commit: 24dd6026cab83b17bbf727feb07ced35fe75bb75 |
Author: Mike Frysinger <vapier <AT> gentoo <DOT> org> |
AuthorDate: Thu Aug 27 06:39:20 2015 +0000 |
Commit: Mike Frysinger <vapier <AT> gentoo <DOT> org> |
CommitDate: Sat Apr 17 04:56:53 2021 +0000 |
URL: https://gitweb.gentoo.org/proj/pax-utils.git/commit/?id=24dd6026 |
|
security: pregen seccomp bpf programs |
|
Since the bpf programs are the same across runs, generate them ahead of |
time. This way we don't have to link against libseccomp and run the |
library calls at runtime which helps cut out most overhead. |
|
Signed-off-by: Mike Frysinger <vapier <AT> gentoo.org> |
|
.depend | 23 ++++-- |
.gitignore | 1 + |
Makefile | 24 +++--- |
Makefile.am | 2 + |
configure.ac | 9 ++- |
porting.h | 3 + |
seccomp-bpf.c | 255 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
seccomp-bpf.h | 226 +++++++++++++++++++++++++++++++++++++++++++++++++++ |
security.c | 214 ++++++------------------------------------------ |
9 files changed, 549 insertions(+), 208 deletions(-) |
|
diff --git a/.depend b/.depend |
28 |
index 5371c1c..aab4f89 100644 |
29 |
--- a/.depend |
30 |
+++ b/.depend |
31 |
@@ -1,5 +1,18 @@ |
32 |
-scanelf.o: scanelf.c paxinc.h porting.h elf.h paxelf.h |
33 |
-pspax.o: pspax.c paxinc.h porting.h elf.h paxelf.h |
34 |
-dumpelf.o: dumpelf.c paxinc.h porting.h elf.h paxelf.h |
35 |
-paxelf.o: paxelf.c paxinc.h porting.h elf.h paxelf.h |
36 |
-paxinc.o: paxinc.c paxinc.h porting.h elf.h paxelf.h |
37 |
+paxelf.o: paxelf.c paxinc.h porting.h elf.h xfuncs.h security.h paxelf.h \ |
38 |
+ macho.h paxmacho.h |
39 |
+paxmacho.o: paxmacho.c paxinc.h porting.h elf.h xfuncs.h security.h \ |
40 |
+ paxelf.h macho.h paxmacho.h |
41 |
+paxinc.o: paxinc.c paxinc.h porting.h elf.h xfuncs.h security.h paxelf.h \ |
42 |
+ macho.h paxmacho.h |
43 |
+security.o: security.c paxinc.h porting.h elf.h xfuncs.h security.h \ |
44 |
+ paxelf.h macho.h paxmacho.h seccomp-bpf.h |
45 |
+xfuncs.o: xfuncs.c paxinc.h porting.h elf.h xfuncs.h security.h paxelf.h \ |
46 |
+ macho.h paxmacho.h |
47 |
+scanelf.o: scanelf.c paxinc.h porting.h elf.h xfuncs.h security.h \ |
48 |
+ paxelf.h macho.h paxmacho.h |
49 |
+dumpelf.o: dumpelf.c paxinc.h porting.h elf.h xfuncs.h security.h \ |
50 |
+ paxelf.h macho.h paxmacho.h |
51 |
+pspax.o: pspax.c paxinc.h porting.h elf.h xfuncs.h security.h paxelf.h \ |
52 |
+ macho.h paxmacho.h |
53 |
+scanmacho.o: scanmacho.c paxinc.h porting.h elf.h xfuncs.h security.h \ |
54 |
+ paxelf.h macho.h paxmacho.h |
55 |
|
56 |
diff --git a/.gitignore b/.gitignore |
57 |
index 553ea89..a6bf3ba 100644 |
58 |
--- a/.gitignore |
59 |
+++ b/.gitignore |
60 |
@@ -43,6 +43,7 @@ core |
61 |
/pspax |
62 |
/scanelf |
63 |
/scanmacho |
64 |
+/seccomp-bpf |
65 |
/symtree |
66 |
|
67 |
/man/*.1 |
68 |
|
69 |
diff --git a/Makefile b/Makefile |
70 |
index 9a2c07c..bb6f167 100644 |
71 |
--- a/Makefile |
72 |
+++ b/Makefile |
73 |
@@ -52,11 +52,14 @@ ifeq ($(USE_DEBUG),yes) |
74 |
override CPPFLAGS += -DEBUG |
75 |
endif |
76 |
|
77 |
-ifeq ($(USE_SECCOMP),yes) |
78 |
+ifeq ($(BUILD_USE_SECCOMP),yes) |
79 |
LIBSECCOMP_CFLAGS := $(shell $(PKG_CONFIG) --cflags libseccomp) |
80 |
LIBSECCOMP_LIBS := $(shell $(PKG_CONFIG) --libs libseccomp) |
81 |
override CPPFLAGS += $(LIBSECCOMP_CFLAGS) -DWANT_SECCOMP |
82 |
-LIBS += $(LIBSECCOMP_LIBS) |
83 |
+LIBS-seccomp-bpf += $(LIBSECCOMP_LIBS) |
84 |
+endif |
85 |
+ifeq ($(USE_SECCOMP),yes) |
86 |
+override CPPFLAGS += -DWANT_SECCOMP |
87 |
endif |
88 |
|
89 |
ifdef PV |
90 |
@@ -72,8 +75,10 @@ ELF_OBJS = paxelf.o paxldso.o |
91 |
MACH_TARGETS = scanmacho |
92 |
MACH_OBJS = paxmacho.o |
93 |
COMMON_OBJS = paxinc.o security.o xfuncs.o |
94 |
+BUILD_OBJS = $(filter-out security.o,$(COMMON_OBJS)) |
95 |
TARGETS = $(ELF_TARGETS) $(MACH_TARGETS) |
96 |
TARGETS_OBJS = $(TARGETS:%=%.o) |
97 |
+BUILD_TARGETS= seccomp-bpf |
98 |
SCRIPTS_SH = lddtree symtree |
99 |
SCRIPTS_PY = lddtree |
100 |
_OBJS = $(ELF_OBJS) $(MACH_OBJS) $(COMMON_OBJS) |
101 |
@@ -139,23 +144,24 @@ ifeq ($(V),) |
102 |
endif |
103 |
$(Q)$(compile.c) $(WFLAGS) |
104 |
|
105 |
-$(ELF_TARGETS): %: $(ELF_OBJS) $(COMMON_OBJS) %.o |
106 |
- $(CC) $(CFLAGS) $(LDFLAGS) $^ -o $@ $(LIBS) $(LIBS-$@) |
107 |
+LINK = $(CC) $(CFLAGS) $(LDFLAGS) $^ -o $@ $(LIBS) $(LIBS-$@) |
108 |
|
109 |
-$(MACH_TARGETS): %: $(MACH_OBJS) $(COMMON_OBJS) %.o |
110 |
- $(CC) $(CFLAGS) $(LDFLAGS) $^ -o $@ $(LIBS) $(LIBS-$@) |
111 |
+$(BUILD_TARGETS): %: $(BUILD_OBJS) %.o; $(LINK) |
112 |
+$(ELF_TARGETS): %: $(ELF_OBJS) $(COMMON_OBJS) %.o; $(LINK) |
113 |
+$(MACH_TARGETS): %: $(MACH_OBJS) $(COMMON_OBJS) %.o; $(LINK) |
114 |
|
115 |
$(OBJS_TARGETS): %: $(_OBJS) %.c |
116 |
$(CC) $(CFLAGS) $(CPPFLAGS) -DMAIN $(LDFLAGS) $(filter-out $@.o,$^) -o $@ $(LIBS) $(LIBS-$@) |
117 |
|
118 |
-%.so: %.c |
119 |
- $(CC) -shared -fPIC -o $@ $< |
120 |
+seccomp-bpf.h: seccomp-bpf.c |
121 |
+ $(MAKE) BUILD_USE_SECCOMP=yes seccomp-bpf |
122 |
+ ./seccomp-bpf > $@ |
123 |
|
124 |
depend: |
125 |
$(CC) $(CFLAGS) -MM $(SOURCES) > .depend |
126 |
|
127 |
clean: |
128 |
- -rm -f $(OBJS) $(TARGETS) $(OBJS_TARGETS) |
129 |
+ -rm -f $(OBJS) $(TARGETS) $(OBJS_TARGETS) $(BUILD_TARGETS) |
130 |
|
131 |
distclean: clean |
132 |
-rm -f *~ core *.o |
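Review bot: The new `seccomp-bpf.h` rule redirects the generator straight into its target, so a generator that exits part-way (its failure paths end in `err(1, ...)`, which still flushes stdout) leaves a partial header with a fresh timestamp that later `make` runs treat as up to date. If it stops before the first architecture block, the file holds only the banner comment and `#undef SECCOMP_BPF_AVAILABLE`; how security.c reacts to that is not visible on this page, but it may mean a build without the filter rather than a build error. Writing to a temporary file and renaming on success avoids this: `./seccomp-bpf > $@.tmp` followed by `mv $@.tmp $@`. The rule also executes a binary built with `$(CC)`, which cannot work in a cross build, so it relies on the checked-in header staying newer than seccomp-bpf.c.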
133 |
|
134 |
diff --git a/Makefile.am b/Makefile.am |
135 |
index f369f86..748a7ca 100644 |
136 |
--- a/Makefile.am |
137 |
+++ b/Makefile.am |
138 |
@@ -92,6 +92,8 @@ EXTRA_DIST += \ |
139 |
pylint \ |
140 |
scanelf.c \ |
141 |
scanmacho.c \ |
142 |
+ seccomp-bpf.c \ |
143 |
+ seccomp-bpf.h \ |
144 |
security.c \ |
145 |
security.h \ |
146 |
symtree.sh \ |
147 |
|
148 |
diff --git a/configure.ac b/configure.ac |
149 |
index 5ffd5ef..9b96090 100644 |
150 |
--- a/configure.ac |
151 |
+++ b/configure.ac |
152 |
@@ -33,9 +33,7 @@ AM_CONDITIONAL([USE_PYTHON], [test "x$with_python" = "xyes"]) |
153 |
|
154 |
AC_ARG_WITH([seccomp], [AS_HELP_STRING([--with-seccomp], [build with seccomp])]) |
155 |
AS_IF([test "x$with_seccomp" = "xyes"], [ |
156 |
- PKG_CHECK_MODULES(LIBSECCOMP, libseccomp) |
157 |
- CPPFLAGS="$CPPFLAGS $LIBSECCOMP_CFLAGS -DWANT_SECCOMP" |
158 |
- LIBS="$LIBS $LIBSECCOMP_LIBS" |
159 |
+ CPPFLAGS="$CPPFLAGS -DWANT_SECCOMP" |
160 |
]) |
161 |
|
162 |
AX_CFLAGS_WARN_ALL |
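Review bot: With `PKG_CHECK_MODULES` removed, `--with-seccomp` now sets `-DWANT_SECCOMP` without probing anything, and the `linux/seccomp.h` check added in the next hunk only records `HAVE_LINUX_SECCOMP_H` without being tied to the option. On a system lacking that header, porting.h skips the include, and whether security.c then fails to compile or builds without the filter cannot be seen from this page. Failing at configure time keeps a requested sandbox from being dropped unnoticed, for example inside the `AS_IF` body: `AC_CHECK_HEADER([linux/seccomp.h], [], [AC_MSG_ERROR([--with-seccomp requires linux/seccomp.h])])`.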
163 |
@@ -62,7 +60,10 @@ m4_foreach_w([flag], [ |
164 |
AX_CHECK_COMPILE_FLAG(flag, AS_VAR_APPEND([CFLAGS], " flag")) |
165 |
]) |
166 |
|
167 |
-AC_CHECK_HEADERS([linux/securebits.h]) |
168 |
+AC_CHECK_HEADERS_ONCE(m4_flatten([ |
169 |
+ linux/seccomp.h |
170 |
+ linux/securebits.h |
171 |
+])) |
172 |
|
173 |
AC_CONFIG_FILES([ |
174 |
Makefile |
175 |
|
176 |
diff --git a/porting.h b/porting.h |
177 |
index c4f5fc6..f1bd74f 100644 |
178 |
--- a/porting.h |
179 |
+++ b/porting.h |
180 |
@@ -46,6 +46,9 @@ |
181 |
#endif |
182 |
#if defined(__linux__) |
183 |
# include <sys/prctl.h> |
184 |
+# if !defined(HAVE_CONFIG_H) || defined(HAVE_LINUX_SECCOMP_H) |
185 |
+# include <linux/seccomp.h> |
186 |
+# endif |
187 |
# if !defined(HAVE_CONFIG_H) || defined(HAVE_LINUX_SECUREBITS_H) |
188 |
# include <linux/securebits.h> |
189 |
# endif |
190 |
|
191 |
diff --git a/seccomp-bpf.c b/seccomp-bpf.c |
192 |
new file mode 100644 |
193 |
index 0000000..d7246b1 |
194 |
--- /dev/null |
195 |
+++ b/seccomp-bpf.c |
196 |
@@ -0,0 +1,255 @@ |
197 |
+/* |
198 |
+ * Generate the bpf rules ahead of time to speed up runtime. |
199 |
+ * |
200 |
+ * Copyright 2015 Gentoo Foundation |
201 |
+ * Distributed under the terms of the GNU General Public License v2 |
202 |
+ * |
203 |
+ * Copyright 2015 Mike Frysinger - <vapier@g.o> |
204 |
+ */ |
205 |
+ |
206 |
+const char argv0[] = "seccomp-bpf"; |
207 |
+ |
208 |
+#include <err.h> |
209 |
+#include <stdio.h> |
210 |
+#include <stdlib.h> |
211 |
+#include <unistd.h> |
212 |
+#include <sys/mman.h> |
213 |
+#include <sys/types.h> |
214 |
+ |
215 |
+#include <seccomp.h> |
216 |
+ |
217 |
+#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0])) |
218 |
+ |
219 |
+static const struct { |
220 |
+ const char *name; |
221 |
+ uint32_t arch; |
222 |
+ const char *ifdef; |
223 |
+} gen_seccomp_arches[] = { |
224 |
+#define A(arch, ifdef) { #arch, SCMP_ARCH_##arch, ifdef } |
225 |
+ A(AARCH64, "defined(__aarch64__)"), |
226 |
+ A(ARM, "defined(__arm__)"), |
227 |
+ A(MIPS, "defined(__mips__) && defined(__MIPSEB__) && defined(_ABIO32)"), |
228 |
+ A(MIPS64, "defined(__mips__) && defined(__MIPSEB__) && defined(_ABI64)"), |
229 |
+ A(MIPS64N32, "defined(__mips__) && defined(__MIPSEB__) && defined(_ABIN32)"), |
230 |
+ A(MIPSEL, "defined(__mips__) && defined(__MIPSEL__) && defined(_ABIO32)"), |
231 |
+ A(MIPSEL64, "defined(__mips__) && defined(__MIPSEL__) && defined(_ABI64)"), |
232 |
+ A(MIPSEL64N32, "defined(__mips__) && defined(__MIPSEL__) && defined(_ABIN32)"), |
233 |
+ A(PARISC, "defined(__hppa__) && !defined(__hppa64__)"), |
234 |
+ A(PARISC64, "defined(__hppa__) && defined(__hppa64__)"), |
235 |
+ A(PPC, "defined(__powerpc__) && !defined(__powerpc64__) && defined(__BIG_ENDIAN__)"), |
236 |
+ A(PPC64, "defined(__powerpc__) && defined(__powerpc64__) && defined(__BIG_ENDIAN__)"), |
237 |
+ A(PPC64LE, "defined(__powerpc__) && defined(__powerpc64__) && !defined(__BIG_ENDIAN__)"), |
238 |
+ A(RISCV64, "defined(__riscv) && __riscv_xlen == 64"), |
239 |
+ A(S390, "defined(__s390__) && !defined(__s390x__)"), |
240 |
+ A(S390X, "defined(__s390__) && defined(__s390x__)"), |
241 |
+ A(X86, "defined(__i386__)"), |
242 |
+ A(X32, "defined(__x86_64__) && defined(__ILP32__)"), |
243 |
+ A(X86_64, "defined(__x86_64__) && !defined(__ILP32__)"), |
244 |
+#undef A |
245 |
+}; |
246 |
+ |
247 |
+/* Simple helper to add all of the syscalls in an array. */ |
248 |
+static int gen_seccomp_rules_add(scmp_filter_ctx ctx, int syscalls[], size_t num) |
249 |
+{ |
250 |
+ static uint8_t prio; |
251 |
+ size_t i; |
252 |
+ for (i = 0; i < num; ++i) { |
253 |
+ if (seccomp_syscall_priority(ctx, syscalls[i], prio++) < 0) { |
254 |
+ warn("seccomp_syscall_priority failed"); |
255 |
+ return -1; |
256 |
+ } |
257 |
+ if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, syscalls[i], 0) < 0) { |
258 |
+ warn("seccomp_rule_add failed"); |
259 |
+ return -1; |
260 |
+ } |
261 |
+ } |
262 |
+ return 0; |
263 |
+} |
264 |
+#define gen_seccomp_rules_add(ctx, syscalls) gen_seccomp_rules_add(ctx, syscalls, ARRAY_SIZE(syscalls)) |
265 |
+ |
266 |
+static void gen_seccomp_dump(scmp_filter_ctx ctx, const char *name) |
267 |
+{ |
268 |
+ unsigned char buf[32768 * 8]; |
269 |
+ ssize_t i, len; |
270 |
+ int fd; |
271 |
+ |
272 |
+ fd = memfd_create("bpf", MFD_CLOEXEC); |
273 |
+ if (fd < 0) |
274 |
+ err(1, "memfd_create failed"); |
275 |
+ if (seccomp_export_bpf(ctx, fd) < 0) |
276 |
+ err(1, "seccomp_export_bpf_mem failed"); |
277 |
+ if (lseek(fd, 0, SEEK_SET) != 0) |
278 |
+ err(1, "seek failed"); |
279 |
+ len = read(fd, buf, sizeof(buf)); |
280 |
+ if (len <= 0) |
281 |
+ err(1, "read failed"); |
282 |
+ |
283 |
+ printf("static const unsigned char seccomp_bpf_blks_%s[] = {\n\t", name); |
284 |
+ for (i = 0; i < len; ++i) |
285 |
+ printf("%u,", buf[i]); |
286 |
+ printf("\n};\n"); |
287 |
+} |
288 |
+ |
289 |
+static void gen_seccomp_program(const char *name) |
290 |
+{ |
291 |
+ printf( |
292 |
+ "static const seccomp_bpf_program_t seccomp_bpf_program_%s = {\n" |
293 |
+ " .cnt = sizeof(seccomp_bpf_blks_%s) / 8,\n" |
294 |
+ " .bpf = seccomp_bpf_blks_%s,\n" |
295 |
+ "};\n", name, name, name); |
296 |
+} |
297 |
+ |
298 |
+int main(void) |
299 |
+{ |
300 |
+ /* Order determines priority (first == lowest prio). */ |
301 |
+ int base_syscalls[] = { |
302 |
+ /* We write the most w/scanelf. */ |
303 |
+ SCMP_SYS(write), |
304 |
+ |
305 |
+ /* Then the stat family of functions. */ |
306 |
+ SCMP_SYS(newfstatat), |
307 |
+ SCMP_SYS(fstat), |
308 |
+ SCMP_SYS(fstat64), |
309 |
+ SCMP_SYS(fstatat64), |
310 |
+ SCMP_SYS(lstat), |
311 |
+ SCMP_SYS(lstat64), |
312 |
+ SCMP_SYS(stat), |
313 |
+ SCMP_SYS(stat64), |
314 |
+ SCMP_SYS(statx), |
315 |
+ |
316 |
+ /* Then the fd close func. */ |
317 |
+ SCMP_SYS(close), |
318 |
+ |
319 |
+ /* Then fd open family of functions. */ |
320 |
+ SCMP_SYS(open), |
321 |
+ SCMP_SYS(openat), |
322 |
+ |
323 |
+ /* Then the memory mapping functions. */ |
324 |
+ SCMP_SYS(mmap), |
325 |
+ SCMP_SYS(mmap2), |
326 |
+ SCMP_SYS(munmap), |
327 |
+ |
328 |
+ /* Then the directory reading functions. */ |
329 |
+ SCMP_SYS(getdents), |
330 |
+ SCMP_SYS(getdents64), |
331 |
+ |
332 |
+ /* Then the file reading functions. */ |
333 |
+ SCMP_SYS(pread64), |
334 |
+ SCMP_SYS(read), |
335 |
+ |
336 |
+ /* Then the fd manipulation functions. */ |
337 |
+ SCMP_SYS(fcntl), |
338 |
+ SCMP_SYS(fcntl64), |
339 |
+ |
340 |
+ /* After this point, just sort the list alphabetically. */ |
341 |
+ SCMP_SYS(access), |
342 |
+ SCMP_SYS(brk), |
343 |
+ SCMP_SYS(capget), |
344 |
+ SCMP_SYS(chdir), |
345 |
+ SCMP_SYS(exit), |
346 |
+ SCMP_SYS(exit_group), |
347 |
+ SCMP_SYS(faccessat), |
348 |
+#ifndef __SNR_faccessat2 |
349 |
+/* faccessat2 is not yet defined in libseccomp-2.5.1 */ |
350 |
+# define __SNR_faccessat2 __NR_faccessat2 |
351 |
+#endif |
352 |
+ SCMP_SYS(faccessat2), |
353 |
+ SCMP_SYS(fchdir), |
354 |
+ SCMP_SYS(getpid), |
355 |
+ SCMP_SYS(gettid), |
356 |
+ SCMP_SYS(ioctl), |
357 |
+ SCMP_SYS(lseek), |
358 |
+ SCMP_SYS(_llseek), |
359 |
+ SCMP_SYS(mprotect), |
360 |
+ |
361 |
+ /* Syscalls listed because of sandbox. */ |
362 |
+ SCMP_SYS(readlink), |
363 |
+ |
364 |
+ /* Syscalls listed because of fakeroot. */ |
365 |
+ SCMP_SYS(msgget), |
366 |
+ SCMP_SYS(msgrcv), |
367 |
+ SCMP_SYS(msgsnd), |
368 |
+ SCMP_SYS(semget), |
369 |
+ SCMP_SYS(semop), |
370 |
+ SCMP_SYS(semtimedop), |
371 |
+ /* |
372 |
+ * Some targets (e.g. ppc & i386) implement the above functions |
373 |
+ * as ipc() subcalls. #675378 |
374 |
+ */ |
375 |
+ SCMP_SYS(ipc), |
376 |
+ }; |
377 |
+ int fork_syscalls[] = { |
378 |
+ SCMP_SYS(clone), |
379 |
+ SCMP_SYS(execve), |
380 |
+ SCMP_SYS(fork), |
381 |
+ SCMP_SYS(rt_sigaction), |
382 |
+ SCMP_SYS(rt_sigprocmask), |
383 |
+ SCMP_SYS(unshare), |
384 |
+ SCMP_SYS(vfork), |
385 |
+ SCMP_SYS(wait4), |
386 |
+ SCMP_SYS(waitid), |
387 |
+ SCMP_SYS(waitpid), |
388 |
+ }; |
389 |
+ |
390 |
+ /* TODO: Handle debug and KILL vs TRAP. */ |
391 |
+ |
392 |
+ scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_KILL); |
393 |
+ if (!ctx) |
394 |
+ err(1, "seccomp_init failed"); |
395 |
+ |
396 |
+ printf("/* AUTO GENERATED; see seccomp-bpf.c for details. */\n"); |
397 |
+ printf("#undef SECCOMP_BPF_AVAILABLE\n"); |
398 |
+ |
399 |
+ if (seccomp_arch_remove(ctx, seccomp_arch_native()) < 0) |
400 |
+ err(1, "seccomp_arch_remove failed"); |
401 |
+ |
402 |
+ for (size_t i = 0; i < ARRAY_SIZE(gen_seccomp_arches); ++i) { |
403 |
+ uint32_t arch = gen_seccomp_arches[i].arch; |
404 |
+ |
405 |
+ seccomp_reset(ctx, SCMP_ACT_KILL); |
406 |
+ |
407 |
+ if (arch != seccomp_arch_native()) { |
408 |
+ if (seccomp_arch_remove(ctx, seccomp_arch_native()) < 0) |
409 |
+ err(1, "seccomp_arch_remove failed"); |
410 |
+ if (seccomp_arch_add(ctx, arch) < 0) |
411 |
+ err(1, "seccomp_arch_add failed"); |
412 |
+ } |
413 |
+ |
414 |
+ printf("\n#if %s\n", gen_seccomp_arches[i].ifdef); |
415 |
+ printf("/* %s */\n", gen_seccomp_arches[i].name); |
416 |
+ printf("#define SECCOMP_BPF_AVAILABLE\n"); |
417 |
+ |
418 |
+ if (gen_seccomp_rules_add(ctx, base_syscalls) < 0) |
419 |
+ err(1, "seccomp_rules_add failed"); |
420 |
+ gen_seccomp_dump(ctx, "base"); |
421 |
+ |
422 |
+ if (gen_seccomp_rules_add(ctx, fork_syscalls) < 0) |
423 |
+ err(1, "seccomp_rules_add failed"); |
424 |
+ gen_seccomp_dump(ctx, "fork"); |
425 |
+ |
426 |
+ if (0) { |
427 |
+ printf("/*\n"); |
428 |
+ fflush(stdout); |
429 |
+ seccomp_export_pfc(ctx, 1); |
430 |
+ fflush(stdout); |
431 |
+ printf("*/\n"); |
432 |
+ } |
433 |
+ |
434 |
+ printf("#endif\n"); |
435 |
+ } |
436 |
+ |
437 |
+ printf( |
438 |
+ "\n" |
439 |
+ "#ifdef SECCOMP_BPF_AVAILABLE\n" |
440 |
+ "typedef struct {\n" |
441 |
+ " uint16_t cnt;\n" |
442 |
+ " const void *bpf;\n" |
443 |
+ "} seccomp_bpf_program_t;\n"); |
444 |
+ gen_seccomp_program("base"); |
445 |
+ gen_seccomp_program("fork"); |
446 |
+ printf("#endif\n"); |
447 |
+ |
448 |
+ seccomp_release(ctx); |
449 |
+ |
450 |
+ return 0; |
451 |
+} |
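Review bot: `gen_seccomp_rules_add()` keeps its priority counter in `static uint8_t prio`, which is never reset, so it keeps counting across the base and fork lists of all 19 table entries and wraps at 256; from about the fifth architecture on, the wrap lands inside a single list and the emitted order no longer follows the list order. Resetting it per filter would fix that, for example a file-scope `static uint8_t prio;` with `prio = 0;` placed next to `seccomp_reset()` in the loop. libseccomp documents larger values as higher priority, so as written `write` receives the lowest one although the comment calls it the most frequent call; the intended direction is worth confirming. Separately, unlike the calls around it, `seccomp_reset(ctx, SCMP_ACT_KILL)` is not checked, and a failed reset could let the previous architecture's rules carry into the next `#if` block: `if (seccomp_reset(ctx, SCMP_ACT_KILL) < 0) err(1, "seccomp_reset failed");`.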
452 |
|
453 |
diff --git a/seccomp-bpf.h b/seccomp-bpf.h |
454 |
new file mode 100644 |
455 |
index 0000000..dfb7716 |
456 |
--- /dev/null |
457 |
+++ b/seccomp-bpf.h |
458 |
@@ -0,0 +1,226 @@ |
459 |
+/* AUTO GENERATED; see seccomp-bpf.c for details. */ |
460 |
+#undef SECCOMP_BPF_AVAILABLE |
461 |
+ |
462 |
+#if defined(__aarch64__) |
463 |
+/* AARCH64 */ |
464 |
+#define SECCOMP_BPF_AVAILABLE |
465 |
+static const unsigned char seccomp_bpf_blks_base[] = { |
466 |
+ 32,0,0,0,4,0,0,0,21,0,0,33,183,0,0,192,32,0,0,0,0,0,0,0,21,0,30,0,192,0,0,0,21,0,29,0,193,0,0,0,21,0,28,0,190,0,0,0,21,0,27,0,189,0,0,0,21,0,26,0,188,0,0,0,21,0,25,0,186,0,0,0,21,0,24,0,226,0,0,0,21,0,23,0,62,0,0,0,21,0,22,0,29,0,0,0,21,0,21,0,178,0,0,0,21,0,20,0,172,0,0,0,21,0,19,0,50,0,0,0,21,0,18,0,183,1,0,0,21,0,17,0,48,0,0,0,21,0,16,0,94,0,0,0,21,0,15,0,93,0,0,0,21,0,14,0,49,0,0,0,21,0,13,0,90,0,0,0,21,0,12,0,214,0,0,0,21,0,11,0,25,0,0,0,21,0,10,0,63,0,0,0,21,0,9,0,67,0,0,0,21,0,8,0,61,0,0,0,21,0,7,0,215,0,0,0,21,0,6,0,222,0,0,0,21,0,5,0,56,0,0,0,21,0,4,0,57,0,0,0,21,0,3,0,35,1,0,0,21,0,2,0,80,0,0,0,21,0,1,0,79,0,0,0,21,0,0,1,64,0,0,0,6,0,0,0,0,0,255,127,6,0,0,0,0,0,0,0, |
467 |
+}; |
468 |
+static const unsigned char seccomp_bpf_blks_fork[] = { |
469 |
+ 32,0,0,0,4,0,0,0,21,0,0,40,183,0,0,192,32,0,0,0,0,0,0,0,21,0,37,0,95,0,0,0,21,0,36,0,4,1,0,0,21,0,35,0,97,0,0,0,21,0,34,0,135,0,0,0,21,0,33,0,134,0,0,0,21,0,32,0,221,0,0,0,21,0,31,0,220,0,0,0,21,0,30,0,192,0,0,0,21,0,29,0,193,0,0,0,21,0,28,0,190,0,0,0,21,0,27,0,189,0,0,0,21,0,26,0,188,0,0,0,21,0,25,0,186,0,0,0,21,0,24,0,226,0,0,0,21,0,23,0,62,0,0,0,21,0,22,0,29,0,0,0,21,0,21,0,178,0,0,0,21,0,20,0,172,0,0,0,21,0,19,0,50,0,0,0,21,0,18,0,183,1,0,0,21,0,17,0,48,0,0,0,21,0,16,0,94,0,0,0,21,0,15,0,93,0,0,0,21,0,14,0,49,0,0,0,21,0,13,0,90,0,0,0,21,0,12,0,214,0,0,0,21,0,11,0,25,0,0,0,21,0,10,0,63,0,0,0,21,0,9,0,67,0,0,0,21,0,8,0,61,0,0,0,21,0,7,0,215,0,0,0,21,0,6,0,222,0,0,0,21,0,5,0,56,0,0,0,21,0,4,0,57,0,0,0,21,0,3,0,35,1,0,0,21,0,2,0,80,0,0,0,21,0,1,0,79,0,0,0,21,0,0,1,64,0,0,0,6,0,0,0,0,0,255,127,6,0,0,0,0,0,0,0, |
470 |
+}; |
471 |
+#endif |
472 |
+ |
473 |
+#if defined(__arm__) |
474 |
+/* ARM */ |
475 |
+#define SECCOMP_BPF_AVAILABLE |
476 |
+static const unsigned char seccomp_bpf_blks_base[] = { |
477 |
+ 32,0,0,0,4,0,0,0,21,0,0,44,40,0,0,64,32,0,0,0,0,0,0,0,21,0,41,0,56,1,0,0,21,0,40,0,42,1,0,0,21,0,39,0,43,1,0,0,21,0,38,0,45,1,0,0,21,0,37,0,46,1,0,0,21,0,36,0,47,1,0,0,21,0,35,0,85,0,0,0,21,0,34,0,125,0,0,0,21,0,33,0,140,0,0,0,21,0,32,0,19,0,0,0,21,0,31,0,54,0,0,0,21,0,30,0,224,0,0,0,21,0,29,0,20,0,0,0,21,0,28,0,133,0,0,0,21,0,27,0,183,1,0,0,21,0,26,0,78,1,0,0,21,0,25,0,248,0,0,0,21,0,24,0,1,0,0,0,21,0,23,0,12,0,0,0,21,0,22,0,184,0,0,0,21,0,21,0,45,0,0,0,21,0,20,0,33,0,0,0,21,0,19,0,221,0,0,0,21,0,18,0,55,0,0,0,21,0,17,0,3,0,0,0,21,0,16,0,180,0,0,0,21,0,15,0,217,0,0,0,21,0,14,0,141,0,0,0,21,0,13,0,91,0,0,0,21,0,12,0,192,0,0,0,21,0,11,0,66,1,0,0,21,0,10,0,5,0,0,0,21,0,9,0,6,0,0,0,21,0,8,0,141,1,0,0,21,0,7,0,195,0,0,0,21,0,6,0,106,0,0,0,21,0,5,0,196,0,0,0,21,0,4,0,107,0,0,0,21,0,3,0,71,1,0,0,21,0,2,0,197,0,0,0,21,0,1,0,108,0,0,0,21,0,0,1,4,0,0,0,6,0,0,0,0,0,255,127,6,0,0,0,0,0,0,0, |
478 |
+}; |
479 |
+static const unsigned char seccomp_bpf_blks_fork[] = { |
480 |
+ 32,0,0,0,4,0,0,0,21,0,0,53,40,0,0,64,32,0,0,0,0,0,0,0,21,0,50,0,24,1,0,0,21,0,49,0,114,0,0,0,21,0,48,0,190,0,0,0,21,0,47,0,81,1,0,0,21,0,46,0,175,0,0,0,21,0,45,0,174,0,0,0,21,0,44,0,2,0,0,0,21,0,43,0,11,0,0,0,21,0,42,0,120,0,0,0,21,0,41,0,56,1,0,0,21,0,40,0,42,1,0,0,21,0,39,0,43,1,0,0,21,0,38,0,45,1,0,0,21,0,37,0,46,1,0,0,21,0,36,0,47,1,0,0,21,0,35,0,85,0,0,0,21,0,34,0,125,0,0,0,21,0,33,0,140,0,0,0,21,0,32,0,19,0,0,0,21,0,31,0,54,0,0,0,21,0,30,0,224,0,0,0,21,0,29,0,20,0,0,0,21,0,28,0,133,0,0,0,21,0,27,0,183,1,0,0,21,0,26,0,78,1,0,0,21,0,25,0,248,0,0,0,21,0,24,0,1,0,0,0,21,0,23,0,12,0,0,0,21,0,22,0,184,0,0,0,21,0,21,0,45,0,0,0,21,0,20,0,33,0,0,0,21,0,19,0,221,0,0,0,21,0,18,0,55,0,0,0,21,0,17,0,3,0,0,0,21,0,16,0,180,0,0,0,21,0,15,0,217,0,0,0,21,0,14,0,141,0,0,0,21,0,13,0,91,0,0,0,21,0,12,0,192,0,0,0,21,0,11,0,66,1,0,0,21,0,10,0,5,0,0,0,21,0,9,0,6,0,0,0,21,0,8,0,141,1,0,0,21,0,7,0,195,0,0,0,21,0,6,0,106,0,0,0,21,0,5,0,196,0,0,0,21,0,4,0,107,0,0,0,21,0,3,0,71,1,0,0,21,0,2,0,197,0,0,0,2 |
481 |
1,0,1,0,108,0,0,0,21,0,0,1,4,0,0,0,6,0,0,0,0,0,255,127,6,0,0,0,0,0,0,0, |
482 |
+}; |
483 |
+#endif |
484 |
+ |
485 |
+#if defined(__mips__) && defined(__MIPSEB__) && defined(_ABIO32) |
486 |
+/* MIPS */ |
487 |
+#define SECCOMP_BPF_AVAILABLE |
488 |
+static const unsigned char seccomp_bpf_blks_base[] = { |
489 |
+ 0,32,0,0,0,0,0,4,0,21,0,44,0,0,0,8,0,32,0,0,0,0,0,0,0,21,41,0,0,0,16,21,0,21,40,0,0,0,17,41,0,21,39,0,0,0,17,48,0,21,38,0,0,0,17,49,0,21,37,0,0,0,17,47,0,21,36,0,0,0,15,245,0,21,35,0,0,0,16,29,0,21,34,0,0,0,16,44,0,21,33,0,0,0,15,179,0,21,32,0,0,0,15,214,0,21,31,0,0,0,16,126,0,21,30,0,0,0,15,180,0,21,29,0,0,0,16,37,0,21,28,0,0,0,17,87,0,21,27,0,0,0,16,204,0,21,26,0,0,0,16,150,0,21,25,0,0,0,15,161,0,21,24,0,0,0,15,172,0,21,23,0,0,0,16,108,0,21,22,0,0,0,15,205,0,21,21,0,0,0,15,193,0,21,20,0,0,0,16,124,0,21,19,0,0,0,15,215,0,21,18,0,0,0,15,163,0,21,17,0,0,0,16,104,0,21,16,0,0,0,16,123,0,21,15,0,0,0,16,45,0,21,14,0,0,0,15,251,0,21,13,0,0,0,16,114,0,21,12,0,0,0,15,250,0,21,11,0,0,0,16,192,0,21,10,0,0,0,15,165,0,21,9,0,0,0,15,166,0,21,8,0,0,0,17,14,0,21,7,0,0,0,16,117,0,21,6,0,0,0,16,10,0,21,5,0,0,0,16,118,0,21,4,0,0,0,16,11,0,21,3,0,0,0,16,197,0,21,2,0,0,0,16,119,0,21,1,0,0,0,16,12,0,21,0,1,0,0,15,164,0,6,0,0,127,255,0,0,0,6,0,0,0,0,0,0, |
490 |
+}; |
491 |
+static const unsigned char seccomp_bpf_blks_fork[] = { |
492 |
+ 0,32,0,0,0,0,0,4,0,21,0,53,0,0,0,8,0,32,0,0,0,0,0,0,0,21,50,0,0,0,15,167,0,21,49,0,0,0,16,182,0,21,48,0,0,0,16,18,0,21,47,0,0,0,16,207,0,21,46,0,0,0,16,99,0,21,45,0,0,0,16,98,0,21,44,0,0,0,15,162,0,21,43,0,0,0,15,171,0,21,42,0,0,0,16,24,0,21,41,0,0,0,16,21,0,21,40,0,0,0,17,41,0,21,39,0,0,0,17,48,0,21,38,0,0,0,17,49,0,21,37,0,0,0,17,47,0,21,36,0,0,0,15,245,0,21,35,0,0,0,16,29,0,21,34,0,0,0,16,44,0,21,33,0,0,0,15,179,0,21,32,0,0,0,15,214,0,21,31,0,0,0,16,126,0,21,30,0,0,0,15,180,0,21,29,0,0,0,16,37,0,21,28,0,0,0,17,87,0,21,27,0,0,0,16,204,0,21,26,0,0,0,16,150,0,21,25,0,0,0,15,161,0,21,24,0,0,0,15,172,0,21,23,0,0,0,16,108,0,21,22,0,0,0,15,205,0,21,21,0,0,0,15,193,0,21,20,0,0,0,16,124,0,21,19,0,0,0,15,215,0,21,18,0,0,0,15,163,0,21,17,0,0,0,16,104,0,21,16,0,0,0,16,123,0,21,15,0,0,0,16,45,0,21,14,0,0,0,15,251,0,21,13,0,0,0,16,114,0,21,12,0,0,0,15,250,0,21,11,0,0,0,16,192,0,21,10,0,0,0,15,165,0,21,9,0,0,0,15,166,0,21,8,0,0,0,17,14,0,21,7,0,0,0,16,117,0,21,6,0,0,0,16,10,0,21,5,0,0,0,16,118 |
493 |
,0,21,4,0,0,0,16,11,0,21,3,0,0,0,16,197,0,21,2,0,0,0,16,119,0,21,1,0,0,0,16,12,0,21,0,1,0,0,15,164,0,6,0,0,127,255,0,0,0,6,0,0,0,0,0,0, |
494 |
+}; |
495 |
+#endif |
496 |
+ |
497 |
+#if defined(__mips__) && defined(__MIPSEB__) && defined(_ABI64) |
498 |
+/* MIPS64 */ |
499 |
+#define SECCOMP_BPF_AVAILABLE |
500 |
+static const unsigned char seccomp_bpf_blks_base[] = { |
501 |
+ 0,32,0,0,0,0,0,4,0,21,0,39,128,0,0,8,0,32,0,0,0,0,0,0,0,21,36,0,0,0,20,94,0,21,35,0,0,0,19,199,0,21,34,0,0,0,19,198,0,21,33,0,0,0,19,203,0,21,32,0,0,0,19,204,0,21,31,0,0,0,19,202,0,21,30,0,0,0,19,223,0,21,29,0,0,0,19,146,0,21,28,0,0,0,19,144,0,21,27,0,0,0,19,151,0,21,26,0,0,0,20,58,0,21,25,0,0,0,19,174,0,21,24,0,0,0,19,215,0,21,23,0,0,0,21,63,0,21,22,0,0,0,20,139,0,21,21,0,0,0,20,85,0,21,20,0,0,0,19,194,0,21,19,0,0,0,19,214,0,21,18,0,0,0,20,3,0,21,17,0,0,0,19,148,0,21,16,0,0,0,19,156,0,21,15,0,0,0,19,206,0,21,14,0,0,0,19,136,0,21,13,0,0,0,19,152,0,21,12,0,0,0,20,188,0,21,11,0,0,0,19,212,0,21,10,0,0,0,19,147,0,21,9,0,0,0,19,145,0,21,8,0,0,0,20,127,0,21,7,0,0,0,19,138,0,21,6,0,0,0,19,139,0,21,5,0,0,0,20,206,0,21,4,0,0,0,19,140,0,21,3,0,0,0,19,142,0,21,2,0,0,0,19,141,0,21,1,0,0,0,20,132,0,21,0,1,0,0,19,137,0,6,0,0,127,255,0,0,0,6,0,0,0,0,0,0, |
502 |
+}; |
503 |
+static const unsigned char seccomp_bpf_blks_fork[] = { |
504 |
+ 0,32,0,0,0,0,0,4,0,21,0,47,128,0,0,8,0,32,0,0,0,0,0,0,0,21,44,0,0,0,20,117,0,21,43,0,0,0,19,195,0,21,42,0,0,0,20,142,0,21,41,0,0,0,19,150,0,21,40,0,0,0,19,149,0,21,39,0,0,0,19,192,0,21,38,0,0,0,19,193,0,21,37,0,0,0,19,191,0,21,36,0,0,0,20,94,0,21,35,0,0,0,19,199,0,21,34,0,0,0,19,198,0,21,33,0,0,0,19,203,0,21,32,0,0,0,19,204,0,21,31,0,0,0,19,202,0,21,30,0,0,0,19,223,0,21,29,0,0,0,19,146,0,21,28,0,0,0,19,144,0,21,27,0,0,0,19,151,0,21,26,0,0,0,20,58,0,21,25,0,0,0,19,174,0,21,24,0,0,0,19,215,0,21,23,0,0,0,21,63,0,21,22,0,0,0,20,139,0,21,21,0,0,0,20,85,0,21,20,0,0,0,19,194,0,21,19,0,0,0,19,214,0,21,18,0,0,0,20,3,0,21,17,0,0,0,19,148,0,21,16,0,0,0,19,156,0,21,15,0,0,0,19,206,0,21,14,0,0,0,19,136,0,21,13,0,0,0,19,152,0,21,12,0,0,0,20,188,0,21,11,0,0,0,19,212,0,21,10,0,0,0,19,147,0,21,9,0,0,0,19,145,0,21,8,0,0,0,20,127,0,21,7,0,0,0,19,138,0,21,6,0,0,0,19,139,0,21,5,0,0,0,20,206,0,21,4,0,0,0,19,140,0,21,3,0,0,0,19,142,0,21,2,0,0,0,19,141,0,21,1,0,0,0,20,132,0,21,0,1,0,0,19,137,0,6,0,0,127,2 |
505 |
55,0,0,0,6,0,0,0,0,0,0, |
506 |
+}; |
507 |
+#endif |
508 |
+ |
509 |
+#if defined(__mips__) && defined(__MIPSEB__) && defined(_ABIN32) |
510 |
+/* MIPS64N32 */ |
511 |
+#define SECCOMP_BPF_AVAILABLE |
512 |
+static const unsigned char seccomp_bpf_blks_base[] = { |
513 |
+ 0,32,0,0,0,0,0,4,0,21,0,40,160,0,0,8,0,32,0,0,0,0,0,0,0,21,37,0,0,0,23,120,0,21,36,0,0,0,23,127,0,21,35,0,0,0,24,34,0,21,34,0,0,0,23,150,0,21,33,0,0,0,23,191,0,21,32,0,0,0,25,39,0,21,31,0,0,0,24,119,0,21,30,0,0,0,24,61,0,21,29,0,0,0,23,170,0,21,28,0,0,0,23,190,0,21,27,0,0,0,23,235,0,21,26,0,0,0,23,124,0,21,25,0,0,0,23,132,0,21,24,0,0,0,24,68,0,21,23,0,0,0,23,182,0,21,22,0,0,0,23,112,0,21,21,0,0,0,23,128,0,21,20,0,0,0,24,155,0,21,19,0,0,0,23,188,0,21,18,0,0,0,23,123,0,21,17,0,0,0,23,121,0,21,16,0,0,0,24,107,0,21,15,0,0,0,23,114,0,21,14,0,0,0,23,115,0,21,13,0,0,0,24,186,0,21,12,0,0,0,23,116,0,21,11,0,0,0,23,118,0,21,10,0,0,0,23,117,0,21,9,0,0,0,24,112,0,21,8,0,0,0,23,113,0,21,7,0,0,0,24,71,0,21,6,0,0,0,23,175,0,21,5,0,0,0,23,174,0,21,4,0,0,0,23,179,0,21,3,0,0,0,23,180,0,21,2,0,0,0,23,178,0,21,1,0,0,0,23,199,0,21,0,1,0,0,23,122,0,6,0,0,127,255,0,0,0,6,0,0,0,0,0,0, |
514 |
+}; |
515 |
+static const unsigned char seccomp_bpf_blks_fork[] = { |
516 |
+ 0,32,0,0,0,0,0,4,0,21,0,48,160,0,0,8,0,32,0,0,0,0,0,0,0,21,45,0,0,0,23,120,0,21,44,0,0,0,23,127,0,21,43,0,0,0,24,34,0,21,42,0,0,0,23,150,0,21,41,0,0,0,23,191,0,21,40,0,0,0,25,39,0,21,39,0,0,0,24,119,0,21,38,0,0,0,24,61,0,21,37,0,0,0,23,170,0,21,36,0,0,0,23,190,0,21,35,0,0,0,23,235,0,21,34,0,0,0,23,124,0,21,33,0,0,0,23,132,0,21,32,0,0,0,24,68,0,21,31,0,0,0,23,182,0,21,30,0,0,0,23,112,0,21,29,0,0,0,23,128,0,21,28,0,0,0,24,155,0,21,27,0,0,0,23,188,0,21,26,0,0,0,23,123,0,21,25,0,0,0,23,121,0,21,24,0,0,0,24,107,0,21,23,0,0,0,23,114,0,21,22,0,0,0,23,115,0,21,21,0,0,0,24,186,0,21,20,0,0,0,23,116,0,21,19,0,0,0,23,118,0,21,18,0,0,0,23,117,0,21,17,0,0,0,24,112,0,21,16,0,0,0,23,113,0,21,15,0,0,0,24,97,0,21,14,0,0,0,23,171,0,21,13,0,0,0,24,122,0,21,12,0,0,0,23,126,0,21,11,0,0,0,23,125,0,21,10,0,0,0,23,168,0,21,9,0,0,0,23,169,0,21,8,0,0,0,23,167,0,21,7,0,0,0,24,71,0,21,6,0,0,0,23,175,0,21,5,0,0,0,23,174,0,21,4,0,0,0,23,179,0,21,3,0,0,0,23,180,0,21,2,0,0,0,23,178,0,21,1,0,0,0,23,199,0,21,0,1,0,0 |
517 |
,23,122,0,6,0,0,127,255,0,0,0,6,0,0,0,0,0,0, |
518 |
+}; |
519 |
+#endif |
520 |
+ |
521 |
+#if defined(__mips__) && defined(__MIPSEL__) && defined(_ABIO32) |
522 |
+/* MIPSEL */ |
523 |
+#define SECCOMP_BPF_AVAILABLE |
524 |
+static const unsigned char seccomp_bpf_blks_base[] = { |
525 |
+ 32,0,0,0,4,0,0,0,21,0,0,44,8,0,0,64,32,0,0,0,0,0,0,0,21,0,41,0,21,16,0,0,21,0,40,0,41,17,0,0,21,0,39,0,48,17,0,0,21,0,38,0,49,17,0,0,21,0,37,0,47,17,0,0,21,0,36,0,245,15,0,0,21,0,35,0,29,16,0,0,21,0,34,0,44,16,0,0,21,0,33,0,179,15,0,0,21,0,32,0,214,15,0,0,21,0,31,0,126,16,0,0,21,0,30,0,180,15,0,0,21,0,29,0,37,16,0,0,21,0,28,0,87,17,0,0,21,0,27,0,204,16,0,0,21,0,26,0,150,16,0,0,21,0,25,0,161,15,0,0,21,0,24,0,172,15,0,0,21,0,23,0,108,16,0,0,21,0,22,0,205,15,0,0,21,0,21,0,193,15,0,0,21,0,20,0,124,16,0,0,21,0,19,0,215,15,0,0,21,0,18,0,163,15,0,0,21,0,17,0,104,16,0,0,21,0,16,0,123,16,0,0,21,0,15,0,45,16,0,0,21,0,14,0,251,15,0,0,21,0,13,0,114,16,0,0,21,0,12,0,250,15,0,0,21,0,11,0,192,16,0,0,21,0,10,0,165,15,0,0,21,0,9,0,166,15,0,0,21,0,8,0,14,17,0,0,21,0,7,0,117,16,0,0,21,0,6,0,10,16,0,0,21,0,5,0,118,16,0,0,21,0,4,0,11,16,0,0,21,0,3,0,197,16,0,0,21,0,2,0,119,16,0,0,21,0,1,0,12,16,0,0,21,0,0,1,164,15,0,0,6,0,0,0,0,0,255,127,6,0,0,0,0,0,0,0, |
526 |
+}; |
527 |
+static const unsigned char seccomp_bpf_blks_fork[] = { |
528 |
+ 32,0,0,0,4,0,0,0,21,0,0,53,8,0,0,64,32,0,0,0,0,0,0,0,21,0,50,0,167,15,0,0,21,0,49,0,182,16,0,0,21,0,48,0,18,16,0,0,21,0,47,0,207,16,0,0,21,0,46,0,99,16,0,0,21,0,45,0,98,16,0,0,21,0,44,0,162,15,0,0,21,0,43,0,171,15,0,0,21,0,42,0,24,16,0,0,21,0,41,0,21,16,0,0,21,0,40,0,41,17,0,0,21,0,39,0,48,17,0,0,21,0,38,0,49,17,0,0,21,0,37,0,47,17,0,0,21,0,36,0,245,15,0,0,21,0,35,0,29,16,0,0,21,0,34,0,44,16,0,0,21,0,33,0,179,15,0,0,21,0,32,0,214,15,0,0,21,0,31,0,126,16,0,0,21,0,30,0,180,15,0,0,21,0,29,0,37,16,0,0,21,0,28,0,87,17,0,0,21,0,27,0,204,16,0,0,21,0,26,0,150,16,0,0,21,0,25,0,161,15,0,0,21,0,24,0,172,15,0,0,21,0,23,0,108,16,0,0,21,0,22,0,205,15,0,0,21,0,21,0,193,15,0,0,21,0,20,0,124,16,0,0,21,0,19,0,215,15,0,0,21,0,18,0,163,15,0,0,21,0,17,0,104,16,0,0,21,0,16,0,123,16,0,0,21,0,15,0,45,16,0,0,21,0,14,0,251,15,0,0,21,0,13,0,114,16,0,0,21,0,12,0,250,15,0,0,21,0,11,0,192,16,0,0,21,0,10,0,165,15,0,0,21,0,9,0,166,15,0,0,21,0,8,0,14,17,0,0,21,0,7,0,117,16,0,0,21,0,6,0,10,16,0,0,21,0,5,0,118,16,0, |
529 |
0,21,0,4,0,11,16,0,0,21,0,3,0,197,16,0,0,21,0,2,0,119,16,0,0,21,0,1,0,12,16,0,0,21,0,0,1,164,15,0,0,6,0,0,0,0,0,255,127,6,0,0,0,0,0,0,0, |
530 |
+}; |
531 |
+#endif |
532 |
+ |
533 |
+#if defined(__mips__) && defined(__MIPSEL__) && defined(_ABI64) |
534 |
+/* MIPSEL64 */ |
535 |
+#define SECCOMP_BPF_AVAILABLE |
536 |
+static const unsigned char seccomp_bpf_blks_base[] = { |
537 |
+ 32,0,0,0,4,0,0,0,21,0,0,39,8,0,0,192,32,0,0,0,0,0,0,0,21,0,36,0,94,20,0,0,21,0,35,0,199,19,0,0,21,0,34,0,198,19,0,0,21,0,33,0,203,19,0,0,21,0,32,0,204,19,0,0,21,0,31,0,202,19,0,0,21,0,30,0,223,19,0,0,21,0,29,0,146,19,0,0,21,0,28,0,144,19,0,0,21,0,27,0,151,19,0,0,21,0,26,0,58,20,0,0,21,0,25,0,174,19,0,0,21,0,24,0,215,19,0,0,21,0,23,0,63,21,0,0,21,0,22,0,139,20,0,0,21,0,21,0,85,20,0,0,21,0,20,0,194,19,0,0,21,0,19,0,214,19,0,0,21,0,18,0,3,20,0,0,21,0,17,0,148,19,0,0,21,0,16,0,156,19,0,0,21,0,15,0,206,19,0,0,21,0,14,0,136,19,0,0,21,0,13,0,152,19,0,0,21,0,12,0,188,20,0,0,21,0,11,0,212,19,0,0,21,0,10,0,147,19,0,0,21,0,9,0,145,19,0,0,21,0,8,0,127,20,0,0,21,0,7,0,138,19,0,0,21,0,6,0,139,19,0,0,21,0,5,0,206,20,0,0,21,0,4,0,140,19,0,0,21,0,3,0,142,19,0,0,21,0,2,0,141,19,0,0,21,0,1,0,132,20,0,0,21,0,0,1,137,19,0,0,6,0,0,0,0,0,255,127,6,0,0,0,0,0,0,0, |
538 |
+}; |
539 |
+static const unsigned char seccomp_bpf_blks_fork[] = { |
540 |
+ 32,0,0,0,4,0,0,0,21,0,0,47,8,0,0,192,32,0,0,0,0,0,0,0,21,0,44,0,117,20,0,0,21,0,43,0,195,19,0,0,21,0,42,0,142,20,0,0,21,0,41,0,150,19,0,0,21,0,40,0,149,19,0,0,21,0,39,0,192,19,0,0,21,0,38,0,193,19,0,0,21,0,37,0,191,19,0,0,21,0,36,0,94,20,0,0,21,0,35,0,199,19,0,0,21,0,34,0,198,19,0,0,21,0,33,0,203,19,0,0,21,0,32,0,204,19,0,0,21,0,31,0,202,19,0,0,21,0,30,0,223,19,0,0,21,0,29,0,146,19,0,0,21,0,28,0,144,19,0,0,21,0,27,0,151,19,0,0,21,0,26,0,58,20,0,0,21,0,25,0,174,19,0,0,21,0,24,0,215,19,0,0,21,0,23,0,63,21,0,0,21,0,22,0,139,20,0,0,21,0,21,0,85,20,0,0,21,0,20,0,194,19,0,0,21,0,19,0,214,19,0,0,21,0,18,0,3,20,0,0,21,0,17,0,148,19,0,0,21,0,16,0,156,19,0,0,21,0,15,0,206,19,0,0,21,0,14,0,136,19,0,0,21,0,13,0,152,19,0,0,21,0,12,0,188,20,0,0,21,0,11,0,212,19,0,0,21,0,10,0,147,19,0,0,21,0,9,0,145,19,0,0,21,0,8,0,127,20,0,0,21,0,7,0,138,19,0,0,21,0,6,0,139,19,0,0,21,0,5,0,206,20,0,0,21,0,4,0,140,19,0,0,21,0,3,0,142,19,0,0,21,0,2,0,141,19,0,0,21,0,1,0,132,20,0,0,21,0,0,1,137,19,0,0,6,0,0,0,0,0,2 |
541 |
55,127,6,0,0,0,0,0,0,0, |
542 |
+}; |
543 |
+#endif |
544 |
+ |
545 |
+#if defined(__mips__) && defined(__MIPSEL__) && defined(_ABIN32) |
546 |
+/* MIPSEL64N32 */ |
547 |
+#define SECCOMP_BPF_AVAILABLE |
548 |
+static const unsigned char seccomp_bpf_blks_base[] = { |
549 |
+ 32,0,0,0,4,0,0,0,21,0,0,40,8,0,0,224,32,0,0,0,0,0,0,0,21,0,37,0,71,24,0,0,21,0,36,0,175,23,0,0,21,0,35,0,174,23,0,0,21,0,34,0,179,23,0,0,21,0,33,0,180,23,0,0,21,0,32,0,178,23,0,0,21,0,31,0,199,23,0,0,21,0,30,0,122,23,0,0,21,0,29,0,120,23,0,0,21,0,28,0,127,23,0,0,21,0,27,0,34,24,0,0,21,0,26,0,150,23,0,0,21,0,25,0,191,23,0,0,21,0,24,0,39,25,0,0,21,0,23,0,119,24,0,0,21,0,22,0,61,24,0,0,21,0,21,0,170,23,0,0,21,0,20,0,190,23,0,0,21,0,19,0,235,23,0,0,21,0,18,0,124,23,0,0,21,0,17,0,132,23,0,0,21,0,16,0,68,24,0,0,21,0,15,0,182,23,0,0,21,0,14,0,112,23,0,0,21,0,13,0,128,23,0,0,21,0,12,0,155,24,0,0,21,0,11,0,188,23,0,0,21,0,10,0,123,23,0,0,21,0,9,0,121,23,0,0,21,0,8,0,107,24,0,0,21,0,7,0,114,23,0,0,21,0,6,0,115,23,0,0,21,0,5,0,186,24,0,0,21,0,4,0,116,23,0,0,21,0,3,0,118,23,0,0,21,0,2,0,117,23,0,0,21,0,1,0,112,24,0,0,21,0,0,1,113,23,0,0,6,0,0,0,0,0,255,127,6,0,0,0,0,0,0,0, |
550 |
+}; |
551 |
+static const unsigned char seccomp_bpf_blks_fork[] = { |
552 |
+ 32,0,0,0,4,0,0,0,21,0,0,48,8,0,0,224,32,0,0,0,0,0,0,0,21,0,45,0,97,24,0,0,21,0,44,0,171,23,0,0,21,0,43,0,122,24,0,0,21,0,42,0,126,23,0,0,21,0,41,0,125,23,0,0,21,0,40,0,168,23,0,0,21,0,39,0,169,23,0,0,21,0,38,0,167,23,0,0,21,0,37,0,71,24,0,0,21,0,36,0,175,23,0,0,21,0,35,0,174,23,0,0,21,0,34,0,179,23,0,0,21,0,33,0,180,23,0,0,21,0,32,0,178,23,0,0,21,0,31,0,199,23,0,0,21,0,30,0,122,23,0,0,21,0,29,0,120,23,0,0,21,0,28,0,127,23,0,0,21,0,27,0,34,24,0,0,21,0,26,0,150,23,0,0,21,0,25,0,191,23,0,0,21,0,24,0,39,25,0,0,21,0,23,0,119,24,0,0,21,0,22,0,61,24,0,0,21,0,21,0,170,23,0,0,21,0,20,0,190,23,0,0,21,0,19,0,235,23,0,0,21,0,18,0,124,23,0,0,21,0,17,0,132,23,0,0,21,0,16,0,68,24,0,0,21,0,15,0,182,23,0,0,21,0,14,0,112,23,0,0,21,0,13,0,128,23,0,0,21,0,12,0,155,24,0,0,21,0,11,0,188,23,0,0,21,0,10,0,123,23,0,0,21,0,9,0,121,23,0,0,21,0,8,0,107,24,0,0,21,0,7,0,114,23,0,0,21,0,6,0,115,23,0,0,21,0,5,0,186,24,0,0,21,0,4,0,116,23,0,0,21,0,3,0,118,23,0,0,21,0,2,0,117,23,0,0,21,0,1,0,112,24,0,0,21,0,0,1,113 |
553 |
,23,0,0,6,0,0,0,0,0,255,127,6,0,0,0,0,0,0,0, |
554 |
+}; |
555 |
+#endif |
556 |
+ |
557 |
+#if defined(__hppa__) && !defined(__hppa64__) |
558 |
+/* PARISC */ |
559 |
+#define SECCOMP_BPF_AVAILABLE |
560 |
+static const unsigned char seccomp_bpf_blks_base[] = { |
561 |
+ 0,32,0,0,0,0,0,4,0,21,0,45,0,0,0,15,0,32,0,0,0,0,0,0,0,21,42,0,0,0,0,228,0,21,41,0,0,0,0,185,0,21,40,0,0,0,0,186,0,21,39,0,0,0,0,188,0,21,38,0,0,0,0,189,0,21,37,0,0,0,0,190,0,21,36,0,0,0,0,85,0,21,35,0,0,0,0,125,0,21,34,0,0,0,0,140,0,21,33,0,0,0,0,19,0,21,32,0,0,0,0,54,0,21,31,0,0,0,0,206,0,21,30,0,0,0,0,20,0,21,29,0,0,0,0,133,0,21,28,0,0,0,1,183,0,21,27,0,0,0,1,31,0,21,26,0,0,0,0,222,0,21,25,0,0,0,0,1,0,21,24,0,0,0,0,12,0,21,23,0,0,0,0,106,0,21,22,0,0,0,0,45,0,21,21,0,0,0,0,33,0,21,20,0,0,0,0,202,0,21,19,0,0,0,0,55,0,21,18,0,0,0,0,3,0,21,17,0,0,0,0,108,0,21,16,0,0,0,0,201,0,21,15,0,0,0,0,141,0,21,14,0,0,0,0,91,0,21,13,0,0,0,0,89,0,21,12,0,0,0,0,90,0,21,11,0,0,0,1,19,0,21,10,0,0,0,0,5,0,21,9,0,0,0,0,6,0,21,8,0,0,0,1,93,0,21,7,0,0,0,0,101,0,21,6,0,0,0,0,18,0,21,5,0,0,0,0,198,0,21,4,0,0,0,0,84,0,21,3,0,0,0,1,24,0,21,2,0,0,0,0,112,0,21,1,0,0,0,0,28,0,21,0,1,0,0,0,4,0,6,0,0,127,255,0,0,0,6,0,0,0,0,0,0, |
562 |
+}; |
563 |
+static const unsigned char seccomp_bpf_blks_fork[] = { |
564 |
+ 0,32,0,0,0,0,0,4,0,21,0,55,0,0,0,15,0,32,0,0,0,0,0,0,0,21,52,0,0,0,0,7,0,21,51,0,0,0,0,235,0,21,50,0,0,0,0,114,0,21,49,0,0,0,0,113,0,21,48,0,0,0,1,32,0,21,47,0,0,0,0,175,0,21,46,0,0,0,0,174,0,21,45,0,0,0,0,2,0,21,44,0,0,0,0,11,0,21,43,0,0,0,0,120,0,21,42,0,0,0,0,228,0,21,41,0,0,0,0,185,0,21,40,0,0,0,0,186,0,21,39,0,0,0,0,188,0,21,38,0,0,0,0,189,0,21,37,0,0,0,0,190,0,21,36,0,0,0,0,85,0,21,35,0,0,0,0,125,0,21,34,0,0,0,0,140,0,21,33,0,0,0,0,19,0,21,32,0,0,0,0,54,0,21,31,0,0,0,0,206,0,21,30,0,0,0,0,20,0,21,29,0,0,0,0,133,0,21,28,0,0,0,1,183,0,21,27,0,0,0,1,31,0,21,26,0,0,0,0,222,0,21,25,0,0,0,0,1,0,21,24,0,0,0,0,12,0,21,23,0,0,0,0,106,0,21,22,0,0,0,0,45,0,21,21,0,0,0,0,33,0,21,20,0,0,0,0,202,0,21,19,0,0,0,0,55,0,21,18,0,0,0,0,3,0,21,17,0,0,0,0,108,0,21,16,0,0,0,0,201,0,21,15,0,0,0,0,141,0,21,14,0,0,0,0,91,0,21,13,0,0,0,0,89,0,21,12,0,0,0,0,90,0,21,11,0,0,0,1,19,0,21,10,0,0,0,0,5,0,21,9,0,0,0,0,6,0,21,8,0,0,0,1,93,0,21,7,0,0,0,0,101,0,21,6,0,0,0,0,18,0,21,5,0,0,0,0,198,0,21,4,0,0,0,0,84 |
565 |
,0,21,3,0,0,0,1,24,0,21,2,0,0,0,0,112,0,21,1,0,0,0,0,28,0,21,0,1,0,0,0,4,0,6,0,0,127,255,0,0,0,6,0,0,0,0,0,0, |
566 |
+}; |
567 |
+#endif |
568 |
+ |
569 |
+#if defined(__hppa__) && defined(__hppa64__) |
570 |
+/* PARISC64 */ |
571 |
+#define SECCOMP_BPF_AVAILABLE |
572 |
+static const unsigned char seccomp_bpf_blks_base[] = { |
573 |
+ 0,32,0,0,0,0,0,4,0,21,0,45,128,0,0,15,0,32,0,0,0,0,0,0,0,21,42,0,0,0,0,141,0,21,41,0,0,0,0,91,0,21,40,0,0,0,0,89,0,21,39,0,0,0,0,90,0,21,38,0,0,0,1,19,0,21,37,0,0,0,0,5,0,21,36,0,0,0,0,6,0,21,35,0,0,0,1,93,0,21,34,0,0,0,0,101,0,21,33,0,0,0,0,18,0,21,32,0,0,0,0,198,0,21,31,0,0,0,0,84,0,21,30,0,0,0,1,24,0,21,29,0,0,0,0,112,0,21,28,0,0,0,0,28,0,21,27,0,0,0,0,4,0,21,26,0,0,0,0,228,0,21,25,0,0,0,0,185,0,21,24,0,0,0,0,186,0,21,23,0,0,0,0,188,0,21,22,0,0,0,0,189,0,21,21,0,0,0,0,190,0,21,20,0,0,0,0,85,0,21,19,0,0,0,0,125,0,21,18,0,0,0,0,140,0,21,17,0,0,0,0,19,0,21,16,0,0,0,0,54,0,21,15,0,0,0,0,206,0,21,14,0,0,0,0,20,0,21,13,0,0,0,0,133,0,21,12,0,0,0,1,183,0,21,11,0,0,0,1,31,0,21,10,0,0,0,0,222,0,21,9,0,0,0,0,1,0,21,8,0,0,0,0,12,0,21,7,0,0,0,0,106,0,21,6,0,0,0,0,45,0,21,5,0,0,0,0,33,0,21,4,0,0,0,0,202,0,21,3,0,0,0,0,55,0,21,2,0,0,0,0,3,0,21,1,0,0,0,0,108,0,21,0,1,0,0,0,201,0,6,0,0,127,255,0,0,0,6,0,0,0,0,0,0, |
574 |
+}; |
575 |
+static const unsigned char seccomp_bpf_blks_fork[] = { |
576 |
+ 0,32,0,0,0,0,0,4,0,21,0,55,128,0,0,15,0,32,0,0,0,0,0,0,0,21,52,0,0,0,0,141,0,21,51,0,0,0,0,91,0,21,50,0,0,0,0,89,0,21,49,0,0,0,0,90,0,21,48,0,0,0,1,19,0,21,47,0,0,0,0,5,0,21,46,0,0,0,0,6,0,21,45,0,0,0,1,93,0,21,44,0,0,0,0,101,0,21,43,0,0,0,0,18,0,21,42,0,0,0,0,198,0,21,41,0,0,0,0,84,0,21,40,0,0,0,1,24,0,21,39,0,0,0,0,112,0,21,38,0,0,0,0,28,0,21,37,0,0,0,0,4,0,21,36,0,0,0,0,7,0,21,35,0,0,0,0,235,0,21,34,0,0,0,0,114,0,21,33,0,0,0,0,113,0,21,32,0,0,0,1,32,0,21,31,0,0,0,0,175,0,21,30,0,0,0,0,174,0,21,29,0,0,0,0,2,0,21,28,0,0,0,0,11,0,21,27,0,0,0,0,120,0,21,26,0,0,0,0,228,0,21,25,0,0,0,0,185,0,21,24,0,0,0,0,186,0,21,23,0,0,0,0,188,0,21,22,0,0,0,0,189,0,21,21,0,0,0,0,190,0,21,20,0,0,0,0,85,0,21,19,0,0,0,0,125,0,21,18,0,0,0,0,140,0,21,17,0,0,0,0,19,0,21,16,0,0,0,0,54,0,21,15,0,0,0,0,206,0,21,14,0,0,0,0,20,0,21,13,0,0,0,0,133,0,21,12,0,0,0,1,183,0,21,11,0,0,0,1,31,0,21,10,0,0,0,0,222,0,21,9,0,0,0,0,1,0,21,8,0,0,0,0,12,0,21,7,0,0,0,0,106,0,21,6,0,0,0,0,45,0,21,5,0,0,0,0,33,0,21,4,0,0,0,0,20 |
577 |
2,0,21,3,0,0,0,0,55,0,21,2,0,0,0,0,3,0,21,1,0,0,0,0,108,0,21,0,1,0,0,0,201,0,6,0,0,127,255,0,0,0,6,0,0,0,0,0,0, |
578 |
+}; |
579 |
+#endif |
580 |
+ |
581 |
+#if defined(__powerpc__) && !defined(__powerpc64__) && defined(__BIG_ENDIAN__) |
582 |
+/* PPC */ |
583 |
+#define SECCOMP_BPF_AVAILABLE |
584 |
+static const unsigned char seccomp_bpf_blks_base[] = { |
585 |
+ 0,32,0,0,0,0,0,4,0,21,0,44,0,0,0,20,0,32,0,0,0,0,0,0,0,21,41,0,0,0,0,117,0,21,40,0,0,0,1,137,0,21,39,0,0,0,1,144,0,21,38,0,0,0,1,145,0,21,37,0,0,0,1,143,0,21,36,0,0,0,0,85,0,21,35,0,0,0,0,125,0,21,34,0,0,0,0,140,0,21,33,0,0,0,0,19,0,21,32,0,0,0,0,54,0,21,31,0,0,0,0,207,0,21,30,0,0,0,0,20,0,21,29,0,0,0,0,133,0,21,28,0,0,0,1,183,0,21,27,0,0,0,1,42,0,21,26,0,0,0,0,234,0,21,25,0,0,0,0,1,0,21,24,0,0,0,0,12,0,21,23,0,0,0,0,183,0,21,22,0,0,0,0,45,0,21,21,0,0,0,0,33,0,21,20,0,0,0,0,204,0,21,19,0,0,0,0,55,0,21,18,0,0,0,0,3,0,21,17,0,0,0,0,179,0,21,16,0,0,0,0,202,0,21,15,0,0,0,0,141,0,21,14,0,0,0,0,91,0,21,13,0,0,0,0,192,0,21,12,0,0,0,0,90,0,21,11,0,0,0,1,30,0,21,10,0,0,0,0,5,0,21,9,0,0,0,0,6,0,21,8,0,0,0,1,127,0,21,7,0,0,0,0,195,0,21,6,0,0,0,0,106,0,21,5,0,0,0,0,196,0,21,4,0,0,0,0,107,0,21,3,0,0,0,1,35,0,21,2,0,0,0,0,197,0,21,1,0,0,0,0,108,0,21,0,1,0,0,0,4,0,6,0,0,127,255,0,0,0,6,0,0,0,0,0,0, |
586 |
+}; |
587 |
+static const unsigned char seccomp_bpf_blks_fork[] = { |
588 |
+ 0,32,0,0,0,0,0,4,0,21,0,54,0,0,0,20,0,32,0,0,0,0,0,0,0,21,51,0,0,0,0,7,0,21,50,0,0,0,1,16,0,21,49,0,0,0,0,114,0,21,48,0,0,0,0,189,0,21,47,0,0,0,1,26,0,21,46,0,0,0,0,174,0,21,45,0,0,0,0,173,0,21,44,0,0,0,0,2,0,21,43,0,0,0,0,11,0,21,42,0,0,0,0,120,0,21,41,0,0,0,0,117,0,21,40,0,0,0,1,137,0,21,39,0,0,0,1,144,0,21,38,0,0,0,1,145,0,21,37,0,0,0,1,143,0,21,36,0,0,0,0,85,0,21,35,0,0,0,0,125,0,21,34,0,0,0,0,140,0,21,33,0,0,0,0,19,0,21,32,0,0,0,0,54,0,21,31,0,0,0,0,207,0,21,30,0,0,0,0,20,0,21,29,0,0,0,0,133,0,21,28,0,0,0,1,183,0,21,27,0,0,0,1,42,0,21,26,0,0,0,0,234,0,21,25,0,0,0,0,1,0,21,24,0,0,0,0,12,0,21,23,0,0,0,0,183,0,21,22,0,0,0,0,45,0,21,21,0,0,0,0,33,0,21,20,0,0,0,0,204,0,21,19,0,0,0,0,55,0,21,18,0,0,0,0,3,0,21,17,0,0,0,0,179,0,21,16,0,0,0,0,202,0,21,15,0,0,0,0,141,0,21,14,0,0,0,0,91,0,21,13,0,0,0,0,192,0,21,12,0,0,0,0,90,0,21,11,0,0,0,1,30,0,21,10,0,0,0,0,5,0,21,9,0,0,0,0,6,0,21,8,0,0,0,1,127,0,21,7,0,0,0,0,195,0,21,6,0,0,0,0,106,0,21,5,0,0,0,0,196,0,21,4,0,0,0,0,107,0,21,3,0,0,0,1,3 |
589 |
5,0,21,2,0,0,0,0,197,0,21,1,0,0,0,0,108,0,21,0,1,0,0,0,4,0,6,0,0,127,255,0,0,0,6,0,0,0,0,0,0, |
590 |
+}; |
591 |
+#endif |
592 |
+ |
593 |
+#if defined(__powerpc__) && defined(__powerpc64__) && defined(__BIG_ENDIAN__) |
594 |
+/* PPC64 */ |
595 |
+#define SECCOMP_BPF_AVAILABLE |
596 |
+static const unsigned char seccomp_bpf_blks_base[] = { |
597 |
+ 0,32,0,0,0,0,0,4,0,21,0,40,128,0,0,21,0,32,0,0,0,0,0,0,0,21,37,0,0,0,0,117,0,21,36,0,0,0,0,85,0,21,35,0,0,0,0,125,0,21,34,0,0,0,0,140,0,21,33,0,0,0,0,19,0,21,32,0,0,0,0,54,0,21,31,0,0,0,0,207,0,21,30,0,0,0,0,20,0,21,29,0,0,0,0,133,0,21,28,0,0,0,1,183,0,21,27,0,0,0,1,42,0,21,26,0,0,0,0,234,0,21,25,0,0,0,0,1,0,21,24,0,0,0,0,12,0,21,23,0,0,0,0,183,0,21,22,0,0,0,0,45,0,21,21,0,0,0,0,33,0,21,20,0,0,0,0,55,0,21,19,0,0,0,0,3,0,21,18,0,0,0,0,179,0,21,17,0,0,0,0,202,0,21,16,0,0,0,0,141,0,21,15,0,0,0,0,91,0,21,14,0,0,0,0,90,0,21,13,0,0,0,1,30,0,21,12,0,0,0,0,5,0,21,11,0,0,0,0,6,0,21,10,0,0,0,1,127,0,21,9,0,0,0,0,106,0,21,8,0,0,0,0,107,0,21,7,0,0,0,0,108,0,21,6,0,0,0,1,35,0,21,5,0,0,0,0,4,0,21,4,0,0,0,1,136,0,21,3,0,0,0,1,137,0,21,2,0,0,0,1,143,0,21,1,0,0,0,1,144,0,21,0,1,0,0,1,145,0,6,0,0,127,255,0,0,0,6,0,0,0,0,0,0, |
598 |
+}; |
599 |
+static const unsigned char seccomp_bpf_blks_fork[] = { |
600 |
+ 0,32,0,0,0,0,0,4,0,21,0,50,128,0,0,21,0,32,0,0,0,0,0,0,0,21,47,0,0,0,0,7,0,21,46,0,0,0,1,16,0,21,45,0,0,0,0,114,0,21,44,0,0,0,0,189,0,21,43,0,0,0,1,26,0,21,42,0,0,0,0,174,0,21,41,0,0,0,0,173,0,21,40,0,0,0,0,2,0,21,39,0,0,0,0,11,0,21,38,0,0,0,0,120,0,21,37,0,0,0,0,117,0,21,36,0,0,0,0,85,0,21,35,0,0,0,0,125,0,21,34,0,0,0,0,140,0,21,33,0,0,0,0,19,0,21,32,0,0,0,0,54,0,21,31,0,0,0,0,207,0,21,30,0,0,0,0,20,0,21,29,0,0,0,0,133,0,21,28,0,0,0,1,183,0,21,27,0,0,0,1,42,0,21,26,0,0,0,0,234,0,21,25,0,0,0,0,1,0,21,24,0,0,0,0,12,0,21,23,0,0,0,0,183,0,21,22,0,0,0,0,45,0,21,21,0,0,0,0,33,0,21,20,0,0,0,0,55,0,21,19,0,0,0,0,3,0,21,18,0,0,0,0,179,0,21,17,0,0,0,0,202,0,21,16,0,0,0,0,141,0,21,15,0,0,0,0,91,0,21,14,0,0,0,0,90,0,21,13,0,0,0,1,30,0,21,12,0,0,0,0,5,0,21,11,0,0,0,0,6,0,21,10,0,0,0,1,127,0,21,9,0,0,0,0,106,0,21,8,0,0,0,0,107,0,21,7,0,0,0,0,108,0,21,6,0,0,0,1,35,0,21,5,0,0,0,0,4,0,21,4,0,0,0,1,136,0,21,3,0,0,0,1,137,0,21,2,0,0,0,1,143,0,21,1,0,0,0,1,144,0,21,0,1,0,0,1,145,0,6,0,0,127,255,0,0,0 |
601 |
,6,0,0,0,0,0,0, |
602 |
+}; |
603 |
+#endif |
604 |
+ |
605 |
+#if defined(__powerpc__) && defined(__powerpc64__) && !defined(__BIG_ENDIAN__) |
606 |
+/* PPC64LE */ |
607 |
+#define SECCOMP_BPF_AVAILABLE |
608 |
+static const unsigned char seccomp_bpf_blks_base[] = { |
609 |
+ 32,0,0,0,4,0,0,0,21,0,0,40,21,0,0,192,32,0,0,0,0,0,0,0,21,0,37,0,117,0,0,0,21,0,36,0,85,0,0,0,21,0,35,0,125,0,0,0,21,0,34,0,140,0,0,0,21,0,33,0,19,0,0,0,21,0,32,0,54,0,0,0,21,0,31,0,207,0,0,0,21,0,30,0,20,0,0,0,21,0,29,0,133,0,0,0,21,0,28,0,183,1,0,0,21,0,27,0,42,1,0,0,21,0,26,0,234,0,0,0,21,0,25,0,1,0,0,0,21,0,24,0,12,0,0,0,21,0,23,0,183,0,0,0,21,0,22,0,45,0,0,0,21,0,21,0,33,0,0,0,21,0,20,0,55,0,0,0,21,0,19,0,3,0,0,0,21,0,18,0,179,0,0,0,21,0,17,0,202,0,0,0,21,0,16,0,141,0,0,0,21,0,15,0,91,0,0,0,21,0,14,0,90,0,0,0,21,0,13,0,30,1,0,0,21,0,12,0,5,0,0,0,21,0,11,0,6,0,0,0,21,0,10,0,127,1,0,0,21,0,9,0,106,0,0,0,21,0,8,0,107,0,0,0,21,0,7,0,108,0,0,0,21,0,6,0,35,1,0,0,21,0,5,0,4,0,0,0,21,0,4,0,136,1,0,0,21,0,3,0,137,1,0,0,21,0,2,0,143,1,0,0,21,0,1,0,144,1,0,0,21,0,0,1,145,1,0,0,6,0,0,0,0,0,255,127,6,0,0,0,0,0,0,0, |
610 |
+}; |
611 |
+static const unsigned char seccomp_bpf_blks_fork[] = { |
612 |
+ 32,0,0,0,4,0,0,0,21,0,0,50,21,0,0,192,32,0,0,0,0,0,0,0,21,0,47,0,7,0,0,0,21,0,46,0,16,1,0,0,21,0,45,0,114,0,0,0,21,0,44,0,189,0,0,0,21,0,43,0,26,1,0,0,21,0,42,0,174,0,0,0,21,0,41,0,173,0,0,0,21,0,40,0,2,0,0,0,21,0,39,0,11,0,0,0,21,0,38,0,120,0,0,0,21,0,37,0,117,0,0,0,21,0,36,0,85,0,0,0,21,0,35,0,125,0,0,0,21,0,34,0,140,0,0,0,21,0,33,0,19,0,0,0,21,0,32,0,54,0,0,0,21,0,31,0,207,0,0,0,21,0,30,0,20,0,0,0,21,0,29,0,133,0,0,0,21,0,28,0,183,1,0,0,21,0,27,0,42,1,0,0,21,0,26,0,234,0,0,0,21,0,25,0,1,0,0,0,21,0,24,0,12,0,0,0,21,0,23,0,183,0,0,0,21,0,22,0,45,0,0,0,21,0,21,0,33,0,0,0,21,0,20,0,55,0,0,0,21,0,19,0,3,0,0,0,21,0,18,0,179,0,0,0,21,0,17,0,202,0,0,0,21,0,16,0,141,0,0,0,21,0,15,0,91,0,0,0,21,0,14,0,90,0,0,0,21,0,13,0,30,1,0,0,21,0,12,0,5,0,0,0,21,0,11,0,6,0,0,0,21,0,10,0,127,1,0,0,21,0,9,0,106,0,0,0,21,0,8,0,107,0,0,0,21,0,7,0,108,0,0,0,21,0,6,0,35,1,0,0,21,0,5,0,4,0,0,0,21,0,4,0,136,1,0,0,21,0,3,0,137,1,0,0,21,0,2,0,143,1,0,0,21,0,1,0,144,1,0,0,21,0,0,1,145,1,0,0,6,0,0,0,0,0,255,127,6 |
613 |
,0,0,0,0,0,0,0, |
614 |
+}; |
615 |
+#endif |
616 |
+ |
617 |
+#if defined(__riscv) && __riscv_xlen == 64 |
618 |
+/* RISCV64 */ |
619 |
+#define SECCOMP_BPF_AVAILABLE |
620 |
+static const unsigned char seccomp_bpf_blks_base[] = { |
621 |
+ 32,0,0,0,4,0,0,0,21,0,0,33,243,0,0,192,32,0,0,0,0,0,0,0,21,0,30,0,192,0,0,0,21,0,29,0,193,0,0,0,21,0,28,0,190,0,0,0,21,0,27,0,189,0,0,0,21,0,26,0,188,0,0,0,21,0,25,0,186,0,0,0,21,0,24,0,226,0,0,0,21,0,23,0,62,0,0,0,21,0,22,0,29,0,0,0,21,0,21,0,178,0,0,0,21,0,20,0,172,0,0,0,21,0,19,0,50,0,0,0,21,0,18,0,183,1,0,0,21,0,17,0,48,0,0,0,21,0,16,0,94,0,0,0,21,0,15,0,93,0,0,0,21,0,14,0,49,0,0,0,21,0,13,0,90,0,0,0,21,0,12,0,214,0,0,0,21,0,11,0,25,0,0,0,21,0,10,0,63,0,0,0,21,0,9,0,67,0,0,0,21,0,8,0,61,0,0,0,21,0,7,0,215,0,0,0,21,0,6,0,222,0,0,0,21,0,5,0,56,0,0,0,21,0,4,0,57,0,0,0,21,0,3,0,35,1,0,0,21,0,2,0,80,0,0,0,21,0,1,0,79,0,0,0,21,0,0,1,64,0,0,0,6,0,0,0,0,0,255,127,6,0,0,0,0,0,0,0, |
622 |
+}; |
623 |
+static const unsigned char seccomp_bpf_blks_fork[] = { |
624 |
+ 32,0,0,0,4,0,0,0,21,0,0,40,243,0,0,192,32,0,0,0,0,0,0,0,21,0,37,0,4,1,0,0,21,0,36,0,97,0,0,0,21,0,35,0,135,0,0,0,21,0,34,0,134,0,0,0,21,0,33,0,221,0,0,0,21,0,32,0,220,0,0,0,21,0,31,0,192,0,0,0,21,0,30,0,193,0,0,0,21,0,29,0,190,0,0,0,21,0,28,0,189,0,0,0,21,0,27,0,188,0,0,0,21,0,26,0,186,0,0,0,21,0,25,0,226,0,0,0,21,0,24,0,62,0,0,0,21,0,23,0,29,0,0,0,21,0,22,0,178,0,0,0,21,0,21,0,172,0,0,0,21,0,20,0,50,0,0,0,21,0,19,0,183,1,0,0,21,0,18,0,48,0,0,0,21,0,17,0,94,0,0,0,21,0,16,0,93,0,0,0,21,0,15,0,49,0,0,0,21,0,14,0,90,0,0,0,21,0,13,0,214,0,0,0,21,0,12,0,25,0,0,0,21,0,11,0,63,0,0,0,21,0,10,0,67,0,0,0,21,0,9,0,61,0,0,0,21,0,8,0,215,0,0,0,21,0,7,0,222,0,0,0,21,0,6,0,56,0,0,0,21,0,5,0,57,0,0,0,21,0,4,0,35,1,0,0,21,0,3,0,80,0,0,0,21,0,2,0,79,0,0,0,21,0,1,0,64,0,0,0,21,0,0,1,95,0,0,0,6,0,0,0,0,0,255,127,6,0,0,0,0,0,0,0, |
625 |
+}; |
626 |
+#endif |
627 |
+ |
628 |
+#if defined(__s390__) && !defined(__s390x__) |
629 |
+/* S390 */ |
630 |
+#define SECCOMP_BPF_AVAILABLE |
631 |
+static const unsigned char seccomp_bpf_blks_base[] = { |
632 |
+ 0,32,0,0,0,0,0,4,0,21,0,45,0,0,0,22,0,32,0,0,0,0,0,0,0,21,42,0,0,0,0,117,0,21,41,0,0,0,0,85,0,21,40,0,0,0,0,125,0,21,39,0,0,0,0,140,0,21,38,0,0,0,0,19,0,21,37,0,0,0,0,54,0,21,36,0,0,0,0,236,0,21,35,0,0,0,0,20,0,21,34,0,0,0,0,133,0,21,33,0,0,0,1,183,0,21,32,0,0,0,1,44,0,21,31,0,0,0,0,248,0,21,30,0,0,0,0,1,0,21,29,0,0,0,0,12,0,21,28,0,0,0,0,184,0,21,27,0,0,0,0,45,0,21,26,0,0,0,0,33,0,21,25,0,0,0,0,221,0,21,24,0,0,0,0,55,0,21,23,0,0,0,0,3,0,21,22,0,0,0,0,180,0,21,21,0,0,0,0,220,0,21,20,0,0,0,0,141,0,21,19,0,0,0,0,91,0,21,18,0,0,0,0,192,0,21,17,0,0,0,0,90,0,21,16,0,0,0,1,32,0,21,15,0,0,0,0,5,0,21,14,0,0,0,0,6,0,21,13,0,0,0,1,123,0,21,12,0,0,0,0,195,0,21,11,0,0,0,0,106,0,21,10,0,0,0,0,196,0,21,9,0,0,0,0,107,0,21,8,0,0,0,1,37,0,21,7,0,0,0,0,197,0,21,6,0,0,0,0,108,0,21,5,0,0,0,0,4,0,21,4,0,0,0,1,136,0,21,3,0,0,0,1,137,0,21,2,0,0,0,1,143,0,21,1,0,0,0,1,144,0,21,0,1,0,0,1,145,0,6,0,0,127,255,0,0,0,6,0,0,0,0,0,0, |
633 |
+}; |
634 |
+static const unsigned char seccomp_bpf_blks_fork[] = { |
635 |
+ 0,32,0,0,0,0,0,4,0,21,0,54,0,0,0,22,0,32,0,0,0,0,0,0,0,21,51,0,0,0,1,25,0,21,50,0,0,0,0,114,0,21,49,0,0,0,0,190,0,21,48,0,0,0,1,47,0,21,47,0,0,0,0,175,0,21,46,0,0,0,0,174,0,21,45,0,0,0,0,2,0,21,44,0,0,0,0,11,0,21,43,0,0,0,0,120,0,21,42,0,0,0,0,117,0,21,41,0,0,0,0,85,0,21,40,0,0,0,0,125,0,21,39,0,0,0,0,140,0,21,38,0,0,0,0,19,0,21,37,0,0,0,0,54,0,21,36,0,0,0,0,236,0,21,35,0,0,0,0,20,0,21,34,0,0,0,0,133,0,21,33,0,0,0,1,183,0,21,32,0,0,0,1,44,0,21,31,0,0,0,0,248,0,21,30,0,0,0,0,1,0,21,29,0,0,0,0,12,0,21,28,0,0,0,0,184,0,21,27,0,0,0,0,45,0,21,26,0,0,0,0,33,0,21,25,0,0,0,0,221,0,21,24,0,0,0,0,55,0,21,23,0,0,0,0,3,0,21,22,0,0,0,0,180,0,21,21,0,0,0,0,220,0,21,20,0,0,0,0,141,0,21,19,0,0,0,0,91,0,21,18,0,0,0,0,192,0,21,17,0,0,0,0,90,0,21,16,0,0,0,1,32,0,21,15,0,0,0,0,5,0,21,14,0,0,0,0,6,0,21,13,0,0,0,1,123,0,21,12,0,0,0,0,195,0,21,11,0,0,0,0,106,0,21,10,0,0,0,0,196,0,21,9,0,0,0,0,107,0,21,8,0,0,0,1,37,0,21,7,0,0,0,0,197,0,21,6,0,0,0,0,108,0,21,5,0,0,0,0,4,0,21,4,0,0,0,1,136,0,21,3,0,0,0,1,13 |
636 |
7,0,21,2,0,0,0,1,143,0,21,1,0,0,0,1,144,0,21,0,1,0,0,1,145,0,6,0,0,127,255,0,0,0,6,0,0,0,0,0,0, |
637 |
+}; |
638 |
+#endif |
639 |
+ |
640 |
+#if defined(__s390__) && defined(__s390x__) |
641 |
+/* S390X */ |
642 |
+#define SECCOMP_BPF_AVAILABLE |
643 |
+static const unsigned char seccomp_bpf_blks_base[] = { |
644 |
+ 0,32,0,0,0,0,0,4,0,21,0,39,128,0,0,22,0,32,0,0,0,0,0,0,0,21,36,0,0,0,0,117,0,21,35,0,0,0,0,85,0,21,34,0,0,0,0,125,0,21,33,0,0,0,0,19,0,21,32,0,0,0,0,54,0,21,31,0,0,0,0,236,0,21,30,0,0,0,0,20,0,21,29,0,0,0,0,133,0,21,28,0,0,0,1,183,0,21,27,0,0,0,1,44,0,21,26,0,0,0,0,248,0,21,25,0,0,0,0,1,0,21,24,0,0,0,0,12,0,21,23,0,0,0,0,184,0,21,22,0,0,0,0,45,0,21,21,0,0,0,0,33,0,21,20,0,0,0,0,55,0,21,19,0,0,0,0,3,0,21,18,0,0,0,0,180,0,21,17,0,0,0,0,220,0,21,16,0,0,0,0,141,0,21,15,0,0,0,0,91,0,21,14,0,0,0,0,90,0,21,13,0,0,0,1,32,0,21,12,0,0,0,0,5,0,21,11,0,0,0,0,6,0,21,10,0,0,0,1,123,0,21,9,0,0,0,0,106,0,21,8,0,0,0,0,107,0,21,7,0,0,0,0,108,0,21,6,0,0,0,1,37,0,21,5,0,0,0,0,4,0,21,4,0,0,0,1,136,0,21,3,0,0,0,1,137,0,21,2,0,0,0,1,143,0,21,1,0,0,0,1,144,0,21,0,1,0,0,1,145,0,6,0,0,127,255,0,0,0,6,0,0,0,0,0,0, |
645 |
+}; |
646 |
+static const unsigned char seccomp_bpf_blks_fork[] = { |
647 |
+ 0,32,0,0,0,0,0,4,0,21,0,48,128,0,0,22,0,32,0,0,0,0,0,0,0,21,45,0,0,0,1,25,0,21,44,0,0,0,0,114,0,21,43,0,0,0,0,190,0,21,42,0,0,0,1,47,0,21,41,0,0,0,0,175,0,21,40,0,0,0,0,174,0,21,39,0,0,0,0,2,0,21,38,0,0,0,0,11,0,21,37,0,0,0,0,120,0,21,36,0,0,0,0,117,0,21,35,0,0,0,0,85,0,21,34,0,0,0,0,125,0,21,33,0,0,0,0,19,0,21,32,0,0,0,0,54,0,21,31,0,0,0,0,236,0,21,30,0,0,0,0,20,0,21,29,0,0,0,0,133,0,21,28,0,0,0,1,183,0,21,27,0,0,0,1,44,0,21,26,0,0,0,0,248,0,21,25,0,0,0,0,1,0,21,24,0,0,0,0,12,0,21,23,0,0,0,0,184,0,21,22,0,0,0,0,45,0,21,21,0,0,0,0,33,0,21,20,0,0,0,0,55,0,21,19,0,0,0,0,3,0,21,18,0,0,0,0,180,0,21,17,0,0,0,0,220,0,21,16,0,0,0,0,141,0,21,15,0,0,0,0,91,0,21,14,0,0,0,0,90,0,21,13,0,0,0,1,32,0,21,12,0,0,0,0,5,0,21,11,0,0,0,0,6,0,21,10,0,0,0,1,123,0,21,9,0,0,0,0,106,0,21,8,0,0,0,0,107,0,21,7,0,0,0,0,108,0,21,6,0,0,0,1,37,0,21,5,0,0,0,0,4,0,21,4,0,0,0,1,136,0,21,3,0,0,0,1,137,0,21,2,0,0,0,1,143,0,21,1,0,0,0,1,144,0,21,0,1,0,0,1,145,0,6,0,0,127,255,0,0,0,6,0,0,0,0,0,0, |
648 |
+}; |
649 |
+#endif |
650 |
+ |
651 |
+#if defined(__i386__) |
652 |
+/* X86 */ |
653 |
+#define SECCOMP_BPF_AVAILABLE |
654 |
+static const unsigned char seccomp_bpf_blks_base[] = { |
655 |
+ 32,0,0,0,4,0,0,0,21,0,0,44,3,0,0,64,32,0,0,0,0,0,0,0,21,0,41,0,117,0,0,0,21,0,40,0,85,0,0,0,21,0,39,0,125,0,0,0,21,0,38,0,140,0,0,0,21,0,37,0,19,0,0,0,21,0,36,0,54,0,0,0,21,0,35,0,224,0,0,0,21,0,34,0,20,0,0,0,21,0,33,0,133,0,0,0,21,0,32,0,183,1,0,0,21,0,31,0,51,1,0,0,21,0,30,0,252,0,0,0,21,0,29,0,1,0,0,0,21,0,28,0,12,0,0,0,21,0,27,0,184,0,0,0,21,0,26,0,45,0,0,0,21,0,25,0,33,0,0,0,21,0,24,0,221,0,0,0,21,0,23,0,55,0,0,0,21,0,22,0,3,0,0,0,21,0,21,0,180,0,0,0,21,0,20,0,220,0,0,0,21,0,19,0,141,0,0,0,21,0,18,0,91,0,0,0,21,0,17,0,192,0,0,0,21,0,16,0,90,0,0,0,21,0,15,0,39,1,0,0,21,0,14,0,5,0,0,0,21,0,13,0,6,0,0,0,21,0,12,0,127,1,0,0,21,0,11,0,195,0,0,0,21,0,10,0,106,0,0,0,21,0,9,0,196,0,0,0,21,0,8,0,107,0,0,0,21,0,7,0,44,1,0,0,21,0,6,0,197,0,0,0,21,0,5,0,108,0,0,0,21,0,4,0,4,0,0,0,21,0,3,0,137,1,0,0,21,0,2,0,143,1,0,0,21,0,1,0,144,1,0,0,21,0,0,1,145,1,0,0,6,0,0,0,0,0,255,127,6,0,0,0,0,0,0,0, |
656 |
+}; |
657 |
+static const unsigned char seccomp_bpf_blks_fork[] = { |
658 |
+ 32,0,0,0,4,0,0,0,21,0,0,54,3,0,0,64,32,0,0,0,0,0,0,0,21,0,51,0,7,0,0,0,21,0,50,0,28,1,0,0,21,0,49,0,114,0,0,0,21,0,48,0,190,0,0,0,21,0,47,0,54,1,0,0,21,0,46,0,175,0,0,0,21,0,45,0,174,0,0,0,21,0,44,0,2,0,0,0,21,0,43,0,11,0,0,0,21,0,42,0,120,0,0,0,21,0,41,0,117,0,0,0,21,0,40,0,85,0,0,0,21,0,39,0,125,0,0,0,21,0,38,0,140,0,0,0,21,0,37,0,19,0,0,0,21,0,36,0,54,0,0,0,21,0,35,0,224,0,0,0,21,0,34,0,20,0,0,0,21,0,33,0,133,0,0,0,21,0,32,0,183,1,0,0,21,0,31,0,51,1,0,0,21,0,30,0,252,0,0,0,21,0,29,0,1,0,0,0,21,0,28,0,12,0,0,0,21,0,27,0,184,0,0,0,21,0,26,0,45,0,0,0,21,0,25,0,33,0,0,0,21,0,24,0,221,0,0,0,21,0,23,0,55,0,0,0,21,0,22,0,3,0,0,0,21,0,21,0,180,0,0,0,21,0,20,0,220,0,0,0,21,0,19,0,141,0,0,0,21,0,18,0,91,0,0,0,21,0,17,0,192,0,0,0,21,0,16,0,90,0,0,0,21,0,15,0,39,1,0,0,21,0,14,0,5,0,0,0,21,0,13,0,6,0,0,0,21,0,12,0,127,1,0,0,21,0,11,0,195,0,0,0,21,0,10,0,106,0,0,0,21,0,9,0,196,0,0,0,21,0,8,0,107,0,0,0,21,0,7,0,44,1,0,0,21,0,6,0,197,0,0,0,21,0,5,0,108,0,0,0,21,0,4,0,4,0,0,0,21,0,3,0,137,1,0,0, |
659 |
21,0,2,0,143,1,0,0,21,0,1,0,144,1,0,0,21,0,0,1,145,1,0,0,6,0,0,0,0,0,255,127,6,0,0,0,0,0,0,0, |
660 |
+}; |
661 |
+#endif |
662 |
+ |
663 |
+#if defined(__x86_64__) && defined(__ILP32__) |
664 |
+/* X32 */ |
665 |
+#define SECCOMP_BPF_AVAILABLE |
666 |
+static const unsigned char seccomp_bpf_blks_base[] = { |
667 |
+ 32,0,0,0,4,0,0,0,21,0,0,40,62,0,0,192,32,0,0,0,0,0,0,0,53,0,0,38,0,0,0,64,21,0,36,0,220,0,0,64,21,0,35,0,65,0,0,64,21,0,34,0,64,0,0,64,21,0,33,0,69,0,0,64,21,0,32,0,70,0,0,64,21,0,31,0,68,0,0,64,21,0,30,0,89,0,0,64,21,0,29,0,10,0,0,64,21,0,28,0,8,0,0,64,21,0,27,0,2,2,0,64,21,0,26,0,186,0,0,64,21,0,25,0,39,0,0,64,21,0,24,0,81,0,0,64,21,0,23,0,183,1,0,64,21,0,22,0,13,1,0,64,21,0,21,0,231,0,0,64,21,0,20,0,60,0,0,64,21,0,19,0,80,0,0,64,21,0,18,0,125,0,0,64,21,0,17,0,12,0,0,64,21,0,16,0,21,0,0,64,21,0,15,0,72,0,0,64,21,0,14,0,0,0,0,64,21,0,13,0,17,0,0,64,21,0,12,0,217,0,0,64,21,0,11,0,78,0,0,64,21,0,10,0,11,0,0,64,21,0,9,0,9,0,0,64,21,0,8,0,1,1,0,64,21,0,7,0,2,0,0,64,21,0,6,0,3,0,0,64,21,0,5,0,76,1,0,64,21,0,4,0,4,0,0,64,21,0,3,0,6,0,0,64,21,0,2,0,5,0,0,64,21,0,1,0,6,1,0,64,21,0,0,1,1,0,0,64,6,0,0,0,0,0,255,127,6,0,0,0,0,0,0,0, |
668 |
+}; |
669 |
+static const unsigned char seccomp_bpf_blks_fork[] = { |
670 |
+ 32,0,0,0,4,0,0,0,21,0,0,49,62,0,0,192,32,0,0,0,0,0,0,0,53,0,0,47,0,0,0,64,21,0,45,0,17,2,0,64,21,0,44,0,61,0,0,64,21,0,43,0,58,0,0,64,21,0,42,0,16,1,0,64,21,0,41,0,14,0,0,64,21,0,40,0,0,2,0,64,21,0,39,0,57,0,0,64,21,0,38,0,8,2,0,64,21,0,37,0,56,0,0,64,21,0,36,0,220,0,0,64,21,0,35,0,65,0,0,64,21,0,34,0,64,0,0,64,21,0,33,0,69,0,0,64,21,0,32,0,70,0,0,64,21,0,31,0,68,0,0,64,21,0,30,0,89,0,0,64,21,0,29,0,10,0,0,64,21,0,28,0,8,0,0,64,21,0,27,0,2,2,0,64,21,0,26,0,186,0,0,64,21,0,25,0,39,0,0,64,21,0,24,0,81,0,0,64,21,0,23,0,183,1,0,64,21,0,22,0,13,1,0,64,21,0,21,0,231,0,0,64,21,0,20,0,60,0,0,64,21,0,19,0,80,0,0,64,21,0,18,0,125,0,0,64,21,0,17,0,12,0,0,64,21,0,16,0,21,0,0,64,21,0,15,0,72,0,0,64,21,0,14,0,0,0,0,64,21,0,13,0,17,0,0,64,21,0,12,0,217,0,0,64,21,0,11,0,78,0,0,64,21,0,10,0,11,0,0,64,21,0,9,0,9,0,0,64,21,0,8,0,1,1,0,64,21,0,7,0,2,0,0,64,21,0,6,0,3,0,0,64,21,0,5,0,76,1,0,64,21,0,4,0,4,0,0,64,21,0,3,0,6,0,0,64,21,0,2,0,5,0,0,64,21,0,1,0,6,1,0,64,21,0,0,1,1,0,0,64,6,0,0,0,0,0,255,127, |
671 |
6,0,0,0,0,0,0,0, |
672 |
+}; |
673 |
+#endif |
674 |
+ |
675 |
+#if defined(__x86_64__) && !defined(__ILP32__) |
676 |
+/* X86_64 */ |
677 |
+#define SECCOMP_BPF_AVAILABLE |
678 |
+static const unsigned char seccomp_bpf_blks_base[] = { |
679 |
+ 32,0,0,0,4,0,0,0,21,0,0,41,62,0,0,192,32,0,0,0,0,0,0,0,53,0,0,1,0,0,0,64,21,0,0,38,255,255,255,255,21,0,36,0,16,0,0,0,21,0,35,0,186,0,0,0,21,0,34,0,39,0,0,0,21,0,33,0,81,0,0,0,21,0,32,0,183,1,0,0,21,0,31,0,13,1,0,0,21,0,30,0,231,0,0,0,21,0,29,0,60,0,0,0,21,0,28,0,80,0,0,0,21,0,27,0,125,0,0,0,21,0,26,0,12,0,0,0,21,0,25,0,21,0,0,0,21,0,24,0,72,0,0,0,21,0,23,0,0,0,0,0,21,0,22,0,17,0,0,0,21,0,21,0,217,0,0,0,21,0,20,0,78,0,0,0,21,0,19,0,11,0,0,0,21,0,18,0,9,0,0,0,21,0,17,0,1,1,0,0,21,0,16,0,2,0,0,0,21,0,15,0,3,0,0,0,21,0,14,0,76,1,0,0,21,0,13,0,4,0,0,0,21,0,12,0,6,0,0,0,21,0,11,0,5,0,0,0,21,0,10,0,6,1,0,0,21,0,9,0,1,0,0,0,21,0,8,0,220,0,0,0,21,0,7,0,65,0,0,0,21,0,6,0,64,0,0,0,21,0,5,0,69,0,0,0,21,0,4,0,70,0,0,0,21,0,3,0,68,0,0,0,21,0,2,0,89,0,0,0,21,0,1,0,10,0,0,0,21,0,0,1,8,0,0,0,6,0,0,0,0,0,255,127,6,0,0,0,0,0,0,0, |
680 |
+}; |
681 |
+static const unsigned char seccomp_bpf_blks_fork[] = { |
682 |
+ 32,0,0,0,4,0,0,0,21,0,0,50,62,0,0,192,32,0,0,0,0,0,0,0,53,0,0,1,0,0,0,64,21,0,0,47,255,255,255,255,21,0,45,0,16,0,0,0,21,0,44,0,186,0,0,0,21,0,43,0,39,0,0,0,21,0,42,0,81,0,0,0,21,0,41,0,183,1,0,0,21,0,40,0,13,1,0,0,21,0,39,0,231,0,0,0,21,0,38,0,60,0,0,0,21,0,37,0,80,0,0,0,21,0,36,0,125,0,0,0,21,0,35,0,12,0,0,0,21,0,34,0,21,0,0,0,21,0,33,0,72,0,0,0,21,0,32,0,0,0,0,0,21,0,31,0,17,0,0,0,21,0,30,0,217,0,0,0,21,0,29,0,78,0,0,0,21,0,28,0,11,0,0,0,21,0,27,0,9,0,0,0,21,0,26,0,1,1,0,0,21,0,25,0,2,0,0,0,21,0,24,0,3,0,0,0,21,0,23,0,76,1,0,0,21,0,22,0,4,0,0,0,21,0,21,0,6,0,0,0,21,0,20,0,5,0,0,0,21,0,19,0,6,1,0,0,21,0,18,0,1,0,0,0,21,0,17,0,247,0,0,0,21,0,16,0,61,0,0,0,21,0,15,0,58,0,0,0,21,0,14,0,16,1,0,0,21,0,13,0,14,0,0,0,21,0,12,0,13,0,0,0,21,0,11,0,57,0,0,0,21,0,10,0,59,0,0,0,21,0,9,0,56,0,0,0,21,0,8,0,220,0,0,0,21,0,7,0,65,0,0,0,21,0,6,0,64,0,0,0,21,0,5,0,69,0,0,0,21,0,4,0,70,0,0,0,21,0,3,0,68,0,0,0,21,0,2,0,89,0,0,0,21,0,1,0,10,0,0,0,21,0,0,1,8,0,0,0,6,0,0,0,0,0,255,127,6,0,0,0,0,0,0,0, |
683 |
+}; |
684 |
+#endif |
685 |
+ |
686 |
+#ifdef SECCOMP_BPF_AVAILABLE |
687 |
+typedef struct { |
688 |
+ uint16_t cnt; |
689 |
+ const void *bpf; |
690 |
+} seccomp_bpf_program_t; |
691 |
+static const seccomp_bpf_program_t seccomp_bpf_program_base = { |
692 |
+ .cnt = sizeof(seccomp_bpf_blks_base) / 8, |
693 |
+ .bpf = seccomp_bpf_blks_base, |
694 |
+}; |
695 |
+static const seccomp_bpf_program_t seccomp_bpf_program_fork = { |
696 |
+ .cnt = sizeof(seccomp_bpf_blks_fork) / 8, |
697 |
+ .bpf = seccomp_bpf_blks_fork, |
698 |
+}; |
699 |
+#endif |
700 |
|
701 |
diff --git a/security.c b/security.c |
702 |
index 802e586..4fecfa3 100644 |
703 |
--- a/security.c |
704 |
+++ b/security.c |
705 |
@@ -6,6 +6,7 @@ |
706 |
*/ |
707 |
|
708 |
#include "paxinc.h" |
709 |
+#include "seccomp-bpf.h" |
710 |
|
711 |
#ifdef __linux__ |
712 |
|
713 |
@@ -26,202 +27,23 @@ |
714 |
#define CLONE_NEWUTS 0 |
715 |
#endif |
716 |
|
717 |
+#ifndef PR_SET_SECCOMP |
718 |
+#define PR_SET_SECCOMP 22 |
719 |
+#endif |
720 |
+#ifndef SECCOMP_MODE_FILTER |
721 |
+#define SECCOMP_MODE_FILTER 2 |
722 |
+#endif |
723 |
+ |
724 |
#ifdef __SANITIZE_ADDRESS__ |
725 |
/* ASAN does some weird stuff. */ |
726 |
# define ALLOW_PIDNS 0 |
727 |
+# undef WANT_SECCOMP |
728 |
#else |
729 |
# define ALLOW_PIDNS 1 |
730 |
#endif |
731 |
|
732 |
-#ifdef WANT_SECCOMP |
733 |
-# include <seccomp.h> |
734 |
- |
735 |
-/* Simple helper to add all of the syscalls in an array. */ |
736 |
-static int pax_seccomp_rules_add(scmp_filter_ctx ctx, int syscalls[], size_t num) |
737 |
-{ |
738 |
- static uint8_t prio; |
739 |
- size_t i; |
740 |
- for (i = 0; i < num; ++i) { |
741 |
- if (syscalls[i] < 0) |
742 |
- continue; |
743 |
- |
744 |
- if (seccomp_syscall_priority(ctx, syscalls[i], prio++) < 0) { |
745 |
- warnp("seccomp_syscall_priority failed"); |
746 |
- return -1; |
747 |
- } |
748 |
- if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, syscalls[i], 0) < 0) { |
749 |
- warnp("seccomp_rule_add failed"); |
750 |
- return -1; |
751 |
- } |
752 |
- } |
753 |
- return 0; |
754 |
-} |
755 |
-#define pax_seccomp_rules_add(ctx, syscalls) pax_seccomp_rules_add(ctx, syscalls, ARRAY_SIZE(syscalls)) |
756 |
- |
757 |
-static void |
758 |
-pax_seccomp_sigal(__unused__ int signo, siginfo_t *info, __unused__ void *context) |
759 |
-{ |
760 |
-#ifdef si_syscall |
761 |
- warn("seccomp violated: syscall %i", info->si_syscall); |
762 |
- fflush(stderr); |
763 |
- warn(" syscall = %s", |
764 |
- seccomp_syscall_resolve_num_arch(seccomp_arch_native(), info->si_syscall)); |
765 |
- fflush(stderr); |
766 |
-#else |
767 |
- warn("seccomp violated: syscall unknown (no si_syscall)"); |
768 |
-#endif |
769 |
- kill(getpid(), SIGSYS); |
770 |
- _exit(1); |
771 |
-} |
772 |
- |
773 |
-static void pax_seccomp_signal_init(void) |
774 |
-{ |
775 |
- struct sigaction act; |
776 |
- sigemptyset(&act.sa_mask); |
777 |
- act.sa_sigaction = pax_seccomp_sigal, |
778 |
- act.sa_flags = SA_SIGINFO | SA_RESETHAND; |
779 |
- sigaction(SIGSYS, &act, NULL); |
780 |
-} |
781 |
- |
782 |
-static void pax_seccomp_init(bool allow_forking) |
783 |
-{ |
784 |
- /* Order determines priority (first == lowest prio). */ |
785 |
- int base_syscalls[] = { |
786 |
- /* We write the most w/scanelf. */ |
787 |
- SCMP_SYS(write), |
788 |
- SCMP_SYS(writev), |
789 |
- SCMP_SYS(pwrite64), |
790 |
- SCMP_SYS(pwritev), |
791 |
- |
792 |
- /* Then the stat family of functions. */ |
793 |
- SCMP_SYS(newfstatat), |
794 |
- SCMP_SYS(fstat), |
795 |
- SCMP_SYS(fstat64), |
796 |
- SCMP_SYS(fstatat64), |
797 |
- SCMP_SYS(lstat), |
798 |
- SCMP_SYS(lstat64), |
799 |
- SCMP_SYS(stat), |
800 |
- SCMP_SYS(stat64), |
801 |
- SCMP_SYS(statx), |
802 |
- |
803 |
- /* Then the fd close func. */ |
804 |
- SCMP_SYS(close), |
805 |
- |
806 |
- /* Then fd open family of functions. */ |
807 |
- SCMP_SYS(open), |
808 |
- SCMP_SYS(openat), |
809 |
- |
810 |
- /* Then the memory mapping functions. */ |
811 |
- SCMP_SYS(mmap), |
812 |
- SCMP_SYS(mmap2), |
813 |
- SCMP_SYS(munmap), |
814 |
- |
815 |
- /* Then the directory reading functions. */ |
816 |
- SCMP_SYS(getdents), |
817 |
- SCMP_SYS(getdents64), |
818 |
- |
819 |
- /* Then the file reading functions. */ |
820 |
- SCMP_SYS(pread64), |
821 |
- SCMP_SYS(read), |
822 |
- SCMP_SYS(readv), |
823 |
- SCMP_SYS(preadv), |
824 |
- |
825 |
- /* Then the fd manipulation functions. */ |
826 |
- SCMP_SYS(fcntl), |
827 |
- SCMP_SYS(fcntl64), |
828 |
- |
829 |
- /* After this point, just sort the list alphabetically. */ |
830 |
- SCMP_SYS(access), |
831 |
- SCMP_SYS(brk), |
832 |
- SCMP_SYS(capget), |
833 |
- SCMP_SYS(chdir), |
834 |
- SCMP_SYS(dup), |
835 |
- SCMP_SYS(dup2), |
836 |
- SCMP_SYS(dup3), |
837 |
- SCMP_SYS(exit), |
838 |
- SCMP_SYS(exit_group), |
839 |
- SCMP_SYS(faccessat), |
840 |
- SCMP_SYS(fchdir), |
841 |
- SCMP_SYS(getpid), |
842 |
- SCMP_SYS(gettid), |
843 |
- SCMP_SYS(ioctl), |
844 |
- SCMP_SYS(lseek), |
845 |
- SCMP_SYS(_llseek), |
846 |
- SCMP_SYS(mprotect), |
847 |
- |
848 |
- /* Syscalls listed because of compiler settings. */ |
849 |
- SCMP_SYS(futex), |
850 |
- |
851 |
- /* Syscalls listed because of sandbox. */ |
852 |
- SCMP_SYS(readlink), |
853 |
- SCMP_SYS(readlinkat), |
854 |
- SCMP_SYS(getcwd), |
855 |
- #ifndef __SNR_faccessat2 |
856 |
- /* faccessat2 is not yet defiled in latest libseccomp-2.5.1 */ |
857 |
- # define __SNR_faccessat2 __NR_faccessat2 |
858 |
- #endif |
859 |
- SCMP_SYS(faccessat2), |
860 |
- |
861 |
- /* Syscalls listed because of fakeroot. */ |
862 |
- SCMP_SYS(msgget), |
863 |
- SCMP_SYS(msgrcv), |
864 |
- SCMP_SYS(msgsnd), |
865 |
- SCMP_SYS(semget), |
866 |
- SCMP_SYS(semop), |
867 |
- SCMP_SYS(semtimedop), |
868 |
- /* |
869 |
- * Some targets like ppc and i386 implement the above |
870 |
- * syscall as subcalls via ipc() syscall. |
871 |
- * https://bugs.gentoo.org/675378 |
872 |
- */ |
873 |
- SCMP_SYS(ipc), |
874 |
- }; |
875 |
- int fork_syscalls[] = { |
876 |
- SCMP_SYS(clone), |
877 |
- SCMP_SYS(execve), |
878 |
- SCMP_SYS(fork), |
879 |
- SCMP_SYS(rt_sigaction), |
880 |
- SCMP_SYS(rt_sigprocmask), |
881 |
- SCMP_SYS(unshare), |
882 |
- SCMP_SYS(vfork), |
883 |
- SCMP_SYS(wait4), |
884 |
- SCMP_SYS(waitid), |
885 |
- SCMP_SYS(waitpid), |
886 |
- }; |
887 |
- scmp_filter_ctx ctx = seccomp_init(USE_DEBUG ? SCMP_ACT_TRAP : SCMP_ACT_KILL); |
888 |
- if (!ctx) { |
889 |
- warnp("seccomp_init failed"); |
890 |
- return; |
891 |
- } |
892 |
- |
893 |
- if (pax_seccomp_rules_add(ctx, base_syscalls) < 0) |
894 |
- goto done; |
895 |
- |
896 |
- if (allow_forking) |
897 |
- if (pax_seccomp_rules_add(ctx, fork_syscalls) < 0) |
898 |
- goto done; |
899 |
- |
900 |
- /* We already called prctl. */ |
901 |
- seccomp_attr_set(ctx, SCMP_FLTATR_CTL_NNP, 0); |
902 |
- |
903 |
- if (USE_DEBUG) |
904 |
- pax_seccomp_signal_init(); |
905 |
- |
906 |
-#ifndef __SANITIZE_ADDRESS__ |
907 |
- /* ASAN does some weird stuff. */ |
908 |
- if (seccomp_load(ctx) < 0) { |
909 |
- /* We have to assume that EINVAL == CONFIG_SECCOMP is disabled. */ |
910 |
- if (errno != EINVAL) |
911 |
- warnp("seccomp_load failed"); |
912 |
- } |
913 |
-#endif |
914 |
- |
915 |
- done: |
916 |
- seccomp_release(ctx); |
917 |
-} |
918 |
- |
919 |
-#else |
920 |
-# define pax_seccomp_init(allow_forking) |
921 |
+#ifndef SECCOMP_BPF_AVAILABLE |
922 |
+# undef WANT_SECCOMP |
923 |
#endif |
924 |
|
925 |
static int ns_unshare(int flags) |
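Review bot: The added `#ifndef SECCOMP_BPF_AVAILABLE` / `# undef WANT_SECCOMP` pair switches the sandbox off with no diagnostic on any target that has no pre-generated program in seccomp-bpf.h, even when the build asked for seccomp. A build-time message would keep a missing filter from going unnoticed: guard it as `#if defined(WANT_SECCOMP) && !defined(SECCOMP_BPF_AVAILABLE)` and put `# warning "seccomp requested but no pre-generated BPF program for this target"` before the `# undef`. The removed `USE_DEBUG` path (trap action plus a SIGSYS handler that printed the offending syscall) has no counterpart in the new lines of this hunk. The arrays visible in seccomp-bpf.h end in a plain return of 0, so a violation presumably just kills the process without naming the syscall; if that is intended, a comment here should say so.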
926 |
@@ -308,7 +130,19 @@ void security_init(bool allow_forking) |
927 |
_exit(0); |
928 |
} |
929 |
|
930 |
- pax_seccomp_init(allow_forking); |
931 |
+#ifdef WANT_SECCOMP |
932 |
+ { |
933 |
+ int ret; |
934 |
+ |
935 |
+ if (allow_forking) |
936 |
+ ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &seccomp_bpf_program_fork); |
937 |
+ else |
938 |
+ ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &seccomp_bpf_program_base); |
939 |
+ |
940 |
+ if (ret) |
941 |
+ warn("enabling seccomp failed"); |
942 |
+ } |
943 |
+#endif |
944 |
} |
945 |
|
946 |
#endif |
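Review bot: When `prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, ...)` fails, the new block only prints `warn("enabling seccomp failed")` and `security_init()` returns, so the tool goes on parsing input with no syscall filter and the log does not say why. The libseccomp code this replaces reported the error with `warnp()` and stayed quiet on `EINVAL`, which it took to mean a kernel without seccomp. Keeping that distinction would be `if (ret && errno != EINVAL) warnp("enabling seccomp failed");`. The pointer passed is a `seccomp_bpf_program_t`, which must keep the layout of the kernel's `struct sock_fprog`, and a one-line comment at the call stating that dependency would help. `security_init()` begins outside this hunk, so whether `PR_SET_NO_NEW_PRIVS` is set before this point cannot be confirmed from here.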