自学教程：C++ BPF_STMT函数代码示例

/* Returns 0 if the the sandbox is enabled using * the time setter policy. */intenable_setter_seccomp (void){  static const struct sock_filter insns[] =  {    /* Ensure the syscall arch convention is as expected. */    BPF_STMT (BPF_LD+BPF_W+BPF_ABS,    offsetof (struct seccomp_data, arch)),    BPF_JUMP (BPF_JMP+BPF_JEQ+BPF_K, SECCOMP_AUDIT_ARCH, 1, 0),    BPF_STMT (BPF_RET+BPF_K, SECCOMP_FILTER_FAIL),    /* Load the syscall number for checking. */    BPF_STMT (BPF_LD+BPF_W+BPF_ABS,    offsetof (struct seccomp_data, nr)),    /* Process ALLOWs as quickly as possible */    SC_ALLOW (read),    SC_ALLOW (write),    SC_ALLOW (pwritev),    SC_ALLOW (settimeofday),    SC_ALLOW (ioctl), /* TODO(wad) filter for fd and RTC_SET_TIME */#ifdef __NR_time /* This is required for x86 systems */    SC_ALLOW (time),#endif    SC_ALLOW (lseek),    SC_ALLOW (close),    SC_ALLOW (munmap),    SC_ALLOW (exit_group),    SC_ALLOW (exit),    SC_DENY (open, EINVAL),    SC_DENY (fcntl, EINVAL),    SC_DENY (fstat, EINVAL),#ifdef __NR_mmap    SC_DENY (mmap, EINVAL),#endif#ifdef __NR_mmap2    SC_DENY (mmap2, EINVAL),#endif#ifdef __NR_sendto    SC_DENY (sendto, EINVAL),#endif#ifdef __NR_socket    SC_DENY (socket, EINVAL),#endif#ifdef __NR_socketcall    SC_DENY (socketcall, EINVAL),#endif    BPF_STMT (BPF_RET+BPF_K, SECCOMP_FILTER_FAIL),  };  static const struct sock_fprog prog =  {    .len = (unsigned short) (sizeof (insns) /sizeof (insns[0])),    .filter = (struct sock_filter *) insns,  };  return (prctl (PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||          prctl (PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog));}

/** * Create the berkeley packet filter for our ethertype * * Creates a BPF for our ether type. * * @param [in,out] ether The MetisGenericEther to modify * * @retval true success * @retval false failure * * Example: * @code * <#example#> * @endcode */static bool_darwinEthernet_SetFilter(MetisGenericEther *ether){    struct bpf_program filterCode = { 0 };    // BPF instructions:    // Load 12 to accumulator (offset of ethertype)    // Jump Equal to netbyteorder_ethertype 0 instructions, otherwise 1 instruction    // 0: return a length of -1 (meaning whole packet)    // 1: return a length of 0 (meaning skip packet)    struct bpf_insn instructions[] = {        BPF_STMT(BPF_LD + BPF_H + BPF_ABS,  12),        BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, 0x0801,      0,  1),        BPF_STMT(BPF_RET + BPF_K,           (u_int) - 1),        BPF_STMT(BPF_RET + BPF_K,           0),    };    //        BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ether->ethertype, 0, 1),    /* Set the filter */    filterCode.bf_len = sizeof(instructions) / sizeof(struct bpf_insn);    filterCode.bf_insns = &instructions[0];    if (ioctl(ether->etherSocket, BIOCSETF, &filterCode) < 0) {        return false;    }    return true;}

int filter_syscall(int syscall_nr, unsigned int flags){	struct sock_filter filter[] = {		BPF_STMT(BPF_LD+BPF_W+BPF_ABS, offsetof(struct seccomp_data, nr)),		BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, syscall_nr, 0, 1),		BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL),		BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),	};	struct sock_fprog bpf_prog = {		.len = (unsigned short)(sizeof(filter)/sizeof(filter[0])),		.filter = filter,	};	if (syscall(__NR_seccomp, SECCOMP_SET_MODE_FILTER, flags, &bpf_prog) < 0) {		pr_perror("seccomp failed");		return -1;	}	return 0;}void *wait_and_getpid(void *arg){	pthread_mutex_lock(&getpid_wait);	pthread_mutex_unlock(&getpid_wait);	pthread_mutex_destroy(&getpid_wait);	/* we expect the tg to get killed by the seccomp filter that was	 * installed via TSYNC */	ptrace(PTRACE_TRACEME);	pthread_exit((void *)1);}

