OpenCoverage

sandbox-seccomp-filter.c

Absolute File Name:/home/opencoverage/opencoverage/guest-scripts/openssh/src/sandbox-seccomp-filter.c
Switch to Source codePreprocessed file
LineSourceCount
1-
2-
3-
4-
5-
6-
7-
8-
9-
10-
11-
12-
13-
14-
15static const struct sock_filter preauth_insns[] = {-
16-
17 -
18{ (unsigned short)(0x00 -
19+-
200x00-
21+-
220x20), 0, 0, __builtin_offsetof (-
23struct seccomp_data-
24, -
25arch-
26) }-
27 -
28 ,-
29 -
30{ (unsigned short)(0x05 -
31+-
320x10-
33+-
340x00), -
351-
36, -
370-
38, (62|0x80000000|0x40000000) }-
39 ,-
40 -
41{ (unsigned short)(0x06 -
42+-
430x00), 0, 0, 0x00000000U }-
44 ,-
45-
46 -
47{ (unsigned short)(0x00 -
48+-
490x00-
50+-
510x20), 0, 0, __builtin_offsetof (-
52struct seccomp_data-
53, -
54nr-
55) }-
56 -
57 ,-
58-
59-
60-
61 -
62{ (unsigned short)(0x05 -
63+-
640x10-
65+-
660x00), -
670-
68, -
691-
70, -
71(-
726-
73) -
74}-
75, -
76{ (unsigned short)(0x06 -
77+-
780x00), 0, 0, 0x00050000U-
79|(-
8013-
81) -
82}-
83 ,-
84-
85-
86-
87-
88-
89 -
90{ (unsigned short)(0x05 -
91+-
920x10-
93+-
940x00), -
950-
96, -
971-
98, -
99(-
1005-
101) -
102}-
103, -
104{ (unsigned short)(0x06 -
105+-
1060x00), 0, 0, 0x00050000U-
107|(-
10813-
109) -
110}-
111 ,-
112-
113-
114-
115-
116-
117 -
118{ (unsigned short)(0x05 -
119+-
1200x10-
121+-
1220x00), -
1230-
124, -
1251-
126, -
127(-
1282-
129) -
130}-
131, -
132{ (unsigned short)(0x06 -
133+-
1340x00), 0, 0, 0x00050000U-
135|(-
13613-
137) -
138}-
139 ,-
140-
141-
142 -
143{ (unsigned short)(0x05 -
144+-
1450x10-
146+-
1470x00), -
1480-
149, -
1501-
151, -
152(-
153257-
154) -
155}-
156, -
157{ (unsigned short)(0x06 -
158+-
1590x00), 0, 0, 0x00050000U-
160|(-
16113-
162) -
163}-
164 ,-
165-
166-
167 -
168{ (unsigned short)(0x05 -
169+-
1700x10-
171+-
1720x00), -
1730-
174, -
1751-
176, -
177(-
178262-
179) -
180}-
181, -
182{ (unsigned short)(0x06 -
183+-
1840x00), 0, 0, 0x00050000U-
185|(-
18613-
187) -
188}-
189 ,-
190-
191-
192 -
193{ (unsigned short)(0x05 -
194+-
1950x10-
196+-
1970x00), -
1980-
199, -
2001-
201, -
202(-
2034-
204) -
205}-
206, -
207{ (unsigned short)(0x06 -
208+-
2090x00), 0, 0, 0x00050000U-
210|(-
21113-
212) -
213}-
214 ,-
215-
216-
217-
218-
219-
220-
221-
222 -
223{ (unsigned short)(0x05 -
224+-
2250x10-
226+-
2270x00), -
2280-
229, -
2301-
231, -
232(-
23312-
234) -
235}-
236, -
237{ (unsigned short)(0x06 -
238+-
2390x00), 0, 0, 0x7fff0000U }-
240 ,-
241-
242-
243 -
244{ (unsigned short)(0x05 -
245+-
2460x10-
247+-
2480x00), -
2490-
250, -
2511-
252, -
253(-
254228-
255) -
256}-
257, -
258{ (unsigned short)(0x06 -
259+-
2600x00), 0, 0, 0x7fff0000U }-
261 ,-
262-
263-
264 -
265{ (unsigned short)(0x05 -
266+-
2670x10-
268+-
2690x00), -
