本文整理汇总了C++中BPF_STMT函数的典型用法代码示例。如果您正苦于以下问题:C++ BPF_STMT函数的具体用法?C++ BPF_STMT怎么用?C++ BPF_STMT使用的例子?那么恭喜您, 这里精选的函数代码示例或许可以为您提供帮助。
在下文中一共展示了BPF_STMT函数的15个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的C++代码示例。
示例1: enable_setter_seccomp
/* Returns 0 if the the sandbox is enabled using
* the time setter policy.
*/
int
enable_setter_seccomp (void)
{
static const struct sock_filter insns[] =
{
/* Ensure the syscall arch convention is as expected. */
BPF_STMT (BPF_LD+BPF_W+BPF_ABS,
offsetof (struct seccomp_data, arch)),
BPF_JUMP (BPF_JMP+BPF_JEQ+BPF_K, SECCOMP_AUDIT_ARCH, 1, 0),
BPF_STMT (BPF_RET+BPF_K, SECCOMP_FILTER_FAIL),
/* Load the syscall number for checking. */
BPF_STMT (BPF_LD+BPF_W+BPF_ABS,
offsetof (struct seccomp_data, nr)),
/* Process ALLOWs as quickly as possible */
SC_ALLOW (read),
SC_ALLOW (write),
SC_ALLOW (pwritev),
SC_ALLOW (settimeofday),
SC_ALLOW (ioctl), /* TODO(wad) filter for fd and RTC_SET_TIME */
#ifdef __NR_time /* This is required for x86 systems */
SC_ALLOW (time),
#endif
SC_ALLOW (lseek),
SC_ALLOW (close),
SC_ALLOW (munmap),
SC_ALLOW (exit_group),
SC_ALLOW (exit),
SC_DENY (open, EINVAL),
SC_DENY (fcntl, EINVAL),
SC_DENY (fstat, EINVAL),
#ifdef __NR_mmap
SC_DENY (mmap, EINVAL),
#endif
#ifdef __NR_mmap2
SC_DENY (mmap2, EINVAL),
#endif
#ifdef __NR_sendto
SC_DENY (sendto, EINVAL),
#endif
#ifdef __NR_socket
SC_DENY (socket, EINVAL),
#endif
#ifdef __NR_socketcall
SC_DENY (socketcall, EINVAL),
#endif
BPF_STMT (BPF_RET+BPF_K, SECCOMP_FILTER_FAIL),
};
static const struct sock_fprog prog =
{
.len = (unsigned short) (sizeof (insns) /sizeof (insns[0])),
.filter = (struct sock_filter *) insns,
};
return (prctl (PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
prctl (PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog));
}
示例2: _darwinEthernet_SetFilter
/**
* Create the berkeley packet filter for our ethertype
*
* Creates a BPF for our ether type.
*
* @param [in,out] ether The MetisGenericEther to modify
*
* @retval true success
* @retval false failure
*
* Example:
* @code
* <#example#>
* @endcode
*/
static bool
_darwinEthernet_SetFilter(MetisGenericEther *ether)
{
struct bpf_program filterCode = { 0 };
// BPF instructions:
// Load 12 to accumulator (offset of ethertype)
// Jump Equal to netbyteorder_ethertype 0 instructions, otherwise 1 instruction
// 0: return a length of -1 (meaning whole packet)
// 1: return a length of 0 (meaning skip packet)
struct bpf_insn instructions[] = {
BPF_STMT(BPF_LD + BPF_H + BPF_ABS, 12),
BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, 0x0801, 0, 1),
BPF_STMT(BPF_RET + BPF_K, (u_int) - 1),
BPF_STMT(BPF_RET + BPF_K, 0),
};
// BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ether->ethertype, 0, 1),
/* Set the filter */
filterCode.bf_len = sizeof(instructions) / sizeof(struct bpf_insn);
filterCode.bf_insns = &instructions[0];
if (ioctl(ether->etherSocket, BIOCSETF, &filterCode) < 0) {
return false;
}
return true;
}
示例3: filter_syscall
int filter_syscall(int syscall_nr, unsigned int flags)
{
struct sock_filter filter[] = {
BPF_STMT(BPF_LD+BPF_W+BPF_ABS, offsetof(struct seccomp_data, nr)),
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, syscall_nr, 0, 1),
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL),
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),
};
struct sock_fprog bpf_prog = {
.len = (unsigned short)(sizeof(filter)/sizeof(filter[0])),
.filter = filter,
};
if (syscall(__NR_seccomp, SECCOMP_SET_MODE_FILTER, flags, &bpf_prog) < 0) {
pr_perror("seccomp failed");
