#undef UL_ERRNO
	70	};
	71
65bf3c73 TW	72	static const struct syscall ioctls[] = {
	73	{ "FIOCLEX", FIOCLEX },
	74	};
65bf3c73	75
344ba205 TW	76	static void __attribute__((__noreturn__)) usage(void)
	77	{
	78	FILE *out = stdout;
	79
	80	fputs(USAGE_HEADER, out);
	81	fprintf(out, _(" %s [options] -- <command>\n"), program_invocation_short_name);
	82
	83	fputs(USAGE_OPTIONS, out);
	84	fputs(_(" -s, --syscall syscall to block\n"), out);
65bf3c73	85	fputs(_(" -i, --ioctl ioctl to block\n"), out);
7f104027	86	fputs(_(" -l, --list list known syscalls\n"), out);
90cb3825	87	fputs(_(" -d, --dump[=<file>] dump seccomp bytecode\n"), out);
344ba205 TW	88
	89	fputs(USAGE_SEPARATOR, out);
	90	fprintf(out, USAGE_HELP_OPTIONS(25));
	91
	92	fprintf(out, USAGE_MAN_TAIL("enosys(1)"));
	93
	94	exit(EXIT_SUCCESS);
	95	}
	96
358e3e43 TW	97	struct blocked_number {
	98	struct list_head head;
	99	long number;
766a9bd6	100	int ret;
358e3e43 TW	101	};
358e3e43 TW	102
ced129dc	103	static struct blocked_number parse_block(const char s, int ret, const struct syscall entities[], size_t n_entities)
766a9bd6 TW	104	{
766a9bd6 TW	105	struct blocked_number *blocked;
ced129dc	106	const char name, error_name;
766a9bd6	107	long blocked_number;
ced129dc	108	char *colon;
766a9bd6 TW	109	bool found;
	110	size_t i;
	111
ced129dc TW	112	colon = strchr(s, ':');
	113	if (colon) {
	114	name = xstrndup(s, colon - s);
	115	error_name = colon + 1;
	116
	117	found = 0;
	118	for (i = 0; i < ARRAY_SIZE(errnos); i++) {
	119	if (strcmp(error_name, errnos[i].name) == 0) {
	120	ret = errnos[i].number;
	121	found = 1;
	122	break;
	123	}
	124	}
	125	if (!found)
	126	ret = str2num_or_err(
	127	colon + 1, 10, _("Unknown errno"), 0, INT_MAX);
	128	} else {
	129	name = s;
	130	}
	131
766a9bd6	132	found = 0;
ced129dc TW	133	for (i = 0; i < n_entities; i++) {
	134	if (strcmp(name, entities[i].name) == 0) {
	135	blocked_number = entities[i].number;
766a9bd6 TW	136	found = 1;
	137	break;
	138	}
	139	}
	140	if (!found)
	141	blocked_number = str2num_or_err(
ced129dc	142	name, 10, _("Unknown syscall"), 0, LONG_MAX);
766a9bd6 TW	143
	144	blocked = xmalloc(sizeof(*blocked));
	145	blocked->number = blocked_number;
	146	blocked->ret = ret;
	147
	148	if (name != s)
	149	free((char *)name);
	150
	151	return blocked;
	152	}
	153
c93114cd TW	154	int main(int argc, char **argv)
c93114cd TW	155	{
2aeb519a	156	int c;
c93114cd	157	size_t i;
90cb3825	158	FILE *dump = NULL;
c93114cd	159	static const struct option longopts[] = {
65bf3c73 TW	160	{ "syscall", required_argument, NULL, 's' },
	161	{ "ioctl", required_argument, NULL, 'i' },
	162	{ "list", no_argument, NULL, 'l' },
	163	{ "list-ioctl", no_argument, NULL, 'm' },
90cb3825	164	{ "dump", optional_argument, NULL, 'd' },
