Quoting Paul Moore ([email protected]):
> On Friday, June 20, 2014 06:40:23 PM Serge Hallyn wrote:
> > Quoting Paul Moore ([email protected]):
> > > ... The example below adds both a x86 and a x86_64 specific rule as well
> > > as common rule ...
> > > 
> > > =======================================================
> > > #include <stdio.h>
> > > #include <seccomp.h>
> > > #include <unistd.h>
> > > #include <sys/personality.h>
> > > 
> > > int main()
> > > {
> > >   int ret;
> > > 
> > >   scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_ALLOW);
> > >   scmp_filter_ctx ctx32 = seccomp_init(SCMP_ACT_ALLOW);
> > > 
> > >   seccomp_attr_set(ctx, SCMP_FLTATR_CTL_NNP, 0);
> > >   seccomp_attr_set(ctx32, SCMP_FLTATR_CTL_NNP, 0);
> > > 
> > >   /* setup x86 filter */
> > >   ret = seccomp_arch_add(ctx32, SCMP_ARCH_X86);
> > >   printf("archadd: ret is %d\n", ret);
> > > 
> > >   ret = seccomp_arch_remove(ctx32, SCMP_ARCH_NATIVE);
> > >   printf("archrm: ret is %d\n", ret);
> > > 
> > >   /* x86-only rules */
> > >   ret = seccomp_rule_add(ctx32, SCMP_ACT_ERRNO(1), __NR_foo, 0);
> > >   printf("ruleadd: ret is %d\n", ret);
> > > 
> > >   /* x86_64-only rules */
> > >   ret = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(1), __NR_bar, 0);
> > >   printf("ruleadd: ret is %d\n", ret);
> > > 
> > >   /* common rules */
> > >   ret = seccomp_merge(ctx, ctx32);
> > >   printf("merge: ret is %d\n", ret);
> > > 
> > >   ret = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(1), __NR_delete_module, 0);
> > 
> > Could you also have added this rule separately to each context
> > before merging them?
> 
> Yes, it's just more work on your part.
> 
> > >   printf("ruleadd: ret is %d\n", ret);
> > >   
> > >   ret = seccomp_load(ctx);
> > >   printf("ret for load %d\n", ret);
> > >   
> > >   personality(PER_LINUX32);
> > >   execl("/bin/bash", "/bin/bash", NULL);
> > > 
> > > }
> > > =======================================================
> > 
> > Ok, so now we're getting close to my original code again - keeping
> > in mind that I am processing a policy configuration file, I can't
> > actually use __NR_foo, I need to resolve the symbol names.  I'm
> > doing it using seccomp_syscall_resolve_name_arch.  Do you expect
> > that to work as well?
> > 
> > Can you explain where I go wrong with my original code?  (re-pasted
> > below)
> 
> You can use seccomp_syscall_resolve_name_arch(), but since you are using it 
> inside a call to seccomp_rule_add() you should use the native architecture 
> token and not force the x86 architecture.  Remember that seccomp_rule_add() 
> expects syscall numbers with respect to the native ABI, regardless of what 
> ABIs may be configured for the filter.  This is very important, and the main 
> reason why your original code was not working as expected.

I see - thanks, that went completely over my head before.

> Alternatively, instead of seccomp_syscall_resolve_name_arch() you could use 
> seccomp_syscall_resolve_name() to save yourself some typing.

Yup I'll switch to that, thanks!

-serge

_______________________________________________
libseccomp-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/libseccomp-discuss
