[gentoo-commits] proj/pax-utils:master commit in: / - gentoo-commits

From:	Mike Frysinger <vapier@g.o>
To:	gentoo-commits@l.g.o
Subject:	[gentoo-commits] proj/pax-utils:master commit in: /
Date:	Sat, 17 Apr 2021 05:39:13
Message-Id:	`1618635413.24dd6026cab83b17bbf727feb07ced35fe75bb75.vapier@gentoo`

1

commit:     24dd6026cab83b17bbf727feb07ced35fe75bb75

2

Author:     Mike Frysinger <vapier <AT> gentoo <DOT> org>

3

AuthorDate: Thu Aug 27 06:39:20 2015 +0000

4

Commit:     Mike Frysinger <vapier <AT> gentoo <DOT> org>

5

CommitDate: Sat Apr 17 04:56:53 2021 +0000

6

URL:        https://gitweb.gentoo.org/proj/pax-utils.git/commit/?id=24dd6026

7

8

security: pregen seccomp bpf programs

9

10

Since the bpf programs are the same across runs, generate it ahead of

11

time.  This way we don't have to link against libseccomp and run the

12

library calls at runtime which helps cut out most overhead.

13

14

Signed-off-by: Mike Frysinger <vapier <AT> gentoo.org>

15

16

 .depend       |  23 ++++--

17

 .gitignore    |   1 +

18

 Makefile      |  24 +++---

19

 Makefile.am   |   2 +

20

 configure.ac  |   9 ++-

21

 porting.h     |   3 +

22

 seccomp-bpf.c | 255 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

23

 seccomp-bpf.h | 226 +++++++++++++++++++++++++++++++++++++++++++++++++++

24

 security.c    | 214 ++++++------------------------------------------

25

 9 files changed, 549 insertions(+), 208 deletions(-)

26

27

diff --git a/.depend b/.depend

28

index 5371c1c..aab4f89 100644

29

--- a/.depend

30

+++ b/.depend

31

@@ -1,5 +1,18 @@

32

-scanelf.o: scanelf.c paxinc.h porting.h elf.h paxelf.h

33

-pspax.o: pspax.c paxinc.h porting.h elf.h paxelf.h

34

-dumpelf.o: dumpelf.c paxinc.h porting.h elf.h paxelf.h

35

-paxelf.o: paxelf.c paxinc.h porting.h elf.h paxelf.h

36

-paxinc.o: paxinc.c paxinc.h porting.h elf.h paxelf.h

37

+paxelf.o: paxelf.c paxinc.h porting.h elf.h xfuncs.h security.h paxelf.h \

38

+ macho.h paxmacho.h

39

+paxmacho.o: paxmacho.c paxinc.h porting.h elf.h xfuncs.h security.h \

40

+ paxelf.h macho.h paxmacho.h

41

+paxinc.o: paxinc.c paxinc.h porting.h elf.h xfuncs.h security.h paxelf.h \

42

+ macho.h paxmacho.h

43

+security.o: security.c paxinc.h porting.h elf.h xfuncs.h security.h \

44

+ paxelf.h macho.h paxmacho.h seccomp-bpf.h

45

+xfuncs.o: xfuncs.c paxinc.h porting.h elf.h xfuncs.h security.h paxelf.h \

46

+ macho.h paxmacho.h

47

+scanelf.o: scanelf.c paxinc.h porting.h elf.h xfuncs.h security.h \

48

+ paxelf.h macho.h paxmacho.h

49

+dumpelf.o: dumpelf.c paxinc.h porting.h elf.h xfuncs.h security.h \

50

+ paxelf.h macho.h paxmacho.h

51

+pspax.o: pspax.c paxinc.h porting.h elf.h xfuncs.h security.h paxelf.h \

52

+ macho.h paxmacho.h

53

+scanmacho.o: scanmacho.c paxinc.h porting.h elf.h xfuncs.h security.h \

54

+ paxelf.h macho.h paxmacho.h

55

56

diff --git a/.gitignore b/.gitignore

57

index 553ea89..a6bf3ba 100644

58

--- a/.gitignore

59

+++ b/.gitignore

60

@@ -43,6 +43,7 @@ core

61

 /pspax

62

 /scanelf

63

 /scanmacho

64

+/seccomp-bpf

65

 /symtree

66

67

 /man/*.1

68

69

diff --git a/Makefile b/Makefile

70

index 9a2c07c..bb6f167 100644

71

--- a/Makefile

72

+++ b/Makefile

73

@@ -52,11 +52,14 @@ ifeq ($(USE_DEBUG),yes)

74

 override CPPFLAGS += -DEBUG

75

 endif

76

77

-ifeq ($(USE_SECCOMP),yes)

78

+ifeq ($(BUILD_USE_SECCOMP),yes)

79

 LIBSECCOMP_CFLAGS := $(shell $(PKG_CONFIG) --cflags libseccomp)

80

 LIBSECCOMP_LIBS   := $(shell $(PKG_CONFIG) --libs libseccomp)

81

 override CPPFLAGS += $(LIBSECCOMP_CFLAGS) -DWANT_SECCOMP

82

-LIBS              += $(LIBSECCOMP_LIBS)

83

+LIBS-seccomp-bpf  += $(LIBSECCOMP_LIBS)

84

+endif

85

+ifeq ($(USE_SECCOMP),yes)

86

+override CPPFLAGS += -DWANT_SECCOMP

87

 endif

88

89

 ifdef PV

90

@@ -72,8 +75,10 @@ ELF_OBJS     = paxelf.o paxldso.o

91

 MACH_TARGETS = scanmacho

92

 MACH_OBJS    = paxmacho.o

93

 COMMON_OBJS  = paxinc.o security.o xfuncs.o

94

+BUILD_OBJS   = $(filter-out security.o,$(COMMON_OBJS))

95

 TARGETS      = $(ELF_TARGETS) $(MACH_TARGETS)

96

 TARGETS_OBJS = $(TARGETS:%=%.o)

97

+BUILD_TARGETS= seccomp-bpf

98

 SCRIPTS_SH   = lddtree symtree

99

 SCRIPTS_PY   = lddtree

100

 _OBJS        = $(ELF_OBJS) $(MACH_OBJS) $(COMMON_OBJS)

101

@@ -139,23 +144,24 @@ ifeq ($(V),)

102

 endif

103

 	$(Q)$(compile.c) $(WFLAGS)

104

105

-$(ELF_TARGETS): %: $(ELF_OBJS) $(COMMON_OBJS) %.o

106

-	$(CC) $(CFLAGS) $(LDFLAGS) $^ -o $@ $(LIBS) $(LIBS-$@)

107

+LINK = $(CC) $(CFLAGS) $(LDFLAGS) $^ -o $@ $(LIBS) $(LIBS-$@)

108

109

-$(MACH_TARGETS): %: $(MACH_OBJS) $(COMMON_OBJS) %.o

110

-	$(CC) $(CFLAGS) $(LDFLAGS) $^ -o $@ $(LIBS) $(LIBS-$@)

111

+$(BUILD_TARGETS): %: $(BUILD_OBJS) %.o; $(LINK)

112

+$(ELF_TARGETS): %: $(ELF_OBJS) $(COMMON_OBJS) %.o; $(LINK)

113

+$(MACH_TARGETS): %: $(MACH_OBJS) $(COMMON_OBJS) %.o; $(LINK)

114

115

 $(OBJS_TARGETS): %: $(_OBJS) %.c

116

 	$(CC) $(CFLAGS) $(CPPFLAGS) -DMAIN $(LDFLAGS) $(filter-out $@.o,$^) -o $@ $(LIBS) $(LIBS-$@)

117

118

-%.so: %.c

119

-	$(CC) -shared -fPIC -o $@ $<

120

+seccomp-bpf.h: seccomp-bpf.c

121

+	$(MAKE) BUILD_USE_SECCOMP=yes seccomp-bpf

122

+	./seccomp-bpf > $@

123

124

 depend:

125

 	$(CC) $(CFLAGS) -MM $(SOURCES) > .depend

126

127

 clean:

128

-	-rm -f $(OBJS) $(TARGETS) $(OBJS_TARGETS)

129

+	-rm -f $(OBJS) $(TARGETS) $(OBJS_TARGETS) $(BUILD_TARGETS)

130

131

 distclean: clean

132

 	-rm -f *~ core *.o

133

134

diff --git a/Makefile.am b/Makefile.am

135

index f369f86..748a7ca 100644

136

--- a/Makefile.am

137

+++ b/Makefile.am

138

@@ -92,6 +92,8 @@ EXTRA_DIST += \

139

 	pylint \

140

 	scanelf.c \

141

 	scanmacho.c \

142

+	seccomp-bpf.c \

143

+	seccomp-bpf.h \

144

 	security.c \

145

 	security.h \

146

 	symtree.sh \

147

148

diff --git a/configure.ac b/configure.ac

149

index 5ffd5ef..9b96090 100644

150

--- a/configure.ac

151

+++ b/configure.ac

152

@@ -33,9 +33,7 @@ AM_CONDITIONAL([USE_PYTHON], [test "x$with_python" = "xyes"])

153

154

 AC_ARG_WITH([seccomp], [AS_HELP_STRING([--with-seccomp], [build with seccomp])])

155

 AS_IF([test "x$with_seccomp" = "xyes"], [

156

-	PKG_CHECK_MODULES(LIBSECCOMP, libseccomp)

157

-	CPPFLAGS="$CPPFLAGS $LIBSECCOMP_CFLAGS -DWANT_SECCOMP"

158

-	LIBS="$LIBS $LIBSECCOMP_LIBS"

159

+	CPPFLAGS="$CPPFLAGS -DWANT_SECCOMP"

160

])

161

162

 AX_CFLAGS_WARN_ALL

163

@@ -62,7 +60,10 @@ m4_foreach_w([flag], [

164

 	AX_CHECK_COMPILE_FLAG(flag, AS_VAR_APPEND([CFLAGS], " flag"))

165

])

166

167

-AC_CHECK_HEADERS([linux/securebits.h])

168

+AC_CHECK_HEADERS_ONCE(m4_flatten([

169

+	linux/seccomp.h

170

+	linux/securebits.h

171

+]))

172

173

 AC_CONFIG_FILES([

174

 	Makefile

175

176

diff --git a/porting.h b/porting.h

177

index c4f5fc6..f1bd74f 100644

178

--- a/porting.h

179

+++ b/porting.h

180

@@ -46,6 +46,9 @@

181

 #endif

182

 #if defined(__linux__)

183

 # include <sys/prctl.h>

184

+# if !defined(HAVE_CONFIG_H) || defined(HAVE_LINUX_SECCOMP_H)

185

+#  include <linux/seccomp.h>

186

+# endif

187

 # if !defined(HAVE_CONFIG_H) || defined(HAVE_LINUX_SECUREBITS_H)

188

 #  include <linux/securebits.h>

189

 # endif

190

191

diff --git a/seccomp-bpf.c b/seccomp-bpf.c

192

new file mode 100644

193

index 0000000..d7246b1

194

--- /dev/null

195

+++ b/seccomp-bpf.c

196

@@ -0,0 +1,255 @@

197

+/*

198

+ * Generate the bpf rules ahead of time to speed up runtime.

199

+ *

200

+ * Copyright 2015 Gentoo Foundation

201

+ * Distributed under the terms of the GNU General Public License v2

202

+ *

203

+ * Copyright 2015 Mike Frysinger  - <vapier@g.o>

204

+ */

205

+

206

+const char argv0[] = "seccomp-bpf";

207

+

208

+#include <err.h>

209

+#include <stdio.h>

210

+#include <stdlib.h>

211

+#include <unistd.h>

212

+#include <sys/mman.h>

213

+#include <sys/types.h>

214

+

215

+#include <seccomp.h>

216

+

217

+#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

218

+

219

+static const struct {

220

+	const char *name;

221

+	uint32_t arch;

222

+	const char *ifdef;

223

+} gen_seccomp_arches[] = {

224

+#define A(arch, ifdef) { #arch, SCMP_ARCH_##arch, ifdef }

225

+	A(AARCH64,     "defined(__aarch64__)"),

226

+	A(ARM,         "defined(__arm__)"),

227

+	A(MIPS,        "defined(__mips__) && defined(__MIPSEB__) && defined(_ABIO32)"),

228

+	A(MIPS64,      "defined(__mips__) && defined(__MIPSEB__) && defined(_ABI64)"),

229

+	A(MIPS64N32,   "defined(__mips__) && defined(__MIPSEB__) && defined(_ABIN32)"),

230

+	A(MIPSEL,      "defined(__mips__) && defined(__MIPSEL__) && defined(_ABIO32)"),

231

+	A(MIPSEL64,    "defined(__mips__) && defined(__MIPSEL__) && defined(_ABI64)"),

232

+	A(MIPSEL64N32, "defined(__mips__) && defined(__MIPSEL__) && defined(_ABIN32)"),

233

+	A(PARISC,      "defined(__hppa__) && !defined(__hppa64__)"),

234

+	A(PARISC64,    "defined(__hppa__) &&  defined(__hppa64__)"),

235

+	A(PPC,         "defined(__powerpc__) && !defined(__powerpc64__) &&  defined(__BIG_ENDIAN__)"),

236

+	A(PPC64,       "defined(__powerpc__) &&  defined(__powerpc64__) &&  defined(__BIG_ENDIAN__)"),

237

+	A(PPC64LE,     "defined(__powerpc__) &&  defined(__powerpc64__) && !defined(__BIG_ENDIAN__)"),

238

+	A(RISCV64,     "defined(__riscv) && __riscv_xlen == 64"),

239

+	A(S390,        "defined(__s390__) && !defined(__s390x__)"),

240

+	A(S390X,       "defined(__s390__) &&  defined(__s390x__)"),

241

+	A(X86,         "defined(__i386__)"),

242

+	A(X32,         "defined(__x86_64__) &&  defined(__ILP32__)"),

243

+	A(X86_64,      "defined(__x86_64__) && !defined(__ILP32__)"),

244

+#undef A

245

+};

246

+

247

+/* Simple helper to add all of the syscalls in an array. */

248

+static int gen_seccomp_rules_add(scmp_filter_ctx ctx, int syscalls[], size_t num)

