How to write a seccomp BPF program to filter the system call instruction pointer

Is it possible to write a seccomp-BPF program that filters on the system call instruction pointer? For example, to kill a process whose system call instruction does not come from libc.

Following @Qeole's comment, I implemented the BPF program like this:

/* https://github.com/redpig/seccomp/blob/master/tests/resumption.c */
#include <stddef.h>          /* offsetof */
#include <linux/filter.h>    /* struct sock_filter, BPF_STMT, BPF_JUMP */
#include <linux/seccomp.h>   /* struct seccomp_data, SECCOMP_RET_* */

/* Lowest address the shared libraries are expected to be mapped at; only its
 * high 32 bits are compared below (little-endian: index [1] is the high word). */
unsigned long lib_start = 0x700000000000;
/* Must have automatic storage: the jump's k reads lib_start at run time. */
struct sock_filter filter[] = {
    /* [0] Load higher 4 bytes of the instruction pointer (offset + 4). */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
        (offsetof(struct seccomp_data, instruction_pointer)) + sizeof(int)),
    /* [1] If A > high word of lib_start, fall through to ALLOW; else jump 1 to KILL. */
    BPF_JUMP(BPF_JMP | BPF_JGT | BPF_K, ((__u32 *)&lib_start)[1], 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
};
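As an added example (my code, not the asker's program and not from the linked redpig/seccomp repository), here is a complete program for the same goal: allow a syscall only when the instruction pointer lies inside libc's own text. It compares both halves of the 64-bit instruction_pointer against a [lo, hi) range instead of the high word alone, so ranges that share or cross a 4 GiB boundary are handled exactly; it includes a small user-space evaluator for the cBPF subset it emits, so the filter can be checked against constructed seccomp_data values before it is installed; and main() derives the range from libc's executable mappings in /proc/self/maps and installs it with prctl(PR_SET_SECCOMP). Assumptions: x86_64 (little-endian, so the high word of instruction_pointer sits 4 bytes after the low word), glibc mapped from a path containing /libc.so or /libc-, and the names build_ip_range_filter, run_filter and ip_allowed are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* seccomp cBPF has only 32-bit loads and compares, so the 64-bit instruction pointer
 * is handled one half at a time. Assumes little-endian (x86_64): high half at +4. */
#define IP_LO ((uint32_t)offsetof(struct seccomp_data, instruction_pointer))
#define IP_HI (IP_LO + 4)
#define LO32(x) ((uint32_t)((x) & 0xffffffffu))
#define HI32(x) ((uint32_t)((x) >> 32))

/* Write a filter that allows a syscall only if lo <= instruction_pointer < hi.
 * High words are compared first; low words decide only on a tie. Returns the
 * instruction count (12). Jump targets are offsets from the next instruction. */
size_t build_ip_range_filter(struct sock_filter *out, uint64_t lo, uint64_t hi)
{
    const struct sock_filter prog[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, IP_HI),            /*  0 */
        BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, HI32(lo), 0, 9),  /*  1 ip_hi <  lo_hi -> kill (11) */
        BPF_JUMP(BPF_JMP | BPF_JGT | BPF_K, HI32(lo), 2, 0),  /*  2 ip_hi >  lo_hi -> upper test (5) */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, IP_LO),            /*  3 tie: compare low words */
        BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, LO32(lo), 0, 6),  /*  4 ip_lo <  lo_lo -> kill (11) */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, IP_HI),            /*  5 */
        BPF_JUMP(BPF_JMP | BPF_JGT | BPF_K, HI32(hi), 4, 0),  /*  6 ip_hi >  hi_hi -> kill (11) */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, HI32(hi), 0, 2),  /*  7 ip_hi <  hi_hi -> allow (10) */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, IP_LO),            /*  8 tie: compare low words */
        BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, LO32(hi), 1, 0),  /*  9 ip_lo >= hi_lo -> kill (11) */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),         /* 10 */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),          /* 11 */
    };
    memcpy(out, prog, sizeof prog);
    return sizeof prog / sizeof prog[0];
}

/* Minimal cBPF evaluator for the subset used above (LD|W|ABS, JMP on K, RET|K), to
 * check the filter in user space against a constructed seccomp_data. Unsupported kills. */
uint32_t run_filter(const struct sock_filter *p, size_t n, const struct seccomp_data *d)
{
    uint32_t A = 0;
    int taken;
    for (size_t pc = 0; pc < n; pc++) {
        const struct sock_filter *i = &p[pc];
        switch (BPF_CLASS(i->code)) {
        case BPF_LD:
            if (BPF_MODE(i->code) != BPF_ABS || i->k > sizeof *d - 4) return SECCOMP_RET_KILL;
            memcpy(&A, (const unsigned char *)d + i->k, sizeof A);
            break;
        case BPF_JMP:
            switch (BPF_OP(i->code)) {
            case BPF_JEQ: taken = A == i->k; break;
            case BPF_JGT: taken = A >  i->k; break;
            case BPF_JGE: taken = A >= i->k; break;
            default:      return SECCOMP_RET_KILL;
            }
            pc += taken ? i->jt : i->jf;
            break;
        case BPF_RET: return i->k;
        default:      return SECCOMP_RET_KILL;
        }
    }
    return SECCOMP_RET_KILL;   /* fell off the end: treat as kill, like an invalid program */
}

/* Evaluate the range filter for one instruction pointer: 1 = allowed, 0 = killed. */
int ip_allowed(uint64_t lo, uint64_t hi, uint64_t ip)
{
    struct sock_filter prog[12];
    size_t n = build_ip_range_filter(prog, lo, hi);
    struct seccomp_data d = { .instruction_pointer = ip };   /* constructed sample input */
    return run_filter(prog, n, &d) == SECCOMP_RET_ALLOW;
}

/* Stand-alone demo: bound the range to libc's executable mappings and install the filter.
 * The process survives afterwards only because every later syscall goes through libc. */
int main(void)
{
    unsigned long s, e, lo = ~0UL, hi = 0;
    char line[512], perms[8], path[256];
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return 1;
    while (fgets(line, sizeof line, f))
        if (sscanf(line, "%lx-%lx %7s %*s %*s %*s %255s", &s, &e, perms, path) == 4
            && strchr(perms, 'x') && (strstr(path, "/libc.so") || strstr(path, "/libc-"))) {
            if (s < lo) lo = s;
            if (e > hi) hi = e;
        }
    fclose(f);
    if (lo >= hi) return 1;   /* no libc mapping found (static binary?) */
    struct sock_filter prog[12];
    struct sock_fprog fprog = { .len = (unsigned short)build_ip_range_filter(prog, lo, hi), .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) || prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog))
        return 1;
    printf("filter installed for libc text %#lx-%#lx; this write() came from libc\n", lo, hi);
    return 0;
}
```

Two caveats before using this for real: ld.so and the vDSO issue syscalls of their own (for example when loading a library, or when a vDSO fast path falls back to the kernel), so their mappings need to be allowed too; and the instruction pointer is not a security boundary, since an attacker who already controls execution can simply jump to the syscall instruction inside libc. Matching on nr and arch as well is the usual complement.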