return -1;
}
return 0;
}
void *wait_and_getpid(void *arg)
{
pthread_mutex_lock(&getpid_wait);
pthread_mutex_unlock(&getpid_wait);
pthread_mutex_destroy(&getpid_wait);
/* we expect the tg to get killed by the seccomp filter that was
* installed via TSYNC */
ptrace(PTRACE_TRACEME);
pthread_exit((void *)1);
}
示例4: netlink_install_filter
/* Filter out messages from self that occur on listener socket,
caused by our actions on the command socket
*/
static void netlink_install_filter (int sock, __u32 pid)
{
struct sock_filter filter[] = {
/* 0: ldh [4] */
BPF_STMT(BPF_LD|BPF_ABS|BPF_H, offsetof(struct nlmsghdr, nlmsg_type)),
/* 1: jeq 0x18 jt 3 jf 6 */
BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, htons(RTM_NEWROUTE), 1, 0),
/* 2: jeq 0x19 jt 3 jf 6 */
BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, htons(RTM_DELROUTE), 0, 3),
/* 3: ldw [12] */
BPF_STMT(BPF_LD|BPF_ABS|BPF_W, offsetof(struct nlmsghdr, nlmsg_pid)),
/* 4: jeq XX jt 5 jf 6 */
BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, htonl(pid), 0, 1),
/* 5: ret 0 (skip) */
BPF_STMT(BPF_RET|BPF_K, 0),
/* 6: ret 0xffff (keep) */
BPF_STMT(BPF_RET|BPF_K, 0xffff),
};
struct sock_fprog prog = {
.len = sizeof(filter) / sizeof(filter[0]),
.filter = filter,
};
if (setsockopt(sock, SOL_SOCKET, SO_ATTACH_FILTER, &prog, sizeof(prog)) < 0)
zlog_warn ("Can't install socket filter: %s\n", safe_strerror(errno));
}
/* Exported interface function. This function simply calls
netlink_socket (). */
void
kernel_init (void)
{
unsigned long groups;
groups = RTMGRP_LINK | RTMGRP_IPV4_ROUTE | RTMGRP_IPV4_IFADDR;
#ifdef HAVE_IPV6
groups |= RTMGRP_IPV6_ROUTE | RTMGRP_IPV6_IFADDR;
#endif /* HAVE_IPV6 */
netlink_socket (&netlink, groups);
netlink_socket (&netlink_cmd, 0);
/* Register kernel socket. */
if (netlink.sock > 0)
{
/* Only want non-blocking on the netlink event socket */
if (fcntl (netlink.sock, F_SETFL, O_NONBLOCK) < 0)
zlog (NULL, LOG_ERR, "Can't set %s socket flags: %s", netlink.name,
safe_strerror (errno));
/* Set receive buffer size if it's set from command line */
if (nl_rcvbufsize)
netlink_recvbuf (&netlink, nl_rcvbufsize);
netlink_install_filter (netlink.sock, netlink_cmd.snl.nl_pid);
thread_add_read (hm->master, kernel_read, NULL, netlink.sock);
}
}
示例5: install_filter
static void
install_filter(void)
{
struct sock_filter filter[] = {
/* Load architecture */
BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
(offsetof(struct seccomp_data, arch))),
/* Kill process if the architecture is not what we expect */
BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0),
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
/* Load system call number */
BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
(offsetof(struct seccomp_data, nr))),
/* Allow system calls other than open() */
BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_open, 1, 0),
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
/* Kill process on open() */
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL)
};
struct sock_fprog prog = {
.len = (unsigned short) (sizeof(filter) / sizeof(filter[0])),
.filter = filter,
};
if (seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog) == -1)
errExit("seccomp");
/* On Linux 3.16 and earlier, we must instead use:
if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog))
errExit("prctl-PR_SET_SECCOMP");
*/
}
int
main(int argc, char **argv)
{
if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))
errExit("prctl");
install_filter();
if (open("/tmp/a", O_RDONLY) == -1)