249

+{

250

+	static uint8_t prio;

251

+	size_t i;

252

+	for (i = 0; i < num; ++i) {

253

+		if (seccomp_syscall_priority(ctx, syscalls[i], prio++) < 0) {

254

+			warn("seccomp_syscall_priority failed");

255

+			return -1;

256

+		}

257

+		if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, syscalls[i], 0) < 0) {

258

+			warn("seccomp_rule_add failed");

259

+			return -1;

260

+		}

261

+	}

262

+	return 0;

263

+}

264

+#define gen_seccomp_rules_add(ctx, syscalls) gen_seccomp_rules_add(ctx, syscalls, ARRAY_SIZE(syscalls))

265

+

266

+static void gen_seccomp_dump(scmp_filter_ctx ctx, const char *name)

267

+{

268

+	unsigned char buf[32768 * 8];

269

+	ssize_t i, len;

270

+	int fd;

271

+

272

+	fd = memfd_create("bpf", MFD_CLOEXEC);

273

+	if (fd < 0)

274

+		err(1, "memfd_create failed");

275

+	if (seccomp_export_bpf(ctx, fd) < 0)

276

+		err(1, "seccomp_export_bpf_mem failed");

277

+	if (lseek(fd, 0, SEEK_SET) != 0)

278

+		err(1, "seek failed");

279

+	len = read(fd, buf, sizeof(buf));

280

+	if (len <= 0)

281

+		err(1, "read failed");

282

+

283

+	printf("static const unsigned char seccomp_bpf_blks_%s[] = {\n\t", name);

284

+	for (i = 0; i < len; ++i)

285

+		printf("%u,", buf[i]);

286

+	printf("\n};\n");

287

+}

288

+

289

+static void gen_seccomp_program(const char *name)

290

+{

291

+	printf(

292

+		"static const seccomp_bpf_program_t seccomp_bpf_program_%s = {\n"

293

+		"	.cnt = sizeof(seccomp_bpf_blks_%s) / 8,\n"

294

+		"	.bpf = seccomp_bpf_blks_%s,\n"

295

+		"};\n", name, name, name);

296

+}

297

+

298

+int main(void)

299

+{

300

+	/* Order determines priority (first == lowest prio).  */

301

+	int base_syscalls[] = {

302

+		/* We write the most w/scanelf.  */

303

+		SCMP_SYS(write),

304

+

305

+		/* Then the stat family of functions.  */

306

+		SCMP_SYS(newfstatat),

307

+		SCMP_SYS(fstat),

308

+		SCMP_SYS(fstat64),

309

+		SCMP_SYS(fstatat64),

310

+		SCMP_SYS(lstat),

311

+		SCMP_SYS(lstat64),

312

+		SCMP_SYS(stat),

313

+		SCMP_SYS(stat64),

314

+		SCMP_SYS(statx),

315

+

316

+		/* Then the fd close func.  */

317

+		SCMP_SYS(close),

318

+

319

+		/* Then fd open family of functions.  */

320

+		SCMP_SYS(open),

321

+		SCMP_SYS(openat),

322

+

323

+		/* Then the memory mapping functions.  */

324

+		SCMP_SYS(mmap),

325

+		SCMP_SYS(mmap2),

326

+		SCMP_SYS(munmap),

327

+

328

+		/* Then the directory reading functions.  */

329

+		SCMP_SYS(getdents),

330

+		SCMP_SYS(getdents64),

331

+

332

+		/* Then the file reading functions.  */

333

+		SCMP_SYS(pread64),

334

+		SCMP_SYS(read),

335

+

336

+		/* Then the fd manipulation functions.  */

337

+		SCMP_SYS(fcntl),

338

+		SCMP_SYS(fcntl64),

339

+

340

+		/* After this point, just sort the list alphabetically.  */

341

+		SCMP_SYS(access),

342

+		SCMP_SYS(brk),

343

+		SCMP_SYS(capget),

344

+		SCMP_SYS(chdir),

345

+		SCMP_SYS(exit),

346

+		SCMP_SYS(exit_group),

347

+		SCMP_SYS(faccessat),

348

+#ifndef __SNR_faccessat2

349

+/* faccessat2 is not yet defined in libseccomp-2.5.1 */

350

+# define __SNR_faccessat2 __NR_faccessat2

351

+#endif

352

+		SCMP_SYS(faccessat2),

353

+		SCMP_SYS(fchdir),

354

+		SCMP_SYS(getpid),

355

+		SCMP_SYS(gettid),

356

+		SCMP_SYS(ioctl),

357

+		SCMP_SYS(lseek),

358

+		SCMP_SYS(_llseek),

359

+		SCMP_SYS(mprotect),

360

+

361

+		/* Syscalls listed because of sandbox.  */

362

+		SCMP_SYS(readlink),

363

+

364

+		/* Syscalls listed because of fakeroot.  */

365

+		SCMP_SYS(msgget),

366

+		SCMP_SYS(msgrcv),

367

+		SCMP_SYS(msgsnd),

368

+		SCMP_SYS(semget),

369

+		SCMP_SYS(semop),

370

+		SCMP_SYS(semtimedop),

371

+		/*

372

+		 * Some targets (e.g. ppc & i386) implement the above functions

373

+		 * as ipc() subcalls.  #675378

374

+		 */

375

+		SCMP_SYS(ipc),

376

+	};

377

+	int fork_syscalls[] = {

378

+		SCMP_SYS(clone),

379

+		SCMP_SYS(execve),

380

+		SCMP_SYS(fork),

381

+		SCMP_SYS(rt_sigaction),

382

+		SCMP_SYS(rt_sigprocmask),

383

+		SCMP_SYS(unshare),

384

+		SCMP_SYS(vfork),

385

+		SCMP_SYS(wait4),

386

+		SCMP_SYS(waitid),

387

+		SCMP_SYS(waitpid),

388

+	};

389

+

390

+	/* TODO: Handle debug and KILL vs TRAP. */

391

+

392

+	scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_KILL);

393

+	if (!ctx)

394

+		err(1, "seccomp_init failed");

395

+

396

+	printf("/* AUTO GENERATED; see seccomp-bpf.c for details. */\n");

397

+	printf("#undef SECCOMP_BPF_AVAILABLE\n");

398

+

399

+	if (seccomp_arch_remove(ctx, seccomp_arch_native()) < 0)

400

+		err(1, "seccomp_arch_remove failed");

401

+

402

+	for (size_t i = 0; i < ARRAY_SIZE(gen_seccomp_arches); ++i) {

403

+		uint32_t arch = gen_seccomp_arches[i].arch;

404

+

405

+		seccomp_reset(ctx, SCMP_ACT_KILL);

406

+

407

+		if (arch != seccomp_arch_native()) {

408

+			if (seccomp_arch_remove(ctx, seccomp_arch_native()) < 0)

409

+				err(1, "seccomp_arch_remove failed");

410

+			if (seccomp_arch_add(ctx, arch) < 0)

411

+				err(1, "seccomp_arch_add failed");

412

+		}

413

+

414

+		printf("\n#if %s\n", gen_seccomp_arches[i].ifdef);

415

+		printf("/* %s */\n", gen_seccomp_arches[i].name);

416

+		printf("#define SECCOMP_BPF_AVAILABLE\n");

417

+

418

+		if (gen_seccomp_rules_add(ctx, base_syscalls) < 0)

419

+			err(1, "seccomp_rules_add failed");

420

+		gen_seccomp_dump(ctx, "base");

421

+

422

+		if (gen_seccomp_rules_add(ctx, fork_syscalls) < 0)

423

+			err(1, "seccomp_rules_add failed");

424

+		gen_seccomp_dump(ctx, "fork");

425

+

426

+		if (0) {

427

+			printf("/*\n");

428

+			fflush(stdout);

429

+			seccomp_export_pfc(ctx, 1);

430

+			fflush(stdout);

431

+			printf("*/\n");

432

+		}

433

+

434

+		printf("#endif\n");

435

+	}

436

+

437

+	printf(

438

+		"\n"

439

+		"#ifdef SECCOMP_BPF_AVAILABLE\n"

440

+		"typedef struct {\n"

441

+		"	uint16_t cnt;\n"

442

+		"	const void *bpf;\n"

443

+		"} seccomp_bpf_program_t;\n");

444

+	gen_seccomp_program("base");

445

+	gen_seccomp_program("fork");

446

+	printf("#endif\n");

447

+

448

+	seccomp_release(ctx);

449

+

450

+	return 0;

451

+}

452

453

diff --git a/seccomp-bpf.h b/seccomp-bpf.h

454

new file mode 100644

455

index 0000000..dfb7716

456

--- /dev/null

457

+++ b/seccomp-bpf.h

458

@@ -0,0 +1,226 @@

459

+/* AUTO GENERATED; see seccomp-bpf.c for details. */

460

+#undef SECCOMP_BPF_AVAILABLE

461

+

462

+#if defined(__aarch64__)

463

+/* AARCH64 */

464

+#define SECCOMP_BPF_AVAILABLE

465

+static const unsigned char seccomp_bpf_blks_base[] = {

466

+	32,0,0,0,4,0,0,0,21,0,0,33,183,0,0,192,32,0,0,0,0,0,0,0,21,0,30,0,192,0,0,0,21,0,29,0,193,0,0,0,21,0,28,0,190,0,0,0,21,0,27,0,189,0,0,0,21,0,26,0,188,0,0,0,21,0,25,0,186,0,0,0,21,0,24,0,226,0,0,0,21,0,23,0,62,0,0,0,21,0,22,0,29,0,0,0,21,0,21,0,178,0,0,0,21,0,20,0,172,0,0,0,21,0,19,0,50,0,0,0,21,0,18,0,183,1,0,0,21,0,17,0,48,0,0,0,21,0,16,0,94,0,0,0,21,0,15,0,93,0,0,0,21,0,14,0,49,0,0,0,21,0,13,0,90,0,0,0,21,0,12,0,214,0,0,0,21,0,11,0,25,0,0,0,21,0,10,0,63,0,0,0,21,0,9,0,67,0,0,0,21,0,8,0,61,0,0,0,21,0,7,0,215,0,0,0,21,0,6,0,222,0,0,0,21,0,5,0,56,0,0,0,21,0,4,0,57,0,0,0,21,0,3,0,35,1,0,0,21,0,2,0,80,0,0,0,21,0,1,0,79,0,0,0,21,0,0,1,64,0,0,0,6,0,0,0,0,0,255,127,6,0,0,0,0,0,0,0,

467

+};

468

+static const unsigned char seccomp_bpf_blks_fork[] = {

469

+	32,0,0,0,4,0,0,0,21,0,0,40,183,0,0,192,32,0,0,0,0,0,0,0,21,0,37,0,95,0,0,0,21,0,36,0,4,1,0,0,21,0,35,0,97,0,0,0,21,0,34,0,135,0,0,0,21,0,33,0,134,0,0,0,21,0,32,0,221,0,0,0,21,0,31,0,220,0,0,0,21,0,30,0,192,0,0,0,21,0,29,0,193,0,0,0,21,0,28,0,190,0,0,0,21,0,27,0,189,0,0,0,21,0,26,0,188,0,0,0,21,0,25,0,186,0,0,0,21,0,24,0,226,0,0,0,21,0,23,0,62,0,0,0,21,0,22,0,29,0,0,0,21,0,21,0,178,0,0,0,21,0,20,0,172,0,0,0,21,0,19,0,50,0,0,0,21,0,18,0,183,1,0,0,21,0,17,0,48,0,0,0,21,0,16,0,94,0,0,0,21,0,15,0,93,0,0,0,21,0,14,0,49,0,0,0,21,0,13,0,90,0,0,0,21,0,12,0,214,0,0,0,21,0,11,0,25,0,0,0,21,0,10,0,63,0,0,0,21,0,9,0,67,0,0,0,21,0,8,0,61,0,0,0,21,0,7,0,215,0,0,0,21,0,6,0,222,0,0,0,21,0,5,0,56,0,0,0,21,0,4,0,57,0,0,0,21,0,3,0,35,1,0,0,21,0,2,0,80,0,0,0,21,0,1,0,79,0,0,0,21,0,0,1,64,0,0,0,6,0,0,0,0,0,255,127,6,0,0,0,0,0,0,0,

470

+};

471

+#endif

472

+

473

+#if defined(__arm__)

474

+/* ARM */

475

+#define SECCOMP_BPF_AVAILABLE

476

+static const unsigned char seccomp_bpf_blks_base[] = {

477

+	32,0,0,0,4,0,0,0,21,0,0,44,40,0,0,64,32,0,0,0,0,0,0,0,21,0,41,0,56,1,0,0,21,0,40,0,42,1,0,0,21,0,39,0,43,1,0,0,21,0,38,0,45,1,0,0,21,0,37,0,46,1,0,0,21,0,36,0,47,1,0,0,21,0,35,0,85,0,0,0,21,0,34,0,125,0,0,0,21,0,33,0,140,0,0,0,21,0,32,0,19,0,0,0,21,0,31,0,54,0,0,0,21,0,30,0,224,0,0,0,21,0,29,0,20,0,0,0,21,0,28,0,133,0,0,0,21,0,27,0,183,1,0,0,21,0,26,0,78,1,0,0,21,0,25,0,248,0,0,0,21,0,24,0,1,0,0,0,21,0,23,0,12,0,0,0,21,0,22,0,184,0,0,0,21,0,21,0,45,0,0,0,21,0,20,0,33,0,0,0,21,0,19,0,221,0,0,0,21,0,18,0,55,0,0,0,21,0,17,0,3,0,0,0,21,0,16,0,180,0,0,0,21,0,15,0,217,0,0,0,21,0,14,0,141,0,0,0,21,0,13,0,91,0,0,0,21,0,12,0,192,0,0,0,21,0,11,0,66,1,0,0,21,0,10,0,5,0,0,0,21,0,9,0,6,0,0,0,21,0,8,0,141,1,0,0,21,0,7,0,195,0,0,0,21,0,6,0,106,0,0,0,21,0,5,0,196,0,0,0,21,0,4,0,107,0,0,0,21,0,3,0,71,1,0,0,21,0,2,0,197,0,0,0,21,0,1,0,108,0,0,0,21,0,0,1,4,0,0,0,6,0,0,0,0,0,255,127,6,0,0,0,0,0,0,0,

