aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authormspectorgoogle <mspector@google.com>2020-03-11 03:21:36 -0700
committerGitHub <noreply@github.com>2020-03-11 11:21:36 +0100
commite103bc9e1bb4453045c4795f9a10a671e72b1aba (patch)
tree868db5bf000ed6e50ae36970f92abd4a6aebbd2e
parent35f53e457420e79fa28e3260cdbbf9f37b9f97e4 (diff)
executor: add seccomp support for Android
This adds support for the seccomp filters that are part of Android into the sandbox. A process running as untrusted_app in Android has a restricted set of syscalls that it is allow to run. This is accomplished by setting seccomp filters in the zygote process prior to forking into the application process. The seccomp filter list comes directly from the Android source, it cannot be dynamically loaded from an Android phone because libseccomp_policy.so does not exist as a library on the system partition.
Diffstat
-rw-r--r--executor/android/android_seccomp.h111
-rw-r--r--executor/android/arm64_app_policy.h64
-rw-r--r--executor/android/arm_app_policy.h146
-rw-r--r--executor/android/x86_64_app_policy.h110
-rw-r--r--executor/android/x86_app_policy.h130
-rw-r--r--executor/common_linux.h82
-rw-r--r--pkg/csource/gen.go36
-rw-r--r--pkg/csource/generated.go609
8 files changed, 1238 insertions, 50 deletions
diff --git a/executor/android/android_seccomp.h b/executor/android/android_seccomp.h
new file mode 100644
index 000000000..21fd723e3
--- /dev/null
+++ b/executor/android/android_seccomp.h
@@ -0,0 +1,111 @@
+// Copyright 2016 syzkaller project authors. All rights reserved.
+// Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
+
+// These headers are generated by the Android build system and need to be updated periodically.
+#if GOARCH_arm64
+#define PRIMARY_ARCH AUDIT_ARCH_AARCH64
+#include "arm64_app_policy.h"
+static const struct sock_filter* primary_app_filter = arm64_app_filter;
+static const size_t primary_app_filter_size = arm64_app_filter_size;
+// We need 3 for ValidateArchitecture and 1 for ExamineSyscall and 4 for ValidateArchitectureAndJumpIfNeeded + 2 extra Disallow
+#define kFilterMaxSize (arm64_app_filter_size + 3 + 1 + 4 + 2)
+
+#elif GOARCH_arm
+#define PRIMARY_ARCH AUDIT_ARCH_ARM
+#include "arm_app_policy.h"
+static const struct sock_filter* primary_app_filter = arm_app_filter;
+static const size_t primary_app_filter_size = arm_app_filter_size;
+#define kFilterMaxSize (arm_app_filter_size + 3 + 1 + 4 + 2)
+
+#elif GOARCH_amd64
+#define PRIMARY_ARCH AUDIT_ARCH_X86_64
+#include "x86_64_app_policy.h"
+static const struct sock_filter* primary_app_filter = x86_64_app_filter;
+static const size_t primary_app_filter_size = x86_64_app_filter_size;
+#define kFilterMaxSize (x86_64_app_filter_size + 3 + 1 + 4 + 2)
+
+#elif GOARCH_386
+#define PRIMARY_ARCH AUDIT_ARCH_I386
+#include "x86_app_policy.h"
+static const struct sock_filter* primary_app_filter = x86_app_filter;
+static const size_t primary_app_filter_size = x86_app_filter_size;
+#define kFilterMaxSize (x86_app_filter_size + 3 + 1 + 4 + 2)
+
+#else
+#error No architecture was defined!
+#endif
+
+#define syscall_nr (offsetof(struct seccomp_data, nr))
+#define syscall_arg(_n) (offsetof(struct seccomp_data, args[_n]))
+#define arch_nr (offsetof(struct seccomp_data, arch))
+
+
+typedef struct Filter_t {
+ struct sock_filter data[kFilterMaxSize];
+ size_t count;
+} Filter;
+
+inline void push_back(Filter* filter_array, struct sock_filter filter)
+{
+ if (filter_array->count == kFilterMaxSize)
+ fail("Can't add another syscall to seccomp filter: count %zu.", filter_array->count);
+ filter_array->data[filter_array->count++] = filter;
+}
+
+inline void Disallow(Filter* f)
+{
+ struct sock_filter filter = BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRAP);
+ push_back(f, filter);
+}
+
+static void ExamineSyscall(Filter* f)
+{
+ struct sock_filter filter = BPF_STMT(BPF_LD | BPF_W | BPF_ABS, syscall_nr);
+ push_back(f, filter);
+}
+
+static void ValidateArchitecture(Filter* f)
+{
+ struct sock_filter filter1 = BPF_STMT(BPF_LD | BPF_W | BPF_ABS, arch_nr);
+ struct sock_filter filter2 = BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, PRIMARY_ARCH, 1, 0);
+ push_back(f, filter1);
+ push_back(f, filter2);
+ Disallow(f);
+}
+
+// Modified from the orignal Android code to fail instead of return.
+static void install_filter(const Filter* f)
+{
+ struct sock_fprog prog = {
+ (unsigned short)f->count,
+ (struct sock_filter*)&f->data[0],
+ };
+ // This assumes either the current process has CAP_SYS_ADMIN, or PR_SET_NO_NEW_PRIVS bit is set.
+ if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) < 0) {
+ fail("Could not set seccomp filter of size %zu", f->count);
+ }
+}
+
+// Modified from the orignal Android code as we don't need dual arch support
+void set_app_seccomp_filter()
+{
+ const struct sock_filter *p;
+ size_t p_size;
+ Filter f;
+ f.count = 0;
+
+ p = primary_app_filter;
+ p_size = primary_app_filter_size;
+
+ ValidateArchitecture(&f);
+
+ ExamineSyscall(&f);
+
+ for (size_t i = 0; i < p_size; ++i) {
+ push_back(&f, p[i]);
+ }
+ Disallow(&f);
+
+ // Will fail() if anything fails.
+ install_filter(&f);
+}
diff --git a/executor/android/arm64_app_policy.h b/executor/android/arm64_app_policy.h
new file mode 100644
index 000000000..589e96e20
--- /dev/null
+++ b/executor/android/arm64_app_policy.h
@@ -0,0 +1,64 @@
+// Copyright 2016 syzkaller project authors. All rights reserved.
+// Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
+
+// File autogenerated by genseccomp.py from Android Q - edit at your peril!!
