#
# pseudo filter code start
#
# NOTE(review): this is a libseccomp-style pseudo filter code (PFC) listing,
# i.e. a human-readable rendering of a seccomp-BPF program, not a Perl
# script despite the file's language tag. $arch, $syscall and $a0..$a5 are
# the seccomp_data fields; every 64-bit argument is tested as two 32-bit
# halves ($aN.hi32 / $aN.lo32); "$x & MASK == V" is a masked compare; an
# "action" is the verdict reached when every condition leading to it held.
# In the original export the if/else nesting is carried by indentation, and
# that indentation did not survive in this copy. Below, the statements are
# listed one per line in their original order, but the nesting INSIDE a
# syscall block is not reconstructed: each "if" still guards the statements
# that followed it in the export, and each "else" belongs to the nearest
# preceding "if". Do not read consecutive lines as independent rules;
# recover the exact structure from the BPF or a fresh export before relying
# on fine details (mprotect is the one block where this really matters).
# Rules are ordered by priority, highest first; the argument-checked rules
# carry the lower priorities.
# filter for arch x86_64 (3221225534)
# 3221225534 == 0xc000003e (AUDIT_ARCH_X86_64). Everything down to the
# "default action" line applies only when seccomp_data.arch is x86_64; a
# syscall made under any other ABI reaches the "invalid architecture
# action" (KILL) at the bottom.
if ($arch == 3221225534)
  # ---- Unconditional allows (no argument checks), priority 65535 ----
  # The negative "syscall numbers" (-10010 .. -10062 here, -10009 and
  # -10029 further down) look like libseccomp's placeholders for syscalls
  # that do not exist in the x86_64 ABI (fstat64, the *32 id calls,
  # _llseek, sigreturn, stat64, fcntl64, mmap2). They can never equal a
  # real x86_64 syscall number, so those rules are inert in this filter;
  # they only matter if the same rule set is also built for a 32-bit arch
  # (verify against the libseccomp version that produced this export).
  # Defender note: clone (56), mmap (9), madvise (28), fcntl (72),
  # setrlimit (160), mlockall (151), unlink (87), mkdir (83) and fchmod (91)
  # are allowed with ANY arguments. In particular mmap is not restricted by
  # prot/flags even though mprotect (further down) never grants PROT_EXEC,
  # so this filter does not by itself enforce W^X.
  # filter for syscall "fstat64" (-10010) [priority: 65535]
  if ($syscall == -10010)
    action ALLOW;
  # filter for syscall "getegid32" (-10015) [priority: 65535]
  if ($syscall == -10015)
    action ALLOW;
  # filter for syscall "geteuid32" (-10016) [priority: 65535]
  if ($syscall == -10016)
    action ALLOW;
  # filter for syscall "getgid32" (-10017) [priority: 65535]
  if ($syscall == -10017)
    action ALLOW;
  # filter for syscall "getuid32" (-10021) [priority: 65535]
  if ($syscall == -10021)
    action ALLOW;
  # filter for syscall "_llseek" (-10026) [priority: 65535]
  if ($syscall == -10026)
    action ALLOW;
  # filter for syscall "sigreturn" (-10058) [priority: 65535]
  if ($syscall == -10058)