478

+};

479

+static const unsigned char seccomp_bpf_blks_fork[] = {

480

+	32,0,0,0,4,0,0,0,21,0,0,53,40,0,0,64,32,0,0,0,0,0,0,0,21,0,50,0,24,1,0,0,21,0,49,0,114,0,0,0,21,0,48,0,190,0,0,0,21,0,47,0,81,1,0,0,21,0,46,0,175,0,0,0,21,0,45,0,174,0,0,0,21,0,44,0,2,0,0,0,21,0,43,0,11,0,0,0,21,0,42,0,120,0,0,0,21,0,41,0,56,1,0,0,21,0,40,0,42,1,0,0,21,0,39,0,43,1,0,0,21,0,38,0,45,1,0,0,21,0,37,0,46,1,0,0,21,0,36,0,47,1,0,0,21,0,35,0,85,0,0,0,21,0,34,0,125,0,0,0,21,0,33,0,140,0,0,0,21,0,32,0,19,0,0,0,21,0,31,0,54,0,0,0,21,0,30,0,224,0,0,0,21,0,29,0,20,0,0,0,21,0,28,0,133,0,0,0,21,0,27,0,183,1,0,0,21,0,26,0,78,1,0,0,21,0,25,0,248,0,0,0,21,0,24,0,1,0,0,0,21,0,23,0,12,0,0,0,21,0,22,0,184,0,0,0,21,0,21,0,45,0,0,0,21,0,20,0,33,0,0,0,21,0,19,0,221,0,0,0,21,0,18,0,55,0,0,0,21,0,17,0,3,0,0,0,21,0,16,0,180,0,0,0,21,0,15,0,217,0,0,0,21,0,14,0,141,0,0,0,21,0,13,0,91,0,0,0,21,0,12,0,192,0,0,0,21,0,11,0,66,1,0,0,21,0,10,0,5,0,0,0,21,0,9,0,6,0,0,0,21,0,8,0,141,1,0,0,21,0,7,0,195,0,0,0,21,0,6,0,106,0,0,0,21,0,5,0,196,0,0,0,21,0,4,0,107,0,0,0,21,0,3,0,71,1,0,0,21,0,2,0,197,0,0,0,2

481

 1,0,1,0,108,0,0,0,21,0,0,1,4,0,0,0,6,0,0,0,0,0,255,127,6,0,0,0,0,0,0,0,

482

+};

483

+#endif

484

+

485

+#if defined(__mips__) && defined(__MIPSEB__) && defined(_ABIO32)

486

+/* MIPS */

487

+#define SECCOMP_BPF_AVAILABLE

488

+static const unsigned char seccomp_bpf_blks_base[] = {

489

+	0,32,0,0,0,0,0,4,0,21,0,44,0,0,0,8,0,32,0,0,0,0,0,0,0,21,41,0,0,0,16,21,0,21,40,0,0,0,17,41,0,21,39,0,0,0,17,48,0,21,38,0,0,0,17,49,0,21,37,0,0,0,17,47,0,21,36,0,0,0,15,245,0,21,35,0,0,0,16,29,0,21,34,0,0,0,16,44,0,21,33,0,0,0,15,179,0,21,32,0,0,0,15,214,0,21,31,0,0,0,16,126,0,21,30,0,0,0,15,180,0,21,29,0,0,0,16,37,0,21,28,0,0,0,17,87,0,21,27,0,0,0,16,204,0,21,26,0,0,0,16,150,0,21,25,0,0,0,15,161,0,21,24,0,0,0,15,172,0,21,23,0,0,0,16,108,0,21,22,0,0,0,15,205,0,21,21,0,0,0,15,193,0,21,20,0,0,0,16,124,0,21,19,0,0,0,15,215,0,21,18,0,0,0,15,163,0,21,17,0,0,0,16,104,0,21,16,0,0,0,16,123,0,21,15,0,0,0,16,45,0,21,14,0,0,0,15,251,0,21,13,0,0,0,16,114,0,21,12,0,0,0,15,250,0,21,11,0,0,0,16,192,0,21,10,0,0,0,15,165,0,21,9,0,0,0,15,166,0,21,8,0,0,0,17,14,0,21,7,0,0,0,16,117,0,21,6,0,0,0,16,10,0,21,5,0,0,0,16,118,0,21,4,0,0,0,16,11,0,21,3,0,0,0,16,197,0,21,2,0,0,0,16,119,0,21,1,0,0,0,16,12,0,21,0,1,0,0,15,164,0,6,0,0,127,255,0,0,0,6,0,0,0,0,0,0,

490

+};

491

+static const unsigned char seccomp_bpf_blks_fork[] = {

492

+	0,32,0,0,0,0,0,4,0,21,0,53,0,0,0,8,0,32,0,0,0,0,0,0,0,21,50,0,0,0,15,167,0,21,49,0,0,0,16,182,0,21,48,0,0,0,16,18,0,21,47,0,0,0,16,207,0,21,46,0,0,0,16,99,0,21,45,0,0,0,16,98,0,21,44,0,0,0,15,162,0,21,43,0,0,0,15,171,0,21,42,0,0,0,16,24,0,21,41,0,0,0,16,21,0,21,40,0,0,0,17,41,0,21,39,0,0,0,17,48,0,21,38,0,0,0,17,49,0,21,37,0,0,0,17,47,0,21,36,0,0,0,15,245,0,21,35,0,0,0,16,29,0,21,34,0,0,0,16,44,0,21,33,0,0,0,15,179,0,21,32,0,0,0,15,214,0,21,31,0,0,0,16,126,0,21,30,0,0,0,15,180,0,21,29,0,0,0,16,37,0,21,28,0,0,0,17,87,0,21,27,0,0,0,16,204,0,21,26,0,0,0,16,150,0,21,25,0,0,0,15,161,0,21,24,0,0,0,15,172,0,21,23,0,0,0,16,108,0,21,22,0,0,0,15,205,0,21,21,0,0,0,15,193,0,21,20,0,0,0,16,124,0,21,19,0,0,0,15,215,0,21,18,0,0,0,15,163,0,21,17,0,0,0,16,104,0,21,16,0,0,0,16,123,0,21,15,0,0,0,16,45,0,21,14,0,0,0,15,251,0,21,13,0,0,0,16,114,0,21,12,0,0,0,15,250,0,21,11,0,0,0,16,192,0,21,10,0,0,0,15,165,0,21,9,0,0,0,15,166,0,21,8,0,0,0,17,14,0,21,7,0,0,0,16,117,0,21,6,0,0,0,16,10,0,21,5,0,0,0,16,118

493

 ,0,21,4,0,0,0,16,11,0,21,3,0,0,0,16,197,0,21,2,0,0,0,16,119,0,21,1,0,0,0,16,12,0,21,0,1,0,0,15,164,0,6,0,0,127,255,0,0,0,6,0,0,0,0,0,0,

494

+};

495

+#endif

496

+

497

+#if defined(__mips__) && defined(__MIPSEB__) && defined(_ABI64)

498

+/* MIPS64 */

499

+#define SECCOMP_BPF_AVAILABLE

500

+static const unsigned char seccomp_bpf_blks_base[] = {

501

+	0,32,0,0,0,0,0,4,0,21,0,39,128,0,0,8,0,32,0,0,0,0,0,0,0,21,36,0,0,0,20,94,0,21,35,0,0,0,19,199,0,21,34,0,0,0,19,198,0,21,33,0,0,0,19,203,0,21,32,0,0,0,19,204,0,21,31,0,0,0,19,202,0,21,30,0,0,0,19,223,0,21,29,0,0,0,19,146,0,21,28,0,0,0,19,144,0,21,27,0,0,0,19,151,0,21,26,0,0,0,20,58,0,21,25,0,0,0,19,174,0,21,24,0,0,0,19,215,0,21,23,0,0,0,21,63,0,21,22,0,0,0,20,139,0,21,21,0,0,0,20,85,0,21,20,0,0,0,19,194,0,21,19,0,0,0,19,214,0,21,18,0,0,0,20,3,0,21,17,0,0,0,19,148,0,21,16,0,0,0,19,156,0,21,15,0,0,0,19,206,0,21,14,0,0,0,19,136,0,21,13,0,0,0,19,152,0,21,12,0,0,0,20,188,0,21,11,0,0,0,19,212,0,21,10,0,0,0,19,147,0,21,9,0,0,0,19,145,0,21,8,0,0,0,20,127,0,21,7,0,0,0,19,138,0,21,6,0,0,0,19,139,0,21,5,0,0,0,20,206,0,21,4,0,0,0,19,140,0,21,3,0,0,0,19,142,0,21,2,0,0,0,19,141,0,21,1,0,0,0,20,132,0,21,0,1,0,0,19,137,0,6,0,0,127,255,0,0,0,6,0,0,0,0,0,0,

502

+};

503

+static const unsigned char seccomp_bpf_blks_fork[] = {

504

+	0,32,0,0,0,0,0,4,0,21,0,47,128,0,0,8,0,32,0,0,0,0,0,0,0,21,44,0,0,0,20,117,0,21,43,0,0,0,19,195,0,21,42,0,0,0,20,142,0,21,41,0,0,0,19,150,0,21,40,0,0,0,19,149,0,21,39,0,0,0,19,192,0,21,38,0,0,0,19,193,0,21,37,0,0,0,19,191,0,21,36,0,0,0,20,94,0,21,35,0,0,0,19,199,0,21,34,0,0,0,19,198,0,21,33,0,0,0,19,203,0,21,32,0,0,0,19,204,0,21,31,0,0,0,19,202,0,21,30,0,0,0,19,223,0,21,29,0,0,0,19,146,0,21,28,0,0,0,19,144,0,21,27,0,0,0,19,151,0,21,26,0,0,0,20,58,0,21,25,0,0,0,19,174,0,21,24,0,0,0,19,215,0,21,23,0,0,0,21,63,0,21,22,0,0,0,20,139,0,21,21,0,0,0,20,85,0,21,20,0,0,0,19,194,0,21,19,0,0,0,19,214,0,21,18,0,0,0,20,3,0,21,17,0,0,0,19,148,0,21,16,0,0,0,19,156,0,21,15,0,0,0,19,206,0,21,14,0,0,0,19,136,0,21,13,0,0,0,19,152,0,21,12,0,0,0,20,188,0,21,11,0,0,0,19,212,0,21,10,0,0,0,19,147,0,21,9,0,0,0,19,145,0,21,8,0,0,0,20,127,0,21,7,0,0,0,19,138,0,21,6,0,0,0,19,139,0,21,5,0,0,0,20,206,0,21,4,0,0,0,19,140,0,21,3,0,0,0,19,142,0,21,2,0,0,0,19,141,0,21,1,0,0,0,20,132,0,21,0,1,0,0,19,137,0,6,0,0,127,2

505

 55,0,0,0,6,0,0,0,0,0,0,

506

+};

507

+#endif

508

+

509

+#if defined(__mips__) && defined(__MIPSEB__) && defined(_ABIN32)

510

+/* MIPS64N32 */

511

+#define SECCOMP_BPF_AVAILABLE

512

+static const unsigned char seccomp_bpf_blks_base[] = {

513

+	0,32,0,0,0,0,0,4,0,21,0,40,160,0,0,8,0,32,0,0,0,0,0,0,0,21,37,0,0,0,23,120,0,21,36,0,0,0,23,127,0,21,35,0,0,0,24,34,0,21,34,0,0,0,23,150,0,21,33,0,0,0,23,191,0,21,32,0,0,0,25,39,0,21,31,0,0,0,24,119,0,21,30,0,0,0,24,61,0,21,29,0,0,0,23,170,0,21,28,0,0,0,23,190,0,21,27,0,0,0,23,235,0,21,26,0,0,0,23,124,0,21,25,0,0,0,23,132,0,21,24,0,0,0,24,68,0,21,23,0,0,0,23,182,0,21,22,0,0,0,23,112,0,21,21,0,0,0,23,128,0,21,20,0,0,0,24,155,0,21,19,0,0,0,23,188,0,21,18,0,0,0,23,123,0,21,17,0,0,0,23,121,0,21,16,0,0,0,24,107,0,21,15,0,0,0,23,114,0,21,14,0,0,0,23,115,0,21,13,0,0,0,24,186,0,21,12,0,0,0,23,116,0,21,11,0,0,0,23,118,0,21,10,0,0,0,23,117,0,21,9,0,0,0,24,112,0,21,8,0,0,0,23,113,0,21,7,0,0,0,24,71,0,21,6,0,0,0,23,175,0,21,5,0,0,0,23,174,0,21,4,0,0,0,23,179,0,21,3,0,0,0,23,180,0,21,2,0,0,0,23,178,0,21,1,0,0,0,23,199,0,21,0,1,0,0,23,122,0,6,0,0,127,255,0,0,0,6,0,0,0,0,0,0,

514

+};

515

+static const unsigned char seccomp_bpf_blks_fork[] = {

516

+	0,32,0,0,0,0,0,4,0,21,0,48,160,0,0,8,0,32,0,0,0,0,0,0,0,21,45,0,0,0,23,120,0,21,44,0,0,0,23,127,0,21,43,0,0,0,24,34,0,21,42,0,0,0,23,150,0,21,41,0,0,0,23,191,0,21,40,0,0,0,25,39,0,21,39,0,0,0,24,119,0,21,38,0,0,0,24,61,0,21,37,0,0,0,23,170,0,21,36,0,0,0,23,190,0,21,35,0,0,0,23,235,0,21,34,0,0,0,23,124,0,21,33,0,0,0,23,132,0,21,32,0,0,0,24,68,0,21,31,0,0,0,23,182,0,21,30,0,0,0,23,112,0,21,29,0,0,0,23,128,0,21,28,0,0,0,24,155,0,21,27,0,0,0,23,188,0,21,26,0,0,0,23,123,0,21,25,0,0,0,23,121,0,21,24,0,0,0,24,107,0,21,23,0,0,0,23,114,0,21,22,0,0,0,23,115,0,21,21,0,0,0,24,186,0,21,20,0,0,0,23,116,0,21,19,0,0,0,23,118,0,21,18,0,0,0,23,117,0,21,17,0,0,0,24,112,0,21,16,0,0,0,23,113,0,21,15,0,0,0,24,97,0,21,14,0,0,0,23,171,0,21,13,0,0,0,24,122,0,21,12,0,0,0,23,126,0,21,11,0,0,0,23,125,0,21,10,0,0,0,23,168,0,21,9,0,0,0,23,169,0,21,8,0,0,0,23,167,0,21,7,0,0,0,24,71,0,21,6,0,0,0,23,175,0,21,5,0,0,0,23,174,0,21,4,0,0,0,23,179,0,21,3,0,0,0,23,180,0,21,2,0,0,0,23,178,0,21,1,0,0,0,23,199,0,21,0,1,0,0

