Lines Matching refs:f
// Appends a terminal "return SECCOMP_RET_ALLOW" instruction: a syscall whose
// evaluation reaches this instruction is let through by this filter.
103 inline void Allow(filter& f) { in Allow() argument
104 f.push_back(BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW)); in Allow()
// Appends a terminal "return SECCOMP_RET_TRAP" instruction. With
// SECCOMP_RET_TRAP the kernel does not execute the syscall and delivers SIGSYS
// to the calling thread. What happens next depends on the process's SIGSYS
// disposition, so this is a deny action, not an unconditional kill.
107 inline void Disallow(filter& f) { in Disallow() argument
108 f.push_back(BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRAP)); in Disallow()
// Appends a 32-bit absolute load from offset syscall_nr, so the instructions
// that follow compare against the loaded value.
// NOTE(review): syscall_nr is defined outside this listing; presumably it is
// the offset of the nr field in struct seccomp_data. Confirm.
111 static void ExamineSyscall(filter& f) { in ExamineSyscall() argument
112 f.push_back(BPF_STMT(BPF_LD|BPF_W|BPF_ABS, syscall_nr)); in ExamineSyscall()
// Overwrites the instruction at index `offset` with a jump taken when the
// loaded value equals SECONDARY_ARCH. The jump distance is the number of
// instructions between that slot and the current end of the filter.
116 static bool SetValidateArchitectureJumpTarget(size_t offset, filter& f) { in SetValidateArchitectureJumpTarget() argument
// Assumes offset < f.size(); otherwise this unsigned subtraction wraps.
117 size_t jump_length = f.size() - offset - 1; in SetValidateArchitectureJumpTarget()
// NOTE(review): classic-BPF jump offsets (jt/jf) are 8 bits wide. Lines
// 118-123 are not in this listing; presumably they narrow jump_length to
// u8_jump_length and return false when it does not fit. Confirm, because a
// silently truncated offset would route secondary-arch syscalls into the wrong
// part of the filter.
124 f[offset] = BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, SECONDARY_ARCH, u8_jump_length, 0); in SetValidateArchitectureJumpTarget()
// Emits the architecture gate for a two-ABI filter and returns the index of
// the SECONDARY_ARCH jump so it can be re-targeted later:
//   load arch_nr
//   == PRIMARY_ARCH   -> skip 2 (past the secondary check and the Disallow)
//   == SECONDARY_ARCH -> skip 1 (past the Disallow); rewritten later by
//                        SetValidateArchitectureJumpTarget()
//   anything else     -> Disallow
// The architecture has to be checked before any syscall number is compared,
// because syscall numbers differ between ABIs.
128 static size_t ValidateArchitectureAndJumpIfNeeded(filter& f) { in ValidateArchitectureAndJumpIfNeeded() argument
129 f.push_back(BPF_STMT(BPF_LD|BPF_W|BPF_ABS, arch_nr)); in ValidateArchitectureAndJumpIfNeeded()
130 f.push_back(BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, PRIMARY_ARCH, 2, 0)); in ValidateArchitectureAndJumpIfNeeded()
131 f.push_back(BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, SECONDARY_ARCH, 1, 0)); in ValidateArchitectureAndJumpIfNeeded()
132 Disallow(f); in ValidateArchitectureAndJumpIfNeeded()
// The last element is the Disallow just appended, so size() - 2 is the index
// of the SECONDARY_ARCH jump pushed on line 131.
133 return f.size() - 2; in ValidateArchitectureAndJumpIfNeeded()
// Single-ABI architecture gate: loads arch_nr, skips the Disallow when it
// equals PRIMARY_ARCH, and otherwise falls into Disallow. Any architecture
// other than PRIMARY_ARCH is therefore denied before syscall numbers are
// looked at.
136 static void ValidateArchitecture(filter& f) { in ValidateArchitecture() argument
137 f.push_back(BPF_STMT(BPF_LD|BPF_W|BPF_ABS, arch_nr)); in ValidateArchitecture()
138 f.push_back(BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, PRIMARY_ARCH, 1, 0)); in ValidateArchitecture()
139 Disallow(f); in ValidateArchitecture()
// Emits four instructions that deny the syscall unless the loaded argument
// word lies in [range_min, range_max] (unsigned compare); on success execution
// continues with the instruction after the Disallow.
// NOTE(review): lines 144-150, where syscall_arg is derived from arg_num, are
// not in this listing. Confirm that arg_num is bounds-checked there.
143 static void ValidateSyscallArgInRange(filter& f, __u32 arg_num, __u32 range_min, __u32 range_max) { in ValidateSyscallArgInRange() argument
// BPF_W loads a 32-bit word. If syscall_arg addresses a 64-bit args[] slot,
// only one half of the argument is compared; which half depends on how
// syscall_arg is computed. Confirm.
151 f.push_back(BPF_STMT(BPF_LD|BPF_W|BPF_ABS, syscall_arg)); in ValidateSyscallArgInRange()
// value >= range_min: fall through to the upper-bound check; else skip one
// instruction and land on the Disallow.
152 f.push_back(BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, range_min, 0, 1)); in ValidateSyscallArgInRange()
// value >= range_max + 1: fall through to the Disallow; else skip over it.
// range_max + 1 wraps to 0 when range_max is 0xFFFFFFFF, which makes this
// comparison always true, so every value is denied. Likewise range_min >
// range_max denies every value. Both cases fail closed.
