From 06b0f6d323c396ca1df000af96fdd07cc69b06e0 Mon Sep 17 00:00:00 2001 From: Alice Frosi Date: Thu, 23 Mar 2023 17:06:00 +0100 Subject: filter: add logging mode The logging mode creates a BPF filter where all the syscalls trigger a notification to the seccomp notifier. --- filter.c | 21 +++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) (limited to 'filter.c') diff --git a/filter.c b/filter.c index f8b782d..dbda7ca 100644 --- a/filter.c +++ b/filter.c @@ -174,6 +174,20 @@ static unsigned int get_total_args(const struct syscall_entry table[], return n; } +unsigned int create_bpf_program_log(struct sock_filter filter[]) +{ + filter[0] = (struct sock_filter)BPF_STMT( + BPF_LD | BPF_W | BPF_ABS, + (offsetof(struct seccomp_data, arch))); + filter[1] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, + SEITAN_AUDIT_ARCH, 0, 1); + filter[2] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, + SECCOMP_RET_USER_NOTIF); + filter[3] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, + SECCOMP_RET_ALLOW); + return 4; +} + unsigned int create_bfp_program(struct syscall_entry table[], struct sock_filter filter[], unsigned int n_syscall) @@ -258,7 +272,7 @@ static int compare_names(const void *a, const void *b) ((struct syscall_numbers *)b)->name); } -int convert_bpf(char *file, struct bpf_call *entries, int n) +int convert_bpf(char *file, struct bpf_call *entries, int n, bool log) { int nt, fd, fsize; struct syscall_entry table[N_SYSCALL]; @@ -270,7 +284,10 @@ int convert_bpf(char *file, struct bpf_call *entries, int n) qsort(entries, n, sizeof(struct bpf_call), compare_bpf_call_names); nt = construct_table(entries, n, table); - fsize = create_bfp_program(table, filter, nt); + if (log) + fsize = create_bpf_program_log(filter); + else + fsize = create_bfp_program(table, filter, nt); fd = open(file, O_WRONLY | O_CREAT | O_TRUNC | O_CLOEXEC, S_IRUSR | S_IWUSR); -- cgit v1.2.3