Forbid setsockopt(SOL_SOCKET, SO_MARK)

author: Nicolas Douma <nicolas@serveur.io> 2020-04-29 02:52:18 +0200
committer: Nicolas Douma <nicolas@serveur.io> 2020-04-29 02:52:18 +0200
commit: 6f7c1ccc1f6527750ed530217b7ae0a534acf90d (patch)
tree: 866a65eed5e5e314102403b6fcfe8ab7171f3b9a
parent: Update comment style (diff)
download: netifexec-6f7c1ccc1f6527750ed530217b7ae0a534acf90d.tar.xz
netifexec-6f7c1ccc1f6527750ed530217b7ae0a534acf90d.zip
1 files changed, 4 insertions, 2 deletions
diff --git a/netifexec.c b/netifexec.c
index ee53980..34e71a8 100644
--- a/netifexec.c
+++ b/netifexec.c
@@ -448,9 +448,11 @@ static void hook_setsockopt(int cgroupfd, char *iface)
 	struct bpf_insn bpf_program[] = {
 			BPF_MOV64_IMM(BPF_REG_0, SK_PASS),
 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, offsetof(struct bpf_sockopt, level)),
-			BPF_JMP_IMM(BPF_AND, BPF_REG_2, SOL_SOCKET, 3),
+			BPF_JMP_IMM(BPF_AND, BPF_REG_2, SOL_SOCKET, 5),
 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, offsetof(struct bpf_sockopt, optname)),
-			BPF_JMP_IMM(BPF_AND, BPF_REG_2, SO_BINDTODEVICE, 1),
+			BPF_JMP_IMM(BPF_JEQ, BPF_REG_2, SO_BINDTODEVICE, 2),
+			BPF_JMP_IMM(BPF_JEQ, BPF_REG_2, SO_MARK, 1),
+			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
 			BPF_MOV64_IMM(BPF_REG_0, SK_DROP),
 			BPF_EXIT_INSN()
 	};
author	Nicolas Douma <nicolas@serveur.io>	2020-04-29 02:52:18 +0200
committer	Nicolas Douma <nicolas@serveur.io>	2020-04-29 02:52:18 +0200
commit	6f7c1ccc1f6527750ed530217b7ae0a534acf90d (patch)
tree	866a65eed5e5e314102403b6fcfe8ab7171f3b9a
parent	Update comment style (diff)
download	netifexec-6f7c1ccc1f6527750ed530217b7ae0a534acf90d.tar.xz netifexec-6f7c1ccc1f6527750ed530217b7ae0a534acf90d.zip