    action ALLOW;
  # filter for syscall "stat64" (-10062) [priority: 65535]
  if ($syscall == -10062)
    action ALLOW;
  # filter for syscall "getrandom" (318) [priority: 65535]
  if ($syscall == 318)
    action ALLOW;
  # filter for syscall "prlimit64" (302) [priority: 65535]
  if ($syscall == 302)
    action ALLOW;
  # filter for syscall "pipe2" (293) [priority: 65535]
  if ($syscall == 293)
    action ALLOW;
  # filter for syscall "eventfd2" (290) [priority: 65535]
  if ($syscall == 290)
    action ALLOW;
  # filter for syscall "epoll_pwait" (281) [priority: 65535]
  if ($syscall == 281)
    action ALLOW;
  # filter for syscall "set_robust_list" (273) [priority: 65535]
  if ($syscall == 273)
    action ALLOW;
  # filter for syscall "epoll_wait" (232) [priority: 65535]
  if ($syscall == 232)
    action ALLOW;
  # filter for syscall "exit_group" (231) [priority: 65535]
  if ($syscall == 231)
    action ALLOW;
  # filter for syscall "clock_gettime" (228) [priority: 65535]
  if ($syscall == 228)
    action ALLOW;
  # filter for syscall "getdents64" (217) [priority: 65535]
  if ($syscall == 217)
    action ALLOW;
  # filter for syscall "epoll_create" (213) [priority: 65535]
  if ($syscall == 213)
    action ALLOW;
  # filter for syscall "sched_getaffinity" (204) [priority: 65535]
  if ($syscall == 204)
    action ALLOW;
  # filter for syscall "futex" (202) [priority: 65535]
  if ($syscall == 202)
    action ALLOW;
  # filter for syscall "gettid" (186) [priority: 65535]
  if ($syscall == 186)
    action ALLOW;
  # filter for syscall "setrlimit" (160) [priority: 65535]
  if ($syscall == 160)
    action ALLOW;
  # filter for syscall "_sysctl" (156) [priority: 65535]
  # Denied with ERRNO(1) == EPERM: the caller gets a clean error return
  # instead of the default TRAP.
  if ($syscall == 156)
    action ERRNO(1);
  # filter for syscall "mlockall" (151) [priority: 65535]
  if ($syscall == 151)
    action ALLOW;
  # filter for syscall "sigaltstack" (131) [priority: 65535]
  if ($syscall == 131)
    action ALLOW;
  # filter for syscall "getegid" (108) [priority: 65535]
  if ($syscall == 108)
    action ALLOW;
  # filter for syscall "geteuid" (107) [priority: 65535]
  if ($syscall == 107)
    action ALLOW;
  # filter for syscall "getgid" (104) [priority: 65535]
  if ($syscall == 104)
    action ALLOW;
  # filter for syscall "getuid" (102) [priority: 65535]
  if ($syscall == 102)
    action ALLOW;
  # filter for syscall "sysinfo" (99) [priority: 65535]
  if ($syscall == 99)
    action ALLOW;
  # filter for syscall "getrlimit" (97) [priority: 65535]
  if ($syscall == 97)
    action ALLOW;
  # filter for syscall "gettimeofday" (96) [priority: 65535]
  if ($syscall == 96)
    action ALLOW;
  # filter for syscall "fchmod" (91) [priority: 65535]
  if ($syscall == 91)
    action ALLOW;
  # filter for syscall "unlink" (87) [priority: 65535]
  if ($syscall == 87)
    action ALLOW;
  # filter for syscall "mkdir" (83) [priority: 65535]
  if ($syscall == 83)
    action ALLOW;
  # filter for syscall "getdents" (78) [priority: 65535]
  if ($syscall == 78)
    action ALLOW;