/* Filter out messages from self that occur on listener socket,   caused by our actions on the command socket */static void netlink_install_filter (int sock, __u32 pid){  struct sock_filter filter[] = {    /* 0: ldh [4]	          */    BPF_STMT(BPF_LD|BPF_ABS|BPF_H, offsetof(struct nlmsghdr, nlmsg_type)),    /* 1: jeq 0x18 jt 3 jf 6  */    BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, htons(RTM_NEWROUTE), 1, 0),    /* 2: jeq 0x19 jt 3 jf 6  */    BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, htons(RTM_DELROUTE), 0, 3),    /* 3: ldw [12]		  */    BPF_STMT(BPF_LD|BPF_ABS|BPF_W, offsetof(struct nlmsghdr, nlmsg_pid)),    /* 4: jeq XX  jt 5 jf 6   */    BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, htonl(pid), 0, 1),    /* 5: ret 0    (skip)     */    BPF_STMT(BPF_RET|BPF_K, 0),    /* 6: ret 0xffff (keep)   */    BPF_STMT(BPF_RET|BPF_K, 0xffff),  };  struct sock_fprog prog = {    .len = sizeof(filter) / sizeof(filter[0]),    .filter = filter,  };  if (setsockopt(sock, SOL_SOCKET, SO_ATTACH_FILTER, &prog, sizeof(prog)) < 0)    zlog_warn ("Can't install socket filter: %s/n", safe_strerror(errno));}/* Exported interface function.  This function simply calls   netlink_socket (). */voidkernel_init (void){  unsigned long groups;  groups = RTMGRP_LINK | RTMGRP_IPV4_ROUTE | RTMGRP_IPV4_IFADDR;#ifdef HAVE_IPV6  groups |= RTMGRP_IPV6_ROUTE | RTMGRP_IPV6_IFADDR;#endif /* HAVE_IPV6 */  netlink_socket (&netlink, groups);  netlink_socket (&netlink_cmd, 0);  /* Register kernel socket. */  if (netlink.sock > 0)    {      /* Only want non-blocking on the netlink event socket */      if (fcntl (netlink.sock, F_SETFL, O_NONBLOCK) < 0)	zlog (NULL, LOG_ERR, "Can't set %s socket flags: %s", netlink.name,		safe_strerror (errno));      /* Set receive buffer size if it's set from command line */      if (nl_rcvbufsize)	netlink_recvbuf (&netlink, nl_rcvbufsize);      netlink_install_filter (netlink.sock, netlink_cmd.snl.nl_pid);      thread_add_read (hm->master, kernel_read, NULL, netlink.sock);    }}

static voidinstall_filter(void){    struct sock_filter filter[] = {        /* Load architecture */        BPF_STMT(BPF_LD | BPF_W | BPF_ABS,                (offsetof(struct seccomp_data, arch))),        /* Kill process if the architecture is not what we expect */        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0),        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),        /* Load system call number */        BPF_STMT(BPF_LD | BPF_W | BPF_ABS,                 (offsetof(struct seccomp_data, nr))),        /* Allow system calls other than open() */        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_open, 1, 0),        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),        /* Kill process on open() */        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL)    };    struct sock_fprog prog = {        .len = (unsigned short) (sizeof(filter) / sizeof(filter[0])),        .filter = filter,    };    if (seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog) == -1)        errExit("seccomp");    /* On Linux 3.16 and earlier, we must instead use:            if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog))                errExit("prctl-PR_SET_SECCOMP");    */}intmain(int argc, char **argv){    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))        errExit("prctl");    install_filter();    if (open("/tmp/a", O_RDONLY) == -1)        errExit("open");    printf("We shouldn't see this message/n");    exit(EXIT_SUCCESS);}

static void install_filter(void) {  struct sock_filter filter[] = {    /* Load system call number from 'seccomp_data' buffer into       accumulator */    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),    /* Jump forward 1 instruction if system call number       is not SYS_pipe */    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_pipe, 0, 1),    /* Error out with ESRCH */    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (ESRCH & SECCOMP_RET_DATA)),    /* Jump forward 1 instruction if system call number       is not SYS_geteuid */    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_geteuid, 0, 1),    /* Trigger SIGSYS */    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRAP),    /* Jump forward 1 instruction if system call number       is not SYS_open */    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_open, 0, 1),    /* Trigger SIGSYS */    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRAP),    /* Jump forward 1 instruction if system call number       is not SYS_rrcall_init_buffers */    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_rrcall_init_buffers, 0, 1),    /* Trigger SIGSYS */    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRAP),    /* Jump forward 1 instruction if system call number       is not SYS_ioctl */    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_ioctl, 0, 1),    /* Trigger SIGSYS */    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRAP),    /* Destination of system call number mismatch: allow other       system calls */    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)  };  struct sock_fprog prog = {    .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),    .filter = filter,  };  int ret;  ret = syscall(RR_seccomp, SECCOMP_SET_MODE_FILTER, 0, &prog);  if (ret == -1 && errno == ENOSYS) {    ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);  }  test_assert(ret == 0);}static void* waiting_thread(void* p) {  char buf;  test_assert(1 == read(pipe_fds[0], &buf, 1));  /* Check this thread wasn't affected by the SET_SECCOMP */  test_assert(0 == prctl(PR_GET_SECCOMP));  return NULL;}

