| author | mspectorgoogle <mspector@google.com> | 2020-03-11 03:21:36 -0700 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2020-03-11 11:21:36 +0100 |
| commit | e103bc9e1bb4453045c4795f9a10a671e72b1aba (patch) | |
| tree | 868db5bf000ed6e50ae36970f92abd4a6aebbd2e /pkg | |
| parent | 35f53e457420e79fa28e3260cdbbf9f37b9f97e4 (diff) | |
executor: add seccomp support for Android
This adds support for the seccomp filters that are part of Android into
the sandbox. A process running as untrusted_app in Android has a
restricted set of syscalls that it is allowed to run. This is
accomplished by setting seccomp filters in the zygote process prior to
forking into the application process. The seccomp filter list comes
directly from the Android source; it cannot be dynamically loaded from
an Android phone because libseccomp_policy.so does not exist as a
library on the system partition.
Diffstat (limited to 'pkg')
| -rw-r--r-- | pkg/csource/gen.go | 36 | ||||
| -rw-r--r-- | pkg/csource/generated.go | 609 |
2 files changed, 615 insertions, 30 deletions
diff --git a/pkg/csource/gen.go b/pkg/csource/gen.go
index 3a857ed93..773676e95 100644
--- a/pkg/csource/gen.go
+++ b/pkg/csource/gen.go
@@ -23,7 +23,7 @@ func main() {
 if err != nil {
 failf("%v", err)
 }
- for _, include := range []string{
+ executorFilenames := []string{
 "common_linux.h",
 "common_akaros.h",
 "common_bsd.h",
@@ -33,19 +33,18 @@ func main() {
 "common_kvm_amd64.h",
 "common_kvm_arm64.h",
 "common_usb.h",
+ "android/android_seccomp.h",
 "kvm.h",
 "kvm.S.h",
- } {
- contents, err := ioutil.ReadFile("../../executor/" + include)
- if err != nil {
- failf("%v", err)
- }
- replace := []byte("#include \"" + include + "\"")
- if bytes.Index(data, replace) == -1 {
- failf("can't fine %v include", include)
- }
- data = bytes.Replace(data, replace, contents, -1)
 }
+ data = replaceIncludes(executorFilenames, "../../executor/", data)
+ androidFilenames := []string{
+ "arm64_app_policy.h",
+ "arm_app_policy.h",
+ "x86_64_app_policy.h",
+ "x86_app_policy.h",
+ }
+ data = replaceIncludes(androidFilenames, "../../executor/android/", data)
 for _, remove := range []string{
 "(\n|^)\\s*//.*",
 "\\s*//.*",
@@ -62,3 +61,18 @@ func failf(msg string, args ...interface{}) {
 fmt.Fprintf(os.Stderr, msg+"\n", args...)
 os.Exit(1)
 }
+
+func replaceIncludes(filenames []string, location string, data []byte) []byte {
+ for _, include := range filenames {
+ contents, err := ioutil.ReadFile(location + include)
+ if err != nil {
+ failf("%v", err)
+ }
+ replace := []byte("#include \"" + include + "\"")
+ if bytes.Index(data, replace) == -1 {
+ failf("can't find %v include", include)
+ }
+ data = bytes.Replace(data, replace, contents, -1)
+ }
+ return data
+}
diff --git a/pkg/csource/generated.go b/pkg/csource/generated.go
index ea018b420..e7c2967e2 100644
--- a/pkg/csource/generated.go
+++ b/pkg/csource/generated.go
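Review bot: In pkg/csource/gen.go, the second `replaceIncludes` call in `main` depends on the first one having already inlined `android/android_seccomp.h`, which is presumably where the `#include "arm64_app_policy.h"` style directives come from, and nothing in the code records that ordering. Swapping or merging the two calls would make the generator exit with "can't find ... include", so I would add a comment above the second call such as `// Must run after executorFilenames: the *_app_policy.h headers are included from android/android_seccomp.h.`. `replaceIncludes` also has no doc comment; it should say that it substitutes each `#include "<name>"` in `data` with the contents of `location + name` and exits through `failf` when the file cannot be read or the directive is absent. As a style point, `bytes.Index(data, replace) == -1` reads more directly as `!bytes.Contains(data, replace)`. Because these policy headers become the seccomp allow-list baked into the generated sandbox code, a brief comment next to `androidFilenames` recording where the headers were copied from would help anyone auditing the filter later.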
@@ -5669,7 +5669,7 @@ int wait_for_loop(int pid) } #endif -#if SYZ_EXECUTOR || SYZ_SANDBOX_NONE || SYZ_SANDBOX_NAMESPACE +#if SYZ_EXECUTOR || SYZ_SANDBOX_NONE || SYZ_SANDBOX_NAMESPACE || SYZ_SANDBOX_ANDROID #include <linux/capability.h> static void drop_caps(void) 
@@ -5875,6 +5875,551 @@ static int do_sandbox_namespace(void) #endif #if SYZ_EXECUTOR || SYZ_SANDBOX_ANDROID +#if GOARCH_arm || GOARCH_arm64 || GOARCH_386 || GOARCH_amd64 +#include <assert.h> +#include <errno.h> +#include <linux/audit.h> +#include <linux/filter.h> +#include <linux/seccomp.h> +#include <stddef.h> +#include <stdlib.h> +#include <sys/prctl.h> +#include <sys/syscall.h> +#if GOARCH_arm64 +#define PRIMARY_ARCH AUDIT_ARCH_AARCH64 + +const struct sock_filter arm64_app_filter[] = { +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 0, 0, 54), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 160, 27, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 101, 13, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 52, 7, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 41, 3, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 19, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 18, 48, 47), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 39, 47, 46), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 43, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 42, 45, 44), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 51, 44, 43), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 90, 3, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 59, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 58, 41, 40), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 89, 40, 39), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 100, 39, 38), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 147, 7, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 113, 3, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 107, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 104, 35, 34), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 112, 34, 33), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 117, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 116, 32, 31), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 142, 31, 30), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 153, 3, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 150, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 149, 28, 27), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 151, 27, 26), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 159, 26, 25), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 240, 13, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 203, 7, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 172, 3, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 163, 1, 0), 
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 161, 21, 20), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 170, 20, 19), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 198, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 180, 18, 17), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 202, 17, 16), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 226, 3, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 220, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 217, 14, 13), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 224, 13, 12), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 234, 12, 11), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 274, 5, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 267, 3, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 260, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 244, 8, 7), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 262, 7, 6), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 272, 6, 5), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 283, 3, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 281, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 280, 3, 2), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 282, 2, 1), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 288, 1, 0), +BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW), +}; + +#define arm64_app_filter_size (sizeof(arm64_app_filter) / sizeof(struct sock_filter)) + +static const struct sock_filter* primary_app_filter = arm64_app_filter; +static const size_t primary_app_filter_size = arm64_app_filter_size; +#define kFilterMaxSize (arm64_app_filter_size + 3 + 1 + 4 + 2) + +#elif GOARCH_arm +#define PRIMARY_ARCH AUDIT_ARCH_ARM + +const struct sock_filter arm_app_filter[] = { +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 0, 0, 136), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 190, 67, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 85, 33, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 45, 17, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 26, 9, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 19, 5, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 10, 3, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 8, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 7, 128, 127), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 9, 127, 126), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 13, 126, 125), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 24, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 21, 124, 
123), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 25, 123, 122), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 36, 3, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 33, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 27, 120, 119), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 34, 119, 118), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 41, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 40, 117, 116), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 44, 116, 115), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 63, 7, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 57, 3, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 54, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 46, 112, 111), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 56, 111, 110), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 60, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 58, 109, 108), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 61, 108, 107), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 75, 3, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 66, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 65, 105, 104), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 68, 104, 103), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 77, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 76, 102, 101), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 79, 101, 100), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 125, 17, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 114, 9, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 96, 5, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 94, 3, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 91, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 86, 95, 94), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 93, 94, 93), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 95, 93, 92), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 104, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 98, 91, 90), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 106, 90, 89), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 118, 3, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 116, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 115, 87, 86), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 117, 86, 85), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 122, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 121, 84, 83), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 123, 83, 82), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 150, 7, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 136, 3, 0), 
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 131, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 126, 79, 78), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 134, 78, 77), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 140, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 137, 76, 75), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 149, 75, 74), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 172, 3, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 168, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 164, 72, 71), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 169, 71, 70), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 183, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 182, 69, 68), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 188, 68, 67), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 322, 33, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 256, 17, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 217, 9, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 207, 5, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 205, 3, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 199, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 198, 61, 60), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 203, 60, 59), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 206, 59, 58), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 211, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 210, 57, 56), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 212, 56, 55), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 224, 3, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 219, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 218, 53, 52), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 222, 52, 51), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 250, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 249, 50, 49), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 254, 49, 48), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 286, 7, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 270, 3, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 263, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 262, 45, 44), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 269, 44, 43), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 280, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 271, 42, 41), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 285, 41, 40), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 292, 3, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 290, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 289, 38, 37), 
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 291, 37, 36), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 316, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 298, 35, 34), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 319, 34, 33), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 387, 17, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 350, 9, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 345, 5, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 340, 3, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 327, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 326, 28, 27), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 338, 27, 26), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 344, 26, 25), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 348, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 347, 24, 23), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 349, 23, 22), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 373, 3, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 369, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 367, 20, 19), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 370, 19, 18), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 380, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 378, 17, 16), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 386, 16, 15), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 417, 7, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 397, 3, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 389, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 388, 12, 11), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 394, 11, 10), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 403, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 398, 9, 8), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 415, 8, 7), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 983042, 3, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 420, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 418, 5, 4), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 424, 4, 3), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 983045, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 983043, 2, 1), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 983046, 1, 0), +BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW), +}; + +#define arm_app_filter_size (sizeof(arm_app_filter) / sizeof(struct sock_filter)) + +static const struct sock_filter* primary_app_filter = arm_app_filter; +static const size_t primary_app_filter_size = arm_app_filter_size; +#define 
kFilterMaxSize (arm_app_filter_size + 3 + 1 + 4 + 2) + +#elif GOARCH_amd64 +#define PRIMARY_ARCH AUDIT_ARCH_X86_64 + +const struct sock_filter x86_64_app_filter[] = { +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 0, 0, 100), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 157, 49, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 95, 25, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 44, 13, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 32, 7, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 8, 3, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 5, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 4, 93, 92), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 6, 92, 91), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 24, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 21, 90, 89), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 29, 89, 88), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 38, 3, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 35, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 33, 86, 85), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 37, 85, 84), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 43, 84, 83), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 89, 5, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 72, 3, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 58, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 57, 80, 79), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 64, 79, 78), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 82, 78, 77), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 93, 3, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 91, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 90, 75, 74), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 92, 74, 73), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 94, 73, 72), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 120, 11, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 112, 5, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 107, 3, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 104, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 103, 68, 67), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 105, 67, 66), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 111, 66, 65), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 117, 3, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 115, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 113, 63, 62), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 116, 62, 61), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 119, 61, 60), 
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 137, 5, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 135, 3, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 124, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 122, 57, 56), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 132, 56, 55), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 136, 55, 54), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 155, 3, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 140, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 139, 52, 51), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 153, 51, 50), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 156, 50, 49), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 254, 25, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 217, 13, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 186, 7, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 162, 3, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 160, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 159, 44, 43), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 161, 43, 42), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 179, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 163, 41, 40), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 180, 40, 39), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 206, 3, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 202, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 201, 37, 36), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 205, 36, 35), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 211, 35, 34), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 233, 5, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 228, 3, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 221, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 220, 31, 30), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 227, 30, 29), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 232, 29, 28), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 251, 3, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 247, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 235, 26, 25), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 248, 25, 24), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 253, 24, 23), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 285, 11, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 275, 5, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 262, 3, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 257, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 256, 19, 18), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 261, 18, 17), 
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 274, 17, 16), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 283, 3, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 280, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 279, 14, 13), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 282, 13, 12), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 284, 12, 11), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 314, 5, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 306, 3, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 302, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 300, 8, 7), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 303, 7, 6), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 312, 6, 5), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 324, 3, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 322, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 320, 3, 2), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 323, 2, 1), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 329, 1, 0), +BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW), +}; + +#define x86_64_app_filter_size (sizeof(x86_64_app_filter) / sizeof(struct sock_filter)) + +static const struct sock_filter* primary_app_filter = x86_64_app_filter; +static const size_t primary_app_filter_size = x86_64_app_filter_size; +#define kFilterMaxSize (x86_64_app_filter_size + 3 + 1 + 4 + 2) + +#elif GOARCH_386 +#define PRIMARY_ARCH AUDIT_ARCH_I386 + +const struct sock_filter x86_app_filter[] = { +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 0, 0, 120), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 140, 59, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 75, 29, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 41, 15, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 24, 7, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 10, 3, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 8, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 7, 113, 112), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 9, 112, 111), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 19, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 13, 110, 109), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 21, 109, 108), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 33, 3, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 26, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 25, 106, 105), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 27, 105, 104), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 36, 
1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 34, 103, 102), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 40, 102, 101), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 60, 7, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 54, 3, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 45, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 44, 98, 97), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 46, 97, 96), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 57, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 56, 95, 94), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 58, 94, 93), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 66, 3, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 63, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 61, 91, 90), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 65, 90, 89), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 68, 89, 88), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 114, 15, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 94, 7, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 85, 3, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 77, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 76, 84, 83), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 79, 83, 82), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 90, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 86, 81, 80), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 93, 80, 79), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 102, 3, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 96, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 95, 77, 76), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 98, 76, 75), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 104, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 103, 74, 73), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 106, 73, 72), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 125, 7, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 118, 3, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 116, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 115, 69, 68), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 117, 68, 67), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 122, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 121, 66, 65), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 123, 65, 64), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 136, 3, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 131, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 126, 62, 61), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 134, 61, 60), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 
137, 60, 59), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 265, 29, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 207, 15, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 183, 7, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 168, 3, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 150, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 149, 54, 53), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 164, 53, 52), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 172, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 169, 51, 50), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 182, 50, 49), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 199, 3, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 190, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 188, 47, 46), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 198, 46, 45), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 205, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 203, 44, 43), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 206, 43, 42), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 245, 7, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 218, 3, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 211, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 210, 39, 38), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 212, 38, 37), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 224, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 222, 36, 35), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 244, 35, 34), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 254, 3, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 252, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 250, 32, 31), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 253, 31, 30), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 264, 30, 29), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 322, 15, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 295, 7, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 284, 3, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 272, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 271, 25, 24), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 273, 24, 23), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 291, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 285, 22, 21), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 294, 21, 20), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 313, 3, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 300, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 299, 18, 17), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 312, 17, 16), 
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 318, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 317, 15, 14), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 321, 14, 13), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 351, 7, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 344, 3, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 340, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 337, 10, 9), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 341, 9, 8), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 346, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 345, 7, 6), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 349, 6, 5), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 375, 3, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 358, 1, 0), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 357, 3, 2), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 359, 2, 1), +BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 380, 1, 0), +BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW), +}; + +#define x86_app_filter_size (sizeof(x86_app_filter) / sizeof(struct sock_filter)) + +static const struct sock_filter* primary_app_filter = x86_app_filter; +static const size_t primary_app_filter_size = x86_app_filter_size; +#define kFilterMaxSize (x86_app_filter_size + 3 + 1 + 4 + 2) + +#else +#error No architecture was defined! 
+#endif + +#define syscall_nr (offsetof(struct seccomp_data, nr)) +#define syscall_arg(_n) (offsetof(struct seccomp_data, args[_n])) +#define arch_nr (offsetof(struct seccomp_data, arch)) + + +typedef struct Filter_t { + struct sock_filter data[kFilterMaxSize]; + size_t count; +} Filter; + +inline void push_back(Filter* filter_array, struct sock_filter filter) +{ + if (filter_array->count == kFilterMaxSize) + fail("Can't add another syscall to seccomp filter: count %zu.", filter_array->count); + filter_array->data[filter_array->count++] = filter; +} + +inline void Disallow(Filter* f) +{ + struct sock_filter filter = BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRAP); + push_back(f, filter); +} + +static void ExamineSyscall(Filter* f) +{ + struct sock_filter filter = BPF_STMT(BPF_LD | BPF_W | BPF_ABS, syscall_nr); + push_back(f, filter); +} + +static void ValidateArchitecture(Filter* f) +{ + struct sock_filter filter1 = BPF_STMT(BPF_LD | BPF_W | BPF_ABS, arch_nr); + struct sock_filter filter2 = BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, PRIMARY_ARCH, 1, 0); + push_back(f, filter1); + push_back(f, filter2); + Disallow(f); +} +static void install_filter(const Filter* f) +{ + struct sock_fprog prog = { + (unsigned short)f->count, + (struct sock_filter*)&f->data[0], + }; + if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) < 0) { + fail("Could not set seccomp filter of size %zu", f->count); + } +} +void set_app_seccomp_filter() +{ + const struct sock_filter *p; + size_t p_size; + Filter f; + f.count = 0; + + p = primary_app_filter; + p_size = primary_app_filter_size; + + ValidateArchitecture(&f); + + ExamineSyscall(&f); + + for (size_t i = 0; i < p_size; ++i) { + push_back(&f, p[i]); + } + Disallow(&f); + install_filter(&f); +} + +#endif #include <fcntl.h> #include <grp.h> #include <sys/xattr.h> 
@@ -5957,6 +6502,20 @@ static int do_sandbox_android(void) { setup_common(); sandbox_common(); + drop_caps(); + +#if SYZ_EXECUTOR || SYZ_NET_DEVICES + initialize_netdevices_init(); +#endif +#if SYZ_EXECUTOR || SYZ_DEVLINK_PCI + initialize_devlink_pci(); +#endif +#if SYZ_EXECUTOR || SYZ_NET_INJECTION + initialize_tun(); +#endif +#if SYZ_EXECUTOR || SYZ_NET_DEVICES + initialize_netdevices(); +#endif if (chown(".", UNTRUSTED_APP_UID, UNTRUSTED_APP_UID) != 0) fail("chmod failed"); @@ -5967,20 +6526,16 @@ static int do_sandbox_android(void) if (setresgid(UNTRUSTED_APP_GID, UNTRUSTED_APP_GID, UNTRUSTED_APP_GID) != 0) fail("setresgid failed"); +#if GOARCH_arm || GOARCH_arm64 || GOARCH_386 || GOARCH_amd64 + set_app_seccomp_filter(); +#endif + if (setresuid(UNTRUSTED_APP_UID, UNTRUSTED_APP_UID, UNTRUSTED_APP_UID) != 0) fail("setresuid failed"); syz_setfilecon(".", SELINUX_LABEL_APP_DATA_FILE); syz_setcon(SELINUX_CONTEXT_UNTRUSTED_APP); -#if SYZ_EXECUTOR || SYZ_NET_INJECTION - initialize_tun(); -#endif -#if SYZ_EXECUTOR || SYZ_NET_DEVICES - initialize_netdevices_init(); - initialize_netdevices(); -#endif - loop(); doexit(1); } @@ -6000,9 +6555,13 @@ static void remove_dir(const char* dir) struct dirent* ep; int iter = 0; retry: - while (umount2(dir, MNT_DETACH) == 0) { - debug("umount(%s)\n", dir); +#if not SYZ_SANDBOX_ANDROID + if (!flag_sandbox_android) { + while (umount2(dir, MNT_DETACH) == 0) { + debug("umount(%s)\n", dir); + } } +#endif dp = opendir(dir); if (dp == NULL) { if (errno == EMFILE) { @@ -6015,9 +6574,13 @@ retry: continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); - while (umount2(filename, MNT_DETACH) == 0) { - debug("umount(%s)\n", filename); +#if not SYZ_SANDBOX_ANDROID + if (!flag_sandbox_android) { + while (umount2(filename, MNT_DETACH) == 0) { + debug("umount(%s)\n", filename); + } } +#endif struct stat st; if (lstat(filename, &st)) exitf("lstat(%s) failed", filename); 
@@ -6046,9 +6609,13 @@ retry: } if (errno != EBUSY || i > 100) exitf("unlink(%s) failed", filename); - debug("umount(%s)\n", filename); - if (umount2(filename, MNT_DETACH)) - exitf("umount(%s) failed", filename); +#if not SYZ_SANDBOX_ANDROID + if (!flag_sandbox_android) { + debug("umount(%s)\n", filename); + if (umount2(filename, MNT_DETACH)) + exitf("umount(%s) failed", filename); + } +#endif } } closedir(dp); @@ -6073,9 +6640,13 @@ retry: break; } if (errno == EBUSY) { - debug("umount(%s)\n", dir); - if (umount2(dir, MNT_DETACH)) - exitf("umount(%s) failed", dir); +#if not SYZ_SANDBOX_ANDROID + if (!flag_sandbox_android) { + debug("umount(%s)\n", dir); + if (umount2(dir, MNT_DETACH)) + exitf("umount(%s) failed", dir); + } +#endif continue; } if (errno == ENOTEMPTY) { |