517

 ,23,122,0,6,0,0,127,255,0,0,0,6,0,0,0,0,0,0,

518

+};

519

+#endif

520

+

521

+#if defined(__mips__) && defined(__MIPSEL__) && defined(_ABIO32)

522

+/* MIPSEL */

523

+#define SECCOMP_BPF_AVAILABLE

524

+static const unsigned char seccomp_bpf_blks_base[] = {

525

+	32,0,0,0,4,0,0,0,21,0,0,44,8,0,0,64,32,0,0,0,0,0,0,0,21,0,41,0,21,16,0,0,21,0,40,0,41,17,0,0,21,0,39,0,48,17,0,0,21,0,38,0,49,17,0,0,21,0,37,0,47,17,0,0,21,0,36,0,245,15,0,0,21,0,35,0,29,16,0,0,21,0,34,0,44,16,0,0,21,0,33,0,179,15,0,0,21,0,32,0,214,15,0,0,21,0,31,0,126,16,0,0,21,0,30,0,180,15,0,0,21,0,29,0,37,16,0,0,21,0,28,0,87,17,0,0,21,0,27,0,204,16,0,0,21,0,26,0,150,16,0,0,21,0,25,0,161,15,0,0,21,0,24,0,172,15,0,0,21,0,23,0,108,16,0,0,21,0,22,0,205,15,0,0,21,0,21,0,193,15,0,0,21,0,20,0,124,16,0,0,21,0,19,0,215,15,0,0,21,0,18,0,163,15,0,0,21,0,17,0,104,16,0,0,21,0,16,0,123,16,0,0,21,0,15,0,45,16,0,0,21,0,14,0,251,15,0,0,21,0,13,0,114,16,0,0,21,0,12,0,250,15,0,0,21,0,11,0,192,16,0,0,21,0,10,0,165,15,0,0,21,0,9,0,166,15,0,0,21,0,8,0,14,17,0,0,21,0,7,0,117,16,0,0,21,0,6,0,10,16,0,0,21,0,5,0,118,16,0,0,21,0,4,0,11,16,0,0,21,0,3,0,197,16,0,0,21,0,2,0,119,16,0,0,21,0,1,0,12,16,0,0,21,0,0,1,164,15,0,0,6,0,0,0,0,0,255,127,6,0,0,0,0,0,0,0,

526

+};

527

+static const unsigned char seccomp_bpf_blks_fork[] = {

528

+	32,0,0,0,4,0,0,0,21,0,0,53,8,0,0,64,32,0,0,0,0,0,0,0,21,0,50,0,167,15,0,0,21,0,49,0,182,16,0,0,21,0,48,0,18,16,0,0,21,0,47,0,207,16,0,0,21,0,46,0,99,16,0,0,21,0,45,0,98,16,0,0,21,0,44,0,162,15,0,0,21,0,43,0,171,15,0,0,21,0,42,0,24,16,0,0,21,0,41,0,21,16,0,0,21,0,40,0,41,17,0,0,21,0,39,0,48,17,0,0,21,0,38,0,49,17,0,0,21,0,37,0,47,17,0,0,21,0,36,0,245,15,0,0,21,0,35,0,29,16,0,0,21,0,34,0,44,16,0,0,21,0,33,0,179,15,0,0,21,0,32,0,214,15,0,0,21,0,31,0,126,16,0,0,21,0,30,0,180,15,0,0,21,0,29,0,37,16,0,0,21,0,28,0,87,17,0,0,21,0,27,0,204,16,0,0,21,0,26,0,150,16,0,0,21,0,25,0,161,15,0,0,21,0,24,0,172,15,0,0,21,0,23,0,108,16,0,0,21,0,22,0,205,15,0,0,21,0,21,0,193,15,0,0,21,0,20,0,124,16,0,0,21,0,19,0,215,15,0,0,21,0,18,0,163,15,0,0,21,0,17,0,104,16,0,0,21,0,16,0,123,16,0,0,21,0,15,0,45,16,0,0,21,0,14,0,251,15,0,0,21,0,13,0,114,16,0,0,21,0,12,0,250,15,0,0,21,0,11,0,192,16,0,0,21,0,10,0,165,15,0,0,21,0,9,0,166,15,0,0,21,0,8,0,14,17,0,0,21,0,7,0,117,16,0,0,21,0,6,0,10,16,0,0,21,0,5,0,118,16,0,

529

 0,21,0,4,0,11,16,0,0,21,0,3,0,197,16,0,0,21,0,2,0,119,16,0,0,21,0,1,0,12,16,0,0,21,0,0,1,164,15,0,0,6,0,0,0,0,0,255,127,6,0,0,0,0,0,0,0,

530

+};

531

+#endif

532

+

533

+#if defined(__mips__) && defined(__MIPSEL__) && defined(_ABI64)

534

+/* MIPSEL64 */

535

+#define SECCOMP_BPF_AVAILABLE

536

+static const unsigned char seccomp_bpf_blks_base[] = {

537

+	32,0,0,0,4,0,0,0,21,0,0,39,8,0,0,192,32,0,0,0,0,0,0,0,21,0,36,0,94,20,0,0,21,0,35,0,199,19,0,0,21,0,34,0,198,19,0,0,21,0,33,0,203,19,0,0,21,0,32,0,204,19,0,0,21,0,31,0,202,19,0,0,21,0,30,0,223,19,0,0,21,0,29,0,146,19,0,0,21,0,28,0,144,19,0,0,21,0,27,0,151,19,0,0,21,0,26,0,58,20,0,0,21,0,25,0,174,19,0,0,21,0,24,0,215,19,0,0,21,0,23,0,63,21,0,0,21,0,22,0,139,20,0,0,21,0,21,0,85,20,0,0,21,0,20,0,194,19,0,0,21,0,19,0,214,19,0,0,21,0,18,0,3,20,0,0,21,0,17,0,148,19,0,0,21,0,16,0,156,19,0,0,21,0,15,0,206,19,0,0,21,0,14,0,136,19,0,0,21,0,13,0,152,19,0,0,21,0,12,0,188,20,0,0,21,0,11,0,212,19,0,0,21,0,10,0,147,19,0,0,21,0,9,0,145,19,0,0,21,0,8,0,127,20,0,0,21,0,7,0,138,19,0,0,21,0,6,0,139,19,0,0,21,0,5,0,206,20,0,0,21,0,4,0,140,19,0,0,21,0,3,0,142,19,0,0,21,0,2,0,141,19,0,0,21,0,1,0,132,20,0,0,21,0,0,1,137,19,0,0,6,0,0,0,0,0,255,127,6,0,0,0,0,0,0,0,

538

+};

539

+static const unsigned char seccomp_bpf_blks_fork[] = {

540

+	32,0,0,0,4,0,0,0,21,0,0,47,8,0,0,192,32,0,0,0,0,0,0,0,21,0,44,0,117,20,0,0,21,0,43,0,195,19,0,0,21,0,42,0,142,20,0,0,21,0,41,0,150,19,0,0,21,0,40,0,149,19,0,0,21,0,39,0,192,19,0,0,21,0,38,0,193,19,0,0,21,0,37,0,191,19,0,0,21,0,36,0,94,20,0,0,21,0,35,0,199,19,0,0,21,0,34,0,198,19,0,0,21,0,33,0,203,19,0,0,21,0,32,0,204,19,0,0,21,0,31,0,202,19,0,0,21,0,30,0,223,19,0,0,21,0,29,0,146,19,0,0,21,0,28,0,144,19,0,0,21,0,27,0,151,19,0,0,21,0,26,0,58,20,0,0,21,0,25,0,174,19,0,0,21,0,24,0,215,19,0,0,21,0,23,0,63,21,0,0,21,0,22,0,139,20,0,0,21,0,21,0,85,20,0,0,21,0,20,0,194,19,0,0,21,0,19,0,214,19,0,0,21,0,18,0,3,20,0,0,21,0,17,0,148,19,0,0,21,0,16,0,156,19,0,0,21,0,15,0,206,19,0,0,21,0,14,0,136,19,0,0,21,0,13,0,152,19,0,0,21,0,12,0,188,20,0,0,21,0,11,0,212,19,0,0,21,0,10,0,147,19,0,0,21,0,9,0,145,19,0,0,21,0,8,0,127,20,0,0,21,0,7,0,138,19,0,0,21,0,6,0,139,19,0,0,21,0,5,0,206,20,0,0,21,0,4,0,140,19,0,0,21,0,3,0,142,19,0,0,21,0,2,0,141,19,0,0,21,0,1,0,132,20,0,0,21,0,0,1,137,19,0,0,6,0,0,0,0,0,2

541

 55,127,6,0,0,0,0,0,0,0,

542

+};

543

+#endif

544

+

545

+#if defined(__mips__) && defined(__MIPSEL__) && defined(_ABIN32)

546

+/* MIPSEL64N32 */

547

+#define SECCOMP_BPF_AVAILABLE

548

+static const unsigned char seccomp_bpf_blks_base[] = {

549

+	32,0,0,0,4,0,0,0,21,0,0,40,8,0,0,224,32,0,0,0,0,0,0,0,21,0,37,0,71,24,0,0,21,0,36,0,175,23,0,0,21,0,35,0,174,23,0,0,21,0,34,0,179,23,0,0,21,0,33,0,180,23,0,0,21,0,32,0,178,23,0,0,21,0,31,0,199,23,0,0,21,0,30,0,122,23,0,0,21,0,29,0,120,23,0,0,21,0,28,0,127,23,0,0,21,0,27,0,34,24,0,0,21,0,26,0,150,23,0,0,21,0,25,0,191,23,0,0,21,0,24,0,39,25,0,0,21,0,23,0,119,24,0,0,21,0,22,0,61,24,0,0,21,0,21,0,170,23,0,0,21,0,20,0,190,23,0,0,21,0,19,0,235,23,0,0,21,0,18,0,124,23,0,0,21,0,17,0,132,23,0,0,21,0,16,0,68,24,0,0,21,0,15,0,182,23,0,0,21,0,14,0,112,23,0,0,21,0,13,0,128,23,0,0,21,0,12,0,155,24,0,0,21,0,11,0,188,23,0,0,21,0,10,0,123,23,0,0,21,0,9,0,121,23,0,0,21,0,8,0,107,24,0,0,21,0,7,0,114,23,0,0,21,0,6,0,115,23,0,0,21,0,5,0,186,24,0,0,21,0,4,0,116,23,0,0,21,0,3,0,118,23,0,0,21,0,2,0,117,23,0,0,21,0,1,0,112,24,0,0,21,0,0,1,113,23,0,0,6,0,0,0,0,0,255,127,6,0,0,0,0,0,0,0,

550

+};

551

+static const unsigned char seccomp_bpf_blks_fork[] = {

552

+	32,0,0,0,4,0,0,0,21,0,0,48,8,0,0,224,32,0,0,0,0,0,0,0,21,0,45,0,97,24,0,0,21,0,44,0,171,23,0,0,21,0,43,0,122,24,0,0,21,0,42,0,126,23,0,0,21,0,41,0,125,23,0,0,21,0,40,0,168,23,0,0,21,0,39,0,169,23,0,0,21,0,38,0,167,23,0,0,21,0,37,0,71,24,0,0,21,0,36,0,175,23,0,0,21,0,35,0,174,23,0,0,21,0,34,0,179,23,0,0,21,0,33,0,180,23,0,0,21,0,32,0,178,23,0,0,21,0,31,0,199,23,0,0,21,0,30,0,122,23,0,0,21,0,29,0,120,23,0,0,21,0,28,0,127,23,0,0,21,0,27,0,34,24,0,0,21,0,26,0,150,23,0,0,21,0,25,0,191,23,0,0,21,0,24,0,39,25,0,0,21,0,23,0,119,24,0,0,21,0,22,0,61,24,0,0,21,0,21,0,170,23,0,0,21,0,20,0,190,23,0,0,21,0,19,0,235,23,0,0,21,0,18,0,124,23,0,0,21,0,17,0,132,23,0,0,21,0,16,0,68,24,0,0,21,0,15,0,182,23,0,0,21,0,14,0,112,23,0,0,21,0,13,0,128,23,0,0,21,0,12,0,155,24,0,0,21,0,11,0,188,23,0,0,21,0,10,0,123,23,0,0,21,0,9,0,121,23,0,0,21,0,8,0,107,24,0,0,21,0,7,0,114,23,0,0,21,0,6,0,115,23,0,0,21,0,5,0,186,24,0,0,21,0,4,0,116,23,0,0,21,0,3,0,118,23,0,0,21,0,2,0,117,23,0,0,21,0,1,0,112,24,0,0,21,0,0,1,113

553

 ,23,0,0,6,0,0,0,0,0,255,127,6,0,0,0,0,0,0,0,

554

+};

555

+#endif

556

+

557

+#if defined(__hppa__) && !defined(__hppa64__)

