Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--.depend23
-rw-r--r--.gitignore1
-rw-r--r--Makefile24
-rw-r--r--Makefile.am2
-rw-r--r--configure.ac9
-rw-r--r--porting.h3
-rw-r--r--seccomp-bpf.c255
-rw-r--r--seccomp-bpf.h226
-rw-r--r--security.c214
9 files changed, 549 insertions, 208 deletions
diff --git a/.depend b/.depend
index 5371c1c..aab4f89 100644
--- a/.depend
+++ b/.depend
@@ -1,5 +1,18 @@
-scanelf.o: scanelf.c paxinc.h porting.h elf.h paxelf.h
-pspax.o: pspax.c paxinc.h porting.h elf.h paxelf.h
-dumpelf.o: dumpelf.c paxinc.h porting.h elf.h paxelf.h
-paxelf.o: paxelf.c paxinc.h porting.h elf.h paxelf.h
-paxinc.o: paxinc.c paxinc.h porting.h elf.h paxelf.h
+paxelf.o: paxelf.c paxinc.h porting.h elf.h xfuncs.h security.h paxelf.h \
+ macho.h paxmacho.h
+paxmacho.o: paxmacho.c paxinc.h porting.h elf.h xfuncs.h security.h \
+ paxelf.h macho.h paxmacho.h
+paxinc.o: paxinc.c paxinc.h porting.h elf.h xfuncs.h security.h paxelf.h \
+ macho.h paxmacho.h
+security.o: security.c paxinc.h porting.h elf.h xfuncs.h security.h \
+ paxelf.h macho.h paxmacho.h seccomp-bpf.h
+xfuncs.o: xfuncs.c paxinc.h porting.h elf.h xfuncs.h security.h paxelf.h \
+ macho.h paxmacho.h
+scanelf.o: scanelf.c paxinc.h porting.h elf.h xfuncs.h security.h \
+ paxelf.h macho.h paxmacho.h
+dumpelf.o: dumpelf.c paxinc.h porting.h elf.h xfuncs.h security.h \
+ paxelf.h macho.h paxmacho.h
+pspax.o: pspax.c paxinc.h porting.h elf.h xfuncs.h security.h paxelf.h \
+ macho.h paxmacho.h
+scanmacho.o: scanmacho.c paxinc.h porting.h elf.h xfuncs.h security.h \
+ paxelf.h macho.h paxmacho.h
diff --git a/.gitignore b/.gitignore
index 553ea89..a6bf3ba 100644
--- a/.gitignore
+++ b/.gitignore
@@ -43,6 +43,7 @@ core
/pspax
/scanelf
/scanmacho
+/seccomp-bpf
/symtree
/man/*.1
diff --git a/Makefile b/Makefile
index 9a2c07c..bb6f167 100644
--- a/Makefile
+++ b/Makefile
@@ -52,11 +52,14 @@ ifeq ($(USE_DEBUG),yes)
override CPPFLAGS += -DEBUG
endif
-ifeq ($(USE_SECCOMP),yes)
+ifeq ($(BUILD_USE_SECCOMP),yes)
LIBSECCOMP_CFLAGS := $(shell $(PKG_CONFIG) --cflags libseccomp)
LIBSECCOMP_LIBS := $(shell $(PKG_CONFIG) --libs libseccomp)
override CPPFLAGS += $(LIBSECCOMP_CFLAGS) -DWANT_SECCOMP
-LIBS += $(LIBSECCOMP_LIBS)
+LIBS-seccomp-bpf += $(LIBSECCOMP_LIBS)
+endif
+ifeq ($(USE_SECCOMP),yes)
+override CPPFLAGS += -DWANT_SECCOMP
endif
ifdef PV
@@ -72,8 +75,10 @@ ELF_OBJS = paxelf.o paxldso.o
MACH_TARGETS = scanmacho
MACH_OBJS = paxmacho.o
COMMON_OBJS = paxinc.o security.o xfuncs.o
+BUILD_OBJS = $(filter-out security.o,$(COMMON_OBJS))
TARGETS = $(ELF_TARGETS) $(MACH_TARGETS)
TARGETS_OBJS = $(TARGETS:%=%.o)
+BUILD_TARGETS= seccomp-bpf
SCRIPTS_SH = lddtree symtree
SCRIPTS_PY = lddtree
_OBJS = $(ELF_OBJS) $(MACH_OBJS) $(COMMON_OBJS)
@@ -139,23 +144,24 @@ ifeq ($(V),)
endif
$(Q)$(compile.c) $(WFLAGS)
-$(ELF_TARGETS): %: $(ELF_OBJS) $(COMMON_OBJS) %.o
- $(CC) $(CFLAGS) $(LDFLAGS) $^ -o $@ $(LIBS) $(LIBS-$@)
+LINK = $(CC) $(CFLAGS) $(LDFLAGS) $^ -o $@ $(LIBS) $(LIBS-$@)
-$(MACH_TARGETS): %: $(MACH_OBJS) $(COMMON_OBJS) %.o
- $(CC) $(CFLAGS) $(LDFLAGS) $^ -o $@ $(LIBS) $(LIBS-$@)
+$(BUILD_TARGETS): %: $(BUILD_OBJS) %.o; $(LINK)
+$(ELF_TARGETS): %: $(ELF_OBJS) $(COMMON_OBJS) %.o; $(LINK)
+$(MACH_TARGETS): %: $(MACH_OBJS) $(COMMON_OBJS) %.o; $(LINK)
$(OBJS_TARGETS): %: $(_OBJS) %.c
$(CC) $(CFLAGS) $(CPPFLAGS) -DMAIN $(LDFLAGS) $(filter-out $@.o,$^) -o $@ $(LIBS) $(LIBS-$@)
-%.so: %.c
- $(CC) -shared -fPIC -o $@ $<
+seccomp-bpf.h: seccomp-bpf.c
+ $(MAKE) BUILD_USE_SECCOMP=yes seccomp-bpf
+ ./seccomp-bpf > $@
depend:
$(CC) $(CFLAGS) -MM $(SOURCES) > .depend
clean:
- -rm -f $(OBJS) $(TARGETS) $(OBJS_TARGETS)
+ -rm -f $(OBJS) $(TARGETS) $(OBJS_TARGETS) $(BUILD_TARGETS)
distclean: clean
-rm -f *~ core *.o
diff --git a/Makefile.am b/Makefile.am
index f369f86..748a7ca 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -92,6 +92,8 @@ EXTRA_DIST += \
pylint \
scanelf.c \
scanmacho.c \
+ seccomp-bpf.c \
+ seccomp-bpf.h \
security.c \
security.h \
symtree.sh \
diff --git a/configure.ac b/configure.ac
index 5ffd5ef..9b96090 100644
--- a/configure.ac
+++ b/configure.ac
@@ -33,9 +33,7 @@ AM_CONDITIONAL([USE_PYTHON], [test "x$with_python" = "xyes"])
AC_ARG_WITH([seccomp], [AS_HELP_STRING([--with-seccomp], [build with seccomp])])
AS_IF([test "x$with_seccomp" = "xyes"], [
- PKG_CHECK_MODULES(LIBSECCOMP, libseccomp)
- CPPFLAGS="$CPPFLAGS $LIBSECCOMP_CFLAGS -DWANT_SECCOMP"
- LIBS="$LIBS $LIBSECCOMP_LIBS"
+ CPPFLAGS="$CPPFLAGS -DWANT_SECCOMP"
])
AX_CFLAGS_WARN_ALL
@@ -62,7 +60,10 @@ m4_foreach_w([flag], [
AX_CHECK_COMPILE_FLAG(flag, AS_VAR_APPEND([CFLAGS], " flag"))
])
-AC_CHECK_HEADERS([linux/securebits.h])
+AC_CHECK_HEADERS_ONCE(m4_flatten([
+ linux/seccomp.h
+ linux/securebits.h
+]))
AC_CONFIG_FILES([
Makefile
diff --git a/porting.h b/porting.h
index c4f5fc6..f1bd74f 100644
--- a/porting.h
+++ b/porting.h
@@ -46,6 +46,9 @@
#endif
#if defined(__linux__)
# include <sys/prctl.h>
+# if !defined(HAVE_CONFIG_H) || defined(HAVE_LINUX_SECCOMP_H)
+# include <linux/seccomp.h>
+# endif
# if !defined(HAVE_CONFIG_H) || defined(HAVE_LINUX_SECUREBITS_H)
# include <linux/securebits.h>
# endif
diff --git a/seccomp-bpf.c b/seccomp-bpf.c
new file mode 100644
index 0000000..d7246b1
--- /dev/null
+++ b/seccomp-bpf.c
@@ -0,0 +1,255 @@
+/*
+ * Generate the bpf rules ahead of time to speed up runtime.
+ *
+ * Copyright 2015 Gentoo Foundation
+ * Distributed under the terms of the GNU General Public License v2
+ *
+ * Copyright 2015 Mike Frysinger - <vapier@gentoo.org>
+ */
+
+const char argv0[] = "seccomp-bpf";
+
+#include <err.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <sys/mman.h>
+#include <sys/types.h>
+
+#include <seccomp.h>
+
+#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
+
+static const struct {
+ const char *name;
+ uint32_t arch;
+ const char *ifdef;
+} gen_seccomp_arches[] = {
+#define A(arch, ifdef) { #arch, SCMP_ARCH_##arch, ifdef }
+ A(AARCH64, "defined(__aarch64__)"),
+ A(ARM, "defined(__arm__)"),
+ A(MIPS, "defined(__mips__) && defined(__MIPSEB__) && defined(_ABIO32)"),
+ A(MIPS64, "defined(__mips__) && defined(__MIPSEB__) && defined(_ABI64)"),
+ A(MIPS64N32, "defined(__mips__) && defined(__MIPSEB__) && defined(_ABIN32)"),
+ A(MIPSEL, "defined(__mips__) && defined(__MIPSEL__) && defined(_ABIO32)"),
+ A(MIPSEL64, "defined(__mips__) && defined(__MIPSEL__) && defined(_ABI64)"),
+ A(MIPSEL64N32, "defined(__mips__) && defined(__MIPSEL__) && defined(_ABIN32)"),
+ A(PARISC, "defined(__hppa__) && !defined(__hppa64__)"),
+ A(PARISC64, "defined(__hppa__) && defined(__hppa64__)"),
+ A(PPC, "defined(__powerpc__) && !defined(__powerpc64__) && defined(__BIG_ENDIAN__)"),
+ A(PPC64, "defined(__powerpc__) && defined(__powerpc64__) && defined(__BIG_ENDIAN__)"),
+ A(PPC64LE, "defined(__powerpc__) && defined(__powerpc64__) && !defined(__BIG_ENDIAN__)"),
+ A(RISCV64, "defined(__riscv) && __riscv_xlen == 64"),
+ A(S390, "defined(__s390__) && !defined(__s390x__)"),
+ A(S390X, "defined(__s390__) && defined(__s390x__)"),
+ A(X86, "defined(__i386__)"),
+ A(X32, "defined(__x86_64__) && defined(__ILP32__)"),
+ A(X86_64, "defined(__x86_64__) && !defined(__ILP32__)"),
+#undef A
+};
+
+/* Simple helper to add all of the syscalls in an array. */
+static int gen_seccomp_rules_add(scmp_filter_ctx ctx, int syscalls[], size_t num)
+{
+ static uint8_t prio;
+ size_t i;