+
+const struct sock_filter arm64_app_filter[] = {
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 0, 0, 54),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 160, 27, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 101, 13, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 52, 7, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 41, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 19, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 18, 48, 47), //io_setup|io_destroy|io_submit|io_cancel|io_getevents|setxattr|lsetxattr|fsetxattr|getxattr|lgetxattr|fgetxattr|listxattr|llistxattr|flistxattr|removexattr|lremovexattr|fremovexattr|getcwd
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 39, 47, 46), //eventfd2|epoll_create1|epoll_ctl|epoll_pwait|dup|dup3|fcntl|inotify_init1|inotify_add_watch|inotify_rm_watch|ioctl|ioprio_set|ioprio_get|flock|mknodat|mkdirat|unlinkat|symlinkat|linkat|renameat
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 43, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 42, 45, 44), //pivot_root
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 51, 44, 43), //statfs|fstatfs|truncate|ftruncate|fallocate|faccessat|chdir|fchdir
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 90, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 59, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 58, 41, 40), //fchmod|fchmodat|fchownat|fchown|openat|close
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 89, 40, 39), //pipe2|quotactl|getdents64|lseek|read|write|readv|writev|pread64|pwrite64|preadv|pwritev|sendfile|pselect6|ppoll|signalfd4|vmsplice|splice|tee|readlinkat|newfstatat|fstat|sync|fsync|fdatasync|sync_file_range|timerfd_create|timerfd_settime|timerfd_gettime|utimensat
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 100, 39, 38), //capget|capset|personality|exit|exit_group|waitid|set_tid_address|unshare|futex|set_robust_list
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 147, 7, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 113, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 107, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 104, 35, 34), //nanosleep|getitimer|setitimer
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 112, 34, 33), //timer_create|timer_gettime|timer_getoverrun|timer_settime|timer_delete
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 117, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 116, 32, 31), //clock_gettime|clock_getres|clock_nanosleep
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 142, 31, 30), //ptrace|sched_setparam|sched_setscheduler|sched_getscheduler|sched_getparam|sched_setaffinity|sched_getaffinity|sched_yield|sched_get_priority_max|sched_get_priority_min|sched_rr_get_interval|restart_syscall|kill|tkill|tgkill|sigaltstack|rt_sigsuspend|rt_sigaction|rt_sigprocmask|rt_sigpending|rt_sigtimedwait|rt_sigqueueinfo|rt_sigreturn|setpriority|getpriority
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 153, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 150, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 149, 28, 27), //setresuid|getresuid
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 151, 27, 26), //getresgid
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 159, 26, 25), //times|setpgid|getpgid|getsid|setsid|getgroups
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 240, 13, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 203, 7, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 172, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 163, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 161, 21, 20), //uname
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 170, 20, 19), //getrlimit|setrlimit|getrusage|umask|prctl|getcpu|gettimeofday
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 198, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 180, 18, 17), //getpid|getppid|getuid|geteuid|getgid|getegid|gettid|sysinfo
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 202, 17, 16), //socket|socketpair|bind|listen
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 226, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 220, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 217, 14, 13), //connect|getsockname|getpeername|sendto|recvfrom|setsockopt|getsockopt|shutdown|sendmsg|recvmsg|readahead|brk|munmap|mremap
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 224, 13, 12), //clone|execve|mmap|fadvise64
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 234, 12, 11), //mprotect|msync|mlock|munlock|mlockall|munlockall|mincore|madvise
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 274, 5, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 267, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 260, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 244, 8, 7), //rt_tgsigqueueinfo|perf_event_open|accept4|recvmmsg
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 262, 7, 6), //wait4|prlimit64
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 272, 6, 5), //syncfs|setns|sendmmsg|process_vm_readv|process_vm_writev
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 283, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 281, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 280, 3, 2), //sched_setattr|sched_getattr|renameat2|seccomp|getrandom|memfd_create
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 282, 2, 1), //execveat
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 288, 1, 0), //membarrier|mlock2|copy_file_range|preadv2|pwritev2
+BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
+};
+
+#define arm64_app_filter_size (sizeof(arm64_app_filter) / sizeof(struct sock_filter))
diff --git a/executor/android/arm_app_policy.h b/executor/android/arm_app_policy.h
new file mode 100644
index 000000000..9c633adac
--- /dev/null
+++ b/executor/android/arm_app_policy.h
@@ -0,0 +1,146 @@
+// Copyright 2016 syzkaller project authors. All rights reserved.
+// Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
+
+// File autogenerated by genseccomp.py from Android Q - edit at your peril!!
+
+const struct sock_filter arm_app_filter[] = {
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 0, 0, 136),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 190, 67, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 85, 33, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 45, 17, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 26, 9, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 19, 5, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 10, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 8, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 7, 128, 127), //restart_syscall|exit|fork|read|write|open|close
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 9, 127, 126), //creat
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 13, 126, 125), //unlink|execve|chdir
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 24, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 21, 124, 123), //lseek|getpid
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 25, 123, 122), //getuid
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 36, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 33, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 27, 120, 119), //ptrace
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 34, 119, 118), //access
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 41, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 40, 117, 116), //sync|kill|rename|mkdir
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 44, 116, 115), //dup|pipe|times
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 63, 7, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 57, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 54, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 46, 112, 111), //brk
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 56, 111, 110), //ioctl|fcntl
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 60, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 58, 109, 108), //setpgid
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 61, 108, 107), //umask
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 75, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 66, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 65, 105, 104), //dup2|getppid
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 68, 104, 103), //setsid|sigaction
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 77, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 76, 102, 101), //setrlimit
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 79, 101, 100), //getrusage|gettimeofday
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 125, 17, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 114, 9, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 96, 5, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 94, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 91, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 86, 95, 94), //readlink
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 93, 94, 93), //munmap|truncate
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 95, 93, 92), //fchmod
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 104, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 98, 91, 90), //getpriority|setpriority
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 106, 90, 89), //setitimer|getitimer
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 118, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 116, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 115, 87, 86), //wait4
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 117, 86, 85), //sysinfo
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 122, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 121, 84, 83), //fsync|sigreturn|clone
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 123, 83, 82), //uname
