Fix problem that we don't block syscalls below min value The check that we are not below the lowest permitted syscall was off by one, so we always allowed them, rather than always denying them Test: Check arm64 boots, chrome and maps work mips and mips64 emulators boot Note that arm, x86 and x86_64 already allow syscall 0 so there will be no functional change there Change-Id: I85873f1d04124e634e648bd47c027f280f1d6dbd

commit: 65b47c9fe08e183987a9857e3e3b5d66a63d6936 [log] [tgz]
author: Paul Lawrence <paullawrence@google.com> Wed Mar 22 08:03:51 2017 -0700
committer: Paul Lawrence <paullawrence@google.com> Wed Mar 22 09:48:17 2017 -0700
tree: 8ed7de86ab77f320aa2ead741e56a4c02b405e53
parent: 8ebfc0d3a3285a595cd44d477ebe76fdaa39afcf [diff] [blame]
diff --git a/libc/tools/genseccomp.py b/libc/tools/genseccomp.py
index d9e0819..a8e551e 100755
--- a/libc/tools/genseccomp.py
+++ b/libc/tools/genseccomp.py

@@ -149,13 +149,14 @@
       bpf[i] = statement.format(fail=str(len(bpf) - i),
                                 allow=str(len(bpf) - i - 1))
 
-  # Add check that we aren't off the bottom of the syscalls
-  bpf.insert(0, BPF_JGE.format(ranges[0].begin, 0, str(len(bpf))) + ',')
 
   # Add the allow calls at the end. If the syscall is not matched, we will
   # continue. This allows the user to choose to match further syscalls, and
   # also to choose the action when we want to block
   bpf.append(BPF_ALLOW + ",")
+
+  # Add check that we aren't off the bottom of the syscalls
+  bpf.insert(0, BPF_JGE.format(ranges[0].begin, 0, str(len(bpf))) + ',')
   return bpf
commit	65b47c9fe08e183987a9857e3e3b5d66a63d6936	[log] [tgz]
author	Paul Lawrence <paullawrence@google.com>	Wed Mar 22 08:03:51 2017 -0700
committer	Paul Lawrence <paullawrence@google.com>	Wed Mar 22 09:48:17 2017 -0700
tree	8ed7de86ab77f320aa2ead741e56a4c02b405e53
parent	8ebfc0d3a3285a595cd44d477ebe76fdaa39afcf [diff] [blame]