+ for (i = 0; i < num; ++i) {
+ if (seccomp_syscall_priority(ctx, syscalls[i], prio++) < 0) {
+ warn("seccomp_syscall_priority failed");
+ return -1;
+ }
+ if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, syscalls[i], 0) < 0) {
+ warn("seccomp_rule_add failed");
+ return -1;
+ }
+ }
+ return 0;
+}
+#define gen_seccomp_rules_add(ctx, syscalls) gen_seccomp_rules_add(ctx, syscalls, ARRAY_SIZE(syscalls))
+
+static void gen_seccomp_dump(scmp_filter_ctx ctx, const char *name)
+{
+ unsigned char buf[32768 * 8];
+ ssize_t i, len;
+ int fd;
+
+ fd = memfd_create("bpf", MFD_CLOEXEC);
+ if (fd < 0)
+ err(1, "memfd_create failed");
+ if (seccomp_export_bpf(ctx, fd) < 0)
+ err(1, "seccomp_export_bpf_mem failed");
+ if (lseek(fd, 0, SEEK_SET) != 0)
+ err(1, "seek failed");
+ len = read(fd, buf, sizeof(buf));
+ if (len <= 0)
+ err(1, "read failed");
+
+ printf("static const unsigned char seccomp_bpf_blks_%s[] = {\n\t", name);
+ for (i = 0; i < len; ++i)
+ printf("%u,", buf[i]);
+ printf("\n};\n");
+}
+
+static void gen_seccomp_program(const char *name)
+{
+ printf(
+ "static const seccomp_bpf_program_t seccomp_bpf_program_%s = {\n"
+ " .cnt = sizeof(seccomp_bpf_blks_%s) / 8,\n"
+ " .bpf = seccomp_bpf_blks_%s,\n"
+ "};\n", name, name, name);
+}
+
+int main(void)
+{
+ /* Order determines priority (first == lowest prio). */
+ int base_syscalls[] = {
+ /* We write the most w/scanelf. */
+ SCMP_SYS(write),
+
+ /* Then the stat family of functions. */
+ SCMP_SYS(newfstatat),
+ SCMP_SYS(fstat),
+ SCMP_SYS(fstat64),
+ SCMP_SYS(fstatat64),
+ SCMP_SYS(lstat),
+ SCMP_SYS(lstat64),
+ SCMP_SYS(stat),
+ SCMP_SYS(stat64),
+ SCMP_SYS(statx),
+
+ /* Then the fd close func. */
+ SCMP_SYS(close),
+
+ /* Then fd open family of functions. */
+ SCMP_SYS(open),
+ SCMP_SYS(openat),
+
+ /* Then the memory mapping functions. */
+ SCMP_SYS(mmap),
+ SCMP_SYS(mmap2),
+ SCMP_SYS(munmap),
+
+ /* Then the directory reading functions. */
+ SCMP_SYS(getdents),
+ SCMP_SYS(getdents64),
+
+ /* Then the file reading functions. */
+ SCMP_SYS(pread64),
+ SCMP_SYS(read),
+
+ /* Then the fd manipulation functions. */
+ SCMP_SYS(fcntl),
+ SCMP_SYS(fcntl64),
+
+ /* After this point, just sort the list alphabetically. */
+ SCMP_SYS(access),
+ SCMP_SYS(brk),
+ SCMP_SYS(capget),
+ SCMP_SYS(chdir),
+ SCMP_SYS(exit),
+ SCMP_SYS(exit_group),
+ SCMP_SYS(faccessat),
+#ifndef __SNR_faccessat2
+/* faccessat2 is not yet defined in libseccomp-2.5.1 */
+# define __SNR_faccessat2 __NR_faccessat2
+#endif
+ SCMP_SYS(faccessat2),
+ SCMP_SYS(fchdir),
+ SCMP_SYS(getpid),
+ SCMP_SYS(gettid),
+ SCMP_SYS(ioctl),
+ SCMP_SYS(lseek),
+ SCMP_SYS(_llseek),
+ SCMP_SYS(mprotect),
+
+ /* Syscalls listed because of sandbox. */
+ SCMP_SYS(readlink),
+
+ /* Syscalls listed because of fakeroot. */
+ SCMP_SYS(msgget),
+ SCMP_SYS(msgrcv),
+ SCMP_SYS(msgsnd),
+ SCMP_SYS(semget),
+ SCMP_SYS(semop),
+ SCMP_SYS(semtimedop),
+ /*
+ * Some targets (e.g. ppc & i386) implement the above functions
+ * as ipc() subcalls. #675378
+ */
+ SCMP_SYS(ipc),
+ };
+ int fork_syscalls[] = {
+ SCMP_SYS(clone),
+ SCMP_SYS(execve),
+ SCMP_SYS(fork),
+ SCMP_SYS(rt_sigaction),
+ SCMP_SYS(rt_sigprocmask),
+ SCMP_SYS(unshare),
+ SCMP_SYS(vfork),
+ SCMP_SYS(wait4),
+ SCMP_SYS(waitid),
+ SCMP_SYS(waitpid),
+ };
+
+ /* TODO: Handle debug and KILL vs TRAP. */
+
+ scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_KILL);
+ if (!ctx)
+ err(1, "seccomp_init failed");
+
+ printf("/* AUTO GENERATED; see seccomp-bpf.c for details. */\n");
+ printf("#undef SECCOMP_BPF_AVAILABLE\n");
+
+ if (seccomp_arch_remove(ctx, seccomp_arch_native()) < 0)
+ err(1, "seccomp_arch_remove failed");
+
+ for (size_t i = 0; i < ARRAY_SIZE(gen_seccomp_arches); ++i) {
+ uint32_t arch = gen_seccomp_arches[i].arch;
+
+ seccomp_reset(ctx, SCMP_ACT_KILL);
+
+ if (arch != seccomp_arch_native()) {
+ if (seccomp_arch_remove(ctx, seccomp_arch_native()) < 0)
+ err(1, "seccomp_arch_remove failed");
+ if (seccomp_arch_add(ctx, arch) < 0)
+ err(1, "seccomp_arch_add failed");
+ }
+
+ printf("\n#if %s\n", gen_seccomp_arches[i].ifdef);
+ printf("/* %s */\n", gen_seccomp_arches[i].name);
+ printf("#define SECCOMP_BPF_AVAILABLE\n");
+
+ if (gen_seccomp_rules_add(ctx, base_syscalls) < 0)
+ err(1, "seccomp_rules_add failed");
+ gen_seccomp_dump(ctx, "base");
+
+ if (gen_seccomp_rules_add(ctx, fork_syscalls) < 0)
+ err(1, "seccomp_rules_add failed");
+ gen_seccomp_dump(ctx, "fork");
+
+ if (0) {
+ printf("/*\n");
+ fflush(stdout);
+ seccomp_export_pfc(ctx, 1);
+ fflush(stdout);
+ printf("*/\n");
+ }
+
+ printf("#endif\n");
+ }
+
+ printf(
+ "\n"
+ "#ifdef SECCOMP_BPF_AVAILABLE\n"
+ "typedef struct {\n"
+ " uint16_t cnt;\n"
+ " const void *bpf;\n"
+ "} seccomp_bpf_program_t;\n");
+ gen_seccomp_program("base");
+ gen_seccomp_program("fork");
+ printf("#endif\n");
+
+ seccomp_release(ctx);
+
+ return 0;
+}
diff --git a/seccomp-bpf.h b/seccomp-bpf.h
new file mode 100644
index 0000000..dfb7716
--- /dev/null
+++ b/seccomp-bpf.h
@@ -0,0 +1,226 @@
+/* AUTO GENERATED; see seccomp-bpf.c for details. */
+#undef SECCOMP_BPF_AVAILABLE
+
+#if defined(__aarch64__)
+/* AARCH64 */
+#define SECCOMP_BPF_AVAILABLE
+static const unsigned char seccomp_bpf_blks_base[] = {
+ 32,0,0,0,4,0,0,0,21,0,0,33,183,0,0,192,32,0,0,0,0,0,0,0,21,0,30,0,192,0,0,0,21,0,29,0,193,0,0,0,21,0,28,0,190,0,0,0,21,0,27,0,189,0,0,0,21,0,26,0,188,0,0,0,21,0,25,0,186,0,0,0,21,0,24,0,226,0,0,0,21,0,23,0,62,0,0,0,21,0,22,0,29,0,0,0,21,0,21,0,178,0,0,0,21,0,20,0,172,0,0,0,21,0,19,0,50,0,0,0,21,0,18,0,183,1,0,0,21,0,17,0,48,0,0,0,21,0,16,0,94,0,0,0,21,0,15,0,93,0,0,0,21,0,14,0,49,0,0,0,21,0,13,0,90,0,0,0,21,0,12,0,214,0,0,0,21,0,11,0,25,0,0,0,21,0,10,0,63,0,0,0,21,0,9,0,67,0,0,0,21,0,8,0,61,0,0,0,21,0,7,0,215,0,0,0,21,0,6,0,222,0,0,0,21,0,5,0,56,0,0,0,21,0,4,0,57,0,0,0,21,0,3,0,35,1,0,0,21,0,2,0,80,0,0,0,21,0,1,0,79,0,0,0,21,0,0,1,64,0,0,0,6,0,0,0,0,0,255,127,6,0,0,0,0,0,0,0,
+};
+static const unsigned char seccomp_bpf_blks_fork[] = {
+ 32,0,0,0,4,0,0,0,21,0,0,40,183,0,0,192,32,0,0,0,0,0,0,0,21,0,37,0,95,0,0,0,21,0,36,0,4,1,0,0,21,0,35,0,97,0,0,0,21,0,34,0,135,0,0,0,21,0,33,0,134,0,0,0,21,0,32,0,221,0,0,0,21,0,31,0,220,0,0,0,21,0,30,0,192,0,0,0,21,0,29,0,193,0,0,0,21,0,28,0,190,0,0,0,21,0,27,0,189,0,0,0,21,0,26,0,188,0,0,0,21,0,25,0,186,0,0,0,21,0,24,0,226,0,0,0,21,0,23,0,62,0,0,0,21,0,22,0,29,0,0,0,21,0,21,0,178,0,0,0,21,0,20,0,172,0,0,0,21,0,19,0,50,0,0,0,21,0,18,0,183,1,0,0,21,0,17,0,48,0,0,0,21,0,16,0,94,0,0,0,21,0,15,0,93,0,0,0,21,0,14,0,49,0,0,0,21,0,13,0,90,0,0,0,21,0,12,0,214,0,0,0,21,0,11,0,25,0,0,0,21,0,10,0,63,0,0,0,21,0,9,0,67,0,0,0,21,0,8,0,61,0,0,0,21,0,7,0,215,0,0,0,21,0,6,0,222,0,0,0,21,0,5,0,56,0,0,0,21,0,4,0,57,0,0,0,21,0,3,0,35,1,0,0,21,0,2,0,80,0,0,0,21,0,1,0,79,0,0,0,21,0,0,1,64,0,0,0,6,0,0,0,0,0,255,127,6,0,0,0,0,0,0,0,
+};
+#endif
+
+#if defined(__arm__)
+/* ARM */
+#define SECCOMP_BPF_AVAILABLE
+static const unsigned char seccomp_bpf_blks_base[] = {