int main(int argc, char *argv[]){    pid_t pid;    struct sock_filter filter[] = {        /* Load architecture */        BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))),        /* Kill process if the architecture is not what we expect */        /* AUDIT_ARCH_X86_64 or AUDIT_ARCH_I386 */        BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, AUDIT_ARCH_X86_64, 1, 0),        BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL),        /* Load system call number */        BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, nr))),        /* Allow system calls other than open() */        BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_open, 1, 0),        BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),        /* Kill process on open() */        BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)    };    struct sock_fprog prog = {        .len = (unsigned short) (sizeof(filter) / sizeof(filter[0])),        .filter = filter,    };    printf("/n*** Appling BPF filter ***/n/n");    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))        perror("prctl");    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog))        perror("seccomp");    pid=fork();    if(pid==0)    {        printf("I am the child/n");        printf("The PID of child is %d/n",getpid());        printf("The PID of parent of child is %d/n/n",getppid());    }    else    {        printf("I am the parent/n");        printf("The PID of parent is %d/n",getpid());        printf("The PID of parent of parent is %d/n/n",getppid());            }    exit(EXIT_SUCCESS);}

static int_open_socket(const char *device){    int etherSocket;    etherSocket = _open_bpf_device();    if (etherSocket == -1) {        perror("bpf");        return -1;    }    // Attach the requested interface    struct ifreq if_idx = { {0} };    strncpy(if_idx.ifr_name, device, strlen(device) + 1);    if (ioctl(etherSocket, BIOCSETIF, &if_idx)) {        perror("BIOCSETIF");        return -1;    }    // Set immediate read on packet reception    uint32_t on = 1;    if (ioctl(etherSocket, BIOCIMMEDIATE, &on)) {        perror("BIOCIMMEDIATE");        return -1;    }    // Setup the BPF filter for CCNX_ETHERTYPE    struct bpf_program filterCode = { 0 };    // BPF instructions:    // Load 12 to accumulator (offset of ethertype)    // Jump Equal to netbyteorder_ethertype 0 instructions, otherwise 1 instruction    // 0: return a length of -1 (meaning whole packet)    // 1: return a length of 0 (meaning skip packet)    struct bpf_insn instructions[] = {        BPF_STMT(BPF_LD + BPF_H + BPF_ABS,  12),        BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, CCNX_ETHERTYPE,0,  1),        BPF_STMT(BPF_RET + BPF_K,           (u_int) - 1),        BPF_STMT(BPF_RET + BPF_K,           0),    };    // Install the filter    filterCode.bf_len = sizeof(instructions) / sizeof(struct bpf_insn);    filterCode.bf_insns = &instructions[0];    if (ioctl(etherSocket, BIOCSETF, &filterCode) < 0) {        perror("BIOCSETF");        return -1;    }    return etherSocket;}

static int load_arp_bpflet(int fd){	static struct sock_filter insns[] = {		BPF_STMT(BPF_LD|BPF_H|BPF_ABS, 6),		BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, ARPOP_RREQUEST, 0, 1),		BPF_STMT(BPF_RET|BPF_K, 1024),		BPF_STMT(BPF_RET|BPF_K, 0),	};	static struct sock_fprog filter = {		sizeof insns / sizeof(insns[0]),		insns	};	return setsockopt(fd, SOL_SOCKET, SO_ATTACH_FILTER, &filter, sizeof(filter));}

intbpf_arp_filter(int fd, int type_offset, int type, int pkt_size){    struct bpf_insn insns[] = {	BPF_STMT(BPF_LD+BPF_H+BPF_ABS, type_offset),	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, type, 0, 1),	BPF_STMT(BPF_RET+BPF_K, pkt_size),	BPF_STMT(BPF_RET+BPF_K, 0),    };    struct bpf_program prog;    prog.bf_len = sizeof(insns) / sizeof(struct bpf_insn);    prog.bf_insns = insns;    return ioctl(fd, BIOCSETF, &prog);}