558

+/* PARISC */

559

+#define SECCOMP_BPF_AVAILABLE

560

+static const unsigned char seccomp_bpf_blks_base[] = {

561

+	0,32,0,0,0,0,0,4,0,21,0,45,0,0,0,15,0,32,0,0,0,0,0,0,0,21,42,0,0,0,0,228,0,21,41,0,0,0,0,185,0,21,40,0,0,0,0,186,0,21,39,0,0,0,0,188,0,21,38,0,0,0,0,189,0,21,37,0,0,0,0,190,0,21,36,0,0,0,0,85,0,21,35,0,0,0,0,125,0,21,34,0,0,0,0,140,0,21,33,0,0,0,0,19,0,21,32,0,0,0,0,54,0,21,31,0,0,0,0,206,0,21,30,0,0,0,0,20,0,21,29,0,0,0,0,133,0,21,28,0,0,0,1,183,0,21,27,0,0,0,1,31,0,21,26,0,0,0,0,222,0,21,25,0,0,0,0,1,0,21,24,0,0,0,0,12,0,21,23,0,0,0,0,106,0,21,22,0,0,0,0,45,0,21,21,0,0,0,0,33,0,21,20,0,0,0,0,202,0,21,19,0,0,0,0,55,0,21,18,0,0,0,0,3,0,21,17,0,0,0,0,108,0,21,16,0,0,0,0,201,0,21,15,0,0,0,0,141,0,21,14,0,0,0,0,91,0,21,13,0,0,0,0,89,0,21,12,0,0,0,0,90,0,21,11,0,0,0,1,19,0,21,10,0,0,0,0,5,0,21,9,0,0,0,0,6,0,21,8,0,0,0,1,93,0,21,7,0,0,0,0,101,0,21,6,0,0,0,0,18,0,21,5,0,0,0,0,198,0,21,4,0,0,0,0,84,0,21,3,0,0,0,1,24,0,21,2,0,0,0,0,112,0,21,1,0,0,0,0,28,0,21,0,1,0,0,0,4,0,6,0,0,127,255,0,0,0,6,0,0,0,0,0,0,

562

+};

563

+static const unsigned char seccomp_bpf_blks_fork[] = {

564

+	0,32,0,0,0,0,0,4,0,21,0,55,0,0,0,15,0,32,0,0,0,0,0,0,0,21,52,0,0,0,0,7,0,21,51,0,0,0,0,235,0,21,50,0,0,0,0,114,0,21,49,0,0,0,0,113,0,21,48,0,0,0,1,32,0,21,47,0,0,0,0,175,0,21,46,0,0,0,0,174,0,21,45,0,0,0,0,2,0,21,44,0,0,0,0,11,0,21,43,0,0,0,0,120,0,21,42,0,0,0,0,228,0,21,41,0,0,0,0,185,0,21,40,0,0,0,0,186,0,21,39,0,0,0,0,188,0,21,38,0,0,0,0,189,0,21,37,0,0,0,0,190,0,21,36,0,0,0,0,85,0,21,35,0,0,0,0,125,0,21,34,0,0,0,0,140,0,21,33,0,0,0,0,19,0,21,32,0,0,0,0,54,0,21,31,0,0,0,0,206,0,21,30,0,0,0,0,20,0,21,29,0,0,0,0,133,0,21,28,0,0,0,1,183,0,21,27,0,0,0,1,31,0,21,26,0,0,0,0,222,0,21,25,0,0,0,0,1,0,21,24,0,0,0,0,12,0,21,23,0,0,0,0,106,0,21,22,0,0,0,0,45,0,21,21,0,0,0,0,33,0,21,20,0,0,0,0,202,0,21,19,0,0,0,0,55,0,21,18,0,0,0,0,3,0,21,17,0,0,0,0,108,0,21,16,0,0,0,0,201,0,21,15,0,0,0,0,141,0,21,14,0,0,0,0,91,0,21,13,0,0,0,0,89,0,21,12,0,0,0,0,90,0,21,11,0,0,0,1,19,0,21,10,0,0,0,0,5,0,21,9,0,0,0,0,6,0,21,8,0,0,0,1,93,0,21,7,0,0,0,0,101,0,21,6,0,0,0,0,18,0,21,5,0,0,0,0,198,0,21,4,0,0,0,0,84

565

 ,0,21,3,0,0,0,1,24,0,21,2,0,0,0,0,112,0,21,1,0,0,0,0,28,0,21,0,1,0,0,0,4,0,6,0,0,127,255,0,0,0,6,0,0,0,0,0,0,

566

+};

567

+#endif

568

+

569

+#if defined(__hppa__) &&  defined(__hppa64__)

570

+/* PARISC64 */

571

+#define SECCOMP_BPF_AVAILABLE

572

+static const unsigned char seccomp_bpf_blks_base[] = {

573

+	0,32,0,0,0,0,0,4,0,21,0,45,128,0,0,15,0,32,0,0,0,0,0,0,0,21,42,0,0,0,0,141,0,21,41,0,0,0,0,91,0,21,40,0,0,0,0,89,0,21,39,0,0,0,0,90,0,21,38,0,0,0,1,19,0,21,37,0,0,0,0,5,0,21,36,0,0,0,0,6,0,21,35,0,0,0,1,93,0,21,34,0,0,0,0,101,0,21,33,0,0,0,0,18,0,21,32,0,0,0,0,198,0,21,31,0,0,0,0,84,0,21,30,0,0,0,1,24,0,21,29,0,0,0,0,112,0,21,28,0,0,0,0,28,0,21,27,0,0,0,0,4,0,21,26,0,0,0,0,228,0,21,25,0,0,0,0,185,0,21,24,0,0,0,0,186,0,21,23,0,0,0,0,188,0,21,22,0,0,0,0,189,0,21,21,0,0,0,0,190,0,21,20,0,0,0,0,85,0,21,19,0,0,0,0,125,0,21,18,0,0,0,0,140,0,21,17,0,0,0,0,19,0,21,16,0,0,0,0,54,0,21,15,0,0,0,0,206,0,21,14,0,0,0,0,20,0,21,13,0,0,0,0,133,0,21,12,0,0,0,1,183,0,21,11,0,0,0,1,31,0,21,10,0,0,0,0,222,0,21,9,0,0,0,0,1,0,21,8,0,0,0,0,12,0,21,7,0,0,0,0,106,0,21,6,0,0,0,0,45,0,21,5,0,0,0,0,33,0,21,4,0,0,0,0,202,0,21,3,0,0,0,0,55,0,21,2,0,0,0,0,3,0,21,1,0,0,0,0,108,0,21,0,1,0,0,0,201,0,6,0,0,127,255,0,0,0,6,0,0,0,0,0,0,

574

+};

575

+static const unsigned char seccomp_bpf_blks_fork[] = {

576

+	0,32,0,0,0,0,0,4,0,21,0,55,128,0,0,15,0,32,0,0,0,0,0,0,0,21,52,0,0,0,0,141,0,21,51,0,0,0,0,91,0,21,50,0,0,0,0,89,0,21,49,0,0,0,0,90,0,21,48,0,0,0,1,19,0,21,47,0,0,0,0,5,0,21,46,0,0,0,0,6,0,21,45,0,0,0,1,93,0,21,44,0,0,0,0,101,0,21,43,0,0,0,0,18,0,21,42,0,0,0,0,198,0,21,41,0,0,0,0,84,0,21,40,0,0,0,1,24,0,21,39,0,0,0,0,112,0,21,38,0,0,0,0,28,0,21,37,0,0,0,0,4,0,21,36,0,0,0,0,7,0,21,35,0,0,0,0,235,0,21,34,0,0,0,0,114,0,21,33,0,0,0,0,113,0,21,32,0,0,0,1,32,0,21,31,0,0,0,0,175,0,21,30,0,0,0,0,174,0,21,29,0,0,0,0,2,0,21,28,0,0,0,0,11,0,21,27,0,0,0,0,120,0,21,26,0,0,0,0,228,0,21,25,0,0,0,0,185,0,21,24,0,0,0,0,186,0,21,23,0,0,0,0,188,0,21,22,0,0,0,0,189,0,21,21,0,0,0,0,190,0,21,20,0,0,0,0,85,0,21,19,0,0,0,0,125,0,21,18,0,0,0,0,140,0,21,17,0,0,0,0,19,0,21,16,0,0,0,0,54,0,21,15,0,0,0,0,206,0,21,14,0,0,0,0,20,0,21,13,0,0,0,0,133,0,21,12,0,0,0,1,183,0,21,11,0,0,0,1,31,0,21,10,0,0,0,0,222,0,21,9,0,0,0,0,1,0,21,8,0,0,0,0,12,0,21,7,0,0,0,0,106,0,21,6,0,0,0,0,45,0,21,5,0,0,0,0,33,0,21,4,0,0,0,0,20

577

 2,0,21,3,0,0,0,0,55,0,21,2,0,0,0,0,3,0,21,1,0,0,0,0,108,0,21,0,1,0,0,0,201,0,6,0,0,127,255,0,0,0,6,0,0,0,0,0,0,

578

+};

579

+#endif

580

+

581

+#if defined(__powerpc__) && !defined(__powerpc64__) &&  defined(__BIG_ENDIAN__)

582

+/* PPC */

583

+#define SECCOMP_BPF_AVAILABLE

584

+static const unsigned char seccomp_bpf_blks_base[] = {

585

+	0,32,0,0,0,0,0,4,0,21,0,44,0,0,0,20,0,32,0,0,0,0,0,0,0,21,41,0,0,0,0,117,0,21,40,0,0,0,1,137,0,21,39,0,0,0,1,144,0,21,38,0,0,0,1,145,0,21,37,0,0,0,1,143,0,21,36,0,0,0,0,85,0,21,35,0,0,0,0,125,0,21,34,0,0,0,0,140,0,21,33,0,0,0,0,19,0,21,32,0,0,0,0,54,0,21,31,0,0,0,0,207,0,21,30,0,0,0,0,20,0,21,29,0,0,0,0,133,0,21,28,0,0,0,1,183,0,21,27,0,0,0,1,42,0,21,26,0,0,0,0,234,0,21,25,0,0,0,0,1,0,21,24,0,0,0,0,12,0,21,23,0,0,0,0,183,0,21,22,0,0,0,0,45,0,21,21,0,0,0,0,33,0,21,20,0,0,0,0,204,0,21,19,0,0,0,0,55,0,21,18,0,0,0,0,3,0,21,17,0,0,0,0,179,0,21,16,0,0,0,0,202,0,21,15,0,0,0,0,141,0,21,14,0,0,0,0,91,0,21,13,0,0,0,0,192,0,21,12,0,0,0,0,90,0,21,11,0,0,0,1,30,0,21,10,0,0,0,0,5,0,21,9,0,0,0,0,6,0,21,8,0,0,0,1,127,0,21,7,0,0,0,0,195,0,21,6,0,0,0,0,106,0,21,5,0,0,0,0,196,0,21,4,0,0,0,0,107,0,21,3,0,0,0,1,35,0,21,2,0,0,0,0,197,0,21,1,0,0,0,0,108,0,21,0,1,0,0,0,4,0,6,0,0,127,255,0,0,0,6,0,0,0,0,0,0,

586

+};

587

+static const unsigned char seccomp_bpf_blks_fork[] = {

588

+	0,32,0,0,0,0,0,4,0,21,0,54,0,0,0,20,0,32,0,0,0,0,0,0,0,21,51,0,0,0,0,7,0,21,50,0,0,0,1,16,0,21,49,0,0,0,0,114,0,21,48,0,0,0,0,189,0,21,47,0,0,0,1,26,0,21,46,0,0,0,0,174,0,21,45,0,0,0,0,173,0,21,44,0,0,0,0,2,0,21,43,0,0,0,0,11,0,21,42,0,0,0,0,120,0,21,41,0,0,0,0,117,0,21,40,0,0,0,1,137,0,21,39,0,0,0,1,144,0,21,38,0,0,0,1,145,0,21,37,0,0,0,1,143,0,21,36,0,0,0,0,85,0,21,35,0,0,0,0,125,0,21,34,0,0,0,0,140,0,21,33,0,0,0,0,19,0,21,32,0,0,0,0,54,0,21,31,0,0,0,0,207,0,21,30,0,0,0,0,20,0,21,29,0,0,0,0,133,0,21,28,0,0,0,1,183,0,21,27,0,0,0,1,42,0,21,26,0,0,0,0,234,0,21,25,0,0,0,0,1,0,21,24,0,0,0,0,12,0,21,23,0,0,0,0,183,0,21,22,0,0,0,0,45,0,21,21,0,0,0,0,33,0,21,20,0,0,0,0,204,0,21,19,0,0,0,0,55,0,21,18,0,0,0,0,3,0,21,17,0,0,0,0,179,0,21,16,0,0,0,0,202,0,21,15,0,0,0,0,141,0,21,14,0,0,0,0,91,0,21,13,0,0,0,0,192,0,21,12,0,0,0,0,90,0,21,11,0,0,0,1,30,0,21,10,0,0,0,0,5,0,21,9,0,0,0,0,6,0,21,8,0,0,0,1,127,0,21,7,0,0,0,0,195,0,21,6,0,0,0,0,106,0,21,5,0,0,0,0,196,0,21,4,0,0,0,0,107,0,21,3,0,0,0,1,3

589

 5,0,21,2,0,0,0,0,197,0,21,1,0,0,0,0,108,0,21,0,1,0,0,0,4,0,6,0,0,127,255,0,0,0,6,0,0,0,0,0,0,

590

+};

591

+#endif

592

+

593

+#if defined(__powerpc__) &&  defined(__powerpc64__) &&  defined(__BIG_ENDIAN__)