65bf3c73 TW	165	{ "version", no_argument, NULL, 'V' },
65bf3c73 TW	166	{ "help", no_argument, NULL, 'h' },
c93114cd TW	167	{ 0 }
	168	};
	169
358e3e43	170	struct blocked_number *blocked;
65bf3c73	171	struct list_head *loop_ctr;
358e3e43	172	struct list_head blocked_syscalls;
8edbb62b	173	bool blocking_execve = false;
358e3e43	174	INIT_LIST_HEAD(&blocked_syscalls);
65bf3c73 TW	175	struct list_head blocked_ioctls;
65bf3c73 TW	176	INIT_LIST_HEAD(&blocked_ioctls);
c93114cd	177
d191a7be TW	178	setlocale(LC_ALL, "");
	179	bindtextdomain(PACKAGE, LOCALEDIR);
	180	textdomain(PACKAGE);
	181
90cb3825	182	while ((c = getopt_long (argc, argv, "+Vhs:i:lmd::", longopts, NULL)) != -1) {
c93114cd TW	183	switch (c) {
c93114cd TW	184	case 's':
766a9bd6	185	blocked = parse_block(optarg, ENOSYS, syscalls, ARRAY_SIZE(syscalls));
358e3e43	186	list_add(&blocked->head, &blocked_syscalls);
766a9bd6	187	if (blocked->number == __NR_execve)
8edbb62b	188	blocking_execve = true;
358e3e43	189
65bf3c73 TW	190	break;
65bf3c73 TW	191	case 'i':
766a9bd6	192	blocked = parse_block(optarg, ENOTTY, ioctls, ARRAY_SIZE(ioctls));
65bf3c73 TW	193	list_add(&blocked->head, &blocked_ioctls);
65bf3c73 TW	194
c93114cd	195	break;
7f104027	196	case 'l':
1078c4ae	197	for (i = 0; lt(i, ARRAY_SIZE(syscalls)); i++)
e9e52c79	198	printf("%5ld %s\n", syscalls[i].number, syscalls[i].name);
7f104027	199	return EXIT_SUCCESS;
65bf3c73	200	case 'm':
1078c4ae	201	for (i = 0; lt(i, ARRAY_SIZE(ioctls)); i++)
65bf3c73 TW	202	printf("%5ld %s\n", ioctls[i].number, ioctls[i].name);
65bf3c73 TW	203	return EXIT_SUCCESS;
e6e606a9	204	case 'd':
90cb3825 TW	205	if (optarg) {
	206	dump = fopen(optarg, "w");
	207	if (!dump)
	208	err(EXIT_FAILURE, _("Could not open %s"), optarg);
	209	} else {
	210	dump = stdout;
	211	}
e6e606a9	212	break;
344ba205 TW	213	case 'V':
	214	print_version(EXIT_SUCCESS);
	215	case 'h':
	216	usage();
c93114cd	217	default:
344ba205	218	errtryhelp(EXIT_FAILURE);
c93114cd TW	219	}
	220	}
	221
e6e606a9	222	if (!dump && optind >= argc)
344ba205	223	errtryhelp(EXIT_FAILURE);
c93114cd	224
3085fabe TW	225	struct sock_filter filter[BPF_MAXINSNS];
	226	struct sock_filter *f = filter;
	227
	228	#define INSTR(_instruction) \
	229	if (f == &filter[ARRAY_SIZE(filter)]) \
	230	errx(EXIT_FAILURE, _("filter too big")); \
	231	*f++ = (struct sock_filter) _instruction
	232
	233	INSTR(BPF_STMT(BPF_LD \| BPF_W \| BPF_ABS, syscall_arch));
	234	INSTR(BPF_JUMP(BPF_JMP \| BPF_JEQ \| BPF_K, SECCOMP_ARCH_NATIVE, 1, 0));
	235	INSTR(BPF_STMT(BPF_RET \| BPF_K, SECCOMP_RET_TRAP));
	236
	237	/* Blocking "execve" normally would also block our own call to
	238	* it and the end of main. To distinguish between our execve
	239	* and the execve to be blocked, compare the environ pointer.