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 150, 7, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 136, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 131, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 126, 79, 78), //mprotect
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 134, 78, 77), //quotactl|getpgid|fchdir
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 140, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 137, 76, 75), //personality
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 149, 75, 74), //_llseek|getdents|_newselect|flock|msync|readv|writev|getsid|fdatasync
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 172, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 168, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 164, 72, 71), //mlock|munlock|mlockall|munlockall|sched_setparam|sched_getparam|sched_setscheduler|sched_getscheduler|sched_yield|sched_get_priority_max|sched_get_priority_min|sched_rr_get_interval|nanosleep|mremap
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 169, 71, 70), //poll
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 183, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 182, 69, 68), //prctl|rt_sigreturn|rt_sigaction|rt_sigprocmask|rt_sigpending|rt_sigtimedwait|rt_sigqueueinfo|rt_sigsuspend|pread64|pwrite64
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 188, 68, 67), //getcwd|capget|capset|sigaltstack|sendfile
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 322, 33, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 256, 17, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 217, 9, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 207, 5, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 205, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 199, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 198, 61, 60), //vfork|ugetrlimit|mmap2|truncate64|ftruncate64|stat64|lstat64|fstat64
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 203, 60, 59), //getuid32|getgid32|geteuid32|getegid32
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 206, 59, 58), //getgroups32
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 211, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 210, 57, 56), //fchown32|setresuid32|getresuid32
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 212, 56, 55), //getresgid32
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 224, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 219, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 218, 53, 52), //getdents64
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 222, 52, 51), //mincore|madvise|fcntl64
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 250, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 249, 50, 49), //gettid|readahead|setxattr|lsetxattr|fsetxattr|getxattr|lgetxattr|fgetxattr|listxattr|llistxattr|flistxattr|removexattr|lremovexattr|fremovexattr|tkill|sendfile64|futex|sched_setaffinity|sched_getaffinity|io_setup|io_destroy|io_getevents|io_submit|io_cancel|exit_group
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 254, 49, 48), //epoll_create|epoll_ctl|epoll_wait|remap_file_pages
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 286, 7, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 270, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 263, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 262, 45, 44), //set_tid_address|timer_create|timer_settime|timer_gettime|timer_getoverrun|timer_delete
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 269, 44, 43), //clock_gettime|clock_getres|clock_nanosleep|statfs64|fstatfs64|tgkill
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 280, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 271, 42, 41), //arm_fadvise64_64
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 285, 41, 40), //waitid|socket|bind|connect|listen
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 292, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 290, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 289, 38, 37), //getsockname|getpeername|socketpair
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 291, 37, 36), //sendto
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 316, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 298, 35, 34), //recvfrom|shutdown|setsockopt|getsockopt|sendmsg|recvmsg
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 319, 34, 33), //inotify_init|inotify_add_watch|inotify_rm_watch
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 387, 17, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 350, 9, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 345, 5, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 340, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 327, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 326, 28, 27), //openat|mkdirat|mknodat|fchownat
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 338, 27, 26), //fstatat64|unlinkat|renameat|linkat|symlinkat|readlinkat|fchmodat|faccessat|pselect6|ppoll|unshare
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 344, 26, 25), //splice|sync_file_range2|tee|vmsplice
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 348, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 347, 24, 23), //getcpu|epoll_pwait
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 349, 23, 22), //utimensat
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 373, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 369, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 367, 20, 19), //timerfd_create|eventfd|fallocate|timerfd_settime|timerfd_gettime|signalfd4|eventfd2|epoll_create1|dup3|pipe2|inotify_init1|preadv|pwritev|rt_tgsigqueueinfo|perf_event_open|recvmmsg|accept4
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 370, 19, 18), //prlimit64
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 380, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 378, 17, 16), //syncfs|sendmmsg|setns|process_vm_readv|process_vm_writev
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 386, 16, 15), //sched_setattr|sched_getattr|renameat2|seccomp|getrandom|memfd_create
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 417, 7, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 397, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 389, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 388, 12, 11), //execveat
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 394, 11, 10), //membarrier|mlock2|copy_file_range|preadv2|pwritev2
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 403, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 398, 9, 8), //statx
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 415, 8, 7), //clock_gettime64|clock_settime64|clock_adjtime64|clock_getres_time64|clock_nanosleep_time64|timer_gettime64|timer_settime64|timerfd_gettime64|timerfd_settime64|utimensat_time64|pselect6_time64|ppoll_time64
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 983042, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 420, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 418, 5, 4), //recvmmsg_time64
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 424, 4, 3), //semtimedop_time64|rt_sigtimedwait_time64|futex_time64|sched_rr_get_interval_time64
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 983045, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 983043, 2, 1), //__ARM_NR_cacheflush
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 983046, 1, 0), //__ARM_NR_set_tls
+BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
+};
+
+#define arm_app_filter_size (sizeof(arm_app_filter) / sizeof(struct sock_filter))
diff --git a/executor/android/x86_64_app_policy.h b/executor/android/x86_64_app_policy.h
new file mode 100644
index 000000000..61a0ede03
--- /dev/null
+++ b/executor/android/x86_64_app_policy.h
@@ -0,0 +1,110 @@
+// Copyright 2016 syzkaller project authors. All rights reserved.
+// Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
+
+// File autogenerated by genseccomp.py from Android Q - edit at your peril!!
+
+const struct sock_filter x86_64_app_filter[] = {
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 0, 0, 100),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 157, 49, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 95, 25, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 44, 13, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 32, 7, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 8, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 5, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 4, 93, 92), //read|write|open|close
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 6, 92, 91), //fstat
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 24, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 21, 90, 89), //lseek|mmap|mprotect|munmap|brk|rt_sigaction|rt_sigprocmask|rt_sigreturn|ioctl|pread64|pwrite64|readv|writev
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 29, 89, 88), //sched_yield|mremap|msync|mincore|madvise
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 38, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 35, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 33, 86, 85), //dup
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 37, 85, 84), //nanosleep|getitimer
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 43, 84, 83), //setitimer|getpid|sendfile|socket|connect
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 89, 5, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 72, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 58, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 57, 80, 79), //sendto|recvfrom|sendmsg|recvmsg|shutdown|bind|listen|getsockname|getpeername|socketpair|setsockopt|getsockopt|clone
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 64, 79, 78), //vfork|execve|exit|wait4|kill|uname
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 82, 78, 77), //fcntl|flock|fsync|fdatasync|truncate|ftruncate|getdents|getcwd|chdir|fchdir