2700-
271, -
2721-
273, -
274(-
2753-
276) -
277}-
278, -
279{ (unsigned short)(0x06 -
280+-
2810x00), 0, 0, 0x7fff0000U }-
282 ,-
283-
284-
285 -
286{ (unsigned short)(0x05 -
287+-
2880x10-
289+-
2900x00), -
2910-
292, -
2931-
294, -
295(-
29660-
297) -
298}-
299, -
300{ (unsigned short)(0x06 -
301+-
3020x00), 0, 0, 0x7fff0000U }-
303 ,-
304-
305-
306 -
307{ (unsigned short)(0x05 -
308+-
3090x10-
310+-
3110x00), -
3120-
313, -
3141-
315, -
316(-
317231-
318) -
319}-
320, -
321{ (unsigned short)(0x06 -
322+-
3230x00), 0, 0, 0x7fff0000U }-
324 ,-
325-
326-
327 -
328{ (unsigned short)(0x05 -
329+-
3300x10-
331+-
3320x00), -
3330-
334, -
3351-
336, -
337(-
338202-
339) -
340}-
341, -
342{ (unsigned short)(0x06 -
343+-
3440x00), 0, 0, 0x7fff0000U }-
345 ,-
346-
347-
348 -
349{ (unsigned short)(0x05 -
350+-
3510x10-
352+-
3530x00), -
3540-
355, -
3561-
357, -
358(-
359107-
360) -
361}-
362, -
363{ (unsigned short)(0x06 -
364+-
3650x00), 0, 0, 0x7fff0000U }-
366 ,-
367-
368-
369-
370-
371-
372 -
373{ (unsigned short)(0x05 -
374+-
3750x10-
376+-
3770x00), -
3780-
379, -
3801-
381, -
382(-
383121-
384) -
385}-
386, -
387{ (unsigned short)(0x06 -
388+-
3890x00), 0, 0, 0x7fff0000U }-
390 ,-
391-
392-
393 -
394{ (unsigned short)(0x05 -
395+-
3960x10-
397+-
3980x00), -
3990-
400, -
4011-
402, -
403(-
40439-
405) -
406}-
407, -
408{ (unsigned short)(0x06 -
409+-
4100x00), 0, 0, 0x7fff0000U }-
411 ,-
412-
413-
414 -
415{ (unsigned short)(0x05 -
416+-
4170x10-
418+-
4190x00), -
4200-
421, -
4221-
423, -
424(-
425318-
426) -
427}-
428, -
429{ (unsigned short)(0x06 -
430+-
4310x00), 0, 0, 0x7fff0000U }-
432 ,-
433-
434-
435 -
436{ (unsigned short)(0x05 -
437+-
4380x10-
439+-
4400x00), -
4410-
442, -
4431-
444, -
445(-
44696-
447) -
448}-
449, -
450{ (unsigned short)(0x06 -
451+-
4520x00), 0, 0, 0x7fff0000U }-
453 ,-
454-
455-
456 -
457{ (unsigned short)(0x05 -
458+-
4590x10-
460+-
4610x00), -
4620-
463, -
4641-
465, -
466(-
467102-
468) -
469}-
470, -
471{ (unsigned short)(0x06 -
472+-
4730x00), 0, 0, 0x7fff0000U }-
474 ,-
475-
476-
477-
478-
479-
480 -
481{ (unsigned short)(0x05 -
482+-
4830x10-
484+-
4850x00), -
4860-
487, -
4881-
489, -
490(-
49128-
492) -
493}-
494, -
495{ (unsigned short)(0x06 -
496+-
4970x00), 0, 0, 0x7fff0000U }-
498 ,-
499-
500-
501 -
502{ (unsigned short)(0x05 -
503+-
5040x10-
505+-
5060x00), -
5070-
508, -
5091-
510, -
511(-
5129-
513) -
514}-
515, -
516{ (unsigned short)(0x06 -
517+-
5180x00), 0, 0, 0x7fff0000U }-
519 ,-
520-
521-
522-
523-
524-
525 -
526{ (unsigned short)(0x05 -
527+-
5280x10-
529+-
5300x00), -
5310-
532, -
5331-
534, -
535(-
53625-
537) -
538}-
539, -
540{ (unsigned short)(0x06 -
541+-
5420x00), 0, 0, 0x7fff0000U }-
543 ,-
544-
545-