  # filter for syscall "fcntl" (72) [priority: 65535]
  # Note: the real x86_64 fcntl is unrestricted; the cmd/arg checks on
  # "fcntl64" further down apply only to that inert pseudo syscall.
  if ($syscall == 72)
    action ALLOW;
  # filter for syscall "uname" (63) [priority: 65535]
  if ($syscall == 63)
    action ALLOW;
  # filter for syscall "wait4" (61) [priority: 65535]
  if ($syscall == 61)
    action ALLOW;
  # filter for syscall "exit" (60) [priority: 65535]
  if ($syscall == 60)
    action ALLOW;
  # filter for syscall "clone" (56) [priority: 65535]
  if ($syscall == 56)
    action ALLOW;
  # filter for syscall "getsockname" (51) [priority: 65535]
  if ($syscall == 51)
    action ALLOW;
  # filter for syscall "listen" (50) [priority: 65535]
  if ($syscall == 50)
    action ALLOW;
  # filter for syscall "bind" (49) [priority: 65535]
  if ($syscall == 49)
    action ALLOW;
  # filter for syscall "shutdown" (48) [priority: 65535]
  if ($syscall == 48)
    action ALLOW;
  # filter for syscall "recvmsg" (47) [priority: 65535]
  if ($syscall == 47)
    action ALLOW;
  # filter for syscall "sendmsg" (46) [priority: 65535]
  if ($syscall == 46)
    action ALLOW;
  # filter for syscall "recvfrom" (45) [priority: 65535]
  if ($syscall == 45)
    action ALLOW;
  # filter for syscall "sendto" (44) [priority: 65535]
  if ($syscall == 44)
    action ALLOW;
  # filter for syscall "connect" (42) [priority: 65535]
  if ($syscall == 42)
    action ALLOW;
  # filter for syscall "getpid" (39) [priority: 65535]
  if ($syscall == 39)
    action ALLOW;
  # filter for syscall "nanosleep" (35) [priority: 65535]
  if ($syscall == 35)
    action ALLOW;
  # filter for syscall "madvise" (28) [priority: 65535]
  if ($syscall == 28)
    action ALLOW;
  # filter for syscall "sched_yield" (24) [priority: 65535]
  if ($syscall == 24)
    action ALLOW;
  # filter for syscall "pipe" (22) [priority: 65535]
  if ($syscall == 22)
    action ALLOW;
  # filter for syscall "access" (21) [priority: 65535]
  if ($syscall == 21)
    action ALLOW;
  # filter for syscall "writev" (20) [priority: 65535]
  if ($syscall == 20)
    action ALLOW;
  # filter for syscall "rt_sigreturn" (15) [priority: 65535]
  if ($syscall == 15)
    action ALLOW;
  # filter for syscall "brk" (12) [priority: 65535]
  if ($syscall == 12)
    action ALLOW;
  # filter for syscall "munmap" (11) [priority: 65535]
  if ($syscall == 11)
    action ALLOW;
  # filter for syscall "mmap" (9) [priority: 65535]
  # Unrestricted (see the defender note above); the prot/flags checks on
  # "mmap2" further down apply only to that inert pseudo syscall.
  if ($syscall == 9)
    action ALLOW;
  # filter for syscall "lseek" (8) [priority: 65535]
  if ($syscall == 8)
    action ALLOW;
  # filter for syscall "poll" (7) [priority: 65535]
  if ($syscall == 7)
    action ALLOW;
  # filter for syscall "fstat" (5) [priority: 65535]
  if ($syscall == 5)
    action ALLOW;
  # filter for syscall "stat" (4) [priority: 65535]
  if ($syscall == 4)
    action ALLOW;
  # filter for syscall "close" (3) [priority: 65535]
  if ($syscall == 3)
    action ALLOW;
  # filter for syscall "write" (1) [priority: 65535]
  if ($syscall == 1)
    action ALLOW;
  # filter for syscall "read" (0) [priority: 65535]
  if ($syscall == 0)
    action ALLOW;
  # ---- Argument-checked rules, priority 65533 and below ----
  # filter for syscall "accept4" (288) [priority: 65533]
  # a3 = flags. The mask ignores 0x80000 (SOCK_CLOEXEC) and 0x800
  # (SOCK_NONBLOCK); every other flag bit must be clear.
  if ($syscall == 288)
    if ($a3.hi32 & 0xffffffff == 0)
    if ($a3.lo32 & 0xfff7f7ff == 0)
    action ALLOW;
  # filter for syscall "time" (201) [priority: 65533]
  # a0 = tloc; only the NULL-pointer form (no store through the pointer)
  # is allowed.
  if ($syscall == 201)
    if ($a0.hi32 == 0)
    if ($a0.lo32 == 0)
    action ALLOW;
