From f5c440184fb7c02d420e3c4274e63474c74bbeff Mon Sep 17 00:00:00 2001
From: Daniel Borkmann
Date: Sat, 15 Jun 2013 16:55:29 +0200
Subject: man: bpfc: add example of loadable x86_64 seccomp-BPF filter

Add the example in bpfc code from http://outflux.net/teach-seccomp/ to the man page, so that people can also experiment with seccomp bpf and to demonstrate that there are no limits on bpfc when it comes to this.

Actually this code is even more efficient than the one given in the example URL above.

Signed-off-by: Daniel Borkmann
---
 bpfc.8 | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/bpfc.8 b/bpfc.8
index a70816b..5c35d0b 100644
--- a/bpfc.8
+++ b/bpfc.8
@@ -264,6 +264,24 @@ words, some small example filter programs:
 pass: ret #-1
 drop: ret #0
 .PP
+.SS A loadable x86_64 seccomp-BPF filter to allow a given set of syscalls:
+.PP
+ ld [4] /* offsetof(struct seccomp_data, arch) */
+ jne #0xc000003e, bad /* AUDIT_ARCH_X86_64 */
+ ld [0] /* offsetof(struct seccomp_data, nr) */
+ jeq #15, good /* __NR_rt_sigreturn */
+ jeq #231, good /* __NR_exit_group */
+ jeq #60, good /* __NR_exit */
+ jeq #0, good /* __NR_read */
+ jeq #1, good /* __NR_write */
+ jeq #5, good /* __NR_fstat */
+ jeq #9, good /* __NR_mmap */
+ jeq #14, good /* __NR_rt_sigprocmask */
+ jeq #13, good /* __NR_rt_sigaction */
+ jeq #35, good /* __NR_nanosleep */
+ bad: ret #0 /* SECCOMP_RET_KILL */
+ good: ret #0x7fff0000 /* SECCOMP_RET_ALLOW */
+.PP
 .SS Allow any (hardware accelerated) VLAN:
 .PP
 ld vlanp
-- 
cgit v1.2.3-54-g00ecf
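Review bot: The new `.SS` section calls the filter "loadable" but never says what loading it requires: `prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)` fails with EACCES unless the process first sets `prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)` or holds CAP_SYS_ADMIN, and readers who paste the bpfc output into a C array will hit exactly that. I would add one sentence after the `.PP` that follows the heading, e.g. `Load it with prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) after prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) (or with CAP_SYS_ADMIN); anything not listed falls through to SECCOMP_RET_KILL.` It is also worth stating next to the `ld [4]` / `jne #0xc000003e, bad` pair that the arch check must stay ahead of the `ld [0]` number compare, because syscall numbers are only meaningful per ABI and a 32-bit `int 0x80` entry from the same x86_64 binary reports AUDIT_ARCH_I386 rather than AUDIT_ARCH_X86_64; the example is correct today, the comment is there so nobody reorders it when extending the list. The allow-list shape with a default of `ret #0` is the right one for an example — a deny-list written the same way would need the same caveat spelled out.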