Seccomp: filter more syscalls

Signed-off-by: Caolán McNamara <[email protected]> Change-Id: Ia17360035035418ada519cf758e38be35c01a177 (cherry picked from commit 32f3043)
CollaboraOnline · Jan 31, 2025 · c181119 · c181119
1 parent 3107e6b
commit c181119
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/common/Seccomp.cpp b/common/Seccomp.cpp
@@ -111,6 +111,10 @@ bool lockdown(Type type)
         BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_##name, 0, 1), \
         BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
 
+    #define REJECT_SYSCALL(name, err) \
+        BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_##name, 0, 1), \
+        BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO | (err & SECCOMP_RET_DATA))
+
     #define KILL_SYSCALL_FULL(fullname) \
         BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, fullname, 0, 1), \
         BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_TRAP)
@@ -159,6 +163,10 @@ bool lockdown(Type type)
         KILL_SYSCALL(shmget),
         KILL_SYSCALL(shmat),
         KILL_SYSCALL(shmctl),
+#endif
+        REJECT_SYSCALL(execve, EPERM),
+#ifdef __NR_execveat
+        REJECT_SYSCALL(execveat, EPERM),
 #endif
         KILL_SYSCALL(getitimer),
         KILL_SYSCALL(setitimer),