path: root/seccomp.sh
Diffstat (limited to 'seccomp.sh')
-rwxr-xr-xseccomp.sh23
1 files changed, 18 insertions, 5 deletions
diff --git a/seccomp.sh b/seccomp.sh
index e1224e0..6499c58 100755
--- a/seccomp.sh
+++ b/seccomp.sh
@@ -20,6 +20,15 @@ OUT="$(mktemp)"
[ -z "${ARCH}" ] && ARCH="$(uname -m)"
[ -z "${CC}" ] && CC="cc"
+AUDIT_ARCH="AUDIT_ARCH_$(echo ${ARCH} | tr [a-z] [A-Z] \
+ | sed 's/^ARM.*/ARM/' \
+ | sed 's/I[456]86/I386/' \
+ | sed 's/PPC64/PPC/' \
+ | sed 's/PPCLE/PPC64LE/' \
+ | sed 's/MIPS64EL/MIPSEL64/' \
+ | sed 's/HPPA/PARISC/' \
+ | sed 's/SH4/SH/')"
+
HEADER="/* This file was automatically generated by $(basename ${0}) */
#ifndef AUDIT_ARCH_PPC64LE
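Review bot: The pipeline that builds AUDIT_ARCH leaves `${ARCH}` and the two `tr` operands unquoted, so `[a-z]` and `[A-Z]` are subject to pathname expansion — a single-character file in the working directory (say one named `a`) turns them into filenames and `tr` either errors out or maps nothing, and the script then embeds a wrong or unmapped constant into the generated filter's arch check. The safe form is `AUDIT_ARCH="AUDIT_ARCH_$(printf '%s' "${ARCH}" | tr '[a-z]' '[A-Z]' \` with the rest of the sed chain unchanged. Two behaviours worth a comment on the new lines: a value none of the sed rules maps becomes an undefined `AUDIT_ARCH_*` identifier and fails at compile time rather than silently producing a filter with a wrong check, which is the right direction; and because ARCH defaults to `uname -m` of the generating host, a cross-build that does not set ARCH gets a filter that kills every syscall on the target. Suggested comment: `# Derive the AUDIT_ARCH_* name the filter prefix compares seccomp_data.arch against; unmapped values fail the build, and cross-builds must set ARCH explicitly`.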
@@ -29,11 +38,11 @@ HEADER="/* This file was automatically generated by $(basename ${0}) */
# Prefix for each profile: check that 'arch' in seccomp_data is matching
PRE='
struct sock_filter filter_@PROFILE@[] = {
- /* cppcheck-suppress badBitmaskCheck */
+ /* cppcheck-suppress [badBitmaskCheck, unmatchedSuppression] */
BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
(offsetof(struct seccomp_data, arch))),
- BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, PASST_AUDIT_ARCH, 0, @KILL@),
- /* cppcheck-suppress badBitmaskCheck */
+ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, @AUDIT_ARCH@, 0, @KILL@),
+ /* cppcheck-suppress [badBitmaskCheck, unmatchedSuppression] */
BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
(offsetof(struct seccomp_data, nr))),
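Review bot: The arch prelude in PRE now takes its constant from @AUDIT_ARCH@ but still carries no comment saying why the kill-on-mismatch is mandatory, and that matters for anyone editing the template: syscall numbers are only meaningful for the ABI they were collected for, so the compare at the `@AUDIT_ARCH@` line is what keeps every `nr` comparison below it from being matched against a foreign numbering. Suggested comment above the first BPF_STMT: `/* Kill unless seccomp_data.arch is the ABI the numbers below were generated for; nr comparisons are meaningless across ABIs */`. One caveat to state in the same comment: on x86_64 this check alone does not distinguish the x32 ABI, which reports the same arch value with X32_SYSCALL_BIT set in `nr`; that is harmless as long as the profiles remain exact-number allowlists (those calls fall through to the kill), but it would become a hole if any comparison ever masked or ranged over `nr`. The `filter_@PROFILE@[]` array definition continues past the end of this hunk.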
@@ -233,7 +242,8 @@ gen_profile() {
sub ${__i} CALL "NR:${__nr}" "NAME:${__name}" "ALLOW:${__allow}"
done
- finish PRE "PROFILE:${__profile}" "KILL:$(( __statements + 1))"
+ finish PRE "PROFILE:${__profile}" "KILL:$(( __statements + 1))" \
+ "AUDIT_ARCH:${AUDIT_ARCH}"
}
printf '%s\n' "${HEADER}" > "${OUT}"
@@ -242,7 +252,10 @@ for __p in ${__profiles}; do
__calls="$(sed -n 's/[\t ]*\*[\t ]*#syscalls\(:'"${__p}"'\|\)[\t ]\{1,\}\(.*\)/\2/p' ${IN})"
__calls="${__calls} ${EXTRA_SYSCALLS:-}"
__calls="$(filter ${__calls})"
- echo "seccomp profile ${__p} allows: ${__calls}" | tr '\n' ' ' | fmt -t
+
+ cols="$(stty -a | sed -n 's/.*columns \([0-9]*\).*/\1/p' || :)" 2>/dev/null
+ case $cols in [0-9]*) col_args="-w ${cols}";; *) col_args="";; esac
+ echo "seccomp profile ${__p} allows: ${__calls}" | tr '\n' ' ' | fmt -t ${col_args}
# Pad here to keep gen_profile() "simple"
__count=0