	240	*
	241	* See https://lore.kernel.org/all/CAAnLoWnS74dK9Wq4EQ-uzQ0qCRfSK-dLqh+HCais-5qwDjrVzg@mail.gmail.com/
	242	*/
8edbb62b TW	243	if (blocking_execve) {
	244	INSTR(BPF_STMT(BPF_LD \| BPF_W \| BPF_ABS, syscall_nr));
	245	INSTR(BPF_JUMP(BPF_JMP \| BPF_JEQ \| BPF_K, __NR_execve, 0, 5));
	246	INSTR(BPF_STMT(BPF_LD \| BPF_W \| BPF_ABS, syscall_arg_lower32(2)));
	247	INSTR(BPF_JUMP(BPF_JMP \| BPF_JEQ \| BPF_K, (uint64_t)(uintptr_t) environ, 0, 3));
	248	INSTR(BPF_STMT(BPF_LD \| BPF_W \| BPF_ABS, syscall_arg_upper32(2)));
	249	INSTR(BPF_JUMP(BPF_JMP \| BPF_JEQ \| BPF_K, (uint64_t)(uintptr_t) environ >> 32, 0, 1));
	250	INSTR(BPF_STMT(BPF_RET \| BPF_K, SECCOMP_RET_ALLOW));
	251	}
3085fabe TW	252
3085fabe TW	253	INSTR(BPF_STMT(BPF_LD \| BPF_W \| BPF_ABS, syscall_nr));
c93114cd	254
358e3e43 TW	255	list_for_each(loop_ctr, &blocked_syscalls) {
358e3e43 TW	256	blocked = list_entry(loop_ctr, struct blocked_number, head);
3085fabe	257
358e3e43	258	INSTR(BPF_JUMP(BPF_JMP \| BPF_JEQ \| BPF_K, blocked->number, 0, 1));
766a9bd6	259	INSTR(BPF_STMT(BPF_RET \| BPF_K, SECCOMP_RET_ERRNO \| blocked->ret));
c93114cd TW	260	}
c93114cd TW	261
ce0c5edc TW	262	if (!list_empty(&blocked_ioctls)) {
	263	INSTR(BPF_JUMP(BPF_JMP \| BPF_JEQ \| BPF_K, __NR_ioctl, 1, 0));
	264	INSTR(BPF_STMT(BPF_RET \| BPF_K, SECCOMP_RET_ALLOW));
	265
	266	list_for_each(loop_ctr, &blocked_ioctls) {
	267	blocked = list_entry(loop_ctr, struct blocked_number, head);
	268
	269	INSTR(BPF_STMT(BPF_LD \| BPF_W \| BPF_ABS, syscall_arg_lower32(1)));
	270	INSTR(BPF_JUMP(BPF_JMP \| BPF_JEQ \| BPF_K, (uint64_t) blocked->number, 0, 3));
	271	INSTR(BPF_STMT(BPF_LD \| BPF_W \| BPF_ABS, syscall_arg_upper32(1)));
	272	INSTR(BPF_JUMP(BPF_JMP \| BPF_JEQ \| BPF_K, (uint64_t) blocked->number >> 32, 0, 1));
766a9bd6	273	INSTR(BPF_STMT(BPF_RET \| BPF_K, SECCOMP_RET_ERRNO \| blocked->ret));
ce0c5edc	274	}
65bf3c73 TW	275	}
65bf3c73 TW	276
3085fabe TW	277	INSTR(BPF_STMT(BPF_RET \| BPF_K, SECCOMP_RET_ALLOW));
3085fabe TW	278
e6e606a9	279	if (dump) {
90cb3825	280	if (fwrite_all(filter, (f - filter) * sizeof(filter[0]), 1, dump))
e6e606a9 TW	281	err(EXIT_FAILURE, _("Could not dump seccomp filter"));
	282	return EXIT_SUCCESS;
	283	}
	284
c93114cd	285	struct sock_fprog prog = {
3085fabe	286	.len = f - filter,
c93114cd TW	287	.filter = filter,
	288	};
	289
f080b635 TW	290	/* SET below will return EINVAL when either the filter is invalid or
	291	* seccomp is not supported. To distinguish those cases do a GET here
	292	*/
	293	if (prctl(PR_GET_SECCOMP) == -1 && errno == EINVAL)
13d1cbce	294	err(EXIT_NOTSUPP, _("Seccomp non-functional"));
f080b635	295
c93114cd	296	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))
a3fdbe0c	297	err_nosys(EXIT_FAILURE, _("Could not run prctl(PR_SET_NO_NEW_PRIVS)"));
c93114cd	298
fd1786d3	299	if (ul_set_seccomp_filter_spec_allow(&prog))
ced82526	300	err_nosys(EXIT_FAILURE, _("Could not seccomp filter"));
c93114cd TW	301
c93114cd TW	302	if (execvp(argv[optind], argv + optind))
13d1cbce	303	err(EXIT_NOTSUPP, _("Could not exec"));
c93114cd	304	}