errExit("open");
printf("We shouldn't see this message\n");
exit(EXIT_SUCCESS);
}
示例6: install_filter
static void install_filter(void) {
struct sock_filter filter[] = {
/* Load system call number from 'seccomp_data' buffer into
accumulator */
BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
/* Jump forward 1 instruction if system call number
is not SYS_pipe */
BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_pipe, 0, 1),
/* Error out with ESRCH */
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (ESRCH & SECCOMP_RET_DATA)),
/* Jump forward 1 instruction if system call number
is not SYS_geteuid */
BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_geteuid, 0, 1),
/* Trigger SIGSYS */
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRAP),
/* Jump forward 1 instruction if system call number
is not SYS_open */
BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_open, 0, 1),
/* Trigger SIGSYS */
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRAP),
/* Jump forward 1 instruction if system call number
is not SYS_rrcall_init_buffers */
BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_rrcall_init_buffers, 0, 1),
/* Trigger SIGSYS */
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRAP),
/* Jump forward 1 instruction if system call number
is not SYS_ioctl */
BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_ioctl, 0, 1),
/* Trigger SIGSYS */
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRAP),
/* Destination of system call number mismatch: allow other
system calls */
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)
};
struct sock_fprog prog = {
.len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
.filter = filter,
};
int ret;
ret = syscall(RR_seccomp, SECCOMP_SET_MODE_FILTER, 0, &prog);
if (ret == -1 && errno == ENOSYS) {
ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}
test_assert(ret == 0);
}
static void* waiting_thread(void* p) {
char buf;
test_assert(1 == read(pipe_fds[0], &buf, 1));
/* Check this thread wasn't affected by the SET_SECCOMP */
test_assert(0 == prctl(PR_GET_SECCOMP));
return NULL;
}
示例7: main
int main(int argc, char *argv[])
{
pid_t pid;
struct sock_filter filter[] = {
/* Load architecture */
BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))),
/* Kill process if the architecture is not what we expect */
/* AUDIT_ARCH_X86_64 or AUDIT_ARCH_I386 */
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, AUDIT_ARCH_X86_64, 1, 0),
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL),
/* Load system call number */
BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, nr))),
/* Allow system calls other than open() */
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_open, 1, 0),
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),
/* Kill process on open() */
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)
};
struct sock_fprog prog = {
.len = (unsigned short) (sizeof(filter) / sizeof(filter[0])),
.filter = filter,
};
printf("\n*** Appling BPF filter ***\n\n");
if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))
perror("prctl");
if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog))
perror("seccomp");
pid=fork();
if(pid==0)
{
printf("I am the child\n");
printf("The PID of child is %d\n",getpid());
printf("The PID of parent of child is %d\n\n",getppid());
}
else
{
printf("I am the parent\n");
printf("The PID of parent is %d\n",getpid());
printf("The PID of parent of parent is %d\n\n",getppid());
}
exit(EXIT_SUCCESS);
}
