Merge branch 'seccomp-syscall'

rootmos · Oct 27, 2022 · 7a5937d · 7a5937d
2 parents da8f3c7 + bc7e497
commit 7a5937d
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 4 deletions.
diff --git a/.version b/.version
@@ -1,3 +1,3 @@
 VERSION_MAJOR=0
 VERSION_MINOR=5
-VERSION_PATCH=3
+VERSION_PATCH=4
diff --git a/build/seccomp.c b/build/seccomp.c
@@ -1,6 +1,13 @@
 #include <linux/seccomp.h>
 #include <linux/filter.h>
-#include <sys/prctl.h>
+#include <sys/syscall.h>
+
+#ifndef seccomp
+static int seccomp(unsigned int operation, unsigned int flags, void *args)
+{
+    return syscall(SYS_seccomp, operation, flags, args);
+}
+#endif
 
 void seccomp_apply_filter()
 {
@@ -9,6 +16,6 @@ void seccomp_apply_filter()
     };
 
     struct sock_fprog p = { .len = LENGTH(filter), .filter = filter };
-    int r = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &p);
-    CHECK(r, "prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER)");
+    int r = seccomp(SECCOMP_SET_MODE_FILTER, 0, &p);
+    CHECK(r, "seccomp(SECCOMP_SET_MODE_FILTER)");
 }
diff --git a/hlua/filter.bpf b/hlua/filter.bpf
@@ -2,6 +2,7 @@
 ld [$$offsetof(struct seccomp_data, arch)$$]
 jne #$AUDIT_ARCH_X86_64, bad
 ld [$$offsetof(struct seccomp_data, nr)$$]
+jge #$__X32_SYSCALL_BIT, bad
 
 jeq #$__NR_brk, good
 

diff --git a/hpython/filter.bpf b/hpython/filter.bpf
@@ -2,6 +2,7 @@
 ld [$$offsetof(struct seccomp_data, arch)$$]
 jne #$AUDIT_ARCH_X86_64, bad
 ld [$$offsetof(struct seccomp_data, nr)$$]
+jge #$__X32_SYSCALL_BIT, bad
 
 jeq #$__NR_read, good
 jeq #$__NR_write, good