#define SECCOMP_RET_KILL_THREAD 0x00000000U /* kill the thread */ #define SECCOMP_RET_KILL SECCOMP_RET_KILL_THREAD #define SECCOMP_RET_TRAP 0x00030000U /* disallow and force a SIGSYS */ #define SECCOMP_RET_ERRNO 0x00050000U /* returns an errno */ #define SECCOMP_RET_USER_NOTIF 0x7f...
此外,Seccomp 过滤器会向内核返回一个值,指示是否允许该系统调用。该返回值是一个 32 位的数值:高 16 位(SECCOMP_RET_ACTION 掩码)指定内核应该采取的操作,低 16 位(SECCOMP_RET_DATA 掩码)用于携带与该操作关联的数据(例如 SECCOMP_RET_ERRNO 时返回给调用方的 errno 值)。 /** All BPF programs must return a 32-bit value.* The bottom 16-bits are fo...
此外,Seccomp 过滤器会向内核返回一个值,指示是否允许该系统调用。该返回值是一个 32 位的数值:高 16 位(SECCOMP_RET_ACTION 掩码)指定内核应该采取的操作,低 16 位(SECCOMP_RET_DATA 掩码)用于携带与该操作关联的数据(例如 SECCOMP_RET_ERRNO 时返回给调用方的 errno 值)。 /** All BPF programs must return a 32-bit value.* The bottom 16-bits are fo...
intmain(intargc,char**argv){...#创建filterstructsock_filterfilter[]={BPF_STMT(BPF_LD+BPF_W+BPF_ABS,(offsetof(structseccomp_data,nr))),BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K,__NR_mkdir,0,1),BPF_STMT(BPF_RET+BPF_K,SECCOMP_RET_USER_NOTIF),BPF_STMT(BPF_RET+BPF_K,SECCOMP_RET_ALLOW),}...
The ``SECCOMP_RET_USER_NOTIF`` return code lets seccomp filters pass a particular syscall to userspace to be handled. This may be useful for applications like container managers, which wish to intercept particular syscalls (``mount()``, ``finit_module()``, etc.) and change their behavior...
#define SECCOMP_RET_USER_NOTIF 0x7fc00000U ②添加规则,即添加白名单或者黑名单: seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(execve), 0); 这里对 execve 系统调用采用的是 SCMP_ACT_KILL 动作:一旦进程调用 execve,内核不会向调用方返回错误,而是直接杀死发起该调用的线程(对应 SECCOMP_RET_KILL,即 SECCOMP_RET_KILL_THREAD);如果需要终止整个进程,应使用 SCMP_ACT_KILL_PROCESS。函数原型: #注释头 /** * Add a new rule to the filter * @param ctx the filter context ...
#define SECCOMP_RET_USER_NOTIF 0x7fc00000U /* notifies userspace */ #define SECCOMP_RET_TRACE 0x7ff00000U /* pass to a tracer or disallow */ #define SECCOMP_RET_LOG 0x7ffc0000U /* allow after logging */ #define SECCOMP_RET_ALLOW 0x7fff0000U /* allow */ /* Masks for the return...
When SECCOMP_RET_USER_NOTIF is returned, a * struct seccomp_knotif is created and starts out in INIT. Once the * handler reads the notification off of an FD, it transitions to SENT. * If a signal is received the state transitions back to INIT and * another message is sent. When t...
SECCOMP_RET_KILL_THREAD, #endif #if defined(SECCOMP_RET_TRAP) SECCOMP_RET_TRAP, #endif #if defined(SECCOMP_RET_ERRNO) SECCOMP_RET_ERRNO, #endif #if defined(SECCOMP_RET_USER_NOTIF) SECCOMP_RET_USER_NOTIF, #endif #if defined(SECCOMP_RET_TRACE) SECCOMP_RET_TRACE, ...
SECCOMP_RET_ERRNO, #endif #if defined(SECCOMP_RET_USER_NOTIF) SECCOMP_RET_USER_NOTIF, #endif #if defined(SECCOMP_RET_TRACE) SECCOMP_RET_TRACE, #endif #if defined(SECCOMP_RET_LOG) SECCOMP_RET_LOG, #endif #if defined(SECCOMP_RET_LOG) SECCOMP_RET_ALLOW, ...