546 -
547{ (unsigned short)(0x05 -
548+-
5490x10-
550+-
5510x00), -
5520-
553, -
5541-
555, -
556(-
55711-
558) -
559}-
560, -
561{ (unsigned short)(0x06 -
562+-
5630x00), 0, 0, 0x7fff0000U }-
564 ,-
565-
566-
567 -
568{ (unsigned short)(0x05 -
569+-
5700x10-
571+-
5720x00), -
5730-
574, -
5751-
576, -
577(-
57835-
579) -
580}-
581, -
582{ (unsigned short)(0x06 -
583+-
5840x00), 0, 0, 0x7fff0000U }-
585 ,-
586-
587-
588-
589-
590-
591 -
592{ (unsigned short)(0x05 -
593+-
5940x10-
595+-
5960x00), -
5970-
598, -
5991-
600, -
601(-
6027-
603) -
604}-
605, -
606{ (unsigned short)(0x06 -
607+-
6080x00), 0, 0, 0x7fff0000U }-
609 ,-
610-
611-
612 -
613{ (unsigned short)(0x05 -
614+-
6150x10-
616+-
6170x00), -
6180-
619, -
6201-
621, -
622(-
623270-
624) -
625}-
626, -
627{ (unsigned short)(0x06 -
628+-
6290x00), 0, 0, 0x7fff0000U }-
630 ,-
631-
632-
633 -
634{ (unsigned short)(0x05 -
635+-
6360x10-
637+-
6380x00), -
6390-
640, -
6411-
642, -
643(-
6440-
645) -
646}-
647, -
648{ (unsigned short)(0x06 -
649+-
6500x00), 0, 0, 0x7fff0000U }-
651 ,-
652-
653-
654 -
655{ (unsigned short)(0x05 -
656+-
6570x10-
658+-
6590x00), -
6600-
661, -
6621-
663, -
664(-
66514-
666) -
667}-
668, -
669{ (unsigned short)(0x06 -
670+-
6710x00), 0, 0, 0x7fff0000U }-
672 ,-
673-
674-
675 -
676{ (unsigned short)(0x05 -
677+-
6780x10-
679+-
6800x00), -
6810-
682, -
6831-
684, -
685(-
68623-
687) -
688}-
689, -
690{ (unsigned short)(0x06 -
691+-
6920x00), 0, 0, 0x7fff0000U }-
693 ,-
694-
695-
696 -
697{ (unsigned short)(0x05 -
698+-
6990x10-
700+-
7010x00), -
7020-
703, -
7041-
705, -
706(-
70748-
708) -
709}-
710, -
711{ (unsigned short)(0x06 -
712+-
7130x00), 0, 0, 0x7fff0000U }-
714 ,-
715-
716-
717-
718-
719-
720 -
721{ (unsigned short)(0x05 -
722+-
7230x10-
724+-
7250x00), -
7260-
727, -
7281-
729, -
730(-
731201-
732) -
733}-
734, -
735{ (unsigned short)(0x06 -
736+-
7370x00), 0, 0, 0x7fff0000U }-
738 ,-
739-
740-
741 -
742{ (unsigned short)(0x05 -
743+-
7440x10-
745+-
7460x00), -
7470-
748, -
7491-
750, -
751(-
7521-
753) -
754}-
755, -
756{ (unsigned short)(0x06 -
757+-
7580x00), 0, 0, 0x7fff0000U }-
759 ,-
760 -
761{ (unsigned short)(0x06 -
762+-
7630x00), 0, 0, 0x00000000U }-
764 ,-
765};-
766-
767static const struct sock_fprog preauth_program = {-
768 .len = (unsigned short)(sizeof(preauth_insns)/sizeof(preauth_insns[0])),-
769 .filter = (struct sock_filter *)preauth_insns,-
770};-
771-
772struct ssh_sandbox {-
773 pid_t child_pid;-
774};-
775-
776struct ssh_sandbox *-
777ssh_sandbox_init(struct monitor *monitor)-
778{-
779 struct ssh_sandbox *box;-
780-
781-
782-
783-
784-
785 debug3("%s: preparing seccomp filter sandbox", __func__);-
786 box = xcalloc(1, sizeof(*box));-
787 box->child_pid = 0;-