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 93, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 91, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 90, 75, 74), //readlink
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 92, 74, 73), //fchmod
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 94, 73, 72), //fchown
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 120, 11, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 112, 5, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 107, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 104, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 103, 68, 67), //umask|gettimeofday|getrlimit|getrusage|sysinfo|times|ptrace|getuid
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 105, 67, 66), //getgid
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 111, 66, 65), //geteuid|getegid|setpgid|getppid
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 117, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 115, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 113, 63, 62), //setsid
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 116, 62, 61), //getgroups
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 119, 61, 60), //setresuid|getresuid
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 137, 5, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 135, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 124, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 122, 57, 56), //getresgid|getpgid
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 132, 56, 55), //getsid|capget|capset|rt_sigpending|rt_sigtimedwait|rt_sigqueueinfo|rt_sigsuspend|sigaltstack
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 136, 55, 54), //personality
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 155, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 140, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 139, 52, 51), //statfs|fstatfs
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 153, 51, 50), //getpriority|setpriority|sched_setparam|sched_getparam|sched_setscheduler|sched_getscheduler|sched_get_priority_max|sched_get_priority_min|sched_rr_get_interval|mlock|munlock|mlockall|munlockall
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 156, 50, 49), //pivot_root
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 254, 25, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 217, 13, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 186, 7, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 162, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 160, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 159, 44, 43), //prctl|arch_prctl
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 161, 43, 42), //setrlimit
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 179, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 163, 41, 40), //sync
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 180, 40, 39), //quotactl
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 206, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 202, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 201, 37, 36), //gettid|readahead|setxattr|lsetxattr|fsetxattr|getxattr|lgetxattr|fgetxattr|listxattr|llistxattr|flistxattr|removexattr|lremovexattr|fremovexattr|tkill
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 205, 36, 35), //futex|sched_setaffinity|sched_getaffinity
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 211, 35, 34), //io_setup|io_destroy|io_getevents|io_submit|io_cancel
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 233, 5, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 228, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 221, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 220, 31, 30), //getdents64|set_tid_address|restart_syscall
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 227, 30, 29), //fadvise64|timer_create|timer_settime|timer_gettime|timer_getoverrun|timer_delete
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 232, 29, 28), //clock_gettime|clock_getres|clock_nanosleep|exit_group
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 251, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 247, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 235, 26, 25), //epoll_ctl|tgkill
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 248, 25, 24), //waitid
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 253, 24, 23), //ioprio_set|ioprio_get
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 285, 11, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 275, 5, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 262, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 257, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 256, 19, 18), //inotify_add_watch|inotify_rm_watch
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 261, 18, 17), //openat|mkdirat|mknodat|fchownat
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 274, 17, 16), //newfstatat|unlinkat|renameat|linkat|symlinkat|readlinkat|fchmodat|faccessat|pselect6|ppoll|unshare|set_robust_list
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 283, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 280, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 279, 14, 13), //splice|tee|sync_file_range|vmsplice
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 282, 13, 12), //utimensat|epoll_pwait
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 284, 12, 11), //timerfd_create
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 314, 5, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 306, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 302, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 300, 8, 7), //fallocate|timerfd_settime|timerfd_gettime|accept4|signalfd4|eventfd2|epoll_create1|dup3|pipe2|inotify_init1|preadv|pwritev|rt_tgsigqueueinfo|perf_event_open|recvmmsg
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 303, 7, 6), //prlimit64
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 312, 6, 5), //syncfs|sendmmsg|setns|getcpu|process_vm_readv|process_vm_writev
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 324, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 322, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 320, 3, 2), //sched_setattr|sched_getattr|renameat2|seccomp|getrandom|memfd_create
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 323, 2, 1), //execveat
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 329, 1, 0), //membarrier|mlock2|copy_file_range|preadv2|pwritev2
+BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
+};
+
+#define x86_64_app_filter_size (sizeof(x86_64_app_filter) / sizeof(struct sock_filter))
diff --git a/executor/android/x86_app_policy.h b/executor/android/x86_app_policy.h
new file mode 100644
index 000000000..125576cad
--- /dev/null
+++ b/executor/android/x86_app_policy.h
@@ -0,0 +1,130 @@
+// Copyright 2016 syzkaller project authors. All rights reserved.
+// Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
+
+// File autogenerated by genseccomp.py from Android Q - edit at your peril!!
+
+const struct sock_filter x86_app_filter[] = {
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 0, 0, 120),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 140, 59, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 75, 29, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 41, 15, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 24, 7, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 10, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 8, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 7, 113, 112), //restart_syscall|exit|fork|read|write|open|close
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 9, 112, 111), //creat
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 19, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 13, 110, 109), //unlink|execve|chdir
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 21, 109, 108), //lseek|getpid
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 33, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 26, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 25, 106, 105), //getuid
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 27, 105, 104), //ptrace
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 36, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 34, 103, 102), //access
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 40, 102, 101), //sync|kill|rename|mkdir
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 60, 7, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 54, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 45, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 44, 98, 97), //dup|pipe|times
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 46, 97, 96), //brk
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 57, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 56, 95, 94), //ioctl|fcntl
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 58, 94, 93), //setpgid
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 66, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 63, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 61, 91, 90), //umask
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 65, 90, 89), //dup2|getppid
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 68, 89, 88), //setsid|sigaction
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 114, 15, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 94, 7, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 85, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 77, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 76, 84, 83), //setrlimit
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 79, 83, 82), //getrusage|gettimeofday
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 90, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 86, 81, 80), //readlink
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 93, 80, 79), //mmap|munmap|truncate