ATF_TC_BODY(bpfjit_extmem_side_effect, tc){	static struct bpf_insn insns[] = {		BPF_STMT(BPF_LD+BPF_B+BPF_ABS, 0),  /* A <- P[0]  */		BPF_STMT(BPF_LDX+BPF_W+BPF_IMM, 2), /* X <- 2     */		BPF_STMT(BPF_ST, 1),                /* M[1] <- A  */		BPF_STMT(BPF_ALU+BPF_ADD+BPF_X, 0), /* A <- A + X */		BPF_STMT(BPF_STX, 2),               /* M[2] <- X  */		BPF_STMT(BPF_ST, 3),                /* M[3] <- A  */		BPF_STMT(BPF_LD+BPF_B+BPF_ABS, 99), /* A <- P[99] */		BPF_STMT(BPF_RET+BPF_A, 0)          /* ret A      */	};	bpfjit_func_t code;	uint8_t pkt[1] = { 1 };	uint32_t mem[ctx.extwords];	/* Pre-inited words. */	mem[0] = 0;	mem[3] = 7;	mem[1] = mem[2] = 0xdeadbeef;	bpf_args_t args = {		.pkt = pkt,		.buflen = sizeof(pkt),		.wirelen = sizeof(pkt),		.mem = mem,	};	size_t insn_count = sizeof(insns) / sizeof(insns[0]);	RZ(rump_init());	rump_schedule();	code = rumpns_bpfjit_generate_code(&ctx, insns, insn_count);	rump_unschedule();	ATF_REQUIRE(code != NULL);	ATF_CHECK(code(&ctx, &args) == 0);	rump_schedule();	rumpns_bpfjit_free_code(code);	rump_unschedule();	ATF_CHECK(mem[0] == 0);	ATF_CHECK(mem[1] == 1);	ATF_CHECK(mem[2] == 2);	ATF_CHECK(mem[3] == 3);}ATF_TC(bpfjit_extmem_invalid_store);ATF_TC_HEAD(bpfjit_extmem_invalid_store, tc){	atf_tc_set_md_var(tc, "descr", "Test that out-of-range store "	    "fails validation");}

/* * npfctl_bpf_tcpfl: code block to match TCP flags. */voidnpfctl_bpf_tcpfl(npf_bpf_t *ctx, uint8_t tf, uint8_t tf_mask, bool checktcp){	const u_int tcpfl_off = offsetof(struct tcphdr, th_flags);	const bool usingmask = tf_mask != tf;	/* X <- IP header length */	fetch_l3(ctx, AF_UNSPEC, X_EQ_L4OFF);	if (checktcp) {		const u_int jf = usingmask ? 3 : 2;		assert(ctx->ingroup == false);		/* A <- L4 protocol; A == TCP?  If not, jump out. */		struct bpf_insn insns_tcp[] = {			BPF_STMT(BPF_LD+BPF_W+BPF_MEM, BPF_MW_L4PROTO),			BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, IPPROTO_TCP, 0, jf),		};		add_insns(ctx, insns_tcp, __arraycount(insns_tcp));	} else {		assert(ctx->flags & CHECKED_L4);	}	struct bpf_insn insns_tf[] = {		/* A <- TCP flags */		BPF_STMT(BPF_LD+BPF_B+BPF_IND, tcpfl_off),	};	add_insns(ctx, insns_tf, __arraycount(insns_tf));	if (usingmask) {		/* A <- (A & mask) */		struct bpf_insn insns_mask[] = {			BPF_STMT(BPF_ALU+BPF_AND+BPF_K, tf_mask),		};		add_insns(ctx, insns_mask, __arraycount(insns_mask));	}	struct bpf_insn insns_cmp[] = {		/* A == expected-TCP-flags? */		BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, tf, 0, JUMP_MAGIC),	};	add_insns(ctx, insns_cmp, __arraycount(insns_cmp));	if (!checktcp) {		uint32_t mwords[] = { BM_TCPFL, 2, tf, tf_mask};		done_block(ctx, mwords, sizeof(mwords));	}}

static int setup_seccomp_filter(void){	struct sock_filter filter[] = {		BPF_STMT(BPF_LD+BPF_W+BPF_ABS, offsetof(struct seccomp_data, nr)),		/* Allow all syscalls except ptrace */		BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ptrace, 0, 1),		BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL),		BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),	};	struct sock_fprog bpf_prog = {		.len = (unsigned short)(sizeof(filter)/sizeof(filter[0])),		.filter = filter,	};	if (sys_prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, (long) &bpf_prog, 0, 0) < 0)		return -1;	return 0;}static int check_ptrace_dump_seccomp_filters(void){	pid_t pid;	int ret = 0, len;	if (opts.check_ms_kernel) {		pr_warn("Skipping PTRACE_SECCOMP_GET_FILTER check");		return 0;	}	pid = fork_and_ptrace_attach(setup_seccomp_filter);	if (pid < 0)		return -1;	len = ptrace(PTRACE_SECCOMP_GET_FILTER, pid, 0, NULL);	if (len < 0) {		ret = -1;		pr_perror("Dumping seccomp filters not supported");	}	kill(pid, SIGKILL);	return ret;}