示例8: _open_socket
static int
_open_socket(const char *device)
{
int etherSocket;
etherSocket = _open_bpf_device();
if (etherSocket == -1) {
perror("bpf");
return -1;
}
// Attach the requested interface
struct ifreq if_idx = { {0} };
strncpy(if_idx.ifr_name, device, strlen(device) + 1);
if (ioctl(etherSocket, BIOCSETIF, &if_idx)) {
perror("BIOCSETIF");
return -1;
}
// Set immediate read on packet reception
uint32_t on = 1;
if (ioctl(etherSocket, BIOCIMMEDIATE, &on)) {
perror("BIOCIMMEDIATE");
return -1;
}
// Setup the BPF filter for CCNX_ETHERTYPE
struct bpf_program filterCode = { 0 };
// BPF instructions:
// Load 12 to accumulator (offset of ethertype)
// Jump Equal to netbyteorder_ethertype 0 instructions, otherwise 1 instruction
// 0: return a length of -1 (meaning whole packet)
// 1: return a length of 0 (meaning skip packet)
struct bpf_insn instructions[] = {
BPF_STMT(BPF_LD + BPF_H + BPF_ABS, 12),
BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, CCNX_ETHERTYPE,0, 1),
BPF_STMT(BPF_RET + BPF_K, (u_int) - 1),
BPF_STMT(BPF_RET + BPF_K, 0),
};
// Install the filter
filterCode.bf_len = sizeof(instructions) / sizeof(struct bpf_insn);
filterCode.bf_insns = &instructions[0];
if (ioctl(etherSocket, BIOCSETF, &filterCode) < 0) {
perror("BIOCSETF");
return -1;
}
return etherSocket;
}
示例9: load_arp_bpflet
static int load_arp_bpflet(int fd)
{
static struct sock_filter insns[] = {
BPF_STMT(BPF_LD|BPF_H|BPF_ABS, 6),
BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, ARPOP_RREQUEST, 0, 1),
BPF_STMT(BPF_RET|BPF_K, 1024),
BPF_STMT(BPF_RET|BPF_K, 0),
};
static struct sock_fprog filter = {
sizeof insns / sizeof(insns[0]),
insns
};
return setsockopt(fd, SOL_SOCKET, SO_ATTACH_FILTER, &filter, sizeof(filter));
}
示例10: bpf_arp_filter
int
bpf_arp_filter(int fd, int type_offset, int type, int pkt_size)
{
struct bpf_insn insns[] = {
BPF_STMT(BPF_LD+BPF_H+BPF_ABS, type_offset),
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, type, 0, 1),
BPF_STMT(BPF_RET+BPF_K, pkt_size),
BPF_STMT(BPF_RET+BPF_K, 0),
};
struct bpf_program prog;
prog.bf_len = sizeof(insns) / sizeof(struct bpf_insn);
prog.bf_insns = insns;
return ioctl(fd, BIOCSETF, &prog);
}
示例11: ATF_TC_BODY
ATF_TC_BODY(bpfjit_extmem_side_effect, tc)
{
static struct bpf_insn insns[] = {
BPF_STMT(BPF_LD+BPF_B+BPF_ABS, 0), /* A <- P[0] */
BPF_STMT(BPF_LDX+BPF_W+BPF_IMM, 2), /* X <- 2 */
BPF_STMT(BPF_ST, 1), /* M[1] <- A */
BPF_STMT(BPF_ALU+BPF_ADD+BPF_X, 0), /* A <- A + X */
BPF_STMT(BPF_STX, 2), /* M[2] <- X */
BPF_STMT(BPF_ST, 3), /* M[3] <- A */
BPF_STMT(BPF_LD+BPF_B+BPF_ABS, 99), /* A <- P[99] */
BPF_STMT(BPF_RET+BPF_A, 0) /* ret A */
};
bpfjit_func_t code;
uint8_t pkt[1] = { 1 };
uint32_t mem[ctx.extwords];
/* Pre-inited words. */
mem[0] = 0;
mem[3] = 7;
mem[1] = mem[2] = 0xdeadbeef;
bpf_args_t args = {
.pkt = pkt,
.buflen = sizeof(pkt),
.wirelen = sizeof(pkt),
.mem = mem,
};
size_t insn_count = sizeof(insns) / sizeof(insns[0]);
RZ(rump_init());
rump_schedule();
code = rumpns_bpfjit_generate_code(&ctx, insns, insn_count);
rump_unschedule();
ATF_REQUIRE(code != NULL);
ATF_CHECK(code(&ctx, &args) == 0);
rump_schedule();
rumpns_bpfjit_free_code(code);
rump_unschedule();
ATF_CHECK(mem[0] == 0);
ATF_CHECK(mem[1] == 1);
ATF_CHECK(mem[2] == 2);
ATF_CHECK(mem[3] == 3);
}
ATF_TC(bpfjit_extmem_invalid_store);
ATF_TC_HEAD(bpfjit_extmem_invalid_store, tc)
{
atf_tc_set_md_var(tc, "descr", "Test that out-of-range store "
"fails validation");
}
示例12: npfctl_bpf_tcpfl
/*
* npfctl_bpf_tcpfl: code block to match TCP flags.