594

+/* PPC64 */

595

+#define SECCOMP_BPF_AVAILABLE

596

+static const unsigned char seccomp_bpf_blks_base[] = {

597

+	0,32,0,0,0,0,0,4,0,21,0,40,128,0,0,21,0,32,0,0,0,0,0,0,0,21,37,0,0,0,0,117,0,21,36,0,0,0,0,85,0,21,35,0,0,0,0,125,0,21,34,0,0,0,0,140,0,21,33,0,0,0,0,19,0,21,32,0,0,0,0,54,0,21,31,0,0,0,0,207,0,21,30,0,0,0,0,20,0,21,29,0,0,0,0,133,0,21,28,0,0,0,1,183,0,21,27,0,0,0,1,42,0,21,26,0,0,0,0,234,0,21,25,0,0,0,0,1,0,21,24,0,0,0,0,12,0,21,23,0,0,0,0,183,0,21,22,0,0,0,0,45,0,21,21,0,0,0,0,33,0,21,20,0,0,0,0,55,0,21,19,0,0,0,0,3,0,21,18,0,0,0,0,179,0,21,17,0,0,0,0,202,0,21,16,0,0,0,0,141,0,21,15,0,0,0,0,91,0,21,14,0,0,0,0,90,0,21,13,0,0,0,1,30,0,21,12,0,0,0,0,5,0,21,11,0,0,0,0,6,0,21,10,0,0,0,1,127,0,21,9,0,0,0,0,106,0,21,8,0,0,0,0,107,0,21,7,0,0,0,0,108,0,21,6,0,0,0,1,35,0,21,5,0,0,0,0,4,0,21,4,0,0,0,1,136,0,21,3,0,0,0,1,137,0,21,2,0,0,0,1,143,0,21,1,0,0,0,1,144,0,21,0,1,0,0,1,145,0,6,0,0,127,255,0,0,0,6,0,0,0,0,0,0,

598

+};

599

+static const unsigned char seccomp_bpf_blks_fork[] = {

600

+	0,32,0,0,0,0,0,4,0,21,0,50,128,0,0,21,0,32,0,0,0,0,0,0,0,21,47,0,0,0,0,7,0,21,46,0,0,0,1,16,0,21,45,0,0,0,0,114,0,21,44,0,0,0,0,189,0,21,43,0,0,0,1,26,0,21,42,0,0,0,0,174,0,21,41,0,0,0,0,173,0,21,40,0,0,0,0,2,0,21,39,0,0,0,0,11,0,21,38,0,0,0,0,120,0,21,37,0,0,0,0,117,0,21,36,0,0,0,0,85,0,21,35,0,0,0,0,125,0,21,34,0,0,0,0,140,0,21,33,0,0,0,0,19,0,21,32,0,0,0,0,54,0,21,31,0,0,0,0,207,0,21,30,0,0,0,0,20,0,21,29,0,0,0,0,133,0,21,28,0,0,0,1,183,0,21,27,0,0,0,1,42,0,21,26,0,0,0,0,234,0,21,25,0,0,0,0,1,0,21,24,0,0,0,0,12,0,21,23,0,0,0,0,183,0,21,22,0,0,0,0,45,0,21,21,0,0,0,0,33,0,21,20,0,0,0,0,55,0,21,19,0,0,0,0,3,0,21,18,0,0,0,0,179,0,21,17,0,0,0,0,202,0,21,16,0,0,0,0,141,0,21,15,0,0,0,0,91,0,21,14,0,0,0,0,90,0,21,13,0,0,0,1,30,0,21,12,0,0,0,0,5,0,21,11,0,0,0,0,6,0,21,10,0,0,0,1,127,0,21,9,0,0,0,0,106,0,21,8,0,0,0,0,107,0,21,7,0,0,0,0,108,0,21,6,0,0,0,1,35,0,21,5,0,0,0,0,4,0,21,4,0,0,0,1,136,0,21,3,0,0,0,1,137,0,21,2,0,0,0,1,143,0,21,1,0,0,0,1,144,0,21,0,1,0,0,1,145,0,6,0,0,127,255,0,0,0

601

 ,6,0,0,0,0,0,0,

602

+};

603

+#endif

604

+

605

+#if defined(__powerpc__) &&  defined(__powerpc64__) && !defined(__BIG_ENDIAN__)

606

+/* PPC64LE */

607

+#define SECCOMP_BPF_AVAILABLE

608

+static const unsigned char seccomp_bpf_blks_base[] = {

609

+	32,0,0,0,4,0,0,0,21,0,0,40,21,0,0,192,32,0,0,0,0,0,0,0,21,0,37,0,117,0,0,0,21,0,36,0,85,0,0,0,21,0,35,0,125,0,0,0,21,0,34,0,140,0,0,0,21,0,33,0,19,0,0,0,21,0,32,0,54,0,0,0,21,0,31,0,207,0,0,0,21,0,30,0,20,0,0,0,21,0,29,0,133,0,0,0,21,0,28,0,183,1,0,0,21,0,27,0,42,1,0,0,21,0,26,0,234,0,0,0,21,0,25,0,1,0,0,0,21,0,24,0,12,0,0,0,21,0,23,0,183,0,0,0,21,0,22,0,45,0,0,0,21,0,21,0,33,0,0,0,21,0,20,0,55,0,0,0,21,0,19,0,3,0,0,0,21,0,18,0,179,0,0,0,21,0,17,0,202,0,0,0,21,0,16,0,141,0,0,0,21,0,15,0,91,0,0,0,21,0,14,0,90,0,0,0,21,0,13,0,30,1,0,0,21,0,12,0,5,0,0,0,21,0,11,0,6,0,0,0,21,0,10,0,127,1,0,0,21,0,9,0,106,0,0,0,21,0,8,0,107,0,0,0,21,0,7,0,108,0,0,0,21,0,6,0,35,1,0,0,21,0,5,0,4,0,0,0,21,0,4,0,136,1,0,0,21,0,3,0,137,1,0,0,21,0,2,0,143,1,0,0,21,0,1,0,144,1,0,0,21,0,0,1,145,1,0,0,6,0,0,0,0,0,255,127,6,0,0,0,0,0,0,0,

610

+};

611

+static const unsigned char seccomp_bpf_blks_fork[] = {

612

+	32,0,0,0,4,0,0,0,21,0,0,50,21,0,0,192,32,0,0,0,0,0,0,0,21,0,47,0,7,0,0,0,21,0,46,0,16,1,0,0,21,0,45,0,114,0,0,0,21,0,44,0,189,0,0,0,21,0,43,0,26,1,0,0,21,0,42,0,174,0,0,0,21,0,41,0,173,0,0,0,21,0,40,0,2,0,0,0,21,0,39,0,11,0,0,0,21,0,38,0,120,0,0,0,21,0,37,0,117,0,0,0,21,0,36,0,85,0,0,0,21,0,35,0,125,0,0,0,21,0,34,0,140,0,0,0,21,0,33,0,19,0,0,0,21,0,32,0,54,0,0,0,21,0,31,0,207,0,0,0,21,0,30,0,20,0,0,0,21,0,29,0,133,0,0,0,21,0,28,0,183,1,0,0,21,0,27,0,42,1,0,0,21,0,26,0,234,0,0,0,21,0,25,0,1,0,0,0,21,0,24,0,12,0,0,0,21,0,23,0,183,0,0,0,21,0,22,0,45,0,0,0,21,0,21,0,33,0,0,0,21,0,20,0,55,0,0,0,21,0,19,0,3,0,0,0,21,0,18,0,179,0,0,0,21,0,17,0,202,0,0,0,21,0,16,0,141,0,0,0,21,0,15,0,91,0,0,0,21,0,14,0,90,0,0,0,21,0,13,0,30,1,0,0,21,0,12,0,5,0,0,0,21,0,11,0,6,0,0,0,21,0,10,0,127,1,0,0,21,0,9,0,106,0,0,0,21,0,8,0,107,0,0,0,21,0,7,0,108,0,0,0,21,0,6,0,35,1,0,0,21,0,5,0,4,0,0,0,21,0,4,0,136,1,0,0,21,0,3,0,137,1,0,0,21,0,2,0,143,1,0,0,21,0,1,0,144,1,0,0,21,0,0,1,145,1,0,0,6,0,0,0,0,0,255,127,6

613

 ,0,0,0,0,0,0,0,

614

+};

615

+#endif

616

+

617

+#if defined(__riscv) && __riscv_xlen == 64

618

+/* RISCV64 */

619

+#define SECCOMP_BPF_AVAILABLE

620

+static const unsigned char seccomp_bpf_blks_base[] = {

621

+	32,0,0,0,4,0,0,0,21,0,0,33,243,0,0,192,32,0,0,0,0,0,0,0,21,0,30,0,192,0,0,0,21,0,29,0,193,0,0,0,21,0,28,0,190,0,0,0,21,0,27,0,189,0,0,0,21,0,26,0,188,0,0,0,21,0,25,0,186,0,0,0,21,0,24,0,226,0,0,0,21,0,23,0,62,0,0,0,21,0,22,0,29,0,0,0,21,0,21,0,178,0,0,0,21,0,20,0,172,0,0,0,21,0,19,0,50,0,0,0,21,0,18,0,183,1,0,0,21,0,17,0,48,0,0,0,21,0,16,0,94,0,0,0,21,0,15,0,93,0,0,0,21,0,14,0,49,0,0,0,21,0,13,0,90,0,0,0,21,0,12,0,214,0,0,0,21,0,11,0,25,0,0,0,21,0,10,0,63,0,0,0,21,0,9,0,67,0,0,0,21,0,8,0,61,0,0,0,21,0,7,0,215,0,0,0,21,0,6,0,222,0,0,0,21,0,5,0,56,0,0,0,21,0,4,0,57,0,0,0,21,0,3,0,35,1,0,0,21,0,2,0,80,0,0,0,21,0,1,0,79,0,0,0,21,0,0,1,64,0,0,0,6,0,0,0,0,0,255,127,6,0,0,0,0,0,0,0,

622

+};

623

+static const unsigned char seccomp_bpf_blks_fork[] = {

624

+	32,0,0,0,4,0,0,0,21,0,0,40,243,0,0,192,32,0,0,0,0,0,0,0,21,0,37,0,4,1,0,0,21,0,36,0,97,0,0,0,21,0,35,0,135,0,0,0,21,0,34,0,134,0,0,0,21,0,33,0,221,0,0,0,21,0,32,0,220,0,0,0,21,0,31,0,192,0,0,0,21,0,30,0,193,0,0,0,21,0,29,0,190,0,0,0,21,0,28,0,189,0,0,0,21,0,27,0,188,0,0,0,21,0,26,0,186,0,0,0,21,0,25,0,226,0,0,0,21,0,24,0,62,0,0,0,21,0,23,0,29,0,0,0,21,0,22,0,178,0,0,0,21,0,21,0,172,0,0,0,21,0,20,0,50,0,0,0,21,0,19,0,183,1,0,0,21,0,18,0,48,0,0,0,21,0,17,0,94,0,0,0,21,0,16,0,93,0,0,0,21,0,15,0,49,0,0,0,21,0,14,0,90,0,0,0,21,0,13,0,214,0,0,0,21,0,12,0,25,0,0,0,21,0,11,0,63,0,0,0,21,0,10,0,67,0,0,0,21,0,9,0,61,0,0,0,21,0,8,0,215,0,0,0,21,0,7,0,222,0,0,0,21,0,6,0,56,0,0,0,21,0,5,0,57,0,0,0,21,0,4,0,35,1,0,0,21,0,3,0,80,0,0,0,21,0,2,0,79,0,0,0,21,0,1,0,64,0,0,0,21,0,0,1,95,0,0,0,6,0,0,0,0,0,255,127,6,0,0,0,0,0,0,0,

625

+};

626

+#endif

627

+

628

+#if defined(__s390__) && !defined(__s390x__)

629

+/* S390 */

630

+#define SECCOMP_BPF_AVAILABLE

631

+static const unsigned char seccomp_bpf_blks_base[] = {

632

+	0,32,0,0,0,0,0,4,0,21,0,45,0,0,0,22,0,32,0,0,0,0,0,0,0,21,42,0,0,0,0,117,0,21,41,0,0,0,0,85,0,21,40,0,0,0,0,125,0,21,39,0,0,0,0,140,0,21,38,0,0,0,0,19,0,21,37,0,0,0,0,54,0,21,36,0,0,0,0,236,0,21,35,0,0,0,0,20,0,21,34,0,0,0,0,133,0,21,33,0,0,0,1,183,0,21,32,0,0,0,1,44,0,21,31,0,0,0,0,248,0,21,30,0,0,0,0,1,0,21,29,0,0,0,0,12,0,21,28,0,0,0,0,184,0,21,27,0,0,0,0,45,0,21,26,0,0,0,0,33,0,21,25,0,0,0,0,221,0,21,24,0,0,0,0,55,0,21,23,0,0,0,0,3,0,21,22,0,0,0,0,180,0,21,21,0,0,0,0,220,0,21,20,0,0,0,0,141,0,21,19,0,0,0,0,91,0,21,18,0,0,0,0,192,0,21,17,0,0,0,0,90,0,21,16,0,0,0,1,32,0,21,15,0,0,0,0,5,0,21,14,0,0,0,0,6,0,21,13,0,0,0,1,123,0,21,12,0,0,0,0,195,0,21,11,0,0,0,0,106,0,21,10,0,0,0,0,196,0,21,9,0,0,0,0,107,0,21,8,0,0,0,1,37,0,21,7,0,0,0,0,197,0,21,6,0,0,0,0,108,0,21,5,0,0,0,0,4,0,21,4,0,0,0,1,136,0,21,3,0,0,0,1,137,0,21,2,0,0,0,1,143,0,21,1,0,0,0,1,144,0,21,0,1,0,0,1,145,0,6,0,0,127,255,0,0,0,6,0,0,0,0,0,0,

633

+};