+ 32,0,0,0,4,0,0,0,21,0,0,44,40,0,0,64,32,0,0,0,0,0,0,0,21,0,41,0,56,1,0,0,21,0,40,0,42,1,0,0,21,0,39,0,43,1,0,0,21,0,38,0,45,1,0,0,21,0,37,0,46,1,0,0,21,0,36,0,47,1,0,0,21,0,35,0,85,0,0,0,21,0,34,0,125,0,0,0,21,0,33,0,140,0,0,0,21,0,32,0,19,0,0,0,21,0,31,0,54,0,0,0,21,0,30,0,224,0,0,0,21,0,29,0,20,0,0,0,21,0,28,0,133,0,0,0,21,0,27,0,183,1,0,0,21,0,26,0,78,1,0,0,21,0,25,0,248,0,0,0,21,0,24,0,1,0,0,0,21,0,23,0,12,0,0,0,21,0,22,0,184,0,0,0,21,0,21,0,45,0,0,0,21,0,20,0,33,0,0,0,21,0,19,0,221,0,0,0,21,0,18,0,55,0,0,0,21,0,17,0,3,0,0,0,21,0,16,0,180,0,0,0,21,0,15,0,217,0,0,0,21,0,14,0,141,0,0,0,21,0,13,0,91,0,0,0,21,0,12,0,192,0,0,0,21,0,11,0,66,1,0,0,21,0,10,0,5,0,0,0,21,0,9,0,6,0,0,0,21,0,8,0,141,1,0,0,21,0,7,0,195,0,0,0,21,0,6,0,106,0,0,0,21,0,5,0,196,0,0,0,21,0,4,0,107,0,0,0,21,0,3,0,71,1,0,0,21,0,2,0,197,0,0,0,21,0,1,0,108,0,0,0,21,0,0,1,4,0,0,0,6,0,0,0,0,0,255,127,6,0,0,0,0,0,0,0,
+};
+static const unsigned char seccomp_bpf_blks_fork[] = {
+ 32,0,0,0,4,0,0,0,21,0,0,53,40,0,0,64,32,0,0,0,0,0,0,0,21,0,50,0,24,1,0,0,21,0,49,0,114,0,0,0,21,0,48,0,190,0,0,0,21,0,47,0,81,1,0,0,21,0,46,0,175,0,0,0,21,0,45,0,174,0,0,0,21,0,44,0,2,0,0,0,21,0,43,0,11,0,0,0,21,0,42,0,120,0,0,0,21,0,41,0,56,1,0,0,21,0,40,0,42,1,0,0,21,0,39,0,43,1,0,0,21,0,38,0,45,1,0,0,21,0,37,0,46,1,0,0,21,0,36,0,47,1,0,0,21,0,35,0,85,0,0,0,21,0,34,0,125,0,0,0,21,0,33,0,140,0,0,0,21,0,32,0,19,0,0,0,21,0,31,0,54,0,0,0,21,0,30,0,224,0,0,0,21,0,29,0,20,0,0,0,21,0,28,0,133,0,0,0,21,0,27,0,183,1,0,0,21,0,26,0,78,1,0,0,21,0,25,0,248,0,0,0,21,0,24,0,1,0,0,0,21,0,23,0,12,0,0,0,21,0,22,0,184,0,0,0,21,0,21,0,45,0,0,0,21,0,20,0,33,0,0,0,21,0,19,0,221,0,0,0,21,0,18,0,55,0,0,0,21,0,17,0,3,0,0,0,21,0,16,0,180,0,0,0,21,0,15,0,217,0,0,0,21,0,14,0,141,0,0,0,21,0,13,0,91,0,0,0,21,0,12,0,192,0,0,0,21,0,11,0,66,1,0,0,21,0,10,0,5,0,0,0,21,0,9,0,6,0,0,0,21,0,8,0,141,1,0,0,21,0,7,0,195,0,0,0,21,0,6,0,106,0,0,0,21,0,5,0,196,0,0,0,21,0,4,0,107,0,0,0,21,0,3,0,71,1,0,0,21,0,2,0,197,0,0,0,21,0,1,0,108,0,0,0,21,0,0,1,4,0,0,0,6,0,0,0,0,0,255,127,6,0,0,0,0,0,0,0,
+};
+#endif
+
+#if defined(__mips__) && defined(__MIPSEB__) && defined(_ABIO32)
+/* MIPS */
+#define SECCOMP_BPF_AVAILABLE
+static const unsigned char seccomp_bpf_blks_base[] = {
+ 0,32,0,0,0,0,0,4,0,21,0,44,0,0,0,8,0,32,0,0,0,0,0,0,0,21,41,0,0,0,16,21,0,21,40,0,0,0,17,41,0,21,39,0,0,0,17,48,0,21,38,0,0,0,17,49,0,21,37,0,0,0,17,47,0,21,36,0,0,0,15,245,0,21,35,0,0,0,16,29,0,21,34,0,0,0,16,44,0,21,33,0,0,0,15,179,0,21,32,0,0,0,15,214,0,21,31,0,0,0,16,126,0,21,30,0,0,0,15,180,0,21,29,0,0,0,16,37,0,21,28,0,0,0,17,87,0,21,27,0,0,0,16,204,0,21,26,0,0,0,16,150,0,21,25,0,0,0,15,161,0,21,24,0,0,0,15,172,0,21,23,0,0,0,16,108,0,21,22,0,0,0,15,205,0,21,21,0,0,0,15,193,0,21,20,0,0,0,16,124,0,21,19,0,0,0,15,215,0,21,18,0,0,0,15,163,0,21,17,0,0,0,16,104,0,21,16,0,0,0,16,123,0,21,15,0,0,0,16,45,0,21,14,0,0,0,15,251,0,21,13,0,0,0,16,114,0,21,12,0,0,0,15,250,0,21,11,0,0,0,16,192,0,21,10,0,0,0,15,165,0,21,9,0,0,0,15,166,0,21,8,0,0,0,17,14,0,21,7,0,0,0,16,117,0,21,6,0,0,0,16,10,0,21,5,0,0,0,16,118,0,21,4,0,0,0,16,11,0,21,3,0,0,0,16,197,0,21,2,0,0,0,16,119,0,21,1,0,0,0,16,12,0,21,0,1,0,0,15,164,0,6,0,0,127,255,0,0,0,6,0,0,0,0,0,0,
+};
+static const unsigned char seccomp_bpf_blks_fork[] = {
+ 0,32,0,0,0,0,0,4,0,21,0,53,0,0,0,8,0,32,0,0,0,0,0,0,0,21,50,0,0,0,15,167,0,21,49,0,0,0,16,182,0,21,48,0,0,0,16,18,0,21,47,0,0,0,16,207,0,21,46,0,0,0,16,99,0,21,45,0,0,0,16,98,0,21,44,0,0,0,15,162,0,21,43,0,0,0,15,171,0,21,42,0,0,0,16,24,0,21,41,0,0,0,16,21,0,21,40,0,0,0,17,41,0,21,39,0,0,0,17,48,0,21,38,0,0,0,17,49,0,21,37,0,0,0,17,47,0,21,36,0,0,0,15,245,0,21,35,0,0,0,16,29,0,21,34,0,0,0,16,44,0,21,33,0,0,0,15,179,0,21,32,0,0,0,15,214,0,21,31,0,0,0,16,126,0,21,30,0,0,0,15,180,0,21,29,0,0,0,16,37,0,21,28,0,0,0,17,87,0,21,27,0,0,0,16,204,0,21,26,0,0,0,16,150,0,21,25,0,0,0,15,161,0,21,24,0,0,0,15,172,0,21,23,0,0,0,16,108,0,21,22,0,0,0,15,205,0,21,21,0,0,0,15,193,0,21,20,0,0,0,16,124,0,21,19,0,0,0,15,215,0,21,18,0,0,0,15,163,0,21,17,0,0,0,16,104,0,21,16,0,0,0,16,123,0,21,15,0,0,0,16,45,0,21,14,0,0,0,15,251,0,21,13,0,0,0,16,114,0,21,12,0,0,0,15,250,0,21,11,0,0,0,16,192,0,21,10,0,0,0,15,165,0,21,9,0,0,0,15,166,0,21,8,0,0,0,17,14,0,21,7,0,0,0,16,117,0,21,6,0,0,0,16,10,0,21,5,0,0,0,16,118,0,21,4,0,0,0,16,11,0,21,3,0,0,0,16,197,0,21,2,0,0,0,16,119,0,21,1,0,0,0,16,12,0,21,0,1,0,0,15,164,0,6,0,0,127,255,0,0,0,6,0,0,0,0,0,0,
+};
+#endif
+
+#if defined(__mips__) && defined(__MIPSEB__) && defined(_ABI64)
+/* MIPS64 */
+#define SECCOMP_BPF_AVAILABLE
+static const unsigned char seccomp_bpf_blks_base[] = {
+ 0,32,0,0,0,0,0,4,0,21,0,39,128,0,0,8,0,32,0,0,0,0,0,0,0,21,36,0,0,0,20,94,0,21,35,0,0,0,19,199,0,21,34,0,0,0,19,198,0,21,33,0,0,0,19,203,0,21,32,0,0,0,19,204,0,21,31,0,0,0,19,202,0,21,30,0,0,0,19,223,0,21,29,0,0,0,19,146,0,21,28,0,0,0,19,144,0,21,27,0,0,0,19,151,0,21,26,0,0,0,20,58,0,21,25,0,0,0,19,174,0,21,24,0,0,0,19,215,0,21,23,0,0,0,21,63,0,21,22,0,0,0,20,139,0,21,21,0,0,0,20,85,0,21,20,0,0,0,19,194,0,21,19,0,0,0,19,214,0,21,18,0,0,0,20,3,0,21,17,0,0,0,19,148,0,21,16,0,0,0,19,156,0,21,15,0,0,0,19,206,0,21,14,0,0,0,19,136,0,21,13,0,0,0,19,152,0,21,12,0,0,0,20,188,0,21,11,0,0,0,19,212,0,21,10,0,0,0,19,147,0,21,9,0,0,0,19,145,0,21,8,0,0,0,20,127,0,21,7,0,0,0,19,138,0,21,6,0,0,0,19,139,0,21,5,0,0,0,20,206,0,21,4,0,0,0,19,140,0,21,3,0,0,0,19,142,0,21,2,0,0,0,19,141,0,21,1,0,0,0,20,132,0,21,0,1,0,0,19,137,0,6,0,0,127,255,0,0,0,6,0,0,0,0,0,0,
+};
+static const unsigned char seccomp_bpf_blks_fork[] = {
+ 0,32,0,0,0,0,0,4,0,21,0,47,128,0,0,8,0,32,0,0,0,0,0,0,0,21,44,0,0,0,20,117,0,21,43,0,0,0,19,195,0,21,42,0,0,0,20,142,0,21,41,0,0,0,19,150,0,21,40,0,0,0,19,149,0,21,39,0,0,0,19,192,0,21,38,0,0,0,19,193,0,21,37,0,0,0,19,191,0,21,36,0,0,0,20,94,0,21,35,0,0,0,19,199,0,21,34,0,0,0,19,198,0,21,33,0,0,0,19,203,0,21,32,0,0,0,19,204,0,21,31,0,0,0,19,202,0,21,30,0,0,0,19,223,0,21,29,0,0,0,19,146,0,21,28,0,0,0,19,144,0,21,27,0,0,0,19,151,0,21,26,0,0,0,20,58,0,21,25,0,0,0,19,174,0,21,24,0,0,0,19,215,0,21,23,0,0,0,21,63,0,21,22,0,0,0,20,139,0,21,21,0,0,0,20,85,0,21,20,0,0,0,19,194,0,21,19,0,0,0,19,214,0,21,18,0,0,0,20,3,0,21,17,0,0,0,19,148,0,21,16,0,0,0,19,156,0,21,15,0,0,0,19,206,0,21,14,0,0,0,19,136,0,21,13,0,0,0,19,152,0,21,12,0,0,0,20,188,0,21,11,0,0,0,19,212,0,21,10,0,0,0,19,147,0,21,9,0,0,0,19,145,0,21,8,0,0,0,20,127,0,21,7,0,0,0,19,138,0,21,6,0,0,0,19,139,0,21,5,0,0,0,20,206,0,21,4,0,0,0,19,140,0,21,3,0,0,0,19,142,0,21,2,0,0,0,19,141,0,21,1,0,0,0,20,132,0,21,0,1,0,0,19,137,0,6,0,0,127,255,0,0,0,6,0,0,0,0,0,0,
+};
+#endif
+
+#if defined(__mips__) && defined(__MIPSEB__) && defined(_ABIN32)
+/* MIPS64N32 */
+#define SECCOMP_BPF_AVAILABLE
+static const unsigned char seccomp_bpf_blks_base[] = {
+ 0,32,0,0,0,0,0,4,0,21,0,40,160,0,0,8,0,32,0,0,0,0,0,0,0,21,37,0,0,0,23,120,0,21,36,0,0,0,23,127,0,21,35,0,0,0,24,34,0,21,34,0,0,0,23,150,0,21,33,0,0,0,23,191,0,21,32,0,0,0,25,39,0,21,31,0,0,0,24,119,0,21,30,0,0,0,24,61,0,21,29,0,0,0,23,170,0,21,28,0,0,0,23,190,0,21,27,0,0,0,23,235,0,21,26,0,0,0,23,124,0,21,25,0,0,0,23,132,0,21,24,0,0,0,24,68,0,21,23,0,0,0,23,182,0,21,22,0,0,0,23,112,0,21,21,0,0,0,23,128,0,21,20,0,0,0,24,155,0,21,19,0,0,0,23,188,0,21,18,0,0,0,23,123,0,21,17,0,0,0,23,121,0,21,16,0,0,0,24,107,0,21,15,0,0,0,23,114,0,21,14,0,0,0,23,115,0,21,13,0,0,0,24,186,0,21,12,0,0,0,23,116,0,21,11,0,0,0,23,118,0,21,10,0,0,0,23,117,0,21,9,0,0,0,24,112,0,21,8,0,0,0,23,113,0,21,7,0,0,0,24,71,0,21,6,0,0,0,23,175,0,21,5,0,0,0,23,174,0,21,4,0,0,0,23,179,0,21,3,0,0,0,23,180,0,21,2,0,0,0,23,178,0,21,1,0,0,0,23,199,0,21,0,1,0,0,23,122,0,6,0,0,127,255,0,0,0,6,0,0,0,0,0,0,
+};
+static const unsigned char seccomp_bpf_blks_fork[] = {
