From c1811198cdeb4c798c7daf5b528fca174a4313ea Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Caol=C3=A1n=20McNamara?=
Date: Thu, 9 Jan 2025 13:42:26 +0000
Subject: [PATCH] Seccomp: filter more syscalls
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Caolán McNamara
Change-Id: Ia17360035035418ada519cf758e38be35c01a177
(cherry picked from commit 32f30437e6fe6185190cef37fd666756f6fe88cb)
---
 common/Seccomp.cpp | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/common/Seccomp.cpp b/common/Seccomp.cpp
index 90d4fcab2a5e5..b39dde565141a 100644
--- a/common/Seccomp.cpp
+++ b/common/Seccomp.cpp
@@ -111,6 +111,10 @@ bool lockdown(Type type)
     BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_##name, 0, 1), \
     BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
 
+    #define REJECT_SYSCALL(name, err) \
+    BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_##name, 0, 1), \
+    BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO | (err & SECCOMP_RET_DATA))
+
     #define KILL_SYSCALL_FULL(fullname) \
     BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, fullname, 0, 1), \
     BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_TRAP)
@@ -159,6 +163,10 @@ bool lockdown(Type type)
     KILL_SYSCALL(shmget),
     KILL_SYSCALL(shmat),
     KILL_SYSCALL(shmctl),
+#endif
+    REJECT_SYSCALL(execve, EPERM),
+#ifdef __NR_execveat
+    REJECT_SYSCALL(execveat, EPERM),
 #endif
     KILL_SYSCALL(getitimer),
     KILL_SYSCALL(setitimer),
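Review bot: The new REJECT_SYSCALL macro in the first hunk uses its `err` argument unparenthesized in `SECCOMP_RET_ERRNO | (err & SECCOMP_RET_DATA)`, so an argument passed as a compound expression would bind against `&` before the caller intends; write `((err) & SECCOMP_RET_DATA)` so the macro is safe for any errno expression, not only the bare `EPERM` used in the second hunk. The define would also benefit from a comment stating how it differs from KILL_SYSCALL, which returns SECCOMP_RET_TRAP: with SECCOMP_RET_ERRNO the kernel fails the call in-process and the caller simply sees the errno, so a rejected execve/execveat does not take the trap path and is presumably not observed by whatever handles those traps — confirm against the handler, which is not in the hunk. Suggested comment above the define: `// Unlike KILL_SYSCALL, fail the call with errno 'err' instead of trapping; the caller sees the error and no signal is raised.` The lockdown() function enclosing both hunks starts and ends outside them, and the `#endif` added at the top of the second hunk closes a conditional whose opening line is also outside the hunk.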