/***********************************************************************%FUNCTION: initFilter*%ARGUMENTS:* fd -- file descriptor of BSD device* type -- Ethernet frame type (0 for watch mode)* hwaddr -- buffer with ehthernet address*%RETURNS:* Nothing*%DESCRIPTION:* Initializes the packet filter rules.***********************************************************************/voidinitFilter(int fd, UINT16_t type, unsigned char *hwaddr){    /* Packet Filter Instructions:     * Note that the ethernet type names come from "pppoe.h" and are     * used here to maintain consistency with the rest of this file. */    static struct bpf_insn bpfRun[] = {         /* run PPPoE */        BPF_STMT(BPF_LD+BPF_H+BPF_ABS, 12),     /* ethernet type */        BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ETH_PPPOE_SESSION, 5, 0),        BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ETH_PPPOE_DISCOVERY, 0, 9),        BPF_STMT(BPF_LD+BPF_W+BPF_ABS, 0),      /* first word of dest. addr */#define PPPOE_BCAST_CMPW 4                     /* offset of word compare */        BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0, 0, 2),        BPF_STMT(BPF_LD+BPF_H+BPF_ABS, 4),      /* next 1/2 word of dest. */#define PPPOE_BCAST_CMPH 6                     /* offset of 1/2 word compare */        BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0, 4, 0),        BPF_STMT(BPF_LD+BPF_W+BPF_ABS, 0),      /* first word of dest. addr */#define PPPOE_FILTER_CMPW 8                     /* offset of word compare */        BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0, 0, 3),        BPF_STMT(BPF_LD+BPF_H+BPF_ABS, 4),      /* next 1/2 word of dest. */#define PPPOE_FILTER_CMPH 10                    /* offset of 1/rd compare */        BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0, 0, 1),        BPF_STMT(BPF_RET+BPF_K, (u_int) -1),    /* keep packet */        BPF_STMT(BPF_RET+BPF_K, 0),             /* drop packet */    };    /* Fix the potentially varying parts */    bpfRun[1].code = (u_short) BPF_JMP+BPF_JEQ+BPF_K;    bpfRun[1].jt   = 5;    bpfRun[1].jf   = 0;    bpfRun[1].k    = Eth_PPPOE_Session;    bpfRun[2].code = (u_short) BPF_JMP+BPF_JEQ+BPF_K;    bpfRun[2].jt   = 0;    bpfRun[2].jf   = 9;    bpfRun[2].k    = Eth_PPPOE_Discovery;    {      struct bpf_insn bpfInsn[sizeof(bpfRun) / sizeof(bpfRun[0])];      struct bpf_program bpfProgram;      memcpy(bpfInsn, bpfRun, sizeof(bpfRun));      bpfInsn[PPPOE_BCAST_CMPW].k = ((0xff << 24) | (0xff << 16) |                                     (0xff << 8) | 0xff);      bpfInsn[PPPOE_BCAST_CMPH].k = ((0xff << 8) | 0xff);      bpfInsn[PPPOE_FILTER_CMPW].k = ((hwaddr[0] << 24) | (hwaddr[1] << 16) |				      (hwaddr[2] << 8) | hwaddr[3]);      bpfInsn[PPPOE_FILTER_CMPH].k = ((hwaddr[4] << 8) | hwaddr[5]);      bpfProgram.bf_len = (sizeof(bpfInsn) / sizeof(bpfInsn[0]));      bpfProgram.bf_insns = &bpfInsn[0];            /* Apply the filter */      if (ioctl(fd, BIOCSETF, &bpfProgram) < 0) {	fatalSys("ioctl(BIOCSETF)");      }    }}