+ 0,32,0,0,0,0,0,4,0,21,0,48,160,0,0,8,0,32,0,0,0,0,0,0,0,21,45,0,0,0,23,120,0,21,44,0,0,0,23,127,0,21,43,0,0,0,24,34,0,21,42,0,0,0,23,150,0,21,41,0,0,0,23,191,0,21,40,0,0,0,25,39,0,21,39,0,0,0,24,119,0,21,38,0,0,0,24,61,0,21,37,0,0,0,23,170,0,21,36,0,0,0,23,190,0,21,35,0,0,0,23,235,0,21,34,0,0,0,23,124,0,21,33,0,0,0,23,132,0,21,32,0,0,0,24,68,0,21,31,0,0,0,23,182,0,21,30,0,0,0,23,112,0,21,29,0,0,0,23,128,0,21,28,0,0,0,24,155,0,21,27,0,0,0,23,188,0,21,26,0,0,0,23,123,0,21,25,0,0,0,23,121,0,21,24,0,0,0,24,107,0,21,23,0,0,0,23,114,0,21,22,0,0,0,23,115,0,21,21,0,0,0,24,186,0,21,20,0,0,0,23,116,0,21,19,0,0,0,23,118,0,21,18,0,0,0,23,117,0,21,17,0,0,0,24,112,0,21,16,0,0,0,23,113,0,21,15,0,0,0,24,97,0,21,14,0,0,0,23,171,0,21,13,0,0,0,24,122,0,21,12,0,0,0,23,126,0,21,11,0,0,0,23,125,0,21,10,0,0,0,23,168,0,21,9,0,0,0,23,169,0,21,8,0,0,0,23,167,0,21,7,0,0,0,24,71,0,21,6,0,0,0,23,175,0,21,5,0,0,0,23,174,0,21,4,0,0,0,23,179,0,21,3,0,0,0,23,180,0,21,2,0,0,0,23,178,0,21,1,0,0,0,23,199,0,21,0,1,0,0,23,122,0,6,0,0,127,255,0,0,0,6,0,0,0,0,0,0,
+};
+#endif
+
+#if defined(__mips__) && defined(__MIPSEL__) && defined(_ABIO32)
+/* MIPSEL */
+#define SECCOMP_BPF_AVAILABLE
+static const unsigned char seccomp_bpf_blks_base[] = {
+ 32,0,0,0,4,0,0,0,21,0,0,44,8,0,0,64,32,0,0,0,0,0,0,0,21,0,41,0,21,16,0,0,21,0,40,0,41,17,0,0,21,0,39,0,48,17,0,0,21,0,38,0,49,17,0,0,21,0,37,0,47,17,0,0,21,0,36,0,245,15,0,0,21,0,35,0,29,16,0,0,21,0,34,0,44,16,0,0,21,0,33,0,179,15,0,0,21,0,32,0,214,15,0,0,21,0,31,0,126,16,0,0,21,0,30,0,180,15,0,0,21,0,29,0,37,16,0,0,21,0,28,0,87,17,0,0,21,0,27,0,204,16,0,0,21,0,26,0,150,16,0,0,21,0,25,0,161,15,0,0,21,0,24,0,172,15,0,0,21,0,23,0,108,16,0,0,21,0,22,0,205,15,0,0,21,0,21,0,193,15,0,0,21,0,20,0,124,16,0,0,21,0,19,0,215,15,0,0,21,0,18,0,163,15,0,0,21,0,17,0,104,16,0,0,21,0,16,0,123,16,0,0,21,0,15,0,45,16,0,0,21,0,14,0,251,15,0,0,21,0,13,0,114,16,0,0,21,0,12,0,250,15,0,0,21,0,11,0,192,16,0,0,21,0,10,0,165,15,0,0,21,0,9,0,166,15,0,0,21,0,8,0,14,17,0,0,21,0,7,0,117,16,0,0,21,0,6,0,10,16,0,0,21,0,5,0,118,16,0,0,21,0,4,0,11,16,0,0,21,0,3,0,197,16,0,0,21,0,2,0,119,16,0,0,21,0,1,0,12,16,0,0,21,0,0,1,164,15,0,0,6,0,0,0,0,0,255,127,6,0,0,0,0,0,0,0,
+};
+static const unsigned char seccomp_bpf_blks_fork[] = {
+ 32,0,0,0,4,0,0,0,21,0,0,53,8,0,0,64,32,0,0,0,0,0,0,0,21,0,50,0,167,15,0,0,21,0,49,0,182,16,0,0,21,0,48,0,18,16,0,0,21,0,47,0,207,16,0,0,21,0,46,0,99,16,0,0,21,0,45,0,98,16,0,0,21,0,44,0,162,15,0,0,21,0,43,0,171,15,0,0,21,0,42,0,24,16,0,0,21,0,41,0,21,16,0,0,21,0,40,0,41,17,0,0,21,0,39,0,48,17,0,0,21,0,38,0,49,17,0,0,21,0,37,0,47,17,0,0,21,0,36,0,245,15,0,0,21,0,35,0,29,16,0,0,21,0,34,0,44,16,0,0,21,0,33,0,179,15,0,0,21,0,32,0,214,15,0,0,21,0,31,0,126,16,0,0,21,0,30,0,180,15,0,0,21,0,29,0,37,16,0,0,21,0,28,0,87,17,0,0,21,0,27,0,204,16,0,0,21,0,26,0,150,16,0,0,21,0,25,0,161,15,0,0,21,0,24,0,172,15,0,0,21,0,23,0,108,16,0,0,21,0,22,0,205,15,0,0,21,0,21,0,193,15,0,0,21,0,20,0,124,16,0,0,21,0,19,0,215,15,0,0,21,0,18,0,163,15,0,0,21,0,17,0,104,16,0,0,21,0,16,0,123,16,0,0,21,0,15,0,45,16,0,0,21,0,14,0,251,15,0,0,21,0,13,0,114,16,0,0,21,0,12,0,250,15,0,0,21,0,11,0,192,16,0,0,21,0,10,0,165,15,0,0,21,0,9,0,166,15,0,0,21,0,8,0,14,17,0,0,21,0,7,0,117,16,0,0,21,0,6,0,10,16,0,0,21,0,5,0,118,16,0,0,21,0,4,0,11,16,0,0,21,0,3,0,197,16,0,0,21,0,2,0,119,16,0,0,21,0,1,0,12,16,0,0,21,0,0,1,164,15,0,0,6,0,0,0,0,0,255,127,6,0,0,0,0,0,0,0,
+};
+#endif
+
+#if defined(__mips__) && defined(__MIPSEL__) && defined(_ABI64)
+/* MIPSEL64 */
+#define SECCOMP_BPF_AVAILABLE
+static const unsigned char seccomp_bpf_blks_base[] = {
+ 32,0,0,0,4,0,0,0,21,0,0,39,8,0,0,192,32,0,0,0,0,0,0,0,21,0,36,0,94,20,0,0,21,0,35,0,199,19,0,0,21,0,34,0,198,19,0,0,21,0,33,0,203,19,0,0,21,0,32,0,204,19,0,0,21,0,31,0,202,19,0,0,21,0,30,0,223,19,0,0,21,0,29,0,146,19,0,0,21,0,28,0,144,19,0,0,21,0,27,0,151,19,0,0,21,0,26,0,58,20,0,0,21,0,25,0,174,19,0,0,21,0,24,0,215,19,0,0,21,0,23,0,63,21,0,0,21,0,22,0,139,20,0,0,21,0,21,0,85,20,0,0,21,0,20,0,194,19,0,0,21,0,19,0,214,19,0,0,21,0,18,0,3,20,0,0,21,0,17,0,148,19,0,0,21,0,16,0,156,19,0,0,21,0,15,0,206,19,0,0,21,0,14,0,136,19,0,0,21,0,13,0,152,19,0,0,21,0,12,0,188,20,0,0,21,0,11,0,212,19,0,0,21,0,10,0,147,19,0,0,21,0,9,0,145,19,0,0,21,0,8,0,127,20,0,0,21,0,7,0,138,19,0,0,21,0,6,0,139,19,0,0,21,0,5,0,206,20,0,0,21,0,4,0,140,19,0,0,21,0,3,0,142,19,0,0,21,0,2,0,141,19,0,0,21,0,1,0,132,20,0,0,21,0,0,1,137,19,0,0,6,0,0,0,0,0,255,127,6,0,0,0,0,0,0,0,
+};
+static const unsigned char seccomp_bpf_blks_fork[] = {
+ 32,0,0,0,4,0,0,0,21,0,0,47,8,0,0,192,32,0,0,0,0,0,0,0,21,0,44,0,117,20,0,0,21,0,43,0,195,19,0,0,21,0,42,0,142,20,0,0,21,0,41,0,150,19,0,0,21,0,40,0,149,19,0,0,21,0,39,0,192,19,0,0,21,0,38,0,193,19,0,0,21,0,37,0,191,19,0,0,21,0,36,0,94,20,0,0,21,0,35,0,199,19,0,0,21,0,34,0,198,19,0,0,21,0,33,0,203,19,0,0,21,0,32,0,204,19,0,0,21,0,31,0,202,19,0,0,21,0,30,0,223,19,0,0,21,0,29,0,146,19,0,0,21,0,28,0,144,19,0,0,21,0,27,0,151,19,0,0,21,0,26,0,58,20,0,0,21,0,25,0,174,19,0,0,21,0,24,0,215,19,0,0,21,0,23,0,63,21,0,0,21,0,22,0,139,20,0,0,21,0,21,0,85,20,0,0,21,0,20,0,194,19,0,0,21,0,19,0,214,19,0,0,21,0,18,0,3,20,0,0,21,0,17,0,148,19,0,0,21,0,16,0,156,19,0,0,21,0,15,0,206,19,0,0,21,0,14,0,136,19,0,0,21,0,13,0,152,19,0,0,21,0,12,0,188,20,0,0,21,0,11,0,212,19,0,0,21,0,10,0,147,19,0,0,21,0,9,0,145,19,0,0,21,0,8,0,127,20,0,0,21,0,7,0,138,19,0,0,21,0,6,0,139,19,0,0,21,0,5,0,206,20,0,0,21,0,4,0,140,19,0,0,21,0,3,0,142,19,0,0,21,0,2,0,141,19,0,0,21,0,1,0,132,20,0,0,21,0,0,1,137,19,0,0,6,0,0,0,0,0,255,127,6,0,0,0,0,0,0,0,
+};
+#endif
+
+#if defined(__mips__) && defined(__MIPSEL__) && defined(_ABIN32)
+/* MIPSEL64N32 */
+#define SECCOMP_BPF_AVAILABLE
+static const unsigned char seccomp_bpf_blks_base[] = {
+ 32,0,0,0,4,0,0,0,21,0,0,40,8,0,0,224,32,0,0,0,0,0,0,0,21,0,37,0,71,24,0,0,21,0,36,0,175,23,0,0,21,0,35,0,174,23,0,0,21,0,34,0,179,23,0,0,21,0,33,0,180,23,0,0,21,0,32,0,178,23,0,0,21,0,31,0,199,23,0,0,21,0,30,0,122,23,0,0,21,0,29,0,120,23,0,0,21,0,28,0,127,23,0,0,21,0,27,0,34,24,0,0,21,0,26,0,150,23,0,0,21,0,25,0,191,23,0,0,21,0,24,0,39,25,0,0,21,0,23,0,119,24,0,0,21,0,22,0,61,24,0,0,21,0,21,0,170,23,0,0,21,0,20,0,190,23,0,0,21,0,19,0,235,23,0,0,21,0,18,0,124,23,0,0,21,0,17,0,132,23,0,0,21,0,16,0,68,24,0,0,21,0,15,0,182,23,0,0,21,0,14,0,112,23,0,0,21,0,13,0,128,23,0,0,21,0,12,0,155,24,0,0,21,0,11,0,188,23,0,0,21,0,10,0,123,23,0,0,21,0,9,0,121,23,0,0,21,0,8,0,107,24,0,0,21,0,7,0,114,23,0,0,21,0,6,0,115,23,0,0,21,0,5,0,186,24,0,0,21,0,4,0,116,23,0,0,21,0,3,0,118,23,0,0,21,0,2,0,117,23,0,0,21,0,1,0,112,24,0,0,21,0,0,1,113,23,0,0,6,0,0,0,0,0,255,127,6,0,0,0,0,0,0,0,
+};
+static const unsigned char seccomp_bpf_blks_fork[] = {
+ 32,0,0,0,4,0,0,0,21,0,0,48,8,0,0,224,32,0,0,0,0,0,0,0,21,0,45,0,97,24,0,0,21,0,44,0,171,23,0,0,21,0,43,0,122,24,0,0,21,0,42,0,126,23,0,0,21,0,41,0,125,23,0,0,21,0,40,0,168,23,0,0,21,0,39,0,169,23,0,0,21,0,38,0,167,23,0,0,21,0,37,0,71,24,0,0,21,0,36,0,175,23,0,0,21,0,35,0,174,23,0,0,21,0,34,0,179,23,0,0,21,0,33,0,180,23,0,0,21,0,32,0,178,23,0,0,21,0,31,0,199,23,0,0,21,0,30,0,122,23,0,0,21,0,29,0,120,23,0,0,21,0,28,0,127,23,0,0,21,0,27,0,34,24,0,0,21,0,26,0,150,23,0,0,21,0,25,0,191,23,0,0,21,0,24,0,39,25,0,0,21,0,23,0,119,24,0,0,21,0,22,0,61,24,0,0,21,0,21,0,170,23,0,0,21,0,20,0,190,23,0,0,21,0,19,0,235,23,0,0,21,0,18,0,124,23,0,0,21,0,17,0,132,23,0,0,21,0,16,0,68,24,0,0,21,0,15,0,182,23,0,0,21,0,14,0,112,23,0,0,21,0,13,0,128,23,0,0,21,0,12,0,155,24,0,0,21,0,11,0,188,23,0,0,21,0,10,0,123,23,0,0,21,0,9,0,121,23,0,0,21,0,8,0,107,24,0,0,21,0,7,0,114,23,0,0,21,0,6,0,115,23,0,0,21,0,5,0,186,24,0,0,21,0,4,0,116,23,0,0,21,0,3,0,118,23,0,0,21,0,2,0,117,23,0,0,21,0,1,0,112,24,0,0,21,0,0,1,113,23,0,0,6,0,0,0,0,0,255,127,6,0,0,0,0,0,0,0,
