authorDaniel Borkmann <dborkman@redhat.com>2013-06-15 16:55:29 +0200
committerDaniel Borkmann <dborkman@redhat.com>2013-06-15 16:55:29 +0200
commitf5c440184fb7c02d420e3c4274e63474c74bbeff (patch)
treebab036547975be780aade1799e523f4fad1a42f9
parentf068acf8817fc41e48c053afc9b32d36c923e18b (diff)
man: bpfc: add example of loadable x86_64 seccomp-BPF filter
Add the example from http://outflux.net/teach-seccomp/, written in bpfc code, to the man page, so that people can also experiment with seccomp BPF, and to demonstrate that bpfc imposes no limits in this respect. In fact, this code is even more efficient than the one given at the example URL above. Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
-rw-r--r--bpfc.818
1 files changed, 18 insertions, 0 deletions
diff --git a/bpfc.8 b/bpfc.8
index a70816b..5c35d0b 100644
--- a/bpfc.8
+++ b/bpfc.8
@@ -264,6 +264,24 @@ words, some small example filter programs:
pass: ret #-1
drop: ret #0
.PP
+.SS A loadable x86_64 seccomp-BPF filter to allow a given set of syscalls:
+.PP
+ ld [4] /* offsetof(struct seccomp_data, arch) */
+ jne #0xc000003e, bad /* AUDIT_ARCH_X86_64 */
+ ld [0] /* offsetof(struct seccomp_data, nr) */
+ jeq #15, good /* __NR_rt_sigreturn */
+ jeq #231, good /* __NR_exit_group */
+ jeq #60, good /* __NR_exit */
+ jeq #0, good /* __NR_read */
+ jeq #1, good /* __NR_write */
+ jeq #5, good /* __NR_fstat */
+ jeq #9, good /* __NR_mmap */
+ jeq #14, good /* __NR_rt_sigprocmask */
+ jeq #13, good /* __NR_rt_sigaction */
+ jeq #35, good /* __NR_nanosleep */
+ bad: ret #0 /* SECCOMP_RET_KILL */
+ good: ret #0x7fff0000 /* SECCOMP_RET_ALLOW */
+.PP
.SS Allow any (hardware accelerated) VLAN:
.PP
ld vlanp