static int install_filter(int nr, int arch, int error){	struct sock_filter filter[] = {		BPF_STMT(BPF_LD+BPF_W+BPF_ABS,			 (offsetof(struct seccomp_data, arch))),		BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, arch, 0, 3),		BPF_STMT(BPF_LD+BPF_W+BPF_ABS,			 (offsetof(struct seccomp_data, nr))),		BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, nr, 0, 1),		BPF_STMT(BPF_RET+BPF_K,			 SECCOMP_RET_ERRNO|(error & SECCOMP_RET_DATA)),		BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),	};	struct sock_fprog prog = {		.len = (unsigned short)(sizeof(filter)/sizeof(filter[0])),		.filter = filter,	};	if (prctl(PR_SET_SECCOMP, 2, &prog)) {		perror("prctl");		return 1;	}	return 0;}int main(int argc, char **argv){	if (argc < 5) {		fprintf(stderr, "Usage:/n"			"dropper <syscall_nr> <arch> <errno> <prog> [<args>]/n"			"Hint:	AUDIT_ARCH_I386: 0x%X/n"			"	AUDIT_ARCH_X86_64: 0x%X/n"			"/n", AUDIT_ARCH_I386, AUDIT_ARCH_X86_64);		return 1;	}	if (install_filter(strtol(argv[1], NULL, 0), strtol(argv[2], NULL, 0),			   strtol(argv[3], NULL, 0)))		return 1;	execv(argv[4], &argv[4]);	printf("Failed to execv/n");	return 255;}

intbpf_filter_receive_none(int fd){    struct bpf_insn insns[] = {	BPF_STMT(BPF_RET+BPF_K, 0),    };    struct bpf_program prog;    prog.bf_len = sizeof(insns) / sizeof(struct bpf_insn);    prog.bf_insns = insns;    return ioctl(fd, BIOCSETF, &prog);}

int qrpc_set_filter(const int sock){	struct sock_filter filter[] = {		BPF_STMT(BPF_LD + BPF_H + BPF_ABS, ETH_ALEN << 1),	/* read packet type id */		BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K,			QRPC_RAW_SOCK_PROT, 0, 1),			/* if qtn packet */		BPF_STMT(BPF_RET + BPF_K, ETH_FRAME_LEN),		/* accept packet */		BPF_STMT(BPF_RET + BPF_K, 0)				/* else  ignore packet */	};	struct sock_fprog fp;	fp.filter = filter;	fp.len = ARRAY_SIZE(filter);	if (setsockopt(sock, SOL_SOCKET, SO_ATTACH_FILTER, &fp, sizeof(fp)) < 0) {		printf("Cannot set rpc packet filter/n");		return -1;	}	return 0;}

int lldp_network_bind_raw_socket(int ifindex) {        typedef struct LLDPFrame {                struct ethhdr hdr;                uint8_t tlvs[0];        } LLDPFrame;        struct sock_filter filter[] = {                BPF_STMT(BPF_LD + BPF_W + BPF_ABS, offsetof(LLDPFrame, hdr.h_dest)),      /* A <- 4 bytes of destination MAC */                BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, 0x0180c200, 1, 0),                    /* A != 01:80:c2:00 */                BPF_STMT(BPF_RET + BPF_K, 0),                                             /* drop packet */                BPF_STMT(BPF_LD + BPF_H + BPF_ABS, offsetof(LLDPFrame, hdr.h_dest) + 4),  /* A <- remaining 2 bytes of destination MAC */                BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, 0x0000, 3, 0),                        /* A != 00:00 */                BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, 0x0003, 2, 0),                        /* A != 00:03 */                BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, 0x000e, 1, 0),                        /* A != 00:0e */                BPF_STMT(BPF_RET + BPF_K, 0),                                             /* drop packet */                BPF_STMT(BPF_LD + BPF_H + BPF_ABS, offsetof(LLDPFrame, hdr.h_proto)),     /* A <- protocol */                BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, ETHERTYPE_LLDP, 1, 0),                /* A != ETHERTYPE_LLDP */                BPF_STMT(BPF_RET + BPF_K, 0),                                             /* drop packet */                BPF_STMT(BPF_RET + BPF_K, (uint32_t) -1),                                 /* accept packet */        };        struct sock_fprog fprog = {                .len = ELEMENTSOF(filter),                .filter = filter        };        _cleanup_close_ int s = -1;        union sockaddr_union saddrll = {                .ll.sll_family = AF_PACKET,                .ll.sll_ifindex = ifindex,        };        int r;        assert(ifindex > 0);        s = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL));        if (s < 0)                return -errno;        r = setsockopt(s, SOL_SOCKET, SO_ATTACH_FILTER, &fprog, sizeof(fprog));        if (r < 0)                return -errno;        r = bind(s, &saddrll.sa, sizeof(saddrll.ll));        if (r < 0)                return -errno;        r = s;        s = -1;        return r;}

