Seccomp: filter more syscalls

Signed-off-by: Caolán McNamara <caolan.mcnamara@collabora.com> Change-Id: Ia17360035035418ada519cf758e38be35c01a177
CollaboraOnline · Jan 9, 2025 · c4d4506 · c4d4506
1 parent 5803eca
commit c4d4506
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/common/Seccomp.cpp b/common/Seccomp.cpp
@@ -109,6 +109,10 @@ bool lockdown([[maybe_unused]] Type type)
         BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_##name, 0, 1), \
         BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
 
+    #define REJECT_SYSCALL(name, err) \
+        BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_##name, 0, 1), \
+        BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO | (err & SECCOMP_RET_DATA))
+
     #define KILL_SYSCALL_FULL(fullname) \
         BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, fullname, 0, 1), \
         BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_TRAP)
@@ -158,6 +162,8 @@ bool lockdown([[maybe_unused]] Type type)
         KILL_SYSCALL(shmat),
         KILL_SYSCALL(shmctl),
 #endif
+        REJECT_SYSCALL(execve, EPERM),
+        REJECT_SYSCALL(execveat, EPERM),
         KILL_SYSCALL(getitimer),
         KILL_SYSCALL(setitimer),
         KILL_SYSCALL(sendfile),