*/
void
npfctl_bpf_tcpfl(npf_bpf_t *ctx, uint8_t tf, uint8_t tf_mask, bool checktcp)
{
const u_int tcpfl_off = offsetof(struct tcphdr, th_flags);
const bool usingmask = tf_mask != tf;
/* X <- IP header length */
fetch_l3(ctx, AF_UNSPEC, X_EQ_L4OFF);
if (checktcp) {
const u_int jf = usingmask ? 3 : 2;
assert(ctx->ingroup == false);
/* A <- L4 protocol; A == TCP? If not, jump out. */
struct bpf_insn insns_tcp[] = {
BPF_STMT(BPF_LD+BPF_W+BPF_MEM, BPF_MW_L4PROTO),
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, IPPROTO_TCP, 0, jf),
};
add_insns(ctx, insns_tcp, __arraycount(insns_tcp));
} else {
assert(ctx->flags & CHECKED_L4);
}
struct bpf_insn insns_tf[] = {
/* A <- TCP flags */
BPF_STMT(BPF_LD+BPF_B+BPF_IND, tcpfl_off),
};
add_insns(ctx, insns_tf, __arraycount(insns_tf));
if (usingmask) {
/* A <- (A & mask) */
struct bpf_insn insns_mask[] = {
BPF_STMT(BPF_ALU+BPF_AND+BPF_K, tf_mask),
};
add_insns(ctx, insns_mask, __arraycount(insns_mask));
}
struct bpf_insn insns_cmp[] = {
/* A == expected-TCP-flags? */
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, tf, 0, JUMP_MAGIC),
};
add_insns(ctx, insns_cmp, __arraycount(insns_cmp));
if (!checktcp) {
uint32_t mwords[] = { BM_TCPFL, 2, tf, tf_mask};
done_block(ctx, mwords, sizeof(mwords));
}
}
示例13: setup_seccomp_filter
static int setup_seccomp_filter(void)
{
struct sock_filter filter[] = {
BPF_STMT(BPF_LD+BPF_W+BPF_ABS, offsetof(struct seccomp_data, nr)),
/* Allow all syscalls except ptrace */
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ptrace, 0, 1),
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL),
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),
};
struct sock_fprog bpf_prog = {
.len = (unsigned short)(sizeof(filter)/sizeof(filter[0])),
.filter = filter,
};
if (sys_prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, (long) &bpf_prog, 0, 0) < 0)
return -1;
return 0;
}
static int check_ptrace_dump_seccomp_filters(void)
{
pid_t pid;
int ret = 0, len;
if (opts.check_ms_kernel) {
pr_warn("Skipping PTRACE_SECCOMP_GET_FILTER check");
return 0;
}
pid = fork_and_ptrace_attach(setup_seccomp_filter);
if (pid < 0)
return -1;
len = ptrace(PTRACE_SECCOMP_GET_FILTER, pid, 0, NULL);
if (len < 0) {
ret = -1;
pr_perror("Dumping seccomp filters not supported");
}
kill(pid, SIGKILL);
return ret;
}
示例14: initFilter
/**********************************************************************
*%FUNCTION: initFilter
*%ARGUMENTS:
* fd -- file descriptor of BSD device
* type -- Ethernet frame type (0 for watch mode)
* hwaddr -- buffer with ehthernet address
*%RETURNS:
* Nothing
*%DESCRIPTION:
* Initializes the packet filter rules.