  # filter for syscall "prctl" (157) [priority: 65533]
  # a0 = option; 4 == PR_SET_DUMPABLE. Every other prctl option reaches the
  # default TRAP.
  if ($syscall == 157)
    if ($a0.hi32 == 0)
    if ($a0.lo32 == 4)
    action ALLOW;
  # filter for syscall "chown" (92) [priority: 65533]
  # a0 = pathname. The hi32/lo32 pair pins a single 64-bit value that looks
  # like a user-space pointer. A seccomp filter cannot read the memory a
  # pointer refers to, so this matches one fixed address, not a path: it
  # only works with a non-randomized layout, and the string at that address
  # can be changed between the check and the kernel's copy (TOCTOU). Treat
  # it as a layout pin, not a path allow-list. Same caveat for chmod,
  # rename, openat, mremap and mprotect below.
  if ($syscall == 92)
    if ($a0.hi32 == 31674)
    if ($a0.lo32 == 174182400)
    action ALLOW;
  # filter for syscall "chmod" (90) [priority: 65533]
  # Same single pointer value as chown.
  if ($syscall == 90)
    if ($a0.hi32 == 31674)
    if ($a0.lo32 == 174182400)
    action ALLOW;
  # filter for syscall "kill" (62) [priority: 65533]
  # a1 = sig; only signal 0 (existence/permission probe, no signal is
  # delivered) is allowed.
  if ($syscall == 62)
    if ($a1.hi32 == 0)
    if ($a1.lo32 == 0)
    action ALLOW;
  # filter for syscall "ioctl" (16) [priority: 65533]
  # a1 = request; 35147 == 0x894b (looks like SIOCOUTQNSD from
  # <linux/sockios.h> -- verify). All other ioctl requests hit TRAP.
  if ($syscall == 16)
    if ($a1.hi32 == 0)
    if ($a1.lo32 == 35147)
    action ALLOW;
  # filter for syscall "open" (2) [priority: 65533]
  # a1 = flags. The mask ignores 0x000a0900 (x86-64 values: O_CLOEXEC
  # 0x80000, O_NOFOLLOW 0x20000, O_NONBLOCK 0x800, O_NOCTTY 0x100); what
  # remains must be 0, i.e. a plain O_RDONLY open. Such calls are refused
  # with ERRNO(13) == EACCES; every other open() falls through to the
  # default TRAP. openat ends with the same masked rule.
  if ($syscall == 2)
    if ($a1.hi32 & 0xffffffff == 0)
    if ($a1.lo32 & 0xfff5f6ff == 0)
    action ERRNO(13);
  # filter for syscall "flock" (73) [priority: 65532]
  # a1 = operation; 8 == LOCK_UN, 6 == LOCK_EX|LOCK_NB.
  if ($syscall == 73)
    if ($a1.hi32 == 0)
    if ($a1.lo32 == 8)
    action ALLOW;
    if ($a1.lo32 == 6)
    action ALLOW;
  # filter for syscall "rt_sigprocmask" (14) [priority: 65532]
  # a0 = how; 2 == SIG_SETMASK, 1 == SIG_UNBLOCK. SIG_BLOCK (0) is not
  # granted and reaches TRAP.
  if ($syscall == 14)
    if ($a0.hi32 == 0)
    if ($a0.lo32 == 2)
    action ALLOW;
    if ($a0.lo32 == 1)
    action ALLOW;
  # filter for syscall "epoll_ctl" (233) [priority: 65531]
  # a1 = op; 2 == EPOLL_CTL_DEL, 3 == EPOLL_CTL_MOD, 1 == EPOLL_CTL_ADD.
  if ($syscall == 233)
    if ($a1.hi32 == 0)
    if ($a1.lo32 == 2)
    action ALLOW;
    if ($a1.lo32 == 3)
    action ALLOW;
    if ($a1.lo32 == 1)
    action ALLOW;
  # filter for syscall "socketpair" (53) [priority: 65531]
  # a0 = domain 1 (AF_UNIX); a1 = type 524289 == 0x80001 ==
  # SOCK_STREAM|SOCK_CLOEXEC (exact match, no mask).
  if ($syscall == 53)
    if ($a0.hi32 == 0)
    if ($a0.lo32 == 1)
    if ($a1.hi32 == 0)
    if ($a1.lo32 == 524289)
    action ALLOW;