voidinitFilter(int fd, UINT16_t type, unsigned char *hwaddr){    static struct bpf_insn bpfRun[] = {         	BPF_STMT(BPF_LD+BPF_H+BPF_ABS, 12),     	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ETH_PPPOE_SESSION, 5, 0),	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ETH_PPPOE_DISCOVERY, 0, 9),	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, 0),      #define PPPOE_BCAST_CMPW 4                     	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0, 0, 2),	BPF_STMT(BPF_LD+BPF_H+BPF_ABS, 4),      #define PPPOE_BCAST_CMPH 6                     	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0, 4, 0),	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, 0),      #define PPPOE_FILTER_CMPW 8                     	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0, 0, 3),	BPF_STMT(BPF_LD+BPF_H+BPF_ABS, 4),      #define PPPOE_FILTER_CMPH 10                    	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0, 0, 1),	BPF_STMT(BPF_RET+BPF_K, (u_int) -1),    	BPF_STMT(BPF_RET+BPF_K, 0),                 };        bpfRun[1].code = (u_short) BPF_JMP+BPF_JEQ+BPF_K;    bpfRun[1].jt   = 5;    bpfRun[1].jf   = 0;    bpfRun[1].k    = Eth_PPPOE_Session;    bpfRun[2].code = (u_short) BPF_JMP+BPF_JEQ+BPF_K;    bpfRun[2].jt   = 0;    bpfRun[2].jf   = 9;    bpfRun[2].k    = Eth_PPPOE_Discovery;    {      struct bpf_insn bpfInsn[sizeof(bpfRun) / sizeof(bpfRun[0])];      struct bpf_program bpfProgram;      memcpy(bpfInsn, bpfRun, sizeof(bpfRun));      bpfInsn[PPPOE_BCAST_CMPW].k = ((0xff << 24) | (0xff << 16) |				     (0xff << 8) | 0xff);      bpfInsn[PPPOE_BCAST_CMPH].k = ((0xff << 8) | 0xff);      bpfInsn[PPPOE_FILTER_CMPW].k = ((hwaddr[0] << 24) | (hwaddr[1] << 16) |				      (hwaddr[2] << 8) | hwaddr[3]);      bpfInsn[PPPOE_FILTER_CMPH].k = ((hwaddr[4] << 8) | hwaddr[5]);      bpfProgram.bf_len = (sizeof(bpfInsn) / sizeof(bpfInsn[0]));      bpfProgram.bf_insns = &bpfInsn[0];            if (ioctl(fd, BIOCSETF, &bpfProgram) < 0) {	fatalSys("ioctl(BIOCSETF)");      }    }}

int arp_network_bind_raw_socket(int ifindex, union sockaddr_union *link) {        static const struct sock_filter filter[] = {                BPF_STMT(BPF_LD + BPF_W + BPF_LEN, 0),                                         /* A <- packet length */                BPF_JUMP(BPF_JMP + BPF_JGE + BPF_K, sizeof(struct ether_arp), 1, 0),           /* packet >= arp packet ? */                BPF_STMT(BPF_RET + BPF_K, 0),                                                  /* ignore */                BPF_STMT(BPF_LD + BPF_H + BPF_ABS, offsetof(struct ether_arp, ea_hdr.ar_hrd)), /* A <- header */                BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, ARPHRD_ETHER, 1, 0),                       /* header == ethernet ? */                BPF_STMT(BPF_RET + BPF_K, 0),                                                  /* ignore */                BPF_STMT(BPF_LD + BPF_H + BPF_ABS, offsetof(struct ether_arp, ea_hdr.ar_pro)), /* A <- protocol */                BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, ETHERTYPE_IP, 1, 0),                       /* protocol == IP ? */                BPF_STMT(BPF_RET + BPF_K, 0),                                                  /* ignore */                BPF_STMT(BPF_LD + BPF_H + BPF_ABS, offsetof(struct ether_arp, ea_hdr.ar_op)),  /* A <- operation */                BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, ARPOP_REQUEST, 0, 1),                      /* protocol == request ? */                BPF_STMT(BPF_RET + BPF_K, 65535),                                              /* return all */                BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, ARPOP_REPLY, 0, 1),                        /* protocol == reply ? */                BPF_STMT(BPF_RET + BPF_K, 65535),                                              /* return all */                BPF_STMT(BPF_RET + BPF_K, 0),                                                  /* ignore */        };        struct sock_fprog fprog = {                .len = ELEMENTSOF(filter),                .filter = (struct sock_filter*) filter        };        _cleanup_close_ int s = -1;        int r;        assert(ifindex > 0);        assert(link);        s = socket(PF_PACKET, SOCK_DGRAM | SOCK_CLOEXEC | SOCK_NONBLOCK, 0);        if (s < 0)                return -errno;        r = setsockopt(s, SOL_SOCKET, SO_ATTACH_FILTER, &fprog, sizeof(fprog));        if (r < 0)                return -errno;        link->ll.sll_family = AF_PACKET;        link->ll.sll_protocol = htons(ETH_P_ARP);        link->ll.sll_ifindex = ifindex;        link->ll.sll_halen = ETH_ALEN;        memset(link->ll.sll_addr, 0xff, ETH_ALEN);        r = bind(s, &link->sa, sizeof(link->ll));        if (r < 0)                return -errno;        r = s;        s = -1;        return r;}

