Create seccomp policy without TRAP for further processing
Bug: 34946764
Test: Make sure boots, seccomp still blocks, and is faster
Change-Id: Ib4abf4307ae545ee69a3fb9328f62c760a1b40f7
diff --git a/libc/tools/genseccomp.py b/libc/tools/genseccomp.py
index bd003a3..fa6e7e3 100755
--- a/libc/tools/genseccomp.py
+++ b/libc/tools/genseccomp.py
@@ -117,16 +117,17 @@
# len(bpf) - i - 1, which is where we will put the kill statement, and
# then the statement after that is the allow statement
if "{fail}" in statement and "{allow}" in statement:
- bpf[i] = statement.format(fail=str(len(bpf) - i - 1),
- allow=str(len(bpf) - i))
+ bpf[i] = statement.format(fail=str(len(bpf) - i),
+ allow=str(len(bpf) - i - 1))
# Add check that we aren't off the bottom of the syscalls
bpf.insert(0,
"BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, " + str(ranges[0].begin) +
", 0, " + str(len(bpf)) + "),")
- # Add the error and allow calls at the end
- bpf.append("BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRAP),")
+ # Add the allow calls at the end. If the syscall is not matched, we will
+ # continue. This allows the user to choose to match further syscalls, and
+ # also to choose the action when we want to block
bpf.append("BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),")
# And output policy
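Review bot: The context comment above the changed `bpf[i] = statement.format(...)` lines is now stale: after the swap, `len(bpf) - i - 1` is the index of the trailing SECCOMP_RET_ALLOW and `len(bpf) - i` is the slot one past the last emitted statement, so "which is where we will put the kill statement" no longer describes what the code does. Suggest rewriting those two lines as `# len(bpf) - i - 1, which is where the allow statement goes, and` / `# len(bpf) - i, which falls through past the end of this fragment`. The new comment before the final append should also spell out the contract the change introduces: every unmatched path, including the below-range BPF_JGE check inserted at index 0 (whose jf is computed before the appends), now jumps past the end, so the emitted program is a fragment and whoever embeds it must append a terminating return; as far as I recall the classic-BPF load-time checker rejects a filter with an out-of-range jump or no final RET, and the default-deny action that used to be SECCOMP_RET_TRAP here now lives entirely on the consumer's side. The enclosing function starts before this hunk.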