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 102, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 96, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 95, 77, 76), //fchmod
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 98, 76, 75), //getpriority|setpriority
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 104, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 103, 74, 73), //socketcall
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 106, 73, 72), //setitimer|getitimer
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 125, 7, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 118, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 116, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 115, 69, 68), //wait4
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 117, 68, 67), //sysinfo
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 122, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 121, 66, 65), //fsync|sigreturn|clone
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 123, 65, 64), //uname
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 136, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 131, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 126, 62, 61), //mprotect
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 134, 61, 60), //quotactl|getpgid|fchdir
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 137, 60, 59), //personality
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 265, 29, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 207, 15, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 183, 7, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 168, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 150, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 149, 54, 53), //_llseek|getdents|_newselect|flock|msync|readv|writev|getsid|fdatasync
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 164, 53, 52), //mlock|munlock|mlockall|munlockall|sched_setparam|sched_getparam|sched_setscheduler|sched_getscheduler|sched_yield|sched_get_priority_max|sched_get_priority_min|sched_rr_get_interval|nanosleep|mremap
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 172, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 169, 51, 50), //poll
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 182, 50, 49), //prctl|rt_sigreturn|rt_sigaction|rt_sigprocmask|rt_sigpending|rt_sigtimedwait|rt_sigqueueinfo|rt_sigsuspend|pread64|pwrite64
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 199, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 190, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 188, 47, 46), //getcwd|capget|capset|sigaltstack|sendfile
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 198, 46, 45), //vfork|ugetrlimit|mmap2|truncate64|ftruncate64|stat64|lstat64|fstat64
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 205, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 203, 44, 43), //getuid32|getgid32|geteuid32|getegid32
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 206, 43, 42), //getgroups32
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 245, 7, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 218, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 211, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 210, 39, 38), //fchown32|setresuid32|getresuid32
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 212, 38, 37), //getresgid32
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 224, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 222, 36, 35), //mincore|madvise|getdents64|fcntl64
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 244, 35, 34), //gettid|readahead|setxattr|lsetxattr|fsetxattr|getxattr|lgetxattr|fgetxattr|listxattr|llistxattr|flistxattr|removexattr|lremovexattr|fremovexattr|tkill|sendfile64|futex|sched_setaffinity|sched_getaffinity|set_thread_area
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 254, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 252, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 250, 32, 31), //io_setup|io_destroy|io_getevents|io_submit|io_cancel
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 253, 31, 30), //exit_group
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 264, 30, 29), //epoll_create|epoll_ctl|epoll_wait|remap_file_pages|set_tid_address|timer_create|timer_settime|timer_gettime|timer_getoverrun|timer_delete
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 322, 15, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 295, 7, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 284, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 272, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 271, 25, 24), //clock_gettime|clock_getres|clock_nanosleep|statfs64|fstatfs64|tgkill
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 273, 24, 23), //fadvise64_64
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 291, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 285, 22, 21), //waitid
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 294, 21, 20), //inotify_init|inotify_add_watch|inotify_rm_watch
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 313, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 300, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 299, 18, 17), //openat|mkdirat|mknodat|fchownat
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 312, 17, 16), //fstatat64|unlinkat|renameat|linkat|symlinkat|readlinkat|fchmodat|faccessat|pselect6|ppoll|unshare|set_robust_list
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 318, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 317, 15, 14), //splice|sync_file_range|tee|vmsplice
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 321, 14, 13), //getcpu|epoll_pwait|utimensat
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 351, 7, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 344, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 340, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 337, 10, 9), //timerfd_create|eventfd|fallocate|timerfd_settime|timerfd_gettime|signalfd4|eventfd2|epoll_create1|dup3|pipe2|inotify_init1|preadv|pwritev|rt_tgsigqueueinfo|perf_event_open
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 341, 9, 8), //prlimit64
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 346, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 345, 7, 6), //syncfs
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 349, 6, 5), //setns|process_vm_readv|process_vm_writev
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 375, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 358, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 357, 3, 2), //sched_setattr|sched_getattr|renameat2|seccomp|getrandom|memfd_create
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 359, 2, 1), //execveat
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 380, 1, 0), //membarrier|mlock2|copy_file_range|preadv2|pwritev2
+BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
+};
+
+#define x86_app_filter_size (sizeof(x86_app_filter) / sizeof(struct sock_filter))
diff --git a/executor/common_linux.h b/executor/common_linux.h
index 148ca0c33..64dff5a15 100644
--- a/executor/common_linux.h
+++ b/executor/common_linux.h
@@ -2620,7 +2620,7 @@ int wait_for_loop(int pid)
}
#endif
-#if SYZ_EXECUTOR || SYZ_SANDBOX_NONE || SYZ_SANDBOX_NAMESPACE
+#if SYZ_EXECUTOR || SYZ_SANDBOX_NONE || SYZ_SANDBOX_NAMESPACE || SYZ_SANDBOX_ANDROID
#include <linux/capability.h>
static void drop_caps(void)
@@ -2857,6 +2857,20 @@ static int do_sandbox_namespace(void)
#endif
#if SYZ_EXECUTOR || SYZ_SANDBOX_ANDROID
+// seccomp only supported for Arm, Arm64, X86, and X86_64 archs
+#if GOARCH_arm || GOARCH_arm64 || GOARCH_386 || GOARCH_amd64
+#include <assert.h>
+#include <errno.h>
+#include <linux/audit.h>
+#include <linux/filter.h>
+#include <linux/seccomp.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <sys/prctl.h>
+#include <sys/syscall.h>
+
+#include "android/android_seccomp.h"
+#endif
#include <fcntl.h> // open(2)
#include <grp.h> // setgroups
#include <sys/xattr.h> // setxattr, getxattr
@@ -2969,6 +2983,20 @@ static int do_sandbox_android(void)
{
setup_common();
sandbox_common();
+ drop_caps();
+
+#if SYZ_EXECUTOR || SYZ_NET_DEVICES
+ initialize_netdevices_init();
+#endif
+#if SYZ_EXECUTOR || SYZ_DEVLINK_PCI
+ initialize_devlink_pci();
+#endif
+#if SYZ_EXECUTOR || SYZ_NET_INJECTION
+ initialize_tun();
+#endif
+#if SYZ_EXECUTOR || SYZ_NET_DEVICES
+ initialize_netdevices();
+#endif
if (chown(".", UNTRUSTED_APP_UID, UNTRUSTED_APP_UID) != 0)
fail("chmod failed");
@@ -2979,21 +3007,19 @@ static int do_sandbox_android(void)
if (setresgid(UNTRUSTED_APP_GID, UNTRUSTED_APP_GID, UNTRUSTED_APP_GID) != 0)
fail("setresgid failed");
+#if GOARCH_arm || GOARCH_arm64 || GOARCH_386 || GOARCH_amd64
+ // Will fail() if anything fails.
+ // Must be called when the new process still has CAP_SYS_ADMIN, in this case,
+ // before changing uid from 0, which clears capabilities.
+ set_app_seccomp_filter();
+#endif
+
if (setresuid(UNTRUSTED_APP_UID, UNTRUSTED_APP_UID, UNTRUSTED_APP_UID) != 0)
fail("setresuid failed");
syz_setfilecon(".", SELINUX_LABEL_APP_DATA_FILE);
syz_setcon(SELINUX_CONTEXT_UNTRUSTED_APP);
-#if SYZ_EXECUTOR || SYZ_NET_INJECTION
- initialize_tun();
-#endif
-#if SYZ_EXECUTOR || SYZ_NET_DEVICES
- // Note: sandbox_android does not unshare net namespace.
- initialize_netdevices_init();
- initialize_netdevices();
-#endif
-
loop();
doexit(1);
}
@@ -3019,9 +3045,13 @@ static void remove_dir(const char* dir)
struct dirent* ep;
int iter = 0;
retry:
- while (umount2(dir, MNT_DETACH) == 0) {
- debug("umount(%s)\n", dir);
+#if not SYZ_SANDBOX_ANDROID
+ if (!flag_sandbox_android) {
+ while (umount2(dir, MNT_DETACH) == 0) {
+ debug("umount(%s)\n", dir);
+ }
}
+#endif
dp = opendir(dir);
if (dp == NULL) {
if (errno == EMFILE) {
@@ -3039,9 +3069,13 @@ retry:
snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
// If it's 9p mount with broken transport, lstat will fail.
// So try to umount first.