  # filter for syscall "mremap" (25) [priority: 65531]
  # a0 = old_address, a3 = flags. One pinned address is a tripwire: a
  # remap of exactly that value is KILLed; otherwise the call is allowed
  # when flags == 1 (MREMAP_MAYMOVE). Which rule wins for that address
  # depends on the nesting lost in this copy (the KILL chain is listed
  # first, which is presumably also how it is evaluated -- confirm).
  if ($syscall == 25)
    if ($a0.hi32 == 31674)
    if ($a0.lo32 == 153210880)
    action KILL;
    if ($a3.hi32 == 0)
    if ($a3.lo32 == 1)
    action ALLOW;
  # filter for syscall "fcntl64" (-10009) [priority: 65526]
  # Inert on x86_64 (pseudo syscall number); the real fcntl (72) above is
  # allowed unconditionally.
  if ($syscall == -10009)
    if ($a1.hi32 == 0)
    if ($a1.lo32 == 2)
    if ($a2.hi32 == 0)
    if ($a2.lo32 == 1)
    action ALLOW;
    if ($a1.lo32 == 1)
    action ALLOW;
    if ($a1.lo32 == 4)
    if ($a2.hi32 == 0)
    if ($a2.lo32 == 2050)
    action ALLOW;
    if ($a1.lo32 == 3)
    action ALLOW;
  # filter for syscall "rt_sigaction" (13) [priority: 65526]
  # a0 = signum (x86-64 numbers): 25 SIGXFSZ, 17 SIGCHLD, 1 SIGHUP,
  # 12 SIGUSR2, 10 SIGUSR1, 13 SIGPIPE, 15 SIGTERM, 2 SIGINT. Installing a
  # handler for any other signal -- including SIGSYS (31) -- after the
  # filter is active reaches the default TRAP.
  if ($syscall == 13)
    if ($a0.hi32 == 0)
    if ($a0.lo32 == 25)
    action ALLOW;
    if ($a0.lo32 == 17)
    action ALLOW;
    if ($a0.lo32 == 1)
    action ALLOW;
    if ($a0.lo32 == 12)
    action ALLOW;
    if ($a0.lo32 == 10)
    action ALLOW;
    if ($a0.lo32 == 13)
    action ALLOW;
    if ($a0.lo32 == 15)
    action ALLOW;
    if ($a0.lo32 == 2)
    action ALLOW;
  # filter for syscall "setsockopt" (54) [priority: 65522]
  # a1 = level, a2 = optname (decoded against Linux x86-64 headers):
  # (41, 26) IPPROTO_IPV6/IPV6_V6ONLY; (0, 19) IPPROTO_IP/IP_TRANSPARENT;
  # (1, 32|8|7|2) SOL_SOCKET/SO_SNDBUFFORCE, SO_RCVBUF, SO_SNDBUF,
  # SO_REUSEADDR. Option values (a3/a4) are not checked.
  if ($syscall == 54)
    if ($a1.hi32 == 0)
    if ($a1.lo32 == 41)
    if ($a2.hi32 == 0)
    if ($a2.lo32 == 26)
    action ALLOW;
    if ($a1.lo32 == 0)
    if ($a2.hi32 == 0)
    if ($a2.lo32 == 19)
    action ALLOW;
    if ($a1.lo32 == 1)
    if ($a2.hi32 == 0)
    if ($a2.lo32 == 32)
    action ALLOW;
    if ($a2.lo32 == 8)
    action ALLOW;
    if ($a2.lo32 == 7)
    action ALLOW;
    if ($a2.lo32 == 2)
    action ALLOW;