634

+static const unsigned char seccomp_bpf_blks_fork[] = {

635

+	0,32,0,0,0,0,0,4,0,21,0,54,0,0,0,22,0,32,0,0,0,0,0,0,0,21,51,0,0,0,1,25,0,21,50,0,0,0,0,114,0,21,49,0,0,0,0,190,0,21,48,0,0,0,1,47,0,21,47,0,0,0,0,175,0,21,46,0,0,0,0,174,0,21,45,0,0,0,0,2,0,21,44,0,0,0,0,11,0,21,43,0,0,0,0,120,0,21,42,0,0,0,0,117,0,21,41,0,0,0,0,85,0,21,40,0,0,0,0,125,0,21,39,0,0,0,0,140,0,21,38,0,0,0,0,19,0,21,37,0,0,0,0,54,0,21,36,0,0,0,0,236,0,21,35,0,0,0,0,20,0,21,34,0,0,0,0,133,0,21,33,0,0,0,1,183,0,21,32,0,0,0,1,44,0,21,31,0,0,0,0,248,0,21,30,0,0,0,0,1,0,21,29,0,0,0,0,12,0,21,28,0,0,0,0,184,0,21,27,0,0,0,0,45,0,21,26,0,0,0,0,33,0,21,25,0,0,0,0,221,0,21,24,0,0,0,0,55,0,21,23,0,0,0,0,3,0,21,22,0,0,0,0,180,0,21,21,0,0,0,0,220,0,21,20,0,0,0,0,141,0,21,19,0,0,0,0,91,0,21,18,0,0,0,0,192,0,21,17,0,0,0,0,90,0,21,16,0,0,0,1,32,0,21,15,0,0,0,0,5,0,21,14,0,0,0,0,6,0,21,13,0,0,0,1,123,0,21,12,0,0,0,0,195,0,21,11,0,0,0,0,106,0,21,10,0,0,0,0,196,0,21,9,0,0,0,0,107,0,21,8,0,0,0,1,37,0,21,7,0,0,0,0,197,0,21,6,0,0,0,0,108,0,21,5,0,0,0,0,4,0,21,4,0,0,0,1,136,0,21,3,0,0,0,1,13

636

 7,0,21,2,0,0,0,1,143,0,21,1,0,0,0,1,144,0,21,0,1,0,0,1,145,0,6,0,0,127,255,0,0,0,6,0,0,0,0,0,0,

637

+};

638

+#endif

639

+

640

+#if defined(__s390__) &&  defined(__s390x__)

641

+/* S390X */

642

+#define SECCOMP_BPF_AVAILABLE

643

+static const unsigned char seccomp_bpf_blks_base[] = {

644

+	0,32,0,0,0,0,0,4,0,21,0,39,128,0,0,22,0,32,0,0,0,0,0,0,0,21,36,0,0,0,0,117,0,21,35,0,0,0,0,85,0,21,34,0,0,0,0,125,0,21,33,0,0,0,0,19,0,21,32,0,0,0,0,54,0,21,31,0,0,0,0,236,0,21,30,0,0,0,0,20,0,21,29,0,0,0,0,133,0,21,28,0,0,0,1,183,0,21,27,0,0,0,1,44,0,21,26,0,0,0,0,248,0,21,25,0,0,0,0,1,0,21,24,0,0,0,0,12,0,21,23,0,0,0,0,184,0,21,22,0,0,0,0,45,0,21,21,0,0,0,0,33,0,21,20,0,0,0,0,55,0,21,19,0,0,0,0,3,0,21,18,0,0,0,0,180,0,21,17,0,0,0,0,220,0,21,16,0,0,0,0,141,0,21,15,0,0,0,0,91,0,21,14,0,0,0,0,90,0,21,13,0,0,0,1,32,0,21,12,0,0,0,0,5,0,21,11,0,0,0,0,6,0,21,10,0,0,0,1,123,0,21,9,0,0,0,0,106,0,21,8,0,0,0,0,107,0,21,7,0,0,0,0,108,0,21,6,0,0,0,1,37,0,21,5,0,0,0,0,4,0,21,4,0,0,0,1,136,0,21,3,0,0,0,1,137,0,21,2,0,0,0,1,143,0,21,1,0,0,0,1,144,0,21,0,1,0,0,1,145,0,6,0,0,127,255,0,0,0,6,0,0,0,0,0,0,

645

+};

646

+static const unsigned char seccomp_bpf_blks_fork[] = {

647

+	0,32,0,0,0,0,0,4,0,21,0,48,128,0,0,22,0,32,0,0,0,0,0,0,0,21,45,0,0,0,1,25,0,21,44,0,0,0,0,114,0,21,43,0,0,0,0,190,0,21,42,0,0,0,1,47,0,21,41,0,0,0,0,175,0,21,40,0,0,0,0,174,0,21,39,0,0,0,0,2,0,21,38,0,0,0,0,11,0,21,37,0,0,0,0,120,0,21,36,0,0,0,0,117,0,21,35,0,0,0,0,85,0,21,34,0,0,0,0,125,0,21,33,0,0,0,0,19,0,21,32,0,0,0,0,54,0,21,31,0,0,0,0,236,0,21,30,0,0,0,0,20,0,21,29,0,0,0,0,133,0,21,28,0,0,0,1,183,0,21,27,0,0,0,1,44,0,21,26,0,0,0,0,248,0,21,25,0,0,0,0,1,0,21,24,0,0,0,0,12,0,21,23,0,0,0,0,184,0,21,22,0,0,0,0,45,0,21,21,0,0,0,0,33,0,21,20,0,0,0,0,55,0,21,19,0,0,0,0,3,0,21,18,0,0,0,0,180,0,21,17,0,0,0,0,220,0,21,16,0,0,0,0,141,0,21,15,0,0,0,0,91,0,21,14,0,0,0,0,90,0,21,13,0,0,0,1,32,0,21,12,0,0,0,0,5,0,21,11,0,0,0,0,6,0,21,10,0,0,0,1,123,0,21,9,0,0,0,0,106,0,21,8,0,0,0,0,107,0,21,7,0,0,0,0,108,0,21,6,0,0,0,1,37,0,21,5,0,0,0,0,4,0,21,4,0,0,0,1,136,0,21,3,0,0,0,1,137,0,21,2,0,0,0,1,143,0,21,1,0,0,0,1,144,0,21,0,1,0,0,1,145,0,6,0,0,127,255,0,0,0,6,0,0,0,0,0,0,

648

+};

649

+#endif

650

+

651

+#if defined(__i386__)

652

+/* X86 */

653

+#define SECCOMP_BPF_AVAILABLE

654

+static const unsigned char seccomp_bpf_blks_base[] = {

655

+	32,0,0,0,4,0,0,0,21,0,0,44,3,0,0,64,32,0,0,0,0,0,0,0,21,0,41,0,117,0,0,0,21,0,40,0,85,0,0,0,21,0,39,0,125,0,0,0,21,0,38,0,140,0,0,0,21,0,37,0,19,0,0,0,21,0,36,0,54,0,0,0,21,0,35,0,224,0,0,0,21,0,34,0,20,0,0,0,21,0,33,0,133,0,0,0,21,0,32,0,183,1,0,0,21,0,31,0,51,1,0,0,21,0,30,0,252,0,0,0,21,0,29,0,1,0,0,0,21,0,28,0,12,0,0,0,21,0,27,0,184,0,0,0,21,0,26,0,45,0,0,0,21,0,25,0,33,0,0,0,21,0,24,0,221,0,0,0,21,0,23,0,55,0,0,0,21,0,22,0,3,0,0,0,21,0,21,0,180,0,0,0,21,0,20,0,220,0,0,0,21,0,19,0,141,0,0,0,21,0,18,0,91,0,0,0,21,0,17,0,192,0,0,0,21,0,16,0,90,0,0,0,21,0,15,0,39,1,0,0,21,0,14,0,5,0,0,0,21,0,13,0,6,0,0,0,21,0,12,0,127,1,0,0,21,0,11,0,195,0,0,0,21,0,10,0,106,0,0,0,21,0,9,0,196,0,0,0,21,0,8,0,107,0,0,0,21,0,7,0,44,1,0,0,21,0,6,0,197,0,0,0,21,0,5,0,108,0,0,0,21,0,4,0,4,0,0,0,21,0,3,0,137,1,0,0,21,0,2,0,143,1,0,0,21,0,1,0,144,1,0,0,21,0,0,1,145,1,0,0,6,0,0,0,0,0,255,127,6,0,0,0,0,0,0,0,

656

+};

657

+static const unsigned char seccomp_bpf_blks_fork[] = {

658

+	32,0,0,0,4,0,0,0,21,0,0,54,3,0,0,64,32,0,0,0,0,0,0,0,21,0,51,0,7,0,0,0,21,0,50,0,28,1,0,0,21,0,49,0,114,0,0,0,21,0,48,0,190,0,0,0,21,0,47,0,54,1,0,0,21,0,46,0,175,0,0,0,21,0,45,0,174,0,0,0,21,0,44,0,2,0,0,0,21,0,43,0,11,0,0,0,21,0,42,0,120,0,0,0,21,0,41,0,117,0,0,0,21,0,40,0,85,0,0,0,21,0,39,0,125,0,0,0,21,0,38,0,140,0,0,0,21,0,37,0,19,0,0,0,21,0,36,0,54,0,0,0,21,0,35,0,224,0,0,0,21,0,34,0,20,0,0,0,21,0,33,0,133,0,0,0,21,0,32,0,183,1,0,0,21,0,31,0,51,1,0,0,21,0,30,0,252,0,0,0,21,0,29,0,1,0,0,0,21,0,28,0,12,0,0,0,21,0,27,0,184,0,0,0,21,0,26,0,45,0,0,0,21,0,25,0,33,0,0,0,21,0,24,0,221,0,0,0,21,0,23,0,55,0,0,0,21,0,22,0,3,0,0,0,21,0,21,0,180,0,0,0,21,0,20,0,220,0,0,0,21,0,19,0,141,0,0,0,21,0,18,0,91,0,0,0,21,0,17,0,192,0,0,0,21,0,16,0,90,0,0,0,21,0,15,0,39,1,0,0,21,0,14,0,5,0,0,0,21,0,13,0,6,0,0,0,21,0,12,0,127,1,0,0,21,0,11,0,195,0,0,0,21,0,10,0,106,0,0,0,21,0,9,0,196,0,0,0,21,0,8,0,107,0,0,0,21,0,7,0,44,1,0,0,21,0,6,0,197,0,0,0,21,0,5,0,108,0,0,0,21,0,4,0,4,0,0,0,21,0,3,0,137,1,0,0,

659

 21,0,2,0,143,1,0,0,21,0,1,0,144,1,0,0,21,0,0,1,145,1,0,0,6,0,0,0,0,0,255,127,6,0,0,0,0,0,0,0,

660

+};

661

+#endif

662

+

663

+#if defined(__x86_64__) &&  defined(__ILP32__)

664

+/* X32 */

665

+#define SECCOMP_BPF_AVAILABLE

666

+static const unsigned char seccomp_bpf_blks_base[] = {

667

+	32,0,0,0,4,0,0,0,21,0,0,40,62,0,0,192,32,0,0,0,0,0,0,0,53,0,0,38,0,0,0,64,21,0,36,0,220,0,0,64,21,0,35,0,65,0,0,64,21,0,34,0,64,0,0,64,21,0,33,0,69,0,0,64,21,0,32,0,70,0,0,64,21,0,31,0,68,0,0,64,21,0,30,0,89,0,0,64,21,0,29,0,10,0,0,64,21,0,28,0,8,0,0,64,21,0,27,0,2,2,0,64,21,0,26,0,186,0,0,64,21,0,25,0,39,0,0,64,21,0,24,0,81,0,0,64,21,0,23,0,183,1,0,64,21,0,22,0,13,1,0,64,21,0,21,0,231,0,0,64,21,0,20,0,60,0,0,64,21,0,19,0,80,0,0,64,21,0,18,0,125,0,0,64,21,0,17,0,12,0,0,64,21,0,16,0,21,0,0,64,21,0,15,0,72,0,0,64,21,0,14,0,0,0,0,64,21,0,13,0,17,0,0,64,21,0,12,0,217,0,0,64,21,0,11,0,78,0,0,64,21,0,10,0,11,0,0,64,21,0,9,0,9,0,0,64,21,0,8,0,1,1,0,64,21,0,7,0,2,0,0,64,21,0,6,0,3,0,0,64,21,0,5,0,76,1,0,64,21,0,4,0,4,0,0,64,21,0,3,0,6,0,0,64,21,0,2,0,5,0,0,64,21,0,1,0,6,1,0,64,21,0,0,1,1,0,0,64,6,0,0,0,0,0,255,127,6,0,0,0,0,0,0,0,

668

+};

669

+static const unsigned char seccomp_bpf_blks_fork[] = {

670

+	32,0,0,0,4,0,0,0,21,0,0,49,62,0,0,192,32,0,0,0,0,0,0,0,53,0,0,47,0,0,0,64,21,0,45,0,17,2,0,64,21,0,44,0,61,0,0,64,21,0,43,0,58,0,0,64,21,0,42,0,16,1,0,64,21,0,41,0,14,0,0,64,21,0,40,0,0,2,0,64,21,0,39,0,57,0,0,64,21,0,38,0,8,2,0,64,21,0,37,0,56,0,0,64,21,0,36,0,220,0,0,64,21,0,35,0,65,0,0,64,21,0,34,0,64,0,0,64,21,0,33,0,69,0,0,64,21,0,32,0,70,0,0,64,21,0,31,0,68,0,0,64,21,0,30,0,89,0,0,64,21,0,29,0,10,0,0,64,21,0,28,0,8,0,0,64,21,0,27,0,2,2,0,64,21,0,26,0,186,0,0,64,21,0,25,0,39,0,0,64,21,0,24,0,81,0,0,64,21,0,23,0,183,1,0,64,21,0,22,0,13,1,0,64,21,0,21,0,231,0,0,64,21,0,20,0,60,0,0,64,21,0,19,0,80,0,0,64,21,0,18,0,125,0,0,64,21,0,17,0,12,0,0,64,21,0,16,0,21,0,0,64,21,0,15,0,72,0,0,64,21,0,14,0,0,0,0,64,21,0,13,0,17,0,0,64,21,0,12,0,217,0,0,64,21,0,11,0,78,0,0,64,21,0,10,0,11,0,0,64,21,0,9,0,9,0,0,64,21,0,8,0,1,1,0,64,21,0,7,0,2,0,0,64,21,0,6,0,3,0,0,64,21,0,5,0,76,1,0,64,21,0,4,0,4,0,0,64,21,0,3,0,6,0,0,64,21,0,2,0,5,0,0,64,21,0,1,0,6,1,0,64,21,0,0,1,1,0,0,64,6,0,0,0,0,0,255,127,

671

 6,0,0,0,0,0,0,0,

672

+};

673

+#endif

674

+

675

+#if defined(__x86_64__) && !defined(__ILP32__)

