Split zygote's seccomp filter into two
To pave the way to reducing apps' kernel attack surface, this change
splits the single filter into one for the system and one for apps. Note that
there is currently no difference between them.
Zygote will apply these filters appropriately to the system server and to apps.
Keep set_seccomp_filter() for now until the caller has switched to the
new API, which I will do immediately after this, before the two filters
diverge.
Also remove get_seccomp_filter() since it doesn't seem to be used
anyway.
Test: diff the generated code, no difference except the variable names
Test: cts -m CtsSecurityTestCases -t android.security.cts.SeccompTest
Bug: 63944145
Change-Id: Id8ba05a87332c92ec697926af77bc5742eb04b23
diff --git a/libc/seccomp/Android.bp b/libc/seccomp/Android.bp
index b3707bc..bb91849 100644
--- a/libc/seccomp/Android.bp
+++ b/libc/seccomp/Android.bp
@@ -2,18 +2,24 @@
name: "libseccomp_policy",
srcs: [
"seccomp_policy.cpp",
- "arm_policy.cpp",
+ "arm_app_policy.cpp",
"arm_global_policy.cpp",
- "arm64_policy.cpp",
+ "arm_system_policy.cpp",
+ "arm64_app_policy.cpp",
"arm64_global_policy.cpp",
- "x86_policy.cpp",
+ "arm64_system_policy.cpp",
+ "x86_app_policy.cpp",
"x86_global_policy.cpp",
- "x86_64_policy.cpp",
+ "x86_system_policy.cpp",
+ "x86_64_app_policy.cpp",
"x86_64_global_policy.cpp",
- "mips_policy.cpp",
+ "x86_64_system_policy.cpp",
+ "mips_app_policy.cpp",
"mips_global_policy.cpp",
- "mips64_policy.cpp",
+ "mips_system_policy.cpp",
+ "mips64_app_policy.cpp",
"mips64_global_policy.cpp",
+ "mips64_system_policy.cpp",
],
export_include_dirs: ["include"],
cflags: ["-Wall", "-Werror"],
diff --git a/libc/seccomp/arm64_policy.cpp b/libc/seccomp/arm64_app_policy.cpp
similarity index 96%
copy from libc/seccomp/arm64_policy.cpp
copy to libc/seccomp/arm64_app_policy.cpp
index c52c737..12722e1 100644
--- a/libc/seccomp/arm64_policy.cpp
+++ b/libc/seccomp/arm64_app_policy.cpp
@@ -4,7 +4,7 @@
#include <errno.h>
#include "seccomp_bpfs.h"
-const sock_filter arm64_filter[] = {
+const sock_filter arm64_app_filter[] = {
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 0, 0, 32),
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 220, 15, 0),
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 101, 7, 0),
@@ -40,4 +40,4 @@
BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
};
-const size_t arm64_filter_size = sizeof(arm64_filter) / sizeof(struct sock_filter);
+const size_t arm64_app_filter_size = sizeof(arm64_app_filter) / sizeof(struct sock_filter);
diff --git a/libc/seccomp/arm64_policy.cpp b/libc/seccomp/arm64_system_policy.cpp
similarity index 96%
rename from libc/seccomp/arm64_policy.cpp
rename to libc/seccomp/arm64_system_policy.cpp
index c52c737..a8d7193 100644
--- a/libc/seccomp/arm64_policy.cpp
+++ b/libc/seccomp/arm64_system_policy.cpp
@@ -4,7 +4,7 @@
#include <errno.h>
#include "seccomp_bpfs.h"
-const sock_filter arm64_filter[] = {
+const sock_filter arm64_system_filter[] = {
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 0, 0, 32),
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 220, 15, 0),
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 101, 7, 0),
@@ -40,4 +40,4 @@
BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
};
-const size_t arm64_filter_size = sizeof(arm64_filter) / sizeof(struct sock_filter);
+const size_t arm64_system_filter_size = sizeof(arm64_system_filter) / sizeof(struct sock_filter);
diff --git a/libc/seccomp/arm_policy.cpp b/libc/seccomp/arm_app_policy.cpp
similarity index 98%
rename from libc/seccomp/arm_policy.cpp
rename to libc/seccomp/arm_app_policy.cpp
index 2bc168a..d0fd6ca 100644
--- a/libc/seccomp/arm_policy.cpp
+++ b/libc/seccomp/arm_app_policy.cpp
@@ -4,7 +4,7 @@
#include <errno.h>
#include "seccomp_bpfs.h"
-const sock_filter arm_filter[] = {
+const sock_filter arm_app_filter[] = {
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 0, 0, 126),
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 150, 63, 0),
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 74, 31, 0),
@@ -134,4 +134,4 @@
BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
};
-const size_t arm_filter_size = sizeof(arm_filter) / sizeof(struct sock_filter);
+const size_t arm_app_filter_size = sizeof(arm_app_filter) / sizeof(struct sock_filter);
diff --git a/libc/seccomp/arm_policy.cpp b/libc/seccomp/arm_system_policy.cpp
similarity index 98%
copy from libc/seccomp/arm_policy.cpp
copy to libc/seccomp/arm_system_policy.cpp
index 2bc168a..de67038 100644
--- a/libc/seccomp/arm_policy.cpp
+++ b/libc/seccomp/arm_system_policy.cpp
@@ -4,7 +4,7 @@
#include <errno.h>
#include "seccomp_bpfs.h"
-const sock_filter arm_filter[] = {
+const sock_filter arm_system_filter[] = {
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 0, 0, 126),
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 150, 63, 0),
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 74, 31, 0),
@@ -134,4 +134,4 @@
BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
};
-const size_t arm_filter_size = sizeof(arm_filter) / sizeof(struct sock_filter);
+const size_t arm_system_filter_size = sizeof(arm_system_filter) / sizeof(struct sock_filter);
diff --git a/libc/seccomp/include/seccomp_policy.h b/libc/seccomp/include/seccomp_policy.h
index e337dec..ed1901b 100644
--- a/libc/seccomp/include/seccomp_policy.h
+++ b/libc/seccomp/include/seccomp_policy.h
@@ -20,8 +20,11 @@
#include <stddef.h>
#include <linux/filter.h>
+// TODO(victorhsieh): remove once the callers are switched to the new API.
bool set_seccomp_filter();
+
+bool set_app_seccomp_filter();
+bool set_system_seccomp_filter();
bool set_global_seccomp_filter();
-void get_seccomp_filter(const sock_filter*& filter, size_t& filter_size);
#endif
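Review bot: The TODO on the legacy set_seccomp_filter() declaration should state which of the two new filters it installs, because the implementation now routes it to FilterType::APP, and once the app and system filters diverge any caller still on the old entry point — the system server in particular — would silently be confined by the app policy. Suggest `// TODO(victorhsieh): remove once the callers are switched to the new API. Currently installs the app filter.` and the same one-line note on the legacy wrapper in seccomp_policy.cpp. The two new declarations also carry no comment on what a false return means; a shared `// Each returns false if the filter could not be installed.` above the three setters would make the contract visible at the header.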
diff --git a/libc/seccomp/mips64_policy.cpp b/libc/seccomp/mips64_app_policy.cpp
similarity index 97%
copy from libc/seccomp/mips64_policy.cpp
copy to libc/seccomp/mips64_app_policy.cpp
index 26967ce..27bb0fa 100644
--- a/libc/seccomp/mips64_policy.cpp
+++ b/libc/seccomp/mips64_app_policy.cpp
@@ -4,7 +4,7 @@
#include <errno.h>
#include "seccomp_bpfs.h"
-const sock_filter mips64_filter[] = {
+const sock_filter mips64_app_filter[] = {
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 5000, 0, 84),
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 5164, 41, 0),
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 5077, 21, 0),
@@ -92,4 +92,4 @@
BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
};
-const size_t mips64_filter_size = sizeof(mips64_filter) / sizeof(struct sock_filter);
+const size_t mips64_app_filter_size = sizeof(mips64_app_filter) / sizeof(struct sock_filter);
diff --git a/libc/seccomp/mips64_policy.cpp b/libc/seccomp/mips64_system_policy.cpp
similarity index 97%
rename from libc/seccomp/mips64_policy.cpp
rename to libc/seccomp/mips64_system_policy.cpp
index 26967ce..8f34d41 100644
--- a/libc/seccomp/mips64_policy.cpp
+++ b/libc/seccomp/mips64_system_policy.cpp
@@ -4,7 +4,7 @@
#include <errno.h>
#include "seccomp_bpfs.h"
-const sock_filter mips64_filter[] = {
+const sock_filter mips64_system_filter[] = {
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 5000, 0, 84),
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 5164, 41, 0),
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 5077, 21, 0),
@@ -92,4 +92,4 @@
BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
};
-const size_t mips64_filter_size = sizeof(mips64_filter) / sizeof(struct sock_filter);
+const size_t mips64_system_filter_size = sizeof(mips64_system_filter) / sizeof(struct sock_filter);
diff --git a/libc/seccomp/mips_policy.cpp b/libc/seccomp/mips_app_policy.cpp
similarity index 98%
copy from libc/seccomp/mips_policy.cpp
copy to libc/seccomp/mips_app_policy.cpp
index 7485b90..abda7eb 100644
--- a/libc/seccomp/mips_policy.cpp
+++ b/libc/seccomp/mips_app_policy.cpp
@@ -4,7 +4,7 @@
#include <errno.h>
#include "seccomp_bpfs.h"
-const sock_filter mips_filter[] = {
+const sock_filter mips_app_filter[] = {
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 4001, 0, 110),
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 4131, 55, 0),
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 4063, 27, 0),
@@ -118,4 +118,4 @@
BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
};
-const size_t mips_filter_size = sizeof(mips_filter) / sizeof(struct sock_filter);
+const size_t mips_app_filter_size = sizeof(mips_app_filter) / sizeof(struct sock_filter);
diff --git a/libc/seccomp/mips_policy.cpp b/libc/seccomp/mips_system_policy.cpp
similarity index 98%
rename from libc/seccomp/mips_policy.cpp
rename to libc/seccomp/mips_system_policy.cpp
index 7485b90..7b9da60 100644
--- a/libc/seccomp/mips_policy.cpp
+++ b/libc/seccomp/mips_system_policy.cpp
@@ -4,7 +4,7 @@
#include <errno.h>
#include "seccomp_bpfs.h"
-const sock_filter mips_filter[] = {
+const sock_filter mips_system_filter[] = {
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 4001, 0, 110),
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 4131, 55, 0),
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 4063, 27, 0),
@@ -118,4 +118,4 @@
BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
};
-const size_t mips_filter_size = sizeof(mips_filter) / sizeof(struct sock_filter);
+const size_t mips_system_filter_size = sizeof(mips_system_filter) / sizeof(struct sock_filter);
diff --git a/libc/seccomp/seccomp_bpfs.h b/libc/seccomp/seccomp_bpfs.h
index a8f47ca..8728c36 100644
--- a/libc/seccomp/seccomp_bpfs.h
+++ b/libc/seccomp/seccomp_bpfs.h
@@ -20,28 +20,45 @@
#include <stddef.h>
#include <linux/seccomp.h>
-extern const struct sock_filter arm_filter[];
-extern const size_t arm_filter_size;
+extern const struct sock_filter arm_app_filter[];
+extern const size_t arm_app_filter_size;
+extern const struct sock_filter arm_system_filter[];
+extern const size_t arm_system_filter_size;
extern const struct sock_filter arm_global_filter[];
extern const size_t arm_global_filter_size;
-extern const struct sock_filter arm64_filter[];
-extern const size_t arm64_filter_size;
+
+extern const struct sock_filter arm64_app_filter[];
+extern const size_t arm64_app_filter_size;
+extern const struct sock_filter arm64_system_filter[];
+extern const size_t arm64_system_filter_size;
extern const struct sock_filter arm64_global_filter[];
extern const size_t arm64_global_filter_size;
-extern const struct sock_filter x86_filter[];
-extern const size_t x86_filter_size;
+
+extern const struct sock_filter x86_app_filter[];
+extern const size_t x86_app_filter_size;
+extern const struct sock_filter x86_system_filter[];
+extern const size_t x86_system_filter_size;
extern const struct sock_filter x86_global_filter[];
extern const size_t x86_global_filter_size;
-extern const struct sock_filter x86_64_filter[];
-extern const size_t x86_64_filter_size;
+
+extern const struct sock_filter x86_64_app_filter[];
+extern const size_t x86_64_app_filter_size;
+extern const struct sock_filter x86_64_system_filter[];
+extern const size_t x86_64_system_filter_size;
extern const struct sock_filter x86_64_global_filter[];
extern const size_t x86_64_global_filter_size;
-extern const struct sock_filter mips_filter[];
-extern const size_t mips_filter_size;
+
+extern const struct sock_filter mips_app_filter[];
+extern const size_t mips_app_filter_size;
+extern const struct sock_filter mips_system_filter[];
+extern const size_t mips_system_filter_size;
extern const struct sock_filter mips_global_filter[];
extern const size_t mips_global_filter_size;
-extern const struct sock_filter mips64_filter[];
-extern const size_t mips64_filter_size;
+
+extern const struct sock_filter mips64_app_filter[];
+extern const size_t mips64_app_filter_size;
+extern const struct sock_filter mips64_system_filter[];
+extern const size_t mips64_system_filter_size;
extern const struct sock_filter mips64_global_filter[];
extern const size_t mips64_global_filter_size;
diff --git a/libc/seccomp/seccomp_policy.cpp b/libc/seccomp/seccomp_policy.cpp
index 19ef299..99a821f 100644
--- a/libc/seccomp/seccomp_policy.cpp
+++ b/libc/seccomp/seccomp_policy.cpp
@@ -32,13 +32,17 @@
#define DUAL_ARCH
#define PRIMARY_ARCH AUDIT_ARCH_AARCH64
-static const struct sock_filter* primary_filter = arm64_filter;
-static const size_t primary_filter_size = arm64_filter_size;
+static const struct sock_filter* primary_app_filter = arm64_app_filter;
+static const size_t primary_app_filter_size = arm64_app_filter_size;
+static const struct sock_filter* primary_system_filter = arm64_system_filter;
+static const size_t primary_system_filter_size = arm64_system_filter_size;
static const struct sock_filter* primary_global_filter = arm64_global_filter;
static const size_t primary_global_filter_size = arm64_global_filter_size;
#define SECONDARY_ARCH AUDIT_ARCH_ARM
-static const struct sock_filter* secondary_filter = arm_filter;
-static const size_t secondary_filter_size = arm_filter_size;
+static const struct sock_filter* secondary_app_filter = arm_app_filter;
+static const size_t secondary_app_filter_size = arm_app_filter_size;
+static const struct sock_filter* secondary_system_filter = arm_system_filter;
+static const size_t secondary_system_filter_size = arm_system_filter_size;
static const struct sock_filter* secondary_global_filter = arm_global_filter;
static const size_t secondary_global_filter_size = arm_global_filter_size;
@@ -46,13 +50,17 @@
#define DUAL_ARCH
#define PRIMARY_ARCH AUDIT_ARCH_X86_64
-static const struct sock_filter* primary_filter = x86_64_filter;
-static const size_t primary_filter_size = x86_64_filter_size;
+static const struct sock_filter* primary_app_filter = x86_64_app_filter;
+static const size_t primary_app_filter_size = x86_64_app_filter_size;
+static const struct sock_filter* primary_system_filter = x86_64_system_filter;
+static const size_t primary_system_filter_size = x86_64_system_filter_size;
static const struct sock_filter* primary_global_filter = x86_64_global_filter;
static const size_t primary_global_filter_size = x86_64_global_filter_size;
#define SECONDARY_ARCH AUDIT_ARCH_I386
-static const struct sock_filter* secondary_filter = x86_filter;
-static const size_t secondary_filter_size = x86_filter_size;
+static const struct sock_filter* secondary_app_filter = x86_app_filter;
+static const size_t secondary_app_filter_size = x86_app_filter_size;
+static const struct sock_filter* secondary_system_filter = x86_system_filter;
+static const size_t secondary_system_filter_size = x86_system_filter_size;
static const struct sock_filter* secondary_global_filter = x86_global_filter;
static const size_t secondary_global_filter_size = x86_global_filter_size;
@@ -60,13 +68,17 @@
#define DUAL_ARCH
#define PRIMARY_ARCH AUDIT_ARCH_MIPSEL64
-static const struct sock_filter* primary_filter = mips64_filter;
-static const size_t primary_filter_size = mips64_filter_size;
+static const struct sock_filter* primary_app_filter = mips64_app_filter;
+static const size_t primary_app_filter_size = mips64_app_filter_size;
+static const struct sock_filter* primary_system_filter = mips64_system_filter;
+static const size_t primary_system_filter_size = mips64_system_filter_size;
static const struct sock_filter* primary_global_filter = mips64_global_filter;
static const size_t primary_global_filter_size = mips64_global_filter_size;
#define SECONDARY_ARCH AUDIT_ARCH_MIPSEL
-static const struct sock_filter* secondary_filter = mips_filter;
-static const size_t secondary_filter_size = mips_filter_size;
+static const struct sock_filter* secondary_app_filter = mips_app_filter;
+static const size_t secondary_app_filter_size = mips_app_filter_size;
+static const struct sock_filter* secondary_system_filter = mips_system_filter;
+static const size_t secondary_system_filter_size = mips_system_filter_size;
static const struct sock_filter* secondary_global_filter = mips_global_filter;
static const size_t secondary_global_filter_size = mips_global_filter_size;
@@ -122,30 +134,48 @@
const_cast<struct sock_filter*>(&f[0]),
};
+ if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1) {
+ PLOG(FATAL) << "Could not set to no new privs";
+ return false;
+ }
if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) < 0) {
PLOG(FATAL) << "Could not set seccomp filter of size " << f.size();
return false;
}
-
- LOG(INFO) << "Global filter of size " << f.size() << " installed";
return true;
}
-bool _set_seccomp_filter(bool global) {
+enum FilterType {
+ APP,
+ SYSTEM,
+ GLOBAL
+};
+
+bool _set_seccomp_filter(FilterType type) {
const sock_filter *p, *s;
size_t p_size, s_size;
filter f;
- if (global) {
+ switch (type) {
+ case APP:
+ p = primary_app_filter;
+ p_size = primary_app_filter_size;
+ s = secondary_app_filter;
+ s_size = secondary_app_filter_size;
+ break;
+ case SYSTEM:
+ p = primary_system_filter;
+ p_size = primary_system_filter_size;
+ s = secondary_system_filter;
+ s_size = secondary_system_filter_size;
+ break;
+ case GLOBAL:
p = primary_global_filter;
p_size = primary_global_filter_size;
s = secondary_global_filter;
s_size = secondary_global_filter_size;
- } else {
- p = primary_filter;
- p_size = primary_filter_size;
- s = secondary_filter;
- s_size = secondary_filter_size;
+ break;
+
}
#ifdef DUAL_ARCH
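Review bot: The new switch in _set_seccomp_filter() has no default label, so for a FilterType value outside APP/SYSTEM/GLOBAL the locals p, p_size, s and s_size remain uninitialized and are consumed by the code that follows the hunk; the stray blank line after the GLOBAL break also looks like a leftover. Add `default: LOG(FATAL) << "Unknown seccomp filter type"; return false;` as the last label (with -Wall -Werror in Android.bp the compiler may otherwise flag a maybe-uninitialized use, though that depends on the toolchain). Separately, the added `prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)` is a behavioral change in the install helper that the commit message — which describes the change as rename-only — does not mention; it deserves a line in the description and a why-comment such as `// Seccomp filter mode requires no_new_privs (or CAP_SYS_ADMIN); the bit is sticky for this process and its children.` Note that the install helper begins above this hunk and _set_seccomp_filter() continues past the trailing #ifdef DUAL_ARCH, so the uses of p/s that the missing default affects are not visible here.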
@@ -181,19 +211,17 @@
}
bool set_seccomp_filter() {
- return _set_seccomp_filter(false);
+ return _set_seccomp_filter(FilterType::APP);
+}
+
+bool set_app_seccomp_filter() {
+ return _set_seccomp_filter(FilterType::APP);
+}
+
+bool set_system_seccomp_filter() {
+ return _set_seccomp_filter(FilterType::SYSTEM);
}
bool set_global_seccomp_filter() {
- return _set_seccomp_filter(true);
-}
-
-void get_seccomp_filter(const sock_filter*& filter, size_t& filter_size) {
-#if defined __aarch64__ || defined __x86_64__ || defined __mips64__
- filter = primary_filter;
- filter_size = primary_filter_size;
-#else
- filter = secondary_filter;
- filter_size = secondary_filter_size;
-#endif
+ return _set_seccomp_filter(FilterType::GLOBAL);
}
diff --git a/libc/seccomp/x86_64_policy.cpp b/libc/seccomp/x86_64_app_policy.cpp
similarity index 97%
rename from libc/seccomp/x86_64_policy.cpp
rename to libc/seccomp/x86_64_app_policy.cpp
index 025e24f..171b959 100644
--- a/libc/seccomp/x86_64_policy.cpp
+++ b/libc/seccomp/x86_64_app_policy.cpp
@@ -4,7 +4,7 @@
#include <errno.h>
#include "seccomp_bpfs.h"
-const sock_filter x86_64_filter[] = {
+const sock_filter x86_64_app_filter[] = {
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 0, 0, 88),
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 175, 43, 0),
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 79, 21, 0),
@@ -96,4 +96,4 @@
BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
};
-const size_t x86_64_filter_size = sizeof(x86_64_filter) / sizeof(struct sock_filter);
+const size_t x86_64_app_filter_size = sizeof(x86_64_app_filter) / sizeof(struct sock_filter);
diff --git a/libc/seccomp/x86_64_policy.cpp b/libc/seccomp/x86_64_system_policy.cpp
similarity index 97%
copy from libc/seccomp/x86_64_policy.cpp
copy to libc/seccomp/x86_64_system_policy.cpp
index 025e24f..f2b2601 100644
--- a/libc/seccomp/x86_64_policy.cpp
+++ b/libc/seccomp/x86_64_system_policy.cpp
@@ -4,7 +4,7 @@
#include <errno.h>
#include "seccomp_bpfs.h"
-const sock_filter x86_64_filter[] = {
+const sock_filter x86_64_system_filter[] = {
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 0, 0, 88),
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 175, 43, 0),
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 79, 21, 0),
@@ -96,4 +96,4 @@
BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
};
-const size_t x86_64_filter_size = sizeof(x86_64_filter) / sizeof(struct sock_filter);
+const size_t x86_64_system_filter_size = sizeof(x86_64_system_filter) / sizeof(struct sock_filter);
diff --git a/libc/seccomp/x86_policy.cpp b/libc/seccomp/x86_app_policy.cpp
similarity index 98%
rename from libc/seccomp/x86_policy.cpp
rename to libc/seccomp/x86_app_policy.cpp
index 494a42a..2db2368 100644
--- a/libc/seccomp/x86_policy.cpp
+++ b/libc/seccomp/x86_app_policy.cpp
@@ -4,7 +4,7 @@
#include <errno.h>
#include "seccomp_bpfs.h"
-const sock_filter x86_filter[] = {
+const sock_filter x86_app_filter[] = {
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 0, 0, 116),
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 131, 57, 0),
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 66, 29, 0),
@@ -124,4 +124,4 @@
BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
};
-const size_t x86_filter_size = sizeof(x86_filter) / sizeof(struct sock_filter);
+const size_t x86_app_filter_size = sizeof(x86_app_filter) / sizeof(struct sock_filter);
diff --git a/libc/seccomp/x86_policy.cpp b/libc/seccomp/x86_system_policy.cpp
similarity index 98%
copy from libc/seccomp/x86_policy.cpp
copy to libc/seccomp/x86_system_policy.cpp
index 494a42a..b45e609 100644
--- a/libc/seccomp/x86_policy.cpp
+++ b/libc/seccomp/x86_system_policy.cpp
@@ -4,7 +4,7 @@
#include <errno.h>
#include "seccomp_bpfs.h"
-const sock_filter x86_filter[] = {
+const sock_filter x86_system_filter[] = {
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 0, 0, 116),
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 131, 57, 0),
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 66, 29, 0),
@@ -124,4 +124,4 @@
BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
};
-const size_t x86_filter_size = sizeof(x86_filter) / sizeof(struct sock_filter);
+const size_t x86_system_filter_size = sizeof(x86_system_filter) / sizeof(struct sock_filter);