788-
789 return
never executed: return box;
 box;
never executed: return box;
0
790}-
791void-
792ssh_sandbox_child(struct ssh_sandbox *box)-
793{-
794 struct rlimit rl_zero;-
795 int nnp_failed = 0;-
796-
797-
798 rl_zero.rlim_cur = rl_zero.rlim_max = 0;-
799 if (setrlimit(
setrlimit( RLI...rl_zero) == -1Description
TRUEnever evaluated
FALSEnever evaluated
0
800 RLIMIT_FSIZE
setrlimit( RLI...rl_zero) == -1Description
TRUEnever evaluated
FALSEnever evaluated
0
801 , &rl_zero) == -1
setrlimit( RLI...rl_zero) == -1Description
TRUEnever evaluated
FALSEnever evaluated
)		0
802 fatal("%s: setrlimit(RLIMIT_FSIZE, { 0, 0 }): %s",
never executed: fatal("%s: setrlimit(RLIMIT_FSIZE, { 0, 0 }): %s", __func__, strerror( (*__errno_location ()) ));
0
803 __func__, strerror(
never executed: fatal("%s: setrlimit(RLIMIT_FSIZE, { 0, 0 }): %s", __func__, strerror( (*__errno_location ()) ));
0
804 (*__errno_location ())
never executed: fatal("%s: setrlimit(RLIMIT_FSIZE, { 0, 0 }): %s", __func__, strerror( (*__errno_location ()) ));
0
805 ));
never executed: fatal("%s: setrlimit(RLIMIT_FSIZE, { 0, 0 }): %s", __func__, strerror( (*__errno_location ()) ));
0
806 if (setrlimit(
setrlimit( RLI...rl_zero) == -1Description
TRUEnever evaluated
FALSEnever evaluated
0
807 RLIMIT_NOFILE
setrlimit( RLI...rl_zero) == -1Description
TRUEnever evaluated
FALSEnever evaluated
0
808 , &rl_zero) == -1
setrlimit( RLI...rl_zero) == -1Description
TRUEnever evaluated
FALSEnever evaluated
)		0
809 fatal("%s: setrlimit(RLIMIT_NOFILE, { 0, 0 }): %s",
never executed: fatal("%s: setrlimit(RLIMIT_NOFILE, { 0, 0 }): %s", __func__, strerror( (*__errno_location ()) ));
0
810 __func__, strerror(
never executed: fatal("%s: setrlimit(RLIMIT_NOFILE, { 0, 0 }): %s", __func__, strerror( (*__errno_location ()) ));
0
811 (*__errno_location ())
never executed: fatal("%s: setrlimit(RLIMIT_NOFILE, { 0, 0 }): %s", __func__, strerror( (*__errno_location ()) ));
0
812 ));
never executed: fatal("%s: setrlimit(RLIMIT_NOFILE, { 0, 0 }): %s", __func__, strerror( (*__errno_location ()) ));
0
813 if (setrlimit(
setrlimit( __R...rl_zero) == -1Description
TRUEnever evaluated
FALSEnever evaluated
0
814 __RLIMIT_NPROC
setrlimit( __R...rl_zero) == -1Description
TRUEnever evaluated
FALSEnever evaluated
0
815 , &rl_zero) == -1
setrlimit( __R...rl_zero) == -1Description
TRUEnever evaluated
FALSEnever evaluated
)		0
816 fatal("%s: setrlimit(RLIMIT_NPROC, { 0, 0 }): %s",
never executed: fatal("%s: setrlimit(RLIMIT_NPROC, { 0, 0 }): %s", __func__, strerror( (*__errno_location ()) ));
0
817 __func__, strerror(
never executed: fatal("%s: setrlimit(RLIMIT_NPROC, { 0, 0 }): %s", __func__, strerror( (*__errno_location ()) ));
0