+};
+#endif
+
+#if defined(__hppa__) && !defined(__hppa64__)
+/* PARISC */
+#define SECCOMP_BPF_AVAILABLE
+static const unsigned char seccomp_bpf_blks_base[] = {
+ 0,32,0,0,0,0,0,4,0,21,0,45,0,0,0,15,0,32,0,0,0,0,0,0,0,21,42,0,0,0,0,228,0,21,41,0,0,0,0,185,0,21,40,0,0,0,0,186,0,21,39,0,0,0,0,188,0,21,38,0,0,0,0,189,0,21,37,0,0,0,0,190,0,21,36,0,0,0,0,85,0,21,35,0,0,0,0,125,0,21,34,0,0,0,0,140,0,21,33,0,0,0,0,19,0,21,32,0,0,0,0,54,0,21,31,0,0,0,0,206,0,21,30,0,0,0,0,20,0,21,29,0,0,0,0,133,0,21,28,0,0,0,1,183,0,21,27,0,0,0,1,31,0,21,26,0,0,0,0,222,0,21,25,0,0,0,0,1,0,21,24,0,0,0,0,12,0,21,23,0,0,0,0,106,0,21,22,0,0,0,0,45,0,21,21,0,0,0,0,33,0,21,20,0,0,0,0,202,0,21,19,0,0,0,0,55,0,21,18,0,0,0,0,3,0,21,17,0,0,0,0,108,0,21,16,0,0,0,0,201,0,21,15,0,0,0,0,141,0,21,14,0,0,0,0,91,0,21,13,0,0,0,0,89,0,21,12,0,0,0,0,90,0,21,11,0,0,0,1,19,0,21,10,0,0,0,0,5,0,21,9,0,0,0,0,6,0,21,8,0,0,0,1,93,0,21,7,0,0,0,0,101,0,21,6,0,0,0,0,18,0,21,5,0,0,0,0,198,0,21,4,0,0,0,0,84,0,21,3,0,0,0,1,24,0,21,2,0,0,0,0,112,0,21,1,0,0,0,0,28,0,21,0,1,0,0,0,4,0,6,0,0,127,255,0,0,0,6,0,0,0,0,0,0,
+};
+static const unsigned char seccomp_bpf_blks_fork[] = {
+ 0,32,0,0,0,0,0,4,0,21,0,55,0,0,0,15,0,32,0,0,0,0,0,0,0,21,52,0,0,0,0,7,0,21,51,0,0,0,0,235,0,21,50,0,0,0,0,114,0,21,49,0,0,0,0,113,0,21,48,0,0,0,1,32,0,21,47,0,0,0,0,175,0,21,46,0,0,0,0,174,0,21,45,0,0,0,0,2,0,21,44,0,0,0,0,11,0,21,43,0,0,0,0,120,0,21,42,0,0,0,0,228,0,21,41,0,0,0,0,185,0,21,40,0,0,0,0,186,0,21,39,0,0,0,0,188,0,21,38,0,0,0,0,189,0,21,37,0,0,0,0,190,0,21,36,0,0,0,0,85,0,21,35,0,0,0,0,125,0,21,34,0,0,0,0,140,0,21,33,0,0,0,0,19,0,21,32,0,0,0,0,54,0,21,31,0,0,0,0,206,0,21,30,0,0,0,0,20,0,21,29,0,0,0,0,133,0,21,28,0,0,0,1,183,0,21,27,0,0,0,1,31,0,21,26,0,0,0,0,222,0,21,25,0,0,0,0,1,0,21,24,0,0,0,0,12,0,21,23,0,0,0,0,106,0,21,22,0,0,0,0,45,0,21,21,0,0,0,0,33,0,21,20,0,0,0,0,202,0,21,19,0,0,0,0,55,0,21,18,0,0,0,0,3,0,21,17,0,0,0,0,108,0,21,16,0,0,0,0,201,0,21,15,0,0,0,0,141,0,21,14,0,0,0,0,91,0,21,13,0,0,0,0,89,0,21,12,0,0,0,0,90,0,21,11,0,0,0,1,19,0,21,10,0,0,0,0,5,0,21,9,0,0,0,0,6,0,21,8,0,0,0,1,93,0,21,7,0,0,0,0,101,0,21,6,0,0,0,0,18,0,21,5,0,0,0,0,198,0,21,4,0,0,0,0,84,0,21,3,0,0,0,1,24,0,21,2,0,0,0,0,112,0,21,1,0,0,0,0,28,0,21,0,1,0,0,0,4,0,6,0,0,127,255,0,0,0,6,0,0,0,0,0,0,
+};
+#endif
+
+#if defined(__hppa__) && defined(__hppa64__)
+/* PARISC64 */
+#define SECCOMP_BPF_AVAILABLE
+static const unsigned char seccomp_bpf_blks_base[] = {
+ 0,32,0,0,0,0,0,4,0,21,0,45,128,0,0,15,0,32,0,0,0,0,0,0,0,21,42,0,0,0,0,141,0,21,41,0,0,0,0,91,0,21,40,0,0,0,0,89,0,21,39,0,0,0,0,90,0,21,38,0,0,0,1,19,0,21,37,0,0,0,0,5,0,21,36,0,0,0,0,6,0,21,35,0,0,0,1,93,0,21,34,0,0,0,0,101,0,21,33,0,0,0,0,18,0,21,32,0,0,0,0,198,0,21,31,0,0,0,0,84,0,21,30,0,0,0,1,24,0,21,29,0,0,0,0,112,0,21,28,0,0,0,0,28,0,21,27,0,0,0,0,4,0,21,26,0,0,0,0,228,0,21,25,0,0,0,0,185,0,21,24,0,0,0,0,186,0,21,23,0,0,0,0,188,0,21,22,0,0,0,0,189,0,21,21,0,0,0,0,190,0,21,20,0,0,0,0,85,0,21,19,0,0,0,0,125,0,21,18,0,0,0,0,140,0,21,17,0,0,0,0,19,0,21,16,0,0,0,0,54,0,21,15,0,0,0,0,206,0,21,14,0,0,0,0,20,0,21,13,0,0,0,0,133,0,21,12,0,0,0,1,183,0,21,11,0,0,0,1,31,0,21,10,0,0,0,0,222,0,21,9,0,0,0,0,1,0,21,8,0,0,0,0,12,0,21,7,0,0,0,0,106,0,21,6,0,0,0,0,45,0,21,5,0,0,0,0,33,0,21,4,0,0,0,0,202,0,21,3,0,0,0,0,55,0,21,2,0,0,0,0,3,0,21,1,0,0,0,0,108,0,21,0,1,0,0,0,201,0,6,0,0,127,255,0,0,0,6,0,0,0,0,0,0,
+};
+static const unsigned char seccomp_bpf_blks_fork[] = {
+ 0,32,0,0,0,0,0,4,0,21,0,55,128,0,0,15,0,32,0,0,0,0,0,0,0,21,52,0,0,0,0,141,0,21,51,0,0,0,0,91,0,21,50,0,0,0,0,89,0,21,49,0,0,0,0,90,0,21,48,0,0,0,1,19,0,21,47,0,0,0,0,5,0,21,46,0,0,0,0,6,0,21,45,0,0,0,1,93,0,21,44,0,0,0,0,101,0,21,43,0,0,0,0,18,0,21,42,0,0,0,0,198,0,21,41,0,0,0,0,84,0,21,40,0,0,0,1,24,0,21,39,0,0,0,0,112,0,21,38,0,0,0,0,28,0,21,37,0,0,0,0,4,0,21,36,0,0,0,0,7,0,21,35,0,0,0,0,235,0,21,34,0,0,0,0,114,0,21,33,0,0,0,0,113,0,21,32,0,0,0,1,32,0,21,31,0,0,0,0,175,0,21,30,0,0,0,0,174,0,21,29,0,0,0,0,2,0,21,28,0,0,0,0,11,0,21,27,0,0,0,0,120,0,21,26,0,0,0,0,228,0,21,25,0,0,0,0,185,0,21,24,0,0,0,0,186,0,21,23,0,0,0,0,188,0,21,22,0,0,0,0,189,0,21,21,0,0,0,0,190,0,21,20,0,0,0,0,85,0,21,19,0,0,0,0,125,0,21,18,0,0,0,0,140,0,21,17,0,0,0,0,19,0,21,16,0,0,0,0,54,0,21,15,0,0,0,0,206,0,21,14,0,0,0,0,20,0,21,13,0,0,0,0,133,0,21,12,0,0,0,1,183,0,21,11,0,0,0,1,31,0,21,10,0,0,0,0,222,0,21,9,0,0,0,0,1,0,21,8,0,0,0,0,12,0,21,7,0,0,0,0,106,0,21,6,0,0,0,0,45,0,21,5,0,0,0,0,33,0,21,4,0,0,0,0,202,0,21,3,0,0,0,0,55,0,21,2,0,0,0,0,3,0,21,1,0,0,0,0,108,0,21,0,1,0,0,0,201,0,6,0,0,127,255,0,0,0,6,0,0,0,0,0,0,
+};
+#endif
+
+#if defined(__powerpc__) && !defined(__powerpc64__) && defined(__BIG_ENDIAN__)
+/* PPC */
+#define SECCOMP_BPF_AVAILABLE
+static const unsigned char seccomp_bpf_blks_base[] = {
+ 0,32,0,0,0,0,0,4,0,21,0,44,0,0,0,20,0,32,0,0,0,0,0,0,0,21,41,0,0,0,0,117,0,21,40,0,0,0,1,137,0,21,39,0,0,0,1,144,0,21,38,0,0,0,1,145,0,21,37,0,0,0,1,143,0,21,36,0,0,0,0,85,0,21,35,0,0,0,0,125,0,21,34,0,0,0,0,140,0,21,33,0,0,0,0,19,0,21,32,0,0,0,0,54,0,21,31,0,0,0,0,207,0,21,30,0,0,0,0,20,0,21,29,0,0,0,0,133,0,21,28,0,0,0,1,183,0,21,27,0,0,0,1,42,0,21,26,0,0,0,0,234,0,21,25,0,0,0,0,1,0,21,24,0,0,0,0,12,0,21,23,0,0,0,0,183,0,21,22,0,0,0,0,45,0,21,21,0,0,0,0,33,0,21,20,0,0,0,0,204,0,21,19,0,0,0,0,55,0,21,18,0,0,0,0,3,0,21,17,0,0,0,0,179,0,21,16,0,0,0,0,202,0,21,15,0,0,0,0,141,0,21,14,0,0,0,0,91,0,21,13,0,0,0,0,192,0,21,12,0,0,0,0,90,0,21,11,0,0,0,1,30,0,21,10,0,0,0,0,5,0,21,9,0,0,0,0,6,0,21,8,0,0,0,1,127,0,21,7,0,0,0,0,195,0,21,6,0,0,0,0,106,0,21,5,0,0,0,0,196,0,21,4,0,0,0,0,107,0,21,3,0,0,0,1,35,0,21,2,0,0,0,0,197,0,21,1,0,0,0,0,108,0,21,0,1,0,0,0,4,0,6,0,0,127,255,0,0,0,6,0,0,0,0,0,0,
+};
+static const unsigned char seccomp_bpf_blks_fork[] = {
+ 0,32,0,0,0,0,0,4,0,21,0,54,0,0,0,20,0,32,0,0,0,0,0,0,0,21,51,0,0,0,0,7,0,21,50,0,0,0,1,16,0,21,49,0,0,0,0,114,0,21,48,0,0,0,0,189,0,21,47,0,0,0,1,26,0,21,46,0,0,0,0,174,0,21,45,0,0,0,0,173,0,21,44,0,0,0,0,2,0,21,43,0,0,0,0,11,0,21,42,0,0,0,0,120,0,21,41,0,0,0,0,117,0,21,40,0,0,0,1,137,0,21,39,0,0,0,1,144,0,21,38,0,0,0,1,145,0,21,37,0,0,0,1,143,0,21,36,0,0,0,0,85,0,21,35,0,0,0,0,125,0,21,34,0,0,0,0,140,0,21,33,0,0,0,0,19,0,21,32,0,0,0,0,54,0,21,31,0,0,0,0,207,0,21,30,0,0,0,0,20,0,21,29,0,0,0,0,133,0,21,28,0,0,0,1,183,0,21,27,0,0,0,1,42,0,21,26,0,0,0,0,234,0,21,25,0,0,0,0,1,0,21,24,0,0,0,0,12,0,21,23,0,0,0,0,183,0,21,22,0,0,0,0,45,0,21,21,0,0,0,0,33,0,21,20,0,0,0,0,204,0,21,19,0,0,0,0,55,0,21,18,0,0,0,0,3,0,21,17,0,0,0,0,179,0,21,16,0,0,0,0,202,0,21,15,0,0,0,0,141,0,21,14,0,0,0,0,91,0,21,13,0,0,0,0,192,0,21,12,0,0,0,0,90,0,21,11,0,0,0,1,30,0,21,10,0,0,0,0,5,0,21,9,0,0,0,0,6,0,21,8,0,0,0,1,127,0,21,7,0,0,0,0,195,0,21,6,0,0,0,0,106,0,21,5,0,0,0,0,196,0,21,4,0,0,0,0,107,0,21,3,0,0,0,1,35,0,21,2,0,0,0,0,197,0,21,1,0,0,0,0,108,0,21,0,1,0,0,0,4,0,6,0,0,127,255,0,0,0,6,0,0,0,0,0,0,
+};
+#endif
+
+#if defined(__powerpc__) && defined(__powerpc64__) && defined(__BIG_ENDIAN__)
+/* PPC64 */
+#define SECCOMP_BPF_AVAILABLE
+static const unsigned char seccomp_bpf_blks_base[] = {