153 f.push_back(BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, range_max + 1, 0, 1)); in ValidateSyscallArgInRange()
154 Disallow(f); in ValidateSyscallArgInRange()
// Emits the checks that restrict setresuid/setresgid arguments to
// [uid_gid_min, uid_gid_max] and ends with Allow.
// Only comparisons against setresuid_nr and setresgid_nr appear in the visible
// lines, and every path that is not denied ends at the final Allow. On its own
// this fragment therefore constrains only those two syscalls.
// NOTE(review): lines 166-175, 178, 180-182, 185 and 187-189 are not in this
// listing. Presumably `primary` selects which ABI's syscall numbers are used.
// Confirm, and confirm how other id-changing syscalls are handled.
165 static void ValidateSetUidGid(filter& f, uint32_t uid_gid_min, uint32_t uid_gid_max, bool primary) { in ValidateSetUidGid() argument
176 ExamineSyscall(f); in ValidateSetUidGid()
// Not setresuid: skip 12 instructions. That hard-coded distance must equal the
// number of instructions emitted before the next ExamineSyscall.
// ValidateSyscallArgInRange emits 4 per call, so 12 matches three calls
// (presumably a loop over the three id arguments on line 178; confirm).
177 f.push_back(BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, setresuid_nr, 0, 12)); in ValidateSetUidGid()
// An id argument outside the range, including an all-ones "leave unchanged"
// value, is denied by this check.
179 ValidateSyscallArgInRange(f, arg, uid_gid_min, uid_gid_max); in ValidateSetUidGid()
// The accumulator now holds an argument word, so the syscall number is
// reloaded before the setresgid comparison.
183 ExamineSyscall(f); in ValidateSetUidGid()
184 f.push_back(BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, setresgid_nr, 0, 12)); in ValidateSetUidGid()
186 ValidateSyscallArgInRange(f, arg, uid_gid_min, uid_gid_max); in ValidateSetUidGid()
190 Allow(f); in ValidateSetUidGid()
// Hands the assembled instruction vector to the kernel as a seccomp filter.
// NOTE(review): lines 194 and 197-199 are not in this listing; presumably the
// two casts below initialise a struct sock_fprog that is passed to the
// seccomp-install call. Confirm.
193 static bool install_filter(filter const& f) { in install_filter() argument
// Narrowing cast: a size above USHRT_MAX would be silently truncated and only
// a prefix of the filter installed. No size check is visible in this listing.
195 static_cast<unsigned short>(f.size()), in install_filter()
// const_cast only adapts to the non-const pointer type; f[0] requires a
// non-empty vector.
196 const_cast<struct sock_filter*>(&f[0]), in install_filter()
// Failure is logged at FATAL severity. Presumably that aborts, so the process
// does not keep running unfiltered; confirm the logging backend's behaviour.
200 PLOG(FATAL) << "Could not set seccomp filter of size " << f.size(); in install_filter()
// Builds and installs the setresuid/setresgid range filter. The signature and
// lines 208-211 are not in this listing.
207 filter f; in _install_setuidgid_filter() local
// NOTE(review): both architecture gates appear here; presumably lines 213/215
// hold a preprocessor conditional that selects the dual-ABI or single-ABI
// variant. Confirm. Either way the gate is emitted before any syscall check.
212 auto offset_to_secondary_filter = ValidateArchitectureAndJumpIfNeeded(f); in _install_setuidgid_filter()
214 ValidateArchitecture(f); in _install_setuidgid_filter()
217 ValidateSetUidGid(f, uid_gid_min, uid_gid_max, true /* primary */); in _install_setuidgid_filter()
// Re-target the SECONDARY_ARCH jump to the start of the secondary section,
// which begins at the current end of the filter. The failure branch
// (lines 221-223) is not shown.
220 if (!SetValidateArchitectureJumpTarget(offset_to_secondary_filter, f)) { in _install_setuidgid_filter()
224 ValidateSetUidGid(f, uid_gid_min, uid_gid_max, false /* primary */); in _install_setuidgid_filter()
227 return install_filter(f); in _install_setuidgid_filter()
// Builds and installs a per-architecture syscall policy filter. The signature
// and lines 238-276 are not in this listing.
// NOTE(review): p and s are chosen in lines not shown; presumably they are the
// primary-ABI and secondary-ABI policy instruction arrays. Confirm.
237 filter f; in _set_seccomp_filter() local
// The architecture gate is emitted first; presumably lines 278/280 hold a
// preprocessor conditional that picks one of the two variants. Confirm.
277 auto offset_to_secondary_filter = ValidateArchitectureAndJumpIfNeeded(f); in _set_seccomp_filter()
279 ValidateArchitecture(f); in _set_seccomp_filter()
282 ExamineSyscall(f); in _set_seccomp_filter()
// Policy instructions are copied in verbatim.
285 f.push_back(p[i]); in _set_seccomp_filter()
// Default deny: a syscall the primary policy did not return on reaches
// Disallow.
287 Disallow(f); in _set_seccomp_filter()
// The secondary section starts here; re-target the SECONDARY_ARCH jump to it.
// The failure branch (lines 291-293) is not shown.
290 if (!SetValidateArchitectureJumpTarget(offset_to_secondary_filter, f)) { in _set_seccomp_filter()
294 ExamineSyscall(f); in _set_seccomp_filter()
297 f.push_back(s[i]); in _set_seccomp_filter()
// Default deny for the secondary ABI as well.
299 Disallow(f); in _set_seccomp_filter()
302 return install_filter(f); in _set_seccomp_filter()