818 (*__errno_location ())
never executed: fatal("%s: setrlimit(RLIMIT_NPROC, { 0, 0 }): %s", __func__, strerror( (*__errno_location ()) ));
0
819 ));
never executed: fatal("%s: setrlimit(RLIMIT_NPROC, { 0, 0 }): %s", __func__, strerror( (*__errno_location ()) ));
0
820-
821-
822-
823-
824-
825 debug3("%s: setting PR_SET_NO_NEW_PRIVS", __func__);-
826 if (prctl(
prctl( 38 , 1, 0, 0, 0) == -1Description
TRUEnever evaluated
FALSEnever evaluated
0
827 38
prctl( 38 , 1, 0, 0, 0) == -1Description
TRUEnever evaluated
FALSEnever evaluated
0
828 , 1, 0, 0, 0) == -1
prctl( 38 , 1, 0, 0, 0) == -1Description
TRUEnever evaluated
FALSEnever evaluated
) {		0
829 debug("%s: prctl(PR_SET_NO_NEW_PRIVS): %s",-
830 __func__, strerror(-
831 (*__errno_location ())-
832 ));-
833 nnp_failed = 1;-
834 }
never executed: end of block
0
835 debug3("%s: attaching seccomp filter program", __func__);-
836 if (prctl(
prctl( 22 , 2 ...program) == -1Description
TRUEnever evaluated
FALSEnever evaluated
0
837 22
prctl( 22 , 2 ...program) == -1Description
TRUEnever evaluated
FALSEnever evaluated
0
838 ,
prctl( 22 , 2 ...program) == -1Description
TRUEnever evaluated
FALSEnever evaluated
0
839 2
prctl( 22 , 2 ...program) == -1Description
TRUEnever evaluated
FALSEnever evaluated
0
840 , &preauth_program) == -1
prctl( 22 , 2 ...program) == -1Description
TRUEnever evaluated
FALSEnever evaluated
)		0
841 debug("%s: prctl(PR_SET_SECCOMP): %s",
never executed: debug("%s: prctl(PR_SET_SECCOMP): %s", __func__, strerror( (*__errno_location ()) ));
0
842 __func__, strerror(
never executed: debug("%s: prctl(PR_SET_SECCOMP): %s", __func__, strerror( (*__errno_location ()) ));
0
843 (*__errno_location ())
never executed: debug("%s: prctl(PR_SET_SECCOMP): %s", __func__, strerror( (*__errno_location ()) ));
0
844 ));
never executed: debug("%s: prctl(PR_SET_SECCOMP): %s", __func__, strerror( (*__errno_location ()) ));
0
845 else if (nnp_failed
nnp_failedDescription
TRUEnever evaluated
FALSEnever evaluated
)		0
846 fatal("%s: SECCOMP_MODE_FILTER activated but "
never executed: fatal("%s: SECCOMP_MODE_FILTER activated but " "PR_SET_NO_NEW_PRIVS failed", __func__);
0
847 "PR_SET_NO_NEW_PRIVS failed", __func__);
never executed: fatal("%s: SECCOMP_MODE_FILTER activated but " "PR_SET_NO_NEW_PRIVS failed", __func__);
0
848}
never executed: end of block
0
849-
850void-
851ssh_sandbox_parent_finish(struct ssh_sandbox *box)-
852{-
853 free(box);-
854 debug3("%s: finished", __func__);-
855}
never executed: end of block
0
856-
857void-
858ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid)-
859{-
860 box->child_pid = child_pid;-
861}
never executed: end of block
0
Switch to Source codePreprocessed file
Generated by Squish Coco 4.2.2