static void android_net_utils_attachRaFilter(JNIEnv *env, jobject clazz, jobject javaFd,        jint hardwareAddressType){    if (hardwareAddressType != ARPHRD_ETHER) {        jniThrowExceptionFmt(env, "java/net/SocketException",                "attachRaFilter only supports ARPHRD_ETHER");        return;    }    uint32_t ipv6_offset = sizeof(ether_header);    uint32_t ipv6_next_header_offset = ipv6_offset + offsetof(ip6_hdr, ip6_nxt);    uint32_t icmp6_offset = ipv6_offset + sizeof(ip6_hdr);    uint32_t icmp6_type_offset = icmp6_offset + offsetof(icmp6_hdr, icmp6_type);    struct sock_filter filter_code[] = {        // Check IPv6 Next Header is ICMPv6.        BPF_STMT(BPF_LD  | BPF_B   | BPF_ABS,  ipv6_next_header_offset),        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,    IPPROTO_ICMPV6, 0, 3),        // Check ICMPv6 type is Router Advertisement.        BPF_STMT(BPF_LD  | BPF_B   | BPF_ABS,  icmp6_type_offset),        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,    ND_ROUTER_ADVERT, 0, 1),        // Accept or reject.        BPF_STMT(BPF_RET | BPF_K,              0xffff),        BPF_STMT(BPF_RET | BPF_K,              0)    };    struct sock_fprog filter = {        sizeof(filter_code) / sizeof(filter_code[0]),        filter_code,    };    int fd = jniGetFDFromFileDescriptor(env, javaFd);    if (setsockopt(fd, SOL_SOCKET, SO_ATTACH_FILTER, &filter, sizeof(filter)) != 0) {        jniThrowExceptionFmt(env, "java/net/SocketException",                "setsockopt(SO_ATTACH_FILTER): %s", strerror(errno));    }}

static void install_filter(void) {  struct sock_filter filter[] = { /* Allow all system calls */                                  BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)  };  struct sock_fprog prog = {    .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),    .filter = filter,  };  int ret;  ret = syscall(RR_seccomp, SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC,                &prog);  if (ret == -1 && errno == ENOSYS) {    atomic_puts("seccomp syscall not supported");    atomic_puts("EXIT-SUCCESS");    exit(0);  }  test_assert(ret == 0);}static void* waiting_thread(__attribute__((unused)) void* p) {  char buf;  test_assert(1 == read(pipe_fds[0], &buf, 1));  /* Check this thread *was* affected by SECCOMP_FILTER_FLAG_TSYNC */  test_assert(2 == prctl(PR_GET_SECCOMP));  return NULL;}int main(void) {  pthread_t w_thread;  test_assert(0 == pipe(pipe_fds));  pthread_create(&w_thread, NULL, waiting_thread, NULL);  /* Prepare syscallbuf patch path. Need to do this after     pthread_create since when we have more than one     thread we take a different syscall path... */  test_assert(0 == prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0));  install_filter();  test_assert(2 == prctl(PR_GET_SECCOMP));  test_assert(1 == write(pipe_fds[1], "c", 1));  pthread_join(w_thread, NULL);  atomic_puts("EXIT-SUCCESS");  return 0;}

int main(void){	const size_t arch_offset    = offsetof(struct seccomp_data, arch);	const size_t syscall_offset = offsetof(struct seccomp_data, nr);	struct sock_fprog program;	#define ARCH_NR AUDIT_ARCH_X86_64	struct sock_filter filter[] = {		BPF_STMT(BPF_LD + BPF_W + BPF_ABS, arch_offset),		BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, AUDIT_ARCH_X86_64, 0, 1),		BPF_STMT(BPF_LD + BPF_W + BPF_ABS, syscall_offset),		BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, 0, 0, 1),		BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_TRACE)	};	program.filter = filter;	program.len = sizeof(filter) / sizeof(struct sock_filter);	(void) prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);	(void) prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &program);	return 1;}