From 8edbb62b9b8aa76d340ac4a7d1bd713c47c82e80 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Thomas=20Wei=C3=9Fschuh?=
Date: Sun, 4 Feb 2024 10:06:39 +0100
Subject: [PATCH] enosys: optimize bytecode when execve is not blocked
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit
Signed-off-by: Thomas Weißschuh
---
 misc-utils/enosys.c | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)
diff --git a/misc-utils/enosys.c b/misc-utils/enosys.c
index 7c9afa768f..22096dfe0b 100644
--- a/misc-utils/enosys.c
+++ b/misc-utils/enosys.c
@@ -121,6 +121,7 @@ int main(int argc, char **argv)
 struct blocked_number *blocked;
 struct list_head *loop_ctr;
 struct list_head blocked_syscalls;
+ bool blocking_execve = false;
 INIT_LIST_HEAD(&blocked_syscalls);
 struct list_head blocked_ioctls;
 INIT_LIST_HEAD(&blocked_ioctls);
@@ -147,6 +148,8 @@ int main(int argc, char **argv)
 blocked = xmalloc(sizeof(*blocked));
 blocked->number = blocked_number;
 list_add(&blocked->head, &blocked_syscalls);
+ if (blocked_number == __NR_execve)
+ blocking_execve = true;
 break;
 case 'i': 
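Review bot: The new `bool blocking_execve = false;` is placed between `struct list_head blocked_syscalls;` and its `INIT_LIST_HEAD(&blocked_syscalls);`, splitting a declaration from its initialisation; it reads better next to the other plain locals, e.g. directly after `struct list_head *loop_ctr;`. The flag also has no comment saying what it gates, yet it decides whether the environ-matching execve allow-path in the third hunk is emitted at all, so a one-liner such as `/* execve itself is on the blocked list: emit the environ-matching allow-path for it (see the lore link below) */` at the declaration would save the next reader a search. `bool` needs `<stdbool.h>` or a util-linux header that provides it; the include block is not in the hunk, so it is worth confirming that is already the case. main() begins and ends outside the hunk.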
@@ -205,13 +208,15 @@ int main(int argc, char **argv)
 *
 * See https://lore.kernel.org/all/CAAnLoWnS74dK9Wq4EQ-uzQ0qCRfSK-dLqh+HCais-5qwDjrVzg@mail.gmail.com/
 */
- INSTR(BPF_STMT(BPF_LD | BPF_W | BPF_ABS, syscall_nr));
- INSTR(BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_execve, 0, 5));
- INSTR(BPF_STMT(BPF_LD | BPF_W | BPF_ABS, syscall_arg_lower32(2)));
- INSTR(BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (uint64_t)(uintptr_t) environ, 0, 3));
- INSTR(BPF_STMT(BPF_LD | BPF_W | BPF_ABS, syscall_arg_upper32(2)));
- INSTR(BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (uint64_t)(uintptr_t) environ >> 32, 0, 1));
- INSTR(BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW));
+ if (blocking_execve) {
+ INSTR(BPF_STMT(BPF_LD | BPF_W | BPF_ABS, syscall_nr));
+ INSTR(BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_execve, 0, 5));
+ INSTR(BPF_STMT(BPF_LD | BPF_W | BPF_ABS, syscall_arg_lower32(2)));
+ INSTR(BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (uint64_t)(uintptr_t) environ, 0, 3));
+ INSTR(BPF_STMT(BPF_LD | BPF_W | BPF_ABS, syscall_arg_upper32(2)));
+ INSTR(BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (uint64_t)(uintptr_t) environ >> 32, 0, 1));
+ INSTR(BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW));
+ }
 INSTR(BPF_STMT(BPF_LD | BPF_W | BPF_ABS, syscall_nr));
-- 
2.47.3