1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
|
// Copyright 2022 syzkaller project authors. All rights reserved.
// Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
// File autogenerated by genseccomp.py from Android U - edit at your peril!!
const struct sock_filter x86_system_filter[] = {
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 0, 0, 134),
BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 240, 132, 0), // futex
BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 54, 131, 0), // ioctl
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 183, 65, 0),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 88, 33, 0),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 51, 17, 0),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 36, 9, 0),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 19, 5, 0),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 11, 3, 0),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 3, 1, 0),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 2, 124, 123), // restart_syscall|exit
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 7, 123, 122), // read|write|open|close
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 13, 122, 121), // execve|chdir
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 26, 1, 0),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 22, 120, 119), // lseek|getpid|mount
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 27, 119, 118), // ptrace
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 43, 3, 0),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 41, 1, 0),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 38, 116, 115), // sync|kill
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 42, 115, 114), // dup
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 45, 1, 0),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 44, 113, 112), // times
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 46, 112, 111), // brk
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 66, 7, 0),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 60, 3, 0),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 57, 1, 0),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 53, 108, 107), // acct|umount2
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 58, 107, 106), // setpgid
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 64, 1, 0),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 62, 105, 104), // umask|chroot
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 65, 104, 103), // getppid
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 77, 3, 0),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 74, 1, 0),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 68, 101, 100), // setsid|sigaction
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 76, 100, 99), // sethostname|setrlimit
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 85, 1, 0),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 80, 98, 97), // getrusage|gettimeofday|settimeofday
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 86, 97, 96), // readlink
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 124, 15, 0),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 102, 7, 0),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 94, 3, 0),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 91, 1, 0),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 89, 92, 91), // reboot
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 93, 91, 90), // munmap|truncate
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 96, 1, 0),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 95, 89, 88), // fchmod
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 98, 88, 87), // getpriority|setpriority
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 116, 3, 0),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 114, 1, 0),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 107, 85, 84), // socketcall|syslog|setitimer|getitimer|stat
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 115, 84, 83), // wait4
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 118, 1, 0),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 117, 82, 81), // sysinfo
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 123, 81, 80), // fsync|sigreturn|clone|setdomainname|uname
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 140, 7, 0),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 131, 3, 0),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 128, 1, 0),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 126, 77, 76), // adjtimex|mprotect
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 130, 76, 75), // init_module|delete_module
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 136, 1, 0),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 134, 74, 73), // quotactl|getpgid|fchdir
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 137, 73, 72), // personality
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 150, 3, 0),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 143, 1, 0),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 141, 70, 69), //_llseek
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 149, 69, 68), // flock|msync|readv|writev|getsid|fdatasync
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 172, 1, 0),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 164, 67, 66), // mlock|munlock|mlockall|munlockall|sched_setparam|sched_getparam|sched_setscheduler|sched_getscheduler|sched_yield|sched_get_priority_max|sched_get_priority_min|sched_rr_get_interval|nanosleep|mremap
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 182, 66, 65), // prctl|rt_sigreturn|rt_sigaction|rt_sigprocmask|rt_sigpending|rt_sigtimedwait|rt_sigqueueinfo|rt_sigsuspend|pread64|pwrite64
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 303, 33, 0),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 252, 17, 0),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 218, 9, 0),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 199, 5, 0),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 197, 3, 0),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 190, 1, 0),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 188, 59, 58), // getcwd|capget|capset|sigaltstack|sendfile
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 196, 58, 57), // vfork|ugetrlimit|mmap2|truncate64|ftruncate64|stat64
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 198, 57, 56), // fstat64
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 213, 1, 0),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 212, 55, 54), // getuid32|getgid32|geteuid32|getegid32|setreuid32|setregid32|getgroups32|setgroups32|fchown32|setresuid32|getresuid32|setresgid32|getresgid32
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 217, 54, 53), // setuid32|setgid32|setfsuid32|setfsgid32
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 241, 3, 0),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 224, 1, 0),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 222, 51, 50), // mincore|madvise|getdents64|fcntl64
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 240, 50, 49), // gettid|readahead|setxattr|lsetxattr|fsetxattr|getxattr|lgetxattr|fgetxattr|listxattr|llistxattr|flistxattr|removexattr|lremovexattr|fremovexattr|tkill|sendfile64
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 245, 1, 0),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 244, 48, 47), // sched_setaffinity|sched_getaffinity|set_thread_area
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 250, 47, 46), // io_setup|io_destroy|io_getevents|io_submit|io_cancel
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 284, 7, 0),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 258, 3, 0),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 255, 1, 0),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 253, 43, 42), // exit_group
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 256, 42, 41), // epoll_ctl
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 272, 1, 0),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 271, 40, 39), // set_tid_address|timer_create|timer_settime|timer_gettime|timer_getoverrun|timer_delete|clock_settime|clock_gettime|clock_getres|clock_nanosleep|statfs64|fstatfs64|tgkill
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 273, 39, 38), // fadvise64_64
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 295, 3, 0),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 292, 1, 0),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 285, 36, 35), // waitid
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 294, 35, 34), // inotify_add_watch|inotify_rm_watch
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 300, 1, 0),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 299, 33, 32), // openat|mkdirat|mknodat|fchownat
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 302, 32, 31), // fstatat64|unlinkat
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 374, 15, 0),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 340, 7, 0),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 322, 3, 0),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 318, 1, 0),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 317, 27, 26), // linkat|symlinkat|readlinkat|fchmodat|faccessat|pselect6|ppoll|unshare|set_robust_list|get_robust_list|splice|sync_file_range|tee|vmsplice
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 321, 26, 25), // getcpu|epoll_pwait|utimensat
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 324, 1, 0),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 323, 24, 23), // timerfd_create
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 337, 23, 22), // fallocate|timerfd_settime|timerfd_gettime|signalfd4|eventfd2|epoll_create1|dup3|pipe2|inotify_init1|preadv|pwritev|rt_tgsigqueueinfo|perf_event_open
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 346, 3, 0),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 343, 1, 0),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 341, 20, 19), // prlimit64
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 345, 19, 18), // clock_adjtime|syncfs
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 351, 1, 0),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 349, 17, 16), // setns|process_vm_readv|process_vm_writev
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 359, 16, 15), // sched_setattr|sched_getattr|renameat2|seccomp|getrandom|memfd_create|bpf|execveat
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 421, 7, 0),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 403, 3, 0),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 383, 1, 0),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 380, 12, 11), // userfaultfd|membarrier|mlock2|copy_file_range|preadv2|pwritev2
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 384, 11, 10), // statx
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 417, 1, 0),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 415, 9, 8), // clock_gettime64|clock_settime64|clock_adjtime64|clock_getres_time64|clock_nanosleep_time64|timer_gettime64|timer_settime64|timerfd_gettime64|timerfd_settime64|utimensat_time64|pselect6_time64|ppoll_time64
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 418, 8, 7), // recvmmsg_time64
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 438, 3, 0),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 434, 1, 0),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 425, 5, 4), // rt_sigtimedwait_time64|futex_time64|sched_rr_get_interval_time64|pidfd_send_signal
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 437, 4, 3), // pidfd_open|clone3|close_range
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 440, 1, 0),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 439, 2, 1), // pidfd_getfd
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 441, 1, 0), // process_madvise
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};
#define x86_system_filter_size (sizeof(x86_system_filter) / sizeof(struct sock_filter))
|