  # filter for syscall "getsockopt" (55) [priority: 65520]
  # a1 = level, a2 = optname: (6, 11) IPPROTO_TCP/TCP_INFO; (41, 80) and
  # (0, 80) appear to be the netfilter original-destination lookups
  # (IP6T_SO_ORIGINAL_DST / SO_ORIGINAL_DST -- verify); (1, 7|30|4)
  # SOL_SOCKET/SO_SNDBUF, SO_ACCEPTCONN, SO_ERROR.
  if ($syscall == 55)
    if ($a1.hi32 == 0)
    if ($a1.lo32 == 6)
    if ($a2.hi32 == 0)
    if ($a2.lo32 == 11)
    action ALLOW;
    if ($a1.lo32 == 41)
    if ($a2.hi32 == 0)
    if ($a2.lo32 == 80)
    action ALLOW;
    if ($a1.lo32 == 0)
    if ($a2.hi32 == 0)
    if ($a2.lo32 == 80)
    action ALLOW;
    if ($a1.lo32 == 1)
    if ($a2.hi32 == 0)
    if ($a2.lo32 == 7)
    action ALLOW;
    if ($a2.lo32 == 30)
    action ALLOW;
    if ($a2.lo32 == 4)
    action ALLOW;
  # filter for syscall "mprotect" (10) [priority: 65520]
  # a0 = addr, a1 = len, a2 = prot. The >= / > pairs on hi32 and lo32 are
  # how a 64-bit range compare is lowered to 32-bit halves ("$a1.hi32 >= 0"
  # is always true). From the values: RW (a2 == 3, PROT_READ|PROT_WRITE) is
  # granted only under a condition on the address (a0) and on the length
  # (a1 compared against 20971520 == 20 MiB); the if/else nesting that
  # defines that condition is lost in this copy -- take it from the BPF.
  # PROT_NONE (a2 == 0) and PROT_READ (a2 == 1) appear to be granted with
  # no further checks. No rule grants PROT_EXEC (4): an mprotect that adds
  # execute permission reaches the default TRAP.
  if ($syscall == 10)
    if ($a0.hi32 >= 31674)
    if ($a0.lo32 > 174185529)
    if ($a1.hi32 >= 0)
    if ($a1.lo32 > 20971520)
    else
    if ($a2.hi32 == 0)
    if ($a2.lo32 == 3)
    action ALLOW;
    else
    if ($a2.hi32 == 0)
    if ($a2.lo32 == 3)
    action ALLOW;
    if ($a0.lo32 >= 153210880)
    else
    if ($a1.hi32 >= 0)
    if ($a1.lo32 > 20971520)
    else
    if ($a2.hi32 == 0)
    if ($a2.lo32 == 3)
    action ALLOW;
    else
    if ($a2.hi32 == 0)
    if ($a2.lo32 == 3)
    action ALLOW;
    else
    if ($a1.hi32 >= 0)
    if ($a1.lo32 > 20971520)
    else
    if ($a2.hi32 == 0)
    if ($a2.lo32 == 3)
    action ALLOW;
    else
    if ($a2.hi32 == 0)
    if ($a2.lo32 == 3)
    action ALLOW;
    if ($a2.hi32 == 0)
    if ($a2.lo32 == 0)
    action ALLOW;
    if ($a2.hi32 == 0)
    if ($a2.lo32 == 1)
    action ALLOW;
  # filter for syscall "mmap2" (-10029) [priority: 65519]
  # Inert on x86_64 (pseudo syscall number). a2 = prot, a3 = flags; note
  # this is the only place a PROT_READ|PROT_EXEC (5) mapping is
  # constrained, and it has no effect here because mmap (9) is allowed
  # with any arguments.
  if ($syscall == -10029)
    if ($a2.hi32 == 0)
    if ($a2.lo32 == 5)
    if ($a3.hi32 == 0)
    if ($a3.lo32 == 2050)
    action ALLOW;
    if ($a2.lo32 == 3)
    if ($a3.hi32 == 0)
    if ($a3.lo32 == 50)
    action ALLOW;
    if ($a3.lo32 == 2066)
    action ALLOW;
    if ($a3.lo32 == 131106)
    action ALLOW;
    if ($a3.lo32 == 34)
    action ALLOW;
    if ($a2.lo32 == 0)
    if ($a3.hi32 == 0)
    if ($a3.lo32 == 16418)
    action ALLOW;
    if ($a2.lo32 == 1)
    if ($a3.hi32 == 0)
    if ($a3.lo32 == 2)
    action ALLOW;