+ 0,32,0,0,0,0,0,4,0,21,0,40,128,0,0,21,0,32,0,0,0,0,0,0,0,21,37,0,0,0,0,117,0,21,36,0,0,0,0,85,0,21,35,0,0,0,0,125,0,21,34,0,0,0,0,140,0,21,33,0,0,0,0,19,0,21,32,0,0,0,0,54,0,21,31,0,0,0,0,207,0,21,30,0,0,0,0,20,0,21,29,0,0,0,0,133,0,21,28,0,0,0,1,183,0,21,27,0,0,0,1,42,0,21,26,0,0,0,0,234,0,21,25,0,0,0,0,1,0,21,24,0,0,0,0,12,0,21,23,0,0,0,0,183,0,21,22,0,0,0,0,45,0,21,21,0,0,0,0,33,0,21,20,0,0,0,0,55,0,21,19,0,0,0,0,3,0,21,18,0,0,0,0,179,0,21,17,0,0,0,0,202,0,21,16,0,0,0,0,141,0,21,15,0,0,0,0,91,0,21,14,0,0,0,0,90,0,21,13,0,0,0,1,30,0,21,12,0,0,0,0,5,0,21,11,0,0,0,0,6,0,21,10,0,0,0,1,127,0,21,9,0,0,0,0,106,0,21,8,0,0,0,0,107,0,21,7,0,0,0,0,108,0,21,6,0,0,0,1,35,0,21,5,0,0,0,0,4,0,21,4,0,0,0,1,136,0,21,3,0,0,0,1,137,0,21,2,0,0,0,1,143,0,21,1,0,0,0,1,144,0,21,0,1,0,0,1,145,0,6,0,0,127,255,0,0,0,6,0,0,0,0,0,0,
+};
+static const unsigned char seccomp_bpf_blks_fork[] = {
+ 0,32,0,0,0,0,0,4,0,21,0,50,128,0,0,21,0,32,0,0,0,0,0,0,0,21,47,0,0,0,0,7,0,21,46,0,0,0,1,16,0,21,45,0,0,0,0,114,0,21,44,0,0,0,0,189,0,21,43,0,0,0,1,26,0,21,42,0,0,0,0,174,0,21,41,0,0,0,0,173,0,21,40,0,0,0,0,2,0,21,39,0,0,0,0,11,0,21,38,0,0,0,0,120,0,21,37,0,0,0,0,117,0,21,36,0,0,0,0,85,0,21,35,0,0,0,0,125,0,21,34,0,0,0,0,140,0,21,33,0,0,0,0,19,0,21,32,0,0,0,0,54,0,21,31,0,0,0,0,207,0,21,30,0,0,0,0,20,0,21,29,0,0,0,0,133,0,21,28,0,0,0,1,183,0,21,27,0,0,0,1,42,0,21,26,0,0,0,0,234,0,21,25,0,0,0,0,1,0,21,24,0,0,0,0,12,0,21,23,0,0,0,0,183,0,21,22,0,0,0,0,45,0,21,21,0,0,0,0,33,0,21,20,0,0,0,0,55,0,21,19,0,0,0,0,3,0,21,18,0,0,0,0,179,0,21,17,0,0,0,0,202,0,21,16,0,0,0,0,141,0,21,15,0,0,0,0,91,0,21,14,0,0,0,0,90,0,21,13,0,0,0,1,30,0,21,12,0,0,0,0,5,0,21,11,0,0,0,0,6,0,21,10,0,0,0,1,127,0,21,9,0,0,0,0,106,0,21,8,0,0,0,0,107,0,21,7,0,0,0,0,108,0,21,6,0,0,0,1,35,0,21,5,0,0,0,0,4,0,21,4,0,0,0,1,136,0,21,3,0,0,0,1,137,0,21,2,0,0,0,1,143,0,21,1,0,0,0,1,144,0,21,0,1,0,0,1,145,0,6,0,0,127,255,0,0,0,6,0,0,0,0,0,0,
+};
+#endif
+
+#if defined(__powerpc__) && defined(__powerpc64__) && !defined(__BIG_ENDIAN__)
+/* PPC64LE */
+#define SECCOMP_BPF_AVAILABLE
+static const unsigned char seccomp_bpf_blks_base[] = {
+ 32,0,0,0,4,0,0,0,21,0,0,40,21,0,0,192,32,0,0,0,0,0,0,0,21,0,37,0,117,0,0,0,21,0,36,0,85,0,0,0,21,0,35,0,125,0,0,0,21,0,34,0,140,0,0,0,21,0,33,0,19,0,0,0,21,0,32,0,54,0,0,0,21,0,31,0,207,0,0,0,21,0,30,0,20,0,0,0,21,0,29,0,133,0,0,0,21,0,28,0,183,1,0,0,21,0,27,0,42,1,0,0,21,0,26,0,234,0,0,0,21,0,25,0,1,0,0,0,21,0,24,0,12,0,0,0,21,0,23,0,183,0,0,0,21,0,22,0,45,0,0,0,21,0,21,0,33,0,0,0,21,0,20,0,55,0,0,0,21,0,19,0,3,0,0,0,21,0,18,0,179,0,0,0,21,0,17,0,202,0,0,0,21,0,16,0,141,0,0,0,21,0,15,0,91,0,0,0,21,0,14,0,90,0,0,0,21,0,13,0,30,1,0,0,21,0,12,0,5,0,0,0,21,0,11,0,6,0,0,0,21,0,10,0,127,1,0,0,21,0,9,0,106,0,0,0,21,0,8,0,107,0,0,0,21,0,7,0,108,0,0,0,21,0,6,0,35,1,0,0,21,0,5,0,4,0,0,0,21,0,4,0,136,1,0,0,21,0,3,0,137,1,0,0,21,0,2,0,143,1,0,0,21,0,1,0,144,1,0,0,21,0,0,1,145,1,0,0,6,0,0,0,0,0,255,127,6,0,0,0,0,0,0,0,
+};
+static const unsigned char seccomp_bpf_blks_fork[] = {
+ 32,0,0,0,4,0,0,0,21,0,0,50,21,0,0,192,32,0,0,0,0,0,0,0,21,0,47,0,7,0,0,0,21,0,46,0,16,1,0,0,21,0,45,0,114,0,0,0,21,0,44,0,189,0,0,0,21,0,43,0,26,1,0,0,21,0,42,0,174,0,0,0,21,0,41,0,173,0,0,0,21,0,40,0,2,0,0,0,21,0,39,0,11,0,0,0,21,0,38,0,120,0,0,0,21,0,37,0,117,0,0,0,21,0,36,0,85,0,0,0,21,0,35,0,125,0,0,0,21,0,34,0,140,0,0,0,21,0,33,0,19,0,0,0,21,0,32,0,54,0,0,0,21,0,31,0,207,0,0,0,21,0,30,0,20,0,0,0,21,0,29,0,133,0,0,0,21,0,28,0,183,1,0,0,21,0,27,0,42,1,0,0,21,0,26,0,234,0,0,0,21,0,25,0,1,0,0,0,21,0,24,0,12,0,0,0,21,0,23,0,183,0,0,0,21,0,22,0,45,0,0,0,21,0,21,0,33,0,0,0,21,0,20,0,55,0,0,0,21,0,19,0,3,0,0,0,21,0,18,0,179,0,0,0,21,0,17,0,202,0,0,0,21,0,16,0,141,0,0,0,21,0,15,0,91,0,0,0,21,0,14,0,90,0,0,0,21,0,13,0,30,1,0,0,21,0,12,0,5,0,0,0,21,0,11,0,6,0,0,0,21,0,10,0,127,1,0,0,21,0,9,0,106,0,0,0,21,0,8,0,107,0,0,0,21,0,7,0,108,0,0,0,21,0,6,0,35,1,0,0,21,0,5,0,4,0,0,0,21,0,4,0,136,1,0,0,21,0,3,0,137,1,0,0,21,0,2,0,143,1,0,0,21,0,1,0,144,1,0,0,21,0,0,1,145,1,0,0,6,0,0,0,0,0,255,127,6,0,0,0,0,0,0,0,
+};
+#endif
+
+#if defined(__riscv) && __riscv_xlen == 64
+/* RISCV64 */
+#define SECCOMP_BPF_AVAILABLE
+static const unsigned char seccomp_bpf_blks_base[] = {
+ 32,0,0,0,4,0,0,0,21,0,0,33,243,0,0,192,32,0,0,0,0,0,0,0,21,0,30,0,192,0,0,0,21,0,29,0,193,0,0,0,21,0,28,0,190,0,0,0,21,0,27,0,189,0,0,0,21,0,26,0,188,0,0,0,21,0,25,0,186,0,0,0,21,0,24,0,226,0,0,0,21,0,23,0,62,0,0,0,21,0,22,0,29,0,0,0,21,0,21,0,178,0,0,0,21,0,20,0,172,0,0,0,21,0,19,0,50,0,0,0,21,0,18,0,183,1,0,0,21,0,17,0,48,0,0,0,21,0,16,0,94,0,0,0,21,0,15,0,93,0,0,0,21,0,14,0,49,0,0,0,21,0,13,0,90,0,0,0,21,0,12,0,214,0,0,0,21,0,11,0,25,0,0,0,21,0,10,0,63,0,0,0,21,0,9,0,67,0,0,0,21,0,8,0,61,0,0,0,21,0,7,0,215,0,0,0,21,0,6,0,222,0,0,0,21,0,5,0,56,0,0,0,21,0,4,0,57,0,0,0,21,0,3,0,35,1,0,0,21,0,2,0,80,0,0,0,21,0,1,0,79,0,0,0,21,0,0,1,64,0,0,0,6,0,0,0,0,0,255,127,6,0,0,0,0,0,0,0,
+};
+static const unsigned char seccomp_bpf_blks_fork[] = {
+ 32,0,0,0,4,0,0,0,21,0,0,40,243,0,0,192,32,0,0,0,0,0,0,0,21,0,37,0,4,1,0,0,21,0,36,0,97,0,0,0,21,0,35,0,135,0,0,0,21,0,34,0,134,0,0,0,21,0,33,0,221,0,0,0,21,0,32,0,220,0,0,0,21,0,31,0,192,0,0,0,21,0,30,0,193,0,0,0,21,0,29,0,190,0,0,0,21,0,28,0,189,0,0,0,21,0,27,0,188,0,0,0,21,0,26,0,186,0,0,0,21,0,25,0,226,0,0,0,21,0,24,0,62,0,0,0,21,0,23,0,29,0,0,0,21,0,22,0,178,0,0,0,21,0,21,0,172,0,0,0,21,0,20,0,50,0,0,0,21,0,19,0,183,1,0,0,21,0,18,0,48,0,0,0,21,0,17,0,94,0,0,0,21,0,16,0,93,0,0,0,21,0,15,0,49,0,0,0,21,0,14,0,90,0,0,0,21,0,13,0,214,0,0,0,21,0,12,0,25,0,0,0,21,0,11,0,63,0,0,0,21,0,10,0,67,0,0,0,21,0,9,0,61,0,0,0,21,0,8,0,215,0,0,0,21,0,7,0,222,0,0,0,21,0,6,0,56,0,0,0,21,0,5,0,57,0,0,0,21,0,4,0,35,1,0,0,21,0,3,0,80,0,0,0,21,0,2,0,79,0,0,0,21,0,1,0,64,0,0,0,21,0,0,1,95,0,0,0,6,0,0,0,0,0,255,127,6,0,0,0,0,0,0,0,
+};
+#endif
+
+#if defined(__s390__) && !defined(__s390x__)
+/* S390 */
+#define SECCOMP_BPF_AVAILABLE
+static const unsigned char seccomp_bpf_blks_base[] = {
+ 0,32,0,0,0,0,0,4,0,21,0,45,0,0,0,22,0,32,0,0,0,0,0,0,0,21,42,0,0,0,0,117,0,21,41,0,0,0,0,85,0,21,40,0,0,0,0,125,0,21,39,0,0,0,0,140,0,21,38,0,0,0,0,19,0,21,37,0,0,0,0,54,0,21,36,0,0,0,0,236,0,21,35,0,0,0,0,20,0,21,34,0,0,0,0,133,0,21,33,0,0,0,1,183,0,21,32,0,0,0,1,44,0,21,31,0,0,0,0,248,0,21,30,0,0,0,0,1,0,21,29,0,0,0,0,12,0,21,28,0,0,0,0,184,0,21,27,0,0,0,0,45,0,21,26,0,0,0,0,33,0,21,25,0,0,0,0,221,0,21,24,0,0,0,0,55,0,21,23,0,0,0,0,3,0,21,22,0,0,0,0,180,0,21,21,0,0,0,0,220,0,21,20,0,0,0,0,141,0,21,19,0,0,0,0,91,0,21,18,0,0,0,0,192,0,21,17,0,0,0,0,90,0,21,16,0,0,0,1,32,0,21,15,0,0,0,0,5,0,21,14,0,0,0,0,6,0,21,13,0,0,0,1,123,0,21,12,0,0,0,0,195,0,21,11,0,0,0,0,106,0,21,10,0,0,0,0,196,0,21,9,0,0,0,0,107,0,21,8,0,0,0,1,37,0,21,7,0,0,0,0,197,0,21,6,0,0,0,0,108,0,21,5,0,0,0,0,4,0,21,4,0,0,0,1,136,0,21,3,0,0,0,1,137,0,21,2,0,0,0,1,143,0,21,1,0,0,0,1,144,0,21,0,1,0,0,1,145,0,6,0,0,127,255,0,0,0,6,0,0,0,0,0,0,
+};
+static const unsigned char seccomp_bpf_blks_fork[] = {
+ 0,32,0,0,0,0,0,4,0,21,0,54,0,0,0,22,0,32,0,0,0,0,0,0,0,21,51,0,0,0,1,25,0,21,50,0,0,0,0,114,0,21,49,0,0,0,0,190,0,21,48,0,0,0,1,47,0,21,47,0,0,0,0,175,0,21,46,0,0,0,0,174,0,21,45,0,0,0,0,2,0,21,44,0,0,0,0,11,0,21,43,0,0,0,0,120,0,21,42,0,0,0,0,117,0,21,41,0,0,0,0,85,0,21,40,0,0,0,0,125,0,21,39,0,0,0,0,140,0,21,38,0,0,0,0,19,0,21,37,0,0,0,0,54,0,21,36,0,0,0,0,236,0,21,35,0,0,0,0,20,0,21,34,0,0,0,0,133,0,21,33,0,0,0,1,183,0,21,32,0,0,0,1,44,0,21,31,0,0,0,0,248,0,21,30,0,0,0,0,1,0,21,29,0,0,0,0,12,0,21,28,0,0,0,0,184,0,21,27,0,0,0,0,45,0,21,26,0,0,0,0,33,0,21,25,0,0,0,0,221,0,21,24,0,0,0,0,55,0,21,23,0,0,0,0,3,0,21,22,0,0,0,0,180,0,21,21,0,0,0,0,220,0,21,20,0,0,0,0,141,0,21,19,0,0,0,0,91,0,21,18,0,0,0,0,192,0,21,17,0,0,0,0,90,0,21,16,0,0,0,1,32,0,21,15,0,0,0,0,5,0,21,14,0,0,0,0,6,0,21,13,0,0,0,1,123,0,21,12,0,0,0,0,195,0,21,11,0,0,0,0,106,0,21,10,0,0,0,0,196,0,21,9,0,0,0,0,107,0,21,8,0,0,0,1,37,0,21,7,0,0,0,0,197,0,21,6,0,0,0,0,108,0,21,5,0,0,0,0,4,0,21,4,0,0,0,1,136,0,21,3,0,0,0,1,137,0,21,2,0,0,0,1,143,0,21,1,0,0,0,1,144,0,21,0,1,0,0,1,145,0,6,0,0,127,255,0,0,0,6,0,0,0,0,0,0,
