proc/priv/shim: seccomp bpf filter via libseccomp

Rulesets adapted from Flatpak for compatibility. Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-20 23:39:47 +09:00
parent 27f5922d5c
commit 3df344828f
5 changed files with 361 additions and 0 deletions
--- a/internal/proc/priv/shim/export.h
+++ b/internal/proc/priv/shim/export.h
@@ -0,0 +1,22 @@
+#include <stdint.h>
+#include <seccomp.h>
+
+#if (SCMP_VER_MAJOR < 2) || \
+    (SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR < 5) || \
+    (SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR == 5 && SCMP_VER_MICRO < 1)
+#error This package requires libseccomp >= v2.5.1
+#endif
+
+typedef enum {
+  F_DENY_NS    = 1 << 0,
+  F_DENY_TTY   = 1 << 1,
+  F_DENY_DEVEL = 1 << 2,
+  F_MULTIARCH  = 1 << 3,
+  F_LINUX32    = 1 << 4,
+  F_CAN        = 1 << 5,
+  F_BLUETOOTH  = 1 << 6,
+} f_syscall_opts;
+
+extern void F_println(char *v);
+int f_tmpfile_fd();
+int32_t f_export_bpf(int fd, uint32_t arch, uint32_t multiarch, f_syscall_opts opts);