Commit | Line | Data |
---|---|---|
17d728c8 SS |
1 | diff --git a/configure.ac b/configure.ac |
2 | index 4065d0e..d59ad44 100644 | |
3 | --- a/configure.ac | |
4 | +++ b/configure.ac | |
5 | @@ -764,9 +764,12 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) | |
6 | i*86-*) | |
7 | seccomp_audit_arch=AUDIT_ARCH_I386 | |
8 | ;; | |
9 | - arm*-*) | |
10 | + aarch64*-*) | |
11 | + seccomp_audit_arch=AUDIT_ARCH_AARCH64 | |
12 | + ;; | |
13 | + arm*-*) | |
14 | seccomp_audit_arch=AUDIT_ARCH_ARM | |
15 | - ;; | |
16 | + ;; | |
17 | esac | |
18 | if test "x$seccomp_audit_arch" != "x" ; then | |
19 | AC_MSG_RESULT(["$seccomp_audit_arch"]) | |
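Review bot: The new `aarch64*-*)` arm sets `seccomp_audit_arch=AUDIT_ARCH_AARCH64` without checking that the build's kernel headers declare that constant. With older headers, configure would still report an audit arch and the failure would presumably surface only when the filter source is compiled. A declaration check right after `esac` would make the sandbox fall back cleanly, for example `AC_CHECK_DECL([$seccomp_audit_arch], [], [seccomp_audit_arch=""], [[#include <linux/audit.h>]])`, because the existing `test "x$seccomp_audit_arch" != "x"` already handles the empty value. The `- ;;` / `+ ;;` pair under the `arm*-*)` arm looks like a whitespace-only change and could be dropped from the patch. The `case` statement starts above this hunk, so the host variable it matches on is not visible here.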
20 | diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c | |
21 | index 095b04a..52f6810 100644 | |
22 | --- a/sandbox-seccomp-filter.c | |
23 | +++ b/sandbox-seccomp-filter.c | |
24 | @@ -90,8 +90,20 @@ static const struct sock_filter preauth_insns[] = { | |
25 | /* Load the syscall number for checking. */ | |
26 | BPF_STMT(BPF_LD+BPF_W+BPF_ABS, | |
27 | offsetof(struct seccomp_data, nr)), | |
28 | - SC_DENY(open, EACCES), | |
29 | - SC_DENY(stat, EACCES), | |
30 | + SC_DENY(openat, EACCES), | |
31 | +#ifdef __NR_open | |
32 | + SC_DENY(open, EACCES), /* not on AArch64 */ | |
33 | +#endif | |
34 | +#ifdef __NR_fstat | |
35 | + SC_DENY(fstat, EACCES), /* x86_64, Aarch64 */ | |
36 | +#endif | |
37 | +#if defined(__NR_stat64) && defined(__NR_fstat64) | |
38 | + SC_DENY(stat64, EACCES), /* ix86, arm */ | |
39 | + SC_DENY(fstat64, EACCES), | |
40 | +#endif | |
41 | +#ifdef __NR_newfstatat | |
42 | + SC_DENY(newfstatat, EACCES), /* Aarch64 */ | |
43 | +#endif | |
44 | SC_ALLOW(getpid), | |
45 | SC_ALLOW(gettimeofday), | |
46 | SC_ALLOW(clock_gettime), | |
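Review bot: The old `SC_DENY(stat, EACCES)` entry is removed and nothing guarded by `__NR_stat` replaces it, so on architectures that still have a plain `stat` syscall (x86_64, going by the comment on the `fstat` line) a `stat()` call no longer gets a soft `EACCES`. It now falls through to the filter's default action, which is not visible in this hunk but in a deny-by-default filter is normally a kill. If the intent was only to add the AArch64 equivalents, keep the original behaviour with `#ifdef __NR_stat` / `SC_DENY(stat, EACCES),` / `#endif` next to the new `fstat` entry. It would also help to add a comment above the group stating that these denies exist so that stray file lookups fail with an error rather than trip the default action. `preauth_insns[]` begins before and continues after this hunk.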
47 | @@ -111,12 +123,19 @@ static const struct sock_filter preauth_insns[] = { | |
48 | SC_ALLOW(shutdown), | |
49 | #endif | |
50 | SC_ALLOW(brk), | |
51 | +#ifdef __NR_poll /* not on AArch64 */ | |
52 | SC_ALLOW(poll), | |
53 | +#endif | |
54 | #ifdef __NR__newselect | |
55 | SC_ALLOW(_newselect), | |
56 | #else | |
57 | +#ifdef __NR_select /* not on AArch64 */ | |
58 | SC_ALLOW(select), | |
59 | #endif | |
60 | +#ifdef __NR_pselect6 /* AArch64 */ | |
61 | + SC_ALLOW(pselect6), | |
62 | +#endif | |
63 | +#endif | |
64 | SC_ALLOW(madvise), | |
65 | #ifdef __NR_mmap2 /* EABI ARM only has mmap2() */ | |
66 | SC_ALLOW(mmap2), |
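Review bot: The `pselect6` allow is placed inside the `#else` branch of `#ifdef __NR__newselect`, so it is enabled on every architecture that lacks `_newselect` but defines `__NR_pselect6`, not only on AArch64 as its comment says. That appears to widen the pre-auth allowlist on x86_64, which already gets `select`. If `pselect6` is meant purely as the fallback where `select` does not exist, an exclusive chain expresses that: `#elif defined(__NR_select)` before `SC_ALLOW(select),` and `#elif defined(__NR_pselect6)` before `SC_ALLOW(pselect6),`, closed by a single `#endif`. If the nesting is kept, the two closing `#endif` lines should carry trailing comments naming their conditions. Guarding `poll` with `__NR_poll` leaves AArch64 with no poll-family syscall allowed; whether the pre-auth child needs one cannot be determined from this hunk, so confirm it on that target. The array continues past the end of the hunk.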