  # filter for syscall "socket" (41) [priority: 65505]
  # a0 = domain: 16 AF_NETLINK, 2 AF_INET, 10 AF_INET6, 1 AF_UNIX.
  # a1 = type, masked: 0xfff7ffff ignores SOCK_CLOEXEC (0x80000),
  # 0xfff7f7ff also ignores SOCK_NONBLOCK (0x800); 3 SOCK_RAW,
  # 2 SOCK_DGRAM, 1 SOCK_STREAM. a2 = protocol: 0, 17 IPPROTO_UDP,
  # 6 IPPROTO_TCP. So: netlink raw/protocol 0, IPv4 and IPv6 UDP or TCP,
  # and AF_UNIX stream/datagram; any other (domain, type, protocol) triple
  # reaches TRAP.
  if ($syscall == 41)
    if ($a0.hi32 == 0)
    if ($a0.lo32 == 16)
    if ($a1.hi32 & 0xffffffff == 0)
    if ($a1.lo32 & 0xfff7ffff == 3)
    if ($a2.hi32 == 0)
    if ($a2.lo32 == 0)
    action ALLOW;
    if ($a0.lo32 == 2)
    if ($a1.hi32 & 0xffffffff == 0)
    if ($a1.lo32 & 0xfff7f7ff == 2)
    if ($a2.hi32 == 0)
    if ($a2.lo32 == 17)
    action ALLOW;
    if ($a2.lo32 == 0)
    action ALLOW;
    if ($a1.lo32 & 0xfff7f7ff == 1)
    if ($a2.hi32 == 0)
    if ($a2.lo32 == 6)
    action ALLOW;
    if ($a0.lo32 == 10)
    if ($a1.hi32 & 0xffffffff == 0)
    if ($a1.lo32 & 0xfff7f7ff == 2)
    if ($a2.hi32 == 0)
    if ($a2.lo32 == 17)
    action ALLOW;
    if ($a2.lo32 == 0)
    action ALLOW;
    if ($a1.lo32 & 0xfff7f7ff == 1)
    if ($a2.hi32 == 0)
    if ($a2.lo32 == 6)
    action ALLOW;
    if ($a0.lo32 == 1)
    if ($a1.hi32 & 0xffffffff == 0)
    if ($a1.lo32 & 0xfff7f7ff == 2)
    if ($a2.hi32 == 0)
    if ($a2.lo32 == 0)
    action ALLOW;
    if ($a1.lo32 & 0xfff7f7ff == 1)
    action ALLOW;
  # filter for syscall "rename" (82) [priority: 65480]
  # a0 = oldpath, a1 = newpath: 18 fixed (oldpath, newpath) pointer pairs,
  # all with the same hi32 (31674). As with chown/chmod, these match
  # pointer values, not the strings behind them.
  if ($syscall == 82)
    if ($a0.hi32 == 31674)
    if ($a0.lo32 == 174183673)
    if ($a1.hi32 == 31674)
    if ($a1.lo32 == 174183708)
    action ALLOW;
    if ($a0.lo32 == 174183599)
    if ($a1.hi32 == 31674)
    if ($a1.lo32 == 174183638)
    action ALLOW;
    if ($a0.lo32 == 174183517)
    if ($a1.hi32 == 31674)
    if ($a1.lo32 == 174183560)
    action ALLOW;
    if ($a0.lo32 == 174183415)
    if ($a1.hi32 == 31674)
    if ($a1.lo32 == 174183468)
    action ALLOW;
    if ($a0.lo32 == 174183321)
    if ($a1.hi32 == 31674)
    if ($a1.lo32 == 174183370)
    action ALLOW;
    if ($a0.lo32 == 174183281)
    if ($a1.hi32 == 31674)
    if ($a1.lo32 == 174183245)
    action ALLOW;
    if ($a0.lo32 == 174183205)
    if ($a1.hi32 == 31674)
    if ($a1.lo32 == 174183245)
    action ALLOW;
    if ($a0.lo32 == 174183161)
    if ($a1.hi32 == 31674)
    if ($a1.lo32 == 174183205)
    action ALLOW;
    if ($a0.lo32 == 174183120)
    if ($a1.hi32 == 31674)
    if ($a1.lo32 == 174183083)
    action ALLOW;
    if ($a0.lo32 == 174183042)
    if ($a1.hi32 == 31674)
    if ($a1.lo32 == 174183083)
    action ALLOW;
    if ($a0.lo32 == 174182997)
