Fix problem that we don't block syscalls below min value
The check that we are not below the lowest permitted syscall was
off by one, so we always allowed them, rather than always denying
them
Test: Check arm64 boots, chrome and maps work
mips and mips64 emulators boot
Note that arm, x86 and x86_64 already allow syscall 0 so there
will be no functional change there
Change-Id: I85873f1d04124e634e648bd47c027f280f1d6dbd
diff --git a/libc/seccomp/arm64_policy.cpp b/libc/seccomp/arm64_policy.cpp
index 0bf85a3..5eee365 100644
--- a/libc/seccomp/arm64_policy.cpp
+++ b/libc/seccomp/arm64_policy.cpp
@@ -5,7 +5,7 @@
#include "seccomp_bpfs.h"
const sock_filter arm64_filter[] = {
-BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 5, 0, 25),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 5, 0, 26),
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 203, 13, 0),
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 101, 7, 0),
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 43, 3, 0),
diff --git a/libc/seccomp/arm_policy.cpp b/libc/seccomp/arm_policy.cpp
index 73fdda4..94b1545 100644
--- a/libc/seccomp/arm_policy.cpp
+++ b/libc/seccomp/arm_policy.cpp
@@ -5,7 +5,7 @@
#include "seccomp_bpfs.h"
const sock_filter arm_filter[] = {
-BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 0, 0, 123),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 0, 0, 124),
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 143, 61, 0),
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 74, 31, 0),
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 41, 15, 0),
diff --git a/libc/seccomp/mips64_policy.cpp b/libc/seccomp/mips64_policy.cpp
index 9439922..92f175a 100644
--- a/libc/seccomp/mips64_policy.cpp
+++ b/libc/seccomp/mips64_policy.cpp
@@ -5,7 +5,7 @@
#include "seccomp_bpfs.h"
const sock_filter mips64_filter[] = {
-BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 5000, 0, 77),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 5000, 0, 78),
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 5168, 39, 0),
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 5077, 19, 0),
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 5034, 9, 0),
diff --git a/libc/seccomp/mips_policy.cpp b/libc/seccomp/mips_policy.cpp
index 3ded9f7..279017e 100644
--- a/libc/seccomp/mips_policy.cpp
+++ b/libc/seccomp/mips_policy.cpp
@@ -5,7 +5,7 @@
#include "seccomp_bpfs.h"
const sock_filter mips_filter[] = {
-BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 4001, 0, 107),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 4001, 0, 108),
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 4131, 53, 0),
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 4064, 27, 0),
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 4036, 13, 0),
diff --git a/libc/seccomp/x86_64_policy.cpp b/libc/seccomp/x86_64_policy.cpp
index e1f0aa3..69756c6 100644
--- a/libc/seccomp/x86_64_policy.cpp
+++ b/libc/seccomp/x86_64_policy.cpp
@@ -5,7 +5,7 @@
#include "seccomp_bpfs.h"
const sock_filter x86_64_filter[] = {
-BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 0, 0, 79),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 0, 0, 80),
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 157, 39, 0),
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 72, 19, 0),
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 32, 9, 0),
diff --git a/libc/seccomp/x86_policy.cpp b/libc/seccomp/x86_policy.cpp
index 77fe208..ca02aa6 100644
--- a/libc/seccomp/x86_policy.cpp
+++ b/libc/seccomp/x86_policy.cpp
@@ -5,7 +5,7 @@
#include "seccomp_bpfs.h"
const sock_filter x86_filter[] = {
-BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 0, 0, 109),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 0, 0, 110),
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 131, 55, 0),
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 64, 27, 0),
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 36, 13, 0),
diff --git a/libc/tools/genseccomp.py b/libc/tools/genseccomp.py
index d9e0819..a8e551e 100755
--- a/libc/tools/genseccomp.py
+++ b/libc/tools/genseccomp.py
@@ -149,13 +149,14 @@
bpf[i] = statement.format(fail=str(len(bpf) - i),
allow=str(len(bpf) - i - 1))
- # Add check that we aren't off the bottom of the syscalls
- bpf.insert(0, BPF_JGE.format(ranges[0].begin, 0, str(len(bpf))) + ',')
# Add the allow calls at the end. If the syscall is not matched, we will
# continue. This allows the user to choose to match further syscalls, and
# also to choose the action when we want to block
bpf.append(BPF_ALLOW + ",")
+
+ # Add check that we aren't off the bottom of the syscalls
+ bpf.insert(0, BPF_JGE.format(ranges[0].begin, 0, str(len(bpf))) + ',')
return bpf
diff --git a/libc/tools/test_genseccomp.py b/libc/tools/test_genseccomp.py
index 19672a1..73f768d 100755
--- a/libc/tools/test_genseccomp.py
+++ b/libc/tools/test_genseccomp.py
@@ -113,13 +113,13 @@
def test_convert_ranges_to_bpf(self):
ranges = genseccomp.convert_NRs_to_ranges([("b", 2), ("a", 1)])
bpf = genseccomp.convert_ranges_to_bpf(ranges)
- self.assertEquals(bpf, ['BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 1, 0, 1),',
+ self.assertEquals(bpf, ['BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 1, 0, 2),',
'BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 3, 1, 0), //a|b',
'BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),'])
ranges = genseccomp.convert_NRs_to_ranges([("b", 3), ("a", 1)])
bpf = genseccomp.convert_ranges_to_bpf(ranges)
- self.assertEquals(bpf, ['BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 1, 0, 3),',
+ self.assertEquals(bpf, ['BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 1, 0, 4),',
'BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 3, 1, 0),',
'BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 2, 2, 1), //a',
'BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 4, 1, 0), //b',
@@ -165,7 +165,7 @@
#include "seccomp_bpfs.h"
const sock_filter arm_filter[] = {
- BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 3, 0, 3),
+ BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 3, 0, 4),
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 140, 1, 0),
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 4, 2, 1), //read
BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 141, 1, 0), //_llseek