676

+/* X86_64 */

677

+#define SECCOMP_BPF_AVAILABLE

678

+static const unsigned char seccomp_bpf_blks_base[] = {

679

+	32,0,0,0,4,0,0,0,21,0,0,41,62,0,0,192,32,0,0,0,0,0,0,0,53,0,0,1,0,0,0,64,21,0,0,38,255,255,255,255,21,0,36,0,16,0,0,0,21,0,35,0,186,0,0,0,21,0,34,0,39,0,0,0,21,0,33,0,81,0,0,0,21,0,32,0,183,1,0,0,21,0,31,0,13,1,0,0,21,0,30,0,231,0,0,0,21,0,29,0,60,0,0,0,21,0,28,0,80,0,0,0,21,0,27,0,125,0,0,0,21,0,26,0,12,0,0,0,21,0,25,0,21,0,0,0,21,0,24,0,72,0,0,0,21,0,23,0,0,0,0,0,21,0,22,0,17,0,0,0,21,0,21,0,217,0,0,0,21,0,20,0,78,0,0,0,21,0,19,0,11,0,0,0,21,0,18,0,9,0,0,0,21,0,17,0,1,1,0,0,21,0,16,0,2,0,0,0,21,0,15,0,3,0,0,0,21,0,14,0,76,1,0,0,21,0,13,0,4,0,0,0,21,0,12,0,6,0,0,0,21,0,11,0,5,0,0,0,21,0,10,0,6,1,0,0,21,0,9,0,1,0,0,0,21,0,8,0,220,0,0,0,21,0,7,0,65,0,0,0,21,0,6,0,64,0,0,0,21,0,5,0,69,0,0,0,21,0,4,0,70,0,0,0,21,0,3,0,68,0,0,0,21,0,2,0,89,0,0,0,21,0,1,0,10,0,0,0,21,0,0,1,8,0,0,0,6,0,0,0,0,0,255,127,6,0,0,0,0,0,0,0,

680

+};

681

+static const unsigned char seccomp_bpf_blks_fork[] = {

682

+	32,0,0,0,4,0,0,0,21,0,0,50,62,0,0,192,32,0,0,0,0,0,0,0,53,0,0,1,0,0,0,64,21,0,0,47,255,255,255,255,21,0,45,0,16,0,0,0,21,0,44,0,186,0,0,0,21,0,43,0,39,0,0,0,21,0,42,0,81,0,0,0,21,0,41,0,183,1,0,0,21,0,40,0,13,1,0,0,21,0,39,0,231,0,0,0,21,0,38,0,60,0,0,0,21,0,37,0,80,0,0,0,21,0,36,0,125,0,0,0,21,0,35,0,12,0,0,0,21,0,34,0,21,0,0,0,21,0,33,0,72,0,0,0,21,0,32,0,0,0,0,0,21,0,31,0,17,0,0,0,21,0,30,0,217,0,0,0,21,0,29,0,78,0,0,0,21,0,28,0,11,0,0,0,21,0,27,0,9,0,0,0,21,0,26,0,1,1,0,0,21,0,25,0,2,0,0,0,21,0,24,0,3,0,0,0,21,0,23,0,76,1,0,0,21,0,22,0,4,0,0,0,21,0,21,0,6,0,0,0,21,0,20,0,5,0,0,0,21,0,19,0,6,1,0,0,21,0,18,0,1,0,0,0,21,0,17,0,247,0,0,0,21,0,16,0,61,0,0,0,21,0,15,0,58,0,0,0,21,0,14,0,16,1,0,0,21,0,13,0,14,0,0,0,21,0,12,0,13,0,0,0,21,0,11,0,57,0,0,0,21,0,10,0,59,0,0,0,21,0,9,0,56,0,0,0,21,0,8,0,220,0,0,0,21,0,7,0,65,0,0,0,21,0,6,0,64,0,0,0,21,0,5,0,69,0,0,0,21,0,4,0,70,0,0,0,21,0,3,0,68,0,0,0,21,0,2,0,89,0,0,0,21,0,1,0,10,0,0,0,21,0,0,1,8,0,0,0,6,0,0,0,0,0,255,127,6,0,0,0,0,0,0,0,

683

+};

684

+#endif

685

+

686

+#ifdef SECCOMP_BPF_AVAILABLE

687

+typedef struct {

688

+	uint16_t cnt;

689

+	const void *bpf;

690

+} seccomp_bpf_program_t;

691

+static const seccomp_bpf_program_t seccomp_bpf_program_base = {

692

+	.cnt = sizeof(seccomp_bpf_blks_base) / 8,

693

+	.bpf = seccomp_bpf_blks_base,

694

+};

695

+static const seccomp_bpf_program_t seccomp_bpf_program_fork = {

696

+	.cnt = sizeof(seccomp_bpf_blks_fork) / 8,

697

+	.bpf = seccomp_bpf_blks_fork,

698

+};

699

+#endif

700

701

diff --git a/security.c b/security.c

702

index 802e586..4fecfa3 100644

703

--- a/security.c

704

+++ b/security.c

705

@@ -6,6 +6,7 @@

706

*/

707

708

 #include "paxinc.h"

709

+#include "seccomp-bpf.h"

710

711

 #ifdef __linux__

712

713

@@ -26,202 +27,23 @@

714

 #define CLONE_NEWUTS 0

715

 #endif

716

717

+#ifndef PR_SET_SECCOMP

718

+#define PR_SET_SECCOMP 22

719

+#endif

720

+#ifndef SECCOMP_MODE_FILTER

721

+#define SECCOMP_MODE_FILTER 2

722

+#endif

723

+

724

 #ifdef __SANITIZE_ADDRESS__

725

 /* ASAN does some weird stuff. */

726

 # define ALLOW_PIDNS 0

727

+# undef WANT_SECCOMP

728

 #else

729

 # define ALLOW_PIDNS 1

730

 #endif

731

732

-#ifdef WANT_SECCOMP

733

-# include <seccomp.h>

734

-

735

-/* Simple helper to add all of the syscalls in an array. */

736

-static int pax_seccomp_rules_add(scmp_filter_ctx ctx, int syscalls[], size_t num)

737

-{

738

-	static uint8_t prio;

739

-	size_t i;

740

-	for (i = 0; i < num; ++i) {

741

-		if (syscalls[i] < 0)

742

-			continue;

743

-

744

-		if (seccomp_syscall_priority(ctx, syscalls[i], prio++) < 0) {

745

-			warnp("seccomp_syscall_priority failed");

746

-			return -1;

747

-		}

748

-		if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, syscalls[i], 0) < 0) {

749

-			warnp("seccomp_rule_add failed");

750

-			return -1;

751

-		}

752

-	}

753

-	return 0;

754

-}

755

-#define pax_seccomp_rules_add(ctx, syscalls) pax_seccomp_rules_add(ctx, syscalls, ARRAY_SIZE(syscalls))

756

-

757

-static void

758

-pax_seccomp_sigal(__unused__ int signo, siginfo_t *info, __unused__ void *context)

759

-{

760

-#ifdef si_syscall

761

-	warn("seccomp violated: syscall %i", info->si_syscall);

762

-	fflush(stderr);

763

-	warn("  syscall = %s",

764

-		seccomp_syscall_resolve_num_arch(seccomp_arch_native(), info->si_syscall));

765

-	fflush(stderr);

766

-#else

767

-	warn("seccomp violated: syscall unknown (no si_syscall)");

768

-#endif

769

-	kill(getpid(), SIGSYS);

770

-	_exit(1);

771

-}

772

-

773

-static void pax_seccomp_signal_init(void)

774

-{

775

-	struct sigaction act;

776

-	sigemptyset(&act.sa_mask);

777

-	act.sa_sigaction = pax_seccomp_sigal,

778

-	act.sa_flags = SA_SIGINFO | SA_RESETHAND;

779

-	sigaction(SIGSYS, &act, NULL);

780

-}

781

-

782

-static void pax_seccomp_init(bool allow_forking)

783

-{

784

-	/* Order determines priority (first == lowest prio).  */

785

-	int base_syscalls[] = {

786

-		/* We write the most w/scanelf.  */

787

-		SCMP_SYS(write),

788

-		SCMP_SYS(writev),

789

-		SCMP_SYS(pwrite64),

790

-		SCMP_SYS(pwritev),

791

-

792

-		/* Then the stat family of functions.  */

793

-		SCMP_SYS(newfstatat),

794

-		SCMP_SYS(fstat),

795

-		SCMP_SYS(fstat64),

796

-		SCMP_SYS(fstatat64),

797

-		SCMP_SYS(lstat),

798

-		SCMP_SYS(lstat64),

799

-		SCMP_SYS(stat),

800

-		SCMP_SYS(stat64),

801

-		SCMP_SYS(statx),

802

-

803

-		/* Then the fd close func.  */

804

-		SCMP_SYS(close),

805

-

806

-		/* Then fd open family of functions.  */

807

-		SCMP_SYS(open),

808

-		SCMP_SYS(openat),

809

-

810

-		/* Then the memory mapping functions.  */

811

-		SCMP_SYS(mmap),

812

-		SCMP_SYS(mmap2),

813

-		SCMP_SYS(munmap),

814

-

815

-		/* Then the directory reading functions.  */

816

-		SCMP_SYS(getdents),

817

-		SCMP_SYS(getdents64),

818

-

819

-		/* Then the file reading functions.  */

820

-		SCMP_SYS(pread64),

821

-		SCMP_SYS(read),

822

-		SCMP_SYS(readv),

823

-		SCMP_SYS(preadv),

824

-

825

-		/* Then the fd manipulation functions.  */

826

-		SCMP_SYS(fcntl),

827

-		SCMP_SYS(fcntl64),

828

-

829

-		/* After this point, just sort the list alphabetically.  */

830

-		SCMP_SYS(access),

831

-		SCMP_SYS(brk),

832

-		SCMP_SYS(capget),

833

-		SCMP_SYS(chdir),

834

-		SCMP_SYS(dup),

835

-		SCMP_SYS(dup2),

836

-		SCMP_SYS(dup3),

837

-		SCMP_SYS(exit),

838

-		SCMP_SYS(exit_group),

839

-		SCMP_SYS(faccessat),

840

-		SCMP_SYS(fchdir),

841

-		SCMP_SYS(getpid),

842

-		SCMP_SYS(gettid),

843

-		SCMP_SYS(ioctl),

844

-		SCMP_SYS(lseek),

845

-		SCMP_SYS(_llseek),

846

-		SCMP_SYS(mprotect),

847

-

848

-		/* Syscalls listed because of compiler settings.  */

849

-		SCMP_SYS(futex),

850

-

851

-		/* Syscalls listed because of sandbox.  */

852

-		SCMP_SYS(readlink),

853

-		SCMP_SYS(readlinkat),

854

-		SCMP_SYS(getcwd),

855

-		#ifndef __SNR_faccessat2

856

-		/* faccessat2 is not yet defiled in latest libseccomp-2.5.1 */

857

-		#    define __SNR_faccessat2 __NR_faccessat2

858

-		#endif

859

-		SCMP_SYS(faccessat2),

860

-

861

-		/* Syscalls listed because of fakeroot.  */

862

-		SCMP_SYS(msgget),

863

-		SCMP_SYS(msgrcv),

864

-		SCMP_SYS(msgsnd),

865

-		SCMP_SYS(semget),

866

-		SCMP_SYS(semop),

867

-		SCMP_SYS(semtimedop),

868

-		/*

869

-		 * Some targets like ppc and i386 implement the above

870

-		 * syscall as subcalls via ipc() syscall.

871

-		 * https://bugs.gentoo.org/675378

872

-		 */

873

-		SCMP_SYS(ipc),

874

-	};

875

-	int fork_syscalls[] = {

876

-		SCMP_SYS(clone),

877

-		SCMP_SYS(execve),

878

-		SCMP_SYS(fork),

879

-		SCMP_SYS(rt_sigaction),

880

-		SCMP_SYS(rt_sigprocmask),

881

-		SCMP_SYS(unshare),

882

-		SCMP_SYS(vfork),

883

-		SCMP_SYS(wait4),

884

-		SCMP_SYS(waitid),

885

-		SCMP_SYS(waitpid),

886

-	};

887

-	scmp_filter_ctx ctx = seccomp_init(USE_DEBUG ? SCMP_ACT_TRAP : SCMP_ACT_KILL);

888

-	if (!ctx) {

889

-		warnp("seccomp_init failed");

890

-		return;

891

-	}

892

-

893

-	if (pax_seccomp_rules_add(ctx, base_syscalls) < 0)

894

-		goto done;

895

-

896

-	if (allow_forking)

897

-		if (pax_seccomp_rules_add(ctx, fork_syscalls) < 0)

898

-			goto done;

899

-

900

-	/* We already called prctl. */

901

-	seccomp_attr_set(ctx, SCMP_FLTATR_CTL_NNP, 0);

902

-

903

-	if (USE_DEBUG)

904

-		pax_seccomp_signal_init();

905

-

906

-#ifndef __SANITIZE_ADDRESS__

907

-	/* ASAN does some weird stuff. */

908

-	if (seccomp_load(ctx) < 0) {

909

-		/* We have to assume that EINVAL == CONFIG_SECCOMP is disabled. */

910

-		if (errno != EINVAL)

911

-			warnp("seccomp_load failed");

912

-	}

913

-#endif

914

-

915

- done:

916

-	seccomp_release(ctx);

917

-}

918

-

919

-#else

920

-# define pax_seccomp_init(allow_forking)

921

+#ifndef SECCOMP_BPF_AVAILABLE

922

+# undef WANT_SECCOMP

923

 #endif

924

925

 static int ns_unshare(int flags)

926

@@ -308,7 +130,19 @@ void security_init(bool allow_forking)

927

 				_exit(0);

928

}

929

930

-	pax_seccomp_init(allow_forking);

931

+#ifdef WANT_SECCOMP

932

+	{

933

+	int ret;

934

+

935

+	if (allow_forking)

936

+		ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &seccomp_bpf_program_fork);

937

+	else

938

+		ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &seccomp_bpf_program_base);

939

+

940

+	if (ret)

941

+		warn("enabling seccomp failed");

942

+	}

943

+#endif

944

}

945

946

 #endif

Gentoo Archives: gentoo-commits