- while (umount2(filename, MNT_DETACH) == 0) {
- debug("umount(%s)\n", filename);
+#if not SYZ_SANDBOX_ANDROID
+ if (!flag_sandbox_android) {
+ while (umount2(filename, MNT_DETACH) == 0) {
+ debug("umount(%s)\n", filename);
+ }
}
+#endif
struct stat st;
if (lstat(filename, &st))
exitf("lstat(%s) failed", filename);
@@ -3071,9 +3105,13 @@ retry:
}
if (errno != EBUSY || i > 100)
exitf("unlink(%s) failed", filename);
- debug("umount(%s)\n", filename);
- if (umount2(filename, MNT_DETACH))
- exitf("umount(%s) failed", filename);
+#if not SYZ_SANDBOX_ANDROID
+ if (!flag_sandbox_android) {
+ debug("umount(%s)\n", filename);
+ if (umount2(filename, MNT_DETACH))
+ exitf("umount(%s) failed", filename);
+ }
+#endif
}
}
closedir(dp);
@@ -3099,9 +3137,13 @@ retry:
break;
}
if (errno == EBUSY) {
- debug("umount(%s)\n", dir);
- if (umount2(dir, MNT_DETACH))
- exitf("umount(%s) failed", dir);
+#if not SYZ_SANDBOX_ANDROID
+ if (!flag_sandbox_android) {
+ debug("umount(%s)\n", dir);
+ if (umount2(dir, MNT_DETACH))
+ exitf("umount(%s) failed", dir);
+ }
+#endif
continue;
}
if (errno == ENOTEMPTY) {
diff --git a/pkg/csource/gen.go b/pkg/csource/gen.go
index 3a857ed93..773676e95 100644
--- a/pkg/csource/gen.go
+++ b/pkg/csource/gen.go
@@ -23,7 +23,7 @@ func main() {
if err != nil {
failf("%v", err)
}
- for _, include := range []string{
+ executorFilenames := []string{
"common_linux.h",
"common_akaros.h",
"common_bsd.h",
@@ -33,19 +33,18 @@ func main() {
"common_kvm_amd64.h",
"common_kvm_arm64.h",
"common_usb.h",
+ "android/android_seccomp.h",
"kvm.h",
"kvm.S.h",
- } {
- contents, err := ioutil.ReadFile("../../executor/" + include)
- if err != nil {
- failf("%v", err)
- }
- replace := []byte("#include \"" + include + "\"")
- if bytes.Index(data, replace) == -1 {
- failf("can't fine %v include", include)
- }
- data = bytes.Replace(data, replace, contents, -1)
}
+ data = replaceIncludes(executorFilenames, "../../executor/", data)
+ androidFilenames := []string{
+ "arm64_app_policy.h",
+ "arm_app_policy.h",
+ "x86_64_app_policy.h",
+ "x86_app_policy.h",
+ }
+ data = replaceIncludes(androidFilenames, "../../executor/android/", data)
for _, remove := range []string{
"(\n|^)\\s*//.*",
"\\s*//.*",
@@ -62,3 +61,18 @@ func failf(msg string, args ...interface{}) {
fmt.Fprintf(os.Stderr, msg+"\n", args...)
os.Exit(1)
}
+
+func replaceIncludes(filenames []string, location string, data []byte) []byte {
+ for _, include := range filenames {
+ contents, err := ioutil.ReadFile(location + include)
+ if err != nil {
+ failf("%v", err)
+ }
+ replace := []byte("#include \"" + include + "\"")
+ if bytes.Index(data, replace) == -1 {
+ failf("can't find %v include", include)
+ }
+ data = bytes.Replace(data, replace, contents, -1)
+ }
+ return data
+}
diff --git a/pkg/csource/generated.go b/pkg/csource/generated.go
index ea018b420..e7c2967e2 100644
--- a/pkg/csource/generated.go
+++ b/pkg/csource/generated.go
@@ -5669,7 +5669,7 @@ int wait_for_loop(int pid)
}
#endif
-#if SYZ_EXECUTOR || SYZ_SANDBOX_NONE || SYZ_SANDBOX_NAMESPACE
+#if SYZ_EXECUTOR || SYZ_SANDBOX_NONE || SYZ_SANDBOX_NAMESPACE || SYZ_SANDBOX_ANDROID
#include <linux/capability.h>
static void drop_caps(void)
@@ -5875,6 +5875,551 @@ static int do_sandbox_namespace(void)
#endif
#if SYZ_EXECUTOR || SYZ_SANDBOX_ANDROID
+#if GOARCH_arm || GOARCH_arm64 || GOARCH_386 || GOARCH_amd64
+#include <assert.h>
+#include <errno.h>
+#include <linux/audit.h>
+#include <linux/filter.h>
+#include <linux/seccomp.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <sys/prctl.h>
+#include <sys/syscall.h>
+#if GOARCH_arm64
+#define PRIMARY_ARCH AUDIT_ARCH_AARCH64
+
+const struct sock_filter arm64_app_filter[] = {
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 0, 0, 54),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 160, 27, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 101, 13, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 52, 7, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 41, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 19, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 18, 48, 47),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 39, 47, 46),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 43, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 42, 45, 44),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 51, 44, 43),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 90, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 59, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 58, 41, 40),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 89, 40, 39),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 100, 39, 38),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 147, 7, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 113, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 107, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 104, 35, 34),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 112, 34, 33),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 117, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 116, 32, 31),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 142, 31, 30),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 153, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 150, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 149, 28, 27),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 151, 27, 26),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 159, 26, 25),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 240, 13, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 203, 7, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 172, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 163, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 161, 21, 20),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 170, 20, 19),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 198, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 180, 18, 17),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 202, 17, 16),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 226, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 220, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 217, 14, 13),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 224, 13, 12),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 234, 12, 11),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 274, 5, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 267, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 260, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 244, 8, 7),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 262, 7, 6),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 272, 6, 5),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 283, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 281, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 280, 3, 2),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 282, 2, 1),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 288, 1, 0),
+BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
+};
+
+#define arm64_app_filter_size (sizeof(arm64_app_filter) / sizeof(struct sock_filter))
+
+static const struct sock_filter* primary_app_filter = arm64_app_filter;
+static const size_t primary_app_filter_size = arm64_app_filter_size;
+#define kFilterMaxSize (arm64_app_filter_size + 3 + 1 + 4 + 2)
+
+#elif GOARCH_arm
+#define PRIMARY_ARCH AUDIT_ARCH_ARM
+
+const struct sock_filter arm_app_filter[] = {
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 0, 0, 136),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 190, 67, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 85, 33, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 45, 17, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 26, 9, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 19, 5, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 10, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 8, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 7, 128, 127),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 9, 127, 126),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 13, 126, 125),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 24, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 21, 124, 123),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 25, 123, 122),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 36, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 33, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 27, 120, 119),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 34, 119, 118),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 41, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 40, 117, 116),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 44, 116, 115),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 63, 7, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 57, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 54, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 46, 112, 111),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 56, 111, 110),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 60, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 58, 109, 108),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 61, 108, 107),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 75, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 66, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 65, 105, 104),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 68, 104, 103),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 77, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 76, 102, 101),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 79, 101, 100),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 125, 17, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 114, 9, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 96, 5, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 94, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 91, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 86, 95, 94),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 93, 94, 93),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 95, 93, 92),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 104, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 98, 91, 90),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 106, 90, 89),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 118, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 116, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 115, 87, 86),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 117, 86, 85),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 122, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 121, 84, 83),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 123, 83, 82),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 150, 7, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 136, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 131, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 126, 79, 78),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 134, 78, 77),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 140, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 137, 76, 75),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 149, 75, 74),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 172, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 168, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 164, 72, 71),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 169, 71, 70),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 183, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 182, 69, 68),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 188, 68, 67),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 322, 33, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 256, 17, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 217, 9, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 207, 5, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 205, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 199, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 198, 61, 60),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 203, 60, 59),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 206, 59, 58),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 211, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 210, 57, 56),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 212, 56, 55),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 224, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 219, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 218, 53, 52),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 222, 52, 51),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 250, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 249, 50, 49),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 254, 49, 48),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 286, 7, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 270, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 263, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 262, 45, 44),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 269, 44, 43),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 280, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 271, 42, 41),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 285, 41, 40),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 292, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 290, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 289, 38, 37),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 291, 37, 36),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 316, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 298, 35, 34),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 319, 34, 33),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 387, 17, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 350, 9, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 345, 5, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 340, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 327, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 326, 28, 27),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 338, 27, 26),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 344, 26, 25),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 348, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 347, 24, 23),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 349, 23, 22),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 373, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 369, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 367, 20, 19),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 370, 19, 18),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 380, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 378, 17, 16),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 386, 16, 15),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 417, 7, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 397, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 389, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 388, 12, 11),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 394, 11, 10),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 403, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 398, 9, 8),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 415, 8, 7),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 983042, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 420, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 418, 5, 4),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 424, 4, 3),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 983045, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 983043, 2, 1),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 983046, 1, 0),
+BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
+};
+
+#define arm_app_filter_size (sizeof(arm_app_filter) / sizeof(struct sock_filter))
+
+static const struct sock_filter* primary_app_filter = arm_app_filter;
+static const size_t primary_app_filter_size = arm_app_filter_size;
+#define kFilterMaxSize (arm_app_filter_size + 3 + 1 + 4 + 2)
+
+#elif GOARCH_amd64
+#define PRIMARY_ARCH AUDIT_ARCH_X86_64
+
+const struct sock_filter x86_64_app_filter[] = {
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 0, 0, 100),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 157, 49, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 95, 25, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 44, 13, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 32, 7, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 8, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 5, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 4, 93, 92),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 6, 92, 91),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 24, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 21, 90, 89),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 29, 89, 88),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 38, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 35, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 33, 86, 85),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 37, 85, 84),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 43, 84, 83),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 89, 5, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 72, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 58, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 57, 80, 79),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 64, 79, 78),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 82, 78, 77),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 93, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 91, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 90, 75, 74),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 92, 74, 73),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 94, 73, 72),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 120, 11, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 112, 5, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 107, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 104, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 103, 68, 67),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 105, 67, 66),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 111, 66, 65),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 117, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 115, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 113, 63, 62),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 116, 62, 61),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 119, 61, 60),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 137, 5, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 135, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 124, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 122, 57, 56),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 132, 56, 55),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 136, 55, 54),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 155, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 140, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 139, 52, 51),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 153, 51, 50),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 156, 50, 49),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 254, 25, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 217, 13, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 186, 7, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 162, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 160, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 159, 44, 43),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 161, 43, 42),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 179, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 163, 41, 40),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 180, 40, 39),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 206, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 202, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 201, 37, 36),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 205, 36, 35),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 211, 35, 34),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 233, 5, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 228, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 221, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 220, 31, 30),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 227, 30, 29),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 232, 29, 28),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 251, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 247, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 235, 26, 25),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 248, 25, 24),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 253, 24, 23),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 285, 11, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 275, 5, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 262, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 257, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 256, 19, 18),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 261, 18, 17),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 274, 17, 16),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 283, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 280, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 279, 14, 13),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 282, 13, 12),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 284, 12, 11),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 314, 5, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 306, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 302, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 300, 8, 7),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 303, 7, 6),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 312, 6, 5),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 324, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 322, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 320, 3, 2),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 323, 2, 1),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 329, 1, 0),
+BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
+};
+
+#define x86_64_app_filter_size (sizeof(x86_64_app_filter) / sizeof(struct sock_filter))
+
+static const struct sock_filter* primary_app_filter = x86_64_app_filter;
+static const size_t primary_app_filter_size = x86_64_app_filter_size;
+#define kFilterMaxSize (x86_64_app_filter_size + 3 + 1 + 4 + 2)
+
+#elif GOARCH_386
+#define PRIMARY_ARCH AUDIT_ARCH_I386
+
+const struct sock_filter x86_app_filter[] = {
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 0, 0, 120),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 140, 59, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 75, 29, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 41, 15, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 24, 7, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 10, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 8, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 7, 113, 112),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 9, 112, 111),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 19, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 13, 110, 109),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 21, 109, 108),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 33, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 26, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 25, 106, 105),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 27, 105, 104),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 36, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 34, 103, 102),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 40, 102, 101),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 60, 7, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 54, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 45, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 44, 98, 97),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 46, 97, 96),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 57, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 56, 95, 94),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 58, 94, 93),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 66, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 63, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 61, 91, 90),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 65, 90, 89),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 68, 89, 88),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 114, 15, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 94, 7, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 85, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 77, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 76, 84, 83),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 79, 83, 82),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 90, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 86, 81, 80),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 93, 80, 79),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 102, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 96, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 95, 77, 76),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 98, 76, 75),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 104, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 103, 74, 73),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 106, 73, 72),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 125, 7, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 118, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 116, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 115, 69, 68),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 117, 68, 67),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 122, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 121, 66, 65),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 123, 65, 64),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 136, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 131, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 126, 62, 61),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 134, 61, 60),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 137, 60, 59),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 265, 29, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 207, 15, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 183, 7, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 168, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 150, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 149, 54, 53),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 164, 53, 52),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 172, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 169, 51, 50),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 182, 50, 49),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 199, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 190, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 188, 47, 46),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 198, 46, 45),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 205, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 203, 44, 43),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 206, 43, 42),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 245, 7, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 218, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 211, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 210, 39, 38),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 212, 38, 37),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 224, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 222, 36, 35),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 244, 35, 34),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 254, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 252, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 250, 32, 31),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 253, 31, 30),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 264, 30, 29),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 322, 15, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 295, 7, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 284, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 272, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 271, 25, 24),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 273, 24, 23),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 291, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 285, 22, 21),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 294, 21, 20),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 313, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 300, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 299, 18, 17),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 312, 17, 16),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 318, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 317, 15, 14),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 321, 14, 13),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 351, 7, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 344, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 340, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 337, 10, 9),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 341, 9, 8),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 346, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 345, 7, 6),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 349, 6, 5),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 375, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 358, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 357, 3, 2),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 359, 2, 1),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 380, 1, 0),
+BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
+};
+
+#define x86_app_filter_size (sizeof(x86_app_filter) / sizeof(struct sock_filter))
+
+static const struct sock_filter* primary_app_filter = x86_app_filter;
+static const size_t primary_app_filter_size = x86_app_filter_size;
+#define kFilterMaxSize (x86_app_filter_size + 3 + 1 + 4 + 2)
+
+#else
+#error No architecture was defined!