***********************************************************************/
void
initFilter(int fd, UINT16_t type, unsigned char *hwaddr)
{
/* Packet Filter Instructions:
* Note that the ethernet type names come from "pppoe.h" and are
* used here to maintain consistency with the rest of this file. */
static struct bpf_insn bpfRun[] = { /* run PPPoE */
BPF_STMT(BPF_LD+BPF_H+BPF_ABS, 12), /* ethernet type */
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ETH_PPPOE_SESSION, 5, 0),
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ETH_PPPOE_DISCOVERY, 0, 9),
BPF_STMT(BPF_LD+BPF_W+BPF_ABS, 0), /* first word of dest. addr */
#define PPPOE_BCAST_CMPW 4 /* offset of word compare */
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0, 0, 2),
BPF_STMT(BPF_LD+BPF_H+BPF_ABS, 4), /* next 1/2 word of dest. */
#define PPPOE_BCAST_CMPH 6 /* offset of 1/2 word compare */
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0, 4, 0),
BPF_STMT(BPF_LD+BPF_W+BPF_ABS, 0), /* first word of dest. addr */
#define PPPOE_FILTER_CMPW 8 /* offset of word compare */
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0, 0, 3),
BPF_STMT(BPF_LD+BPF_H+BPF_ABS, 4), /* next 1/2 word of dest. */
#define PPPOE_FILTER_CMPH 10 /* offset of 1/rd compare */
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0, 0, 1),
BPF_STMT(BPF_RET+BPF_K, (u_int) -1), /* keep packet */
BPF_STMT(BPF_RET+BPF_K, 0), /* drop packet */
};
/* Fix the potentially varying parts */
bpfRun[1].code = (u_short) BPF_JMP+BPF_JEQ+BPF_K;
bpfRun[1].jt = 5;
bpfRun[1].jf = 0;
bpfRun[1].k = Eth_PPPOE_Session;
bpfRun[2].code = (u_short) BPF_JMP+BPF_JEQ+BPF_K;
bpfRun[2].jt = 0;
bpfRun[2].jf = 9;
bpfRun[2].k = Eth_PPPOE_Discovery;
{
struct bpf_insn bpfInsn[sizeof(bpfRun) / sizeof(bpfRun[0])];
struct bpf_program bpfProgram;
memcpy(bpfInsn, bpfRun, sizeof(bpfRun));
bpfInsn[PPPOE_BCAST_CMPW].k = ((0xff << 24) | (0xff << 16) |
(0xff << 8) | 0xff);
bpfInsn[PPPOE_BCAST_CMPH].k = ((0xff << 8) | 0xff);
bpfInsn[PPPOE_FILTER_CMPW].k = ((hwaddr[0] << 24) | (hwaddr[1] << 16) |
(hwaddr[2] << 8) | hwaddr[3]);
bpfInsn[PPPOE_FILTER_CMPH].k = ((hwaddr[4] << 8) | hwaddr[5]);
bpfProgram.bf_len = (sizeof(bpfInsn) / sizeof(bpfInsn[0]));
bpfProgram.bf_insns = &bpfInsn[0];
/* Apply the filter */
if (ioctl(fd, BIOCSETF, &bpfProgram) < 0) {
fatalSys("ioctl(BIOCSETF)");
}
}
}
示例15: install_filter
static int install_filter(int nr, int arch, int error)
{
struct sock_filter filter[] = {
BPF_STMT(BPF_LD+BPF_W+BPF_ABS,
(offsetof(struct seccomp_data, arch))),
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, arch, 0, 3),
BPF_STMT(BPF_LD+BPF_W+BPF_ABS,
(offsetof(struct seccomp_data, nr))),
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, nr, 0, 1),
BPF_STMT(BPF_RET+BPF_K,
SECCOMP_RET_ERRNO|(error & SECCOMP_RET_DATA)),
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),
};
struct sock_fprog prog = {
.len = (unsigned short)(sizeof(filter)/sizeof(filter[0])),
.filter = filter,
};
if (prctl(PR_SET_SECCOMP, 2, &prog)) {
perror("prctl");
return 1;
}
return 0;
}
int main(int argc, char **argv)
{
if (argc < 5) {
fprintf(stderr, "Usage:\n"
"dropper <syscall_nr> <arch> <errno> <prog> [<args>]\n"
"Hint: AUDIT_ARCH_I386: 0x%X\n"
" AUDIT_ARCH_X86_64: 0x%X\n"
"\n", AUDIT_ARCH_I386, AUDIT_ARCH_X86_64);
return 1;
}
if (install_filter(strtol(argv[1], NULL, 0), strtol(argv[2], NULL, 0),
strtol(argv[3], NULL, 0)))
return 1;
execv(argv[4], &argv[4]);
printf("Failed to execv\n");
return 255;
}