From 0b0dda0de16af32ca07b29a9c4248ab1837952de Mon Sep 17 00:00:00 2001
From: Albert S
Date: Wed, 22 Dec 2021 10:17:48 +0100
Subject: [PATCH] pledge: Begin filter for setsockopt() args

---
 exile.h | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/exile.h b/exile.h
index 868798e..faac529 100644
--- a/exile.h
+++ b/exile.h
@@ -666,6 +666,12 @@ static int get_pledge_argfilter(long syscall, uint64_t pledge_promises, struct s
 EXILE_BPF_NOP
 };
 
+ struct sock_filter setsockopt_filter[] = {
+ BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, args[2]))),
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SO_DEBUG, EXILE_SYSCALL_EXIT_BPF_NO_MATCH, 0),
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SO_SNDBUFFORCE, EXILE_SYSCALL_EXIT_BPF_NO_MATCH, 0)
+ };
+
 int result = 0;
 int current_filter_index = 1;
 switch(syscall)
@@ -738,6 +744,11 @@ static int get_pledge_argfilter(long syscall, uint64_t pledge_promises, struct s
 socket_filter[current_filter_index-1].jf = EXILE_SYSCALL_EXIT_BPF_NO_MATCH;
 result = current_filter_index;
 memcpy(filter, socket_filter, result * sizeof(struct sock_filter));
+ break;
+ case EXILE_SYS(setsockopt):
+ result = sizeof(setsockopt_filter)/sizeof(setsockopt_filter[0]);
+ memcpy(filter, setsockopt_filter, sizeof(setsockopt_filter));
+ break;
 }
 return result;
 }
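Review bot: The new `setsockopt_filter` in the first hunk decides on `args[2]` (optname) alone and never loads `args[1]` (level), so the SO_DEBUG/SO_SNDBUFFORCE comparisons are ambiguous across levels: on Linux `SO_DEBUG`, `TCP_NODELAY` and `IP_TOS` are all 1, so a `setsockopt(fd, IPPROTO_TCP, TCP_NODELAY, ...)` call takes the SO_DEBUG branch, and the list can never express "only at SOL_SOCKET". Load the level first and skip the optname checks when it is not SOL_SOCKET, e.g. `BPF_STMT(BPF_LD+BPF_W+BPF_ABS, offsetof(struct seccomp_data, args[1])),` then `BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SOL_SOCKET, 0, 3), /* not SOL_SOCKET: skip the three optname instructions */` ahead of the existing `args[2]` load. The last JUMP has `jf = 0`, so a non-matching optname falls through to whatever the caller appends after the copied instructions; that assumption and the fact that the denylist is intentionally partial (per the subject line) deserve a comment such as `/* partial denylist; a non-matching optname falls through to the instructions the caller appends */`. `get_pledge_argfilter` begins before the first hunk, and the `case EXILE_SYS(setsockopt)` added in the second hunk depends on this array, so the level check belongs in the same declaration.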