+#endif
+
+#define syscall_nr (offsetof(struct seccomp_data, nr))
+#define syscall_arg(_n) (offsetof(struct seccomp_data, args[_n]))
+#define arch_nr (offsetof(struct seccomp_data, arch))
+
+
+typedef struct Filter_t {
+ struct sock_filter data[kFilterMaxSize];
+ size_t count;
+} Filter;
+
+inline void push_back(Filter* filter_array, struct sock_filter filter)
+{
+ if (filter_array->count == kFilterMaxSize)
+ fail("Can't add another syscall to seccomp filter: count %zu.", filter_array->count);
+ filter_array->data[filter_array->count++] = filter;
+}
+
+inline void Disallow(Filter* f)
+{
+ struct sock_filter filter = BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRAP);
+ push_back(f, filter);
+}
+
+static void ExamineSyscall(Filter* f)
+{
+ struct sock_filter filter = BPF_STMT(BPF_LD | BPF_W | BPF_ABS, syscall_nr);
+ push_back(f, filter);
+}
+
+static void ValidateArchitecture(Filter* f)
+{
+ struct sock_filter filter1 = BPF_STMT(BPF_LD | BPF_W | BPF_ABS, arch_nr);
+ struct sock_filter filter2 = BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, PRIMARY_ARCH, 1, 0);
+ push_back(f, filter1);
+ push_back(f, filter2);
+ Disallow(f);
+}
+static void install_filter(const Filter* f)
+{
+ struct sock_fprog prog = {
+ (unsigned short)f->count,
+ (struct sock_filter*)&f->data[0],
+ };
+ if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) < 0) {
+ fail("Could not set seccomp filter of size %zu", f->count);
+ }
+}
+void set_app_seccomp_filter()
+{
+ const struct sock_filter *p;
+ size_t p_size;
+ Filter f;
+ f.count = 0;
+
+ p = primary_app_filter;
+ p_size = primary_app_filter_size;
+
+ ValidateArchitecture(&f);
+
+ ExamineSyscall(&f);
+
+ for (size_t i = 0; i < p_size; ++i) {
+ push_back(&f, p[i]);
+ }
+ Disallow(&f);
+ install_filter(&f);
+}
+
+#endif
#include <fcntl.h>
#include <grp.h>
#include <sys/xattr.h>
@@ -5957,6 +6502,20 @@ static int do_sandbox_android(void)
{
setup_common();
sandbox_common();
+ drop_caps();
+
+#if SYZ_EXECUTOR || SYZ_NET_DEVICES
+ initialize_netdevices_init();
+#endif
+#if SYZ_EXECUTOR || SYZ_DEVLINK_PCI
+ initialize_devlink_pci();
+#endif
+#if SYZ_EXECUTOR || SYZ_NET_INJECTION
+ initialize_tun();
+#endif
+#if SYZ_EXECUTOR || SYZ_NET_DEVICES
+ initialize_netdevices();
+#endif
if (chown(".", UNTRUSTED_APP_UID, UNTRUSTED_APP_UID) != 0)
fail("chmod failed");
@@ -5967,20 +6526,16 @@ static int do_sandbox_android(void)
if (setresgid(UNTRUSTED_APP_GID, UNTRUSTED_APP_GID, UNTRUSTED_APP_GID) != 0)
fail("setresgid failed");
+#if GOARCH_arm || GOARCH_arm64 || GOARCH_386 || GOARCH_amd64
+ set_app_seccomp_filter();
+#endif
+
if (setresuid(UNTRUSTED_APP_UID, UNTRUSTED_APP_UID, UNTRUSTED_APP_UID) != 0)
fail("setresuid failed");
syz_setfilecon(".", SELINUX_LABEL_APP_DATA_FILE);
syz_setcon(SELINUX_CONTEXT_UNTRUSTED_APP);
-#if SYZ_EXECUTOR || SYZ_NET_INJECTION
- initialize_tun();
-#endif
-#if SYZ_EXECUTOR || SYZ_NET_DEVICES
- initialize_netdevices_init();
- initialize_netdevices();
-#endif
-
loop();
doexit(1);
}
@@ -6000,9 +6555,13 @@ static void remove_dir(const char* dir)
struct dirent* ep;
int iter = 0;
retry:
- while (umount2(dir, MNT_DETACH) == 0) {
- debug("umount(%s)\n", dir);
+#if not SYZ_SANDBOX_ANDROID
+ if (!flag_sandbox_android) {
+ while (umount2(dir, MNT_DETACH) == 0) {
+ debug("umount(%s)\n", dir);
+ }
}
+#endif
dp = opendir(dir);
if (dp == NULL) {
if (errno == EMFILE) {
@@ -6015,9 +6574,13 @@ retry:
continue;
char filename[FILENAME_MAX];
snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
- while (umount2(filename, MNT_DETACH) == 0) {
- debug("umount(%s)\n", filename);
+#if not SYZ_SANDBOX_ANDROID
+ if (!flag_sandbox_android) {
+ while (umount2(filename, MNT_DETACH) == 0) {
+ debug("umount(%s)\n", filename);
+ }
}
+#endif
struct stat st;
if (lstat(filename, &st))
exitf("lstat(%s) failed", filename);
@@ -6046,9 +6609,13 @@ retry:
}
if (errno != EBUSY || i > 100)
exitf("unlink(%s) failed", filename);
- debug("umount(%s)\n", filename);
- if (umount2(filename, MNT_DETACH))
- exitf("umount(%s) failed", filename);
+#if not SYZ_SANDBOX_ANDROID
+ if (!flag_sandbox_android) {
+ debug("umount(%s)\n", filename);
+ if (umount2(filename, MNT_DETACH))
+ exitf("umount(%s) failed", filename);
+ }
+#endif
}
}
closedir(dp);
@@ -6073,9 +6640,13 @@ retry:
break;
}
if (errno == EBUSY) {
- debug("umount(%s)\n", dir);
- if (umount2(dir, MNT_DETACH))
- exitf("umount(%s) failed", dir);
+#if not SYZ_SANDBOX_ANDROID
+ if (!flag_sandbox_android) {
+ debug("umount(%s)\n", dir);
+ if (umount2(dir, MNT_DETACH))
+ exitf("umount(%s) failed", dir);
+ }
+#endif
continue;
}
if (errno == ENOTEMPTY) {
generated by ggit (джигит) mrf-deployment (git 2.46.0) at 2026-03-11 22:55:43 +0000