+};
+#endif
+
+#if defined(__s390__) && defined(__s390x__)
+/* S390X */
+#define SECCOMP_BPF_AVAILABLE
+static const unsigned char seccomp_bpf_blks_base[] = {
+ 0,32,0,0,0,0,0,4,0,21,0,39,128,0,0,22,0,32,0,0,0,0,0,0,0,21,36,0,0,0,0,117,0,21,35,0,0,0,0,85,0,21,34,0,0,0,0,125,0,21,33,0,0,0,0,19,0,21,32,0,0,0,0,54,0,21,31,0,0,0,0,236,0,21,30,0,0,0,0,20,0,21,29,0,0,0,0,133,0,21,28,0,0,0,1,183,0,21,27,0,0,0,1,44,0,21,26,0,0,0,0,248,0,21,25,0,0,0,0,1,0,21,24,0,0,0,0,12,0,21,23,0,0,0,0,184,0,21,22,0,0,0,0,45,0,21,21,0,0,0,0,33,0,21,20,0,0,0,0,55,0,21,19,0,0,0,0,3,0,21,18,0,0,0,0,180,0,21,17,0,0,0,0,220,0,21,16,0,0,0,0,141,0,21,15,0,0,0,0,91,0,21,14,0,0,0,0,90,0,21,13,0,0,0,1,32,0,21,12,0,0,0,0,5,0,21,11,0,0,0,0,6,0,21,10,0,0,0,1,123,0,21,9,0,0,0,0,106,0,21,8,0,0,0,0,107,0,21,7,0,0,0,0,108,0,21,6,0,0,0,1,37,0,21,5,0,0,0,0,4,0,21,4,0,0,0,1,136,0,21,3,0,0,0,1,137,0,21,2,0,0,0,1,143,0,21,1,0,0,0,1,144,0,21,0,1,0,0,1,145,0,6,0,0,127,255,0,0,0,6,0,0,0,0,0,0,
+};
+static const unsigned char seccomp_bpf_blks_fork[] = {
+ 0,32,0,0,0,0,0,4,0,21,0,48,128,0,0,22,0,32,0,0,0,0,0,0,0,21,45,0,0,0,1,25,0,21,44,0,0,0,0,114,0,21,43,0,0,0,0,190,0,21,42,0,0,0,1,47,0,21,41,0,0,0,0,175,0,21,40,0,0,0,0,174,0,21,39,0,0,0,0,2,0,21,38,0,0,0,0,11,0,21,37,0,0,0,0,120,0,21,36,0,0,0,0,117,0,21,35,0,0,0,0,85,0,21,34,0,0,0,0,125,0,21,33,0,0,0,0,19,0,21,32,0,0,0,0,54,0,21,31,0,0,0,0,236,0,21,30,0,0,0,0,20,0,21,29,0,0,0,0,133,0,21,28,0,0,0,1,183,0,21,27,0,0,0,1,44,0,21,26,0,0,0,0,248,0,21,25,0,0,0,0,1,0,21,24,0,0,0,0,12,0,21,23,0,0,0,0,184,0,21,22,0,0,0,0,45,0,21,21,0,0,0,0,33,0,21,20,0,0,0,0,55,0,21,19,0,0,0,0,3,0,21,18,0,0,0,0,180,0,21,17,0,0,0,0,220,0,21,16,0,0,0,0,141,0,21,15,0,0,0,0,91,0,21,14,0,0,0,0,90,0,21,13,0,0,0,1,32,0,21,12,0,0,0,0,5,0,21,11,0,0,0,0,6,0,21,10,0,0,0,1,123,0,21,9,0,0,0,0,106,0,21,8,0,0,0,0,107,0,21,7,0,0,0,0,108,0,21,6,0,0,0,1,37,0,21,5,0,0,0,0,4,0,21,4,0,0,0,1,136,0,21,3,0,0,0,1,137,0,21,2,0,0,0,1,143,0,21,1,0,0,0,1,144,0,21,0,1,0,0,1,145,0,6,0,0,127,255,0,0,0,6,0,0,0,0,0,0,
+};
+#endif
+
+#if defined(__i386__)
+/* X86 */
+#define SECCOMP_BPF_AVAILABLE
+static const unsigned char seccomp_bpf_blks_base[] = {
+ 32,0,0,0,4,0,0,0,21,0,0,44,3,0,0,64,32,0,0,0,0,0,0,0,21,0,41,0,117,0,0,0,21,0,40,0,85,0,0,0,21,0,39,0,125,0,0,0,21,0,38,0,140,0,0,0,21,0,37,0,19,0,0,0,21,0,36,0,54,0,0,0,21,0,35,0,224,0,0,0,21,0,34,0,20,0,0,0,21,0,33,0,133,0,0,0,21,0,32,0,183,1,0,0,21,0,31,0,51,1,0,0,21,0,30,0,252,0,0,0,21,0,29,0,1,0,0,0,21,0,28,0,12,0,0,0,21,0,27,0,184,0,0,0,21,0,26,0,45,0,0,0,21,0,25,0,33,0,0,0,21,0,24,0,221,0,0,0,21,0,23,0,55,0,0,0,21,0,22,0,3,0,0,0,21,0,21,0,180,0,0,0,21,0,20,0,220,0,0,0,21,0,19,0,141,0,0,0,21,0,18,0,91,0,0,0,21,0,17,0,192,0,0,0,21,0,16,0,90,0,0,0,21,0,15,0,39,1,0,0,21,0,14,0,5,0,0,0,21,0,13,0,6,0,0,0,21,0,12,0,127,1,0,0,21,0,11,0,195,0,0,0,21,0,10,0,106,0,0,0,21,0,9,0,196,0,0,0,21,0,8,0,107,0,0,0,21,0,7,0,44,1,0,0,21,0,6,0,197,0,0,0,21,0,5,0,108,0,0,0,21,0,4,0,4,0,0,0,21,0,3,0,137,1,0,0,21,0,2,0,143,1,0,0,21,0,1,0,144,1,0,0,21,0,0,1,145,1,0,0,6,0,0,0,0,0,255,127,6,0,0,0,0,0,0,0,
+};
+static const unsigned char seccomp_bpf_blks_fork[] = {
+ 32,0,0,0,4,0,0,0,21,0,0,54,3,0,0,64,32,0,0,0,0,0,0,0,21,0,51,0,7,0,0,0,21,0,50,0,28,1,0,0,21,0,49,0,114,0,0,0,21,0,48,0,190,0,0,0,21,0,47,0,54,1,0,0,21,0,46,0,175,0,0,0,21,0,45,0,174,0,0,0,21,0,44,0,2,0,0,0,21,0,43,0,11,0,0,0,21,0,42,0,120,0,0,0,21,0,41,0,117,0,0,0,21,0,40,0,85,0,0,0,21,0,39,0,125,0,0,0,21,0,38,0,140,0,0,0,21,0,37,0,19,0,0,0,21,0,36,0,54,0,0,0,21,0,35,0,224,0,0,0,21,0,34,0,20,0,0,0,21,0,33,0,133,0,0,0,21,0,32,0,183,1,0,0,21,0,31,0,51,1,0,0,21,0,30,0,252,0,0,0,21,0,29,0,1,0,0,0,21,0,28,0,12,0,0,0,21,0,27,0,184,0,0,0,21,0,26,0,45,0,0,0,21,0,25,0,33,0,0,0,21,0,24,0,221,0,0,0,21,0,23,0,55,0,0,0,21,0,22,0,3,0,0,0,21,0,21,0,180,0,0,0,21,0,20,0,220,0,0,0,21,0,19,0,141,0,0,0,21,0,18,0,91,0,0,0,21,0,17,0,192,0,0,0,21,0,16,0,90,0,0,0,21,0,15,0,39,1,0,0,21,0,14,0,5,0,0,0,21,0,13,0,6,0,0,0,21,0,12,0,127,1,0,0,21,0,11,0,195,0,0,0,21,0,10,0,106,0,0,0,21,0,9,0,196,0,0,0,21,0,8,0,107,0,0,0,21,0,7,0,44,1,0,0,21,0,6,0,197,0,0,0,21,0,5,0,108,0,0,0,21,0,4,0,4,0,0,0,21,0,3,0,137,1,0,0,21,0,2,0,143,1,0,0,21,0,1,0,144,1,0,0,21,0,0,1,145,1,0,0,6,0,0,0,0,0,255,127,6,0,0,0,0,0,0,0,
+};
+#endif
+
+#if defined(__x86_64__) && defined(__ILP32__)
+/* X32 */
+#define SECCOMP_BPF_AVAILABLE
+static const unsigned char seccomp_bpf_blks_base[] = {
+ 32,0,0,0,4,0,0,0,21,0,0,40,62,0,0,192,32,0,0,0,0,0,0,0,53,0,0,38,0,0,0,64,21,0,36,0,220,0,0,64,21,0,35,0,65,0,0,64,21,0,34,0,64,0,0,64,21,0,33,0,69,0,0,64,21,0,32,0,70,0,0,64,21,0,31,0,68,0,0,64,21,0,30,0,89,0,0,64,21,0,29,0,10,0,0,64,21,0,28,0,8,0,0,64,21,0,27,0,2,2,0,64,21,0,26,0,186,0,0,64,21,0,25,0,39,0,0,64,21,0,24,0,81,0,0,64,21,0,23,0,183,1,0,64,21,0,22,0,13,1,0,64,21,0,21,0,231,0,0,64,21,0,20,0,60,0,0,64,21,0,19,0,80,0,0,64,21,0,18,0,125,0,0,64,21,0,17,0,12,0,0,64,21,0,16,0,21,0,0,64,21,0,15,0,72,0,0,64,21,0,14,0,0,0,0,64,21,0,13,0,17,0,0,64,21,0,12,0,217,0,0,64,21,0,11,0,78,0,0,64,21,0,10,0,11,0,0,64,21,0,9,0,9,0,0,64,21,0,8,0,1,1,0,64,21,0,7,0,2,0,0,64,21,0,6,0,3,0,0,64,21,0,5,0,76,1,0,64,21,0,4,0,4,0,0,64,21,0,3,0,6,0,0,64,21,0,2,0,5,0,0,64,21,0,1,0,6,1,0,64,21,0,0,1,1,0,0,64,6,0,0,0,0,0,255,127,6,0,0,0,0,0,0,0,
+};
+static const unsigned char seccomp_bpf_blks_fork[] = {
+ 32,0,0,0,4,0,0,0,21,0,0,49,62,0,0,192,32,0,0,0,0,0,0,0,53,0,0,47,0,0,0,64,21,0,45,0,17,2,0,64,21,0,44,0,61,0,0,64,21,0,43,0,58,0,0,64,21,0,42,0,16,1,0,64,21,0,41,0,14,0,0,64,21,0,40,0,0,2,0,64,21,0,39,0,57,0,0,64,21,0,38,0,8,2,0,64,21,0,37,0,56,0,0,64,21,0,36,0,220,0,0,64,21,0,35,0,65,0,0,64,21,0,34,0,64,0,0,64,21,0,33,0,69,0,0,64,21,0,32,0,70,0,0,64,21,0,31,0,68,0,0,64,21,0,30,0,89,0,0,64,21,0,29,0,10,0,0,64,21,0,28,0,8,0,0,64,21,0,27,0,2,2,0,64,21,0,26,0,186,0,0,64,21,0,25,0,39,0,0,64,21,0,24,0,81,0,0,64,21,0,23,0,183,1,0,64,21,0,22,0,13,1,0,64,21,0,21,0,231,0,0,64,21,0,20,0,60,0,0,64,21,0,19,0,80,0,0,64,21,0,18,0,125,0,0,64,21,0,17,0,12,0,0,64,21,0,16,0,21,0,0,64,21,0,15,0,72,0,0,64,21,0,14,0,0,0,0,64,21,0,13,0,17,0,0,64,21,0,12,0,217,0,0,64,21,0,11,0,78,0,0,64,21,0,10,0,11,0,0,64,21,0,9,0,9,0,0,64,21,0,8,0,1,1,0,64,21,0,7,0,2,0,0,64,21,0,6,0,3,0,0,64,21,0,5,0,76,1,0,64,21,0,4,0,4,0,0,64,21,0,3,0,6,0,0,64,21,0,2,0,5,0,0,64,21,0,1,0,6,1,0,64,21,0,0,1,1,0,0,64,6,0,0,0,0,0,255,127,6,0,0,0,0,0,0,0,
+};
+#endif
+
+#if defined(__x86_64__) && !defined(__ILP32__)
+/* X86_64 */
+#define SECCOMP_BPF_AVAILABLE
+static const unsigned char seccomp_bpf_blks_base[] = {
+ 32,0,0,0,4,0,0,0,21,0,0,41,62,0,0,192,32,0,0,0,0,0,0,0,53,0,0,1,0,0,0,64,21,0,0,38,255,255,255,255,21,0,36,0,16,0,0,0,21,0,35,0,186,0,0,0,21,0,34,0,39,0,0,0,21,0,33,0,81,0,0,0,21,0,32,0,183,1,0,0,21,0,31,0,13,1,0,0,21,0,30,0,231,0,0,0,21,0,29,0,60,0,0,0,21,0,28,0,80,0,0,0,21,0,27,0,125,0,0,0,21,0,26,0,12,0,0,0,21,0,25,0,21,0,0,0,21,0,24,0,72,0,0,0,21,0,23,0,0,0,0,0,21,0,22,0,17,0,0,0,21,0,21,0,217,0,0,0,21,0,20,0,78,0,0,0,21,0,19,0,11,0,0,0,21,0,18,0,9,0,0,0,21,0,17,0,1,1,0,0,21,0,16,0,2,0,0,0,21,0,15,0,3,0,0,0,21,0,14,0,76,1,0,0,21,0,13,0,4,0,0,0,21,0,12,0,6,0,0,0,21,0,11,0,5,0,0,0,21,0,10,0,6,1,0,0,21,0,9,0,1,0,0,0,21,0,8,0,220,0,0,0,21,0,7,0,65,0,0,0,21,0,6,0,64,0,0,0,21,0,5,0,69,0,0,0,21,0,4,0,70,0,0,0,21,0,3,0,68,0,0,0,21,0,2,0,89,0,0,0,21,0,1,0,10,0,0,0,21,0,0,1,8,0,0,0,6,0,0,0,0,0,255,127,6,0,0,0,0,0,0,0,
+};
+static const unsigned char seccomp_bpf_blks_fork[] = {
+ 32,0,0,0,4,0,0,0,21,0,0,50,62,0,0,192,32,0,0,0,0,0,0,0,53,0,0,1,0,0,0,64,21,0,0,47,255,255,255,255,21,0,45,0,16,0,0,0,21,0,44,0,186,0,0,0,21,0,43,0,39,0,0,0,21,0,42,0,81,0,0,0,21,0,41,0,183,1,0,0,21,0,40,0,13,1,0,0,21,0,39,0,231,0,0,0,21,0,38,0,60,0,0,0,21,0,37,0,80,0,0,0,21,0,36,0,125,0,0,0,21,0,35,0,12,0,0,0,21,0,34,0,21,0,0,0,21,0,33,0,72,0,0,0,21,0,32,0,0,0,0,0,21,0,31,0,17,0,0,0,21,0,30,0,217,0,0,0,21,0,29,0,78,0,0,0,21,0,28,0,11,0,0,0,21,0,27,0,9,0,0,0,21,0,26,0,1,1,0,0,21,0,25,0,2,0,0,0,21,0,24,0,3,0,0,0,21,0,23,0,76,1,0,0,21,0,22,0,4,0,0,0,21,0,21,0,6,0,0,0,21,0,20,0,5,0,0,0,21,0,19,0,6,1,0,0,21,0,18,0,1,0,0,0,21,0,17,0,247,0,0,0,21,0,16,0,61,0,0,0,21,0,15,0,58,0,0,0,21,0,14,0,16,1,0,0,21,0,13,0,14,0,0,0,21,0,12,0,13,0,0,0,21,0,11,0,57,0,0,0,21,0,10,0,59,0,0,0,21,0,9,0,56,0,0,0,21,0,8,0,220,0,0,0,21,0,7,0,65,0,0,0,21,0,6,0,64,0,0,0,21,0,5,0,69,0,0,0,21,0,4,0,70,0,0,0,21,0,3,0,68,0,0,0,21,0,2,0,89,0,0,0,21,0,1,0,10,0,0,0,21,0,0,1,8,0,0,0,6,0,0,0,0,0,255,127,6,0,0,0,0,0,0,0,
+};
+#endif
+
+#ifdef SECCOMP_BPF_AVAILABLE
+typedef struct {
+ uint16_t cnt;
+ const void *bpf;
+} seccomp_bpf_program_t;
+static const seccomp_bpf_program_t seccomp_bpf_program_base = {
+ .cnt = sizeof(seccomp_bpf_blks_base) / 8,
+ .bpf = seccomp_bpf_blks_base,
+};
+static const seccomp_bpf_program_t seccomp_bpf_program_fork = {
+ .cnt = sizeof(seccomp_bpf_blks_fork) / 8,
+ .bpf = seccomp_bpf_blks_fork,
+};
+#endif
diff --git a/security.c b/security.c
index 802e586..4fecfa3 100644
--- a/security.c
+++ b/security.c
@@ -6,6 +6,7 @@
*/
#include "paxinc.h"
+#include "seccomp-bpf.h"
#ifdef __linux__
@@ -26,202 +27,23 @@
#define CLONE_NEWUTS 0
#endif
+#ifndef PR_SET_SECCOMP
+#define PR_SET_SECCOMP 22
+#endif
+#ifndef SECCOMP_MODE_FILTER
+#define SECCOMP_MODE_FILTER 2
+#endif
+
#ifdef __SANITIZE_ADDRESS__
/* ASAN does some weird stuff. */
# define ALLOW_PIDNS 0
+# undef WANT_SECCOMP
#else
# define ALLOW_PIDNS 1
#endif
-#ifdef WANT_SECCOMP
-# include <seccomp.h>
-
-/* Simple helper to add all of the syscalls in an array. */
-static int pax_seccomp_rules_add(scmp_filter_ctx ctx, int syscalls[], size_t num)
-{
- static uint8_t prio;
- size_t i;
- for (i = 0; i < num; ++i) {
- if (syscalls[i] < 0)
- continue;
-
- if (seccomp_syscall_priority(ctx, syscalls[i], prio++) < 0) {
- warnp("seccomp_syscall_priority failed");
- return -1;
- }
- if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, syscalls[i], 0) < 0) {
- warnp("seccomp_rule_add failed");
- return -1;
- }
- }
- return 0;
-}
-#define pax_seccomp_rules_add(ctx, syscalls) pax_seccomp_rules_add(ctx, syscalls, ARRAY_SIZE(syscalls))
-
-static void
-pax_seccomp_sigal(__unused__ int signo, siginfo_t *info, __unused__ void *context)
-{
-#ifdef si_syscall
- warn("seccomp violated: syscall %i", info->si_syscall);
- fflush(stderr);
- warn(" syscall = %s",
- seccomp_syscall_resolve_num_arch(seccomp_arch_native(), info->si_syscall));
- fflush(stderr);
-#else
- warn("seccomp violated: syscall unknown (no si_syscall)");
-#endif
- kill(getpid(), SIGSYS);
- _exit(1);
-}
-
-static void pax_seccomp_signal_init(void)
-{
- struct sigaction act;
- sigemptyset(&act.sa_mask);
- act.sa_sigaction = pax_seccomp_sigal,
- act.sa_flags = SA_SIGINFO | SA_RESETHAND;
- sigaction(SIGSYS, &act, NULL);
-}
-
-static void pax_seccomp_init(bool allow_forking)
-{
- /* Order determines priority (first == lowest prio). */
- int base_syscalls[] = {
- /* We write the most w/scanelf. */
- SCMP_SYS(write),
- SCMP_SYS(writev),
- SCMP_SYS(pwrite64),
- SCMP_SYS(pwritev),
-
- /* Then the stat family of functions. */
- SCMP_SYS(newfstatat),
- SCMP_SYS(fstat),
- SCMP_SYS(fstat64),
- SCMP_SYS(fstatat64),
- SCMP_SYS(lstat),
- SCMP_SYS(lstat64),
- SCMP_SYS(stat),
- SCMP_SYS(stat64),
- SCMP_SYS(statx),
-
- /* Then the fd close func. */
- SCMP_SYS(close),
-
- /* Then fd open family of functions. */
- SCMP_SYS(open),
- SCMP_SYS(openat),
-
- /* Then the memory mapping functions. */
- SCMP_SYS(mmap),
- SCMP_SYS(mmap2),
- SCMP_SYS(munmap),
-
- /* Then the directory reading functions. */
- SCMP_SYS(getdents),
- SCMP_SYS(getdents64),
-
- /* Then the file reading functions. */
- SCMP_SYS(pread64),
- SCMP_SYS(read),
- SCMP_SYS(readv),
- SCMP_SYS(preadv),
-
- /* Then the fd manipulation functions. */
- SCMP_SYS(fcntl),
- SCMP_SYS(fcntl64),
-
- /* After this point, just sort the list alphabetically. */
- SCMP_SYS(access),
- SCMP_SYS(brk),
- SCMP_SYS(capget),
- SCMP_SYS(chdir),
- SCMP_SYS(dup),
- SCMP_SYS(dup2),
- SCMP_SYS(dup3),
- SCMP_SYS(exit),
- SCMP_SYS(exit_group),
- SCMP_SYS(faccessat),
- SCMP_SYS(fchdir),
- SCMP_SYS(getpid),
- SCMP_SYS(gettid),
- SCMP_SYS(ioctl),
- SCMP_SYS(lseek),
- SCMP_SYS(_llseek),
- SCMP_SYS(mprotect),
-
- /* Syscalls listed because of compiler settings. */
- SCMP_SYS(futex),
-
- /* Syscalls listed because of sandbox. */
- SCMP_SYS(readlink),
- SCMP_SYS(readlinkat),
- SCMP_SYS(getcwd),
- #ifndef __SNR_faccessat2
- /* faccessat2 is not yet defiled in latest libseccomp-2.5.1 */
- # define __SNR_faccessat2 __NR_faccessat2
- #endif
- SCMP_SYS(faccessat2),
-
- /* Syscalls listed because of fakeroot. */
- SCMP_SYS(msgget),
- SCMP_SYS(msgrcv),
- SCMP_SYS(msgsnd),
- SCMP_SYS(semget),
- SCMP_SYS(semop),
- SCMP_SYS(semtimedop),
- /*
- * Some targets like ppc and i386 implement the above
- * syscall as subcalls via ipc() syscall.
- * https://bugs.gentoo.org/675378
- */
- SCMP_SYS(ipc),
- };
- int fork_syscalls[] = {
- SCMP_SYS(clone),
- SCMP_SYS(execve),
- SCMP_SYS(fork),
- SCMP_SYS(rt_sigaction),
- SCMP_SYS(rt_sigprocmask),
- SCMP_SYS(unshare),
- SCMP_SYS(vfork),
- SCMP_SYS(wait4),
- SCMP_SYS(waitid),
- SCMP_SYS(waitpid),
- };
- scmp_filter_ctx ctx = seccomp_init(USE_DEBUG ? SCMP_ACT_TRAP : SCMP_ACT_KILL);
- if (!ctx) {
- warnp("seccomp_init failed");
- return;
- }
-
- if (pax_seccomp_rules_add(ctx, base_syscalls) < 0)
- goto done;
-
- if (allow_forking)
- if (pax_seccomp_rules_add(ctx, fork_syscalls) < 0)
- goto done;
-
- /* We already called prctl. */
- seccomp_attr_set(ctx, SCMP_FLTATR_CTL_NNP, 0);
-
- if (USE_DEBUG)
- pax_seccomp_signal_init();
-
-#ifndef __SANITIZE_ADDRESS__
- /* ASAN does some weird stuff. */
- if (seccomp_load(ctx) < 0) {
- /* We have to assume that EINVAL == CONFIG_SECCOMP is disabled. */
- if (errno != EINVAL)
- warnp("seccomp_load failed");
- }
-#endif
-
- done:
- seccomp_release(ctx);
-}
-
-#else
-# define pax_seccomp_init(allow_forking)
+#ifndef SECCOMP_BPF_AVAILABLE
+# undef WANT_SECCOMP
#endif
static int ns_unshare(int flags)
@@ -308,7 +130,19 @@ void security_init(bool allow_forking)
_exit(0);
}
- pax_seccomp_init(allow_forking);
+#ifdef WANT_SECCOMP
+ {
+ int ret;
+
+ if (allow_forking)
+ ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &seccomp_bpf_program_fork);
+ else
+ ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &seccomp_bpf_program_base);
+
+ if (ret)
+ warn("enabling seccomp failed");
+ }
+#endif
}
#endif