    if ($a1.hi32 == 31674)
    if ($a1.lo32 == 174183042)
    action ALLOW;
    if ($a0.lo32 == 174182958)
    if ($a1.hi32 == 31674)
    if ($a1.lo32 == 174182923)
    action ALLOW;
    if ($a0.lo32 == 174182509)
    if ($a1.hi32 == 31674)
    if ($a1.lo32 == 174182923)
    action ALLOW;
    if ($a0.lo32 == 174182880)
    if ($a1.hi32 == 31674)
    if ($a1.lo32 == 174182509)
    action ALLOW;
    if ($a0.lo32 == 174182852)
    if ($a1.hi32 == 31674)
    if ($a1.lo32 == 174182583)
    action ALLOW;
    if ($a0.lo32 == 174182794)
    if ($a1.hi32 == 31674)
    if ($a1.lo32 == 174182825)
    action ALLOW;
    if ($a0.lo32 == 174182720)
    if ($a1.hi32 == 31674)
    if ($a1.lo32 == 174182759)
    action ALLOW;
    if ($a0.lo32 == 174182648)
    if ($a1.hi32 == 31674)
    if ($a1.lo32 == 174182686)
    action ALLOW;
  # filter for syscall "openat" (257) [priority: 65477]
  # a0 = dirfd: 4294967196 == 0xffffff9c == -100 (AT_FDCWD), accepted both
  # sign-extended (hi32 == 4294967295) and zero-extended (hi32 == 0).
  # a1 = pathname: the first entry pins one pointer together with
  # a2 = flags 591872 == 0x90800 == O_NONBLOCK|O_DIRECTORY|O_CLOEXEC
  # (x86-64 values, the opendir() pattern); the 47 entries after it pin a
  # pointer only -- in this copy no a2 check appears alongside them, so the
  # open mode/flags for those addresses look unconstrained (confirm from
  # the nesting in the BPF). Last rule: any openat whose flags, after
  # ignoring 0x000a0900 (see "open" above), are plain O_RDONLY is refused
  # with ERRNO(13) == EACCES; everything else reaches TRAP.
  if ($syscall == 257)
    if ($a0.hi32 == 4294967295)
    if ($a0.lo32 == 4294967196)
    if ($a1.hi32 == 31674)
    if ($a1.lo32 == 174184017)
    if ($a2.hi32 == 0)
    if ($a2.lo32 == 591872)
    action ALLOW;
    if ($a0.hi32 == 0)
    if ($a0.lo32 == 4294967196)
    if ($a1.hi32 == 31674)
    if ($a1.lo32 == 174182630)
    action ALLOW;
    if ($a1.lo32 == 174183994)
    action ALLOW;
    if ($a1.lo32 == 174183708)
    action ALLOW;
    if ($a1.lo32 == 174183673)
    action ALLOW;
    if ($a1.lo32 == 174183638)
    action ALLOW;
    if ($a1.lo32 == 174183599)
    action ALLOW;
    if ($a1.lo32 == 174183560)
    action ALLOW;
    if ($a1.lo32 == 174183517)
    action ALLOW;
    if ($a1.lo32 == 174183468)
    action ALLOW;
    if ($a1.lo32 == 174183415)
    action ALLOW;
    if ($a1.lo32 == 174183370)
    action ALLOW;
    if ($a1.lo32 == 174183321)
    action ALLOW;
    if ($a1.lo32 == 174183245)
    action ALLOW;
    if ($a1.lo32 == 174183281)
    action ALLOW;
    if ($a1.lo32 == 174183205)
    action ALLOW;
    if ($a1.lo32 == 174183161)
    action ALLOW;
    if ($a1.lo32 == 174183083)
    action ALLOW;
    if ($a1.lo32 == 174183120)
    action ALLOW;
    if ($a1.lo32 == 174183042)
    action ALLOW;
    if ($a1.lo32 == 174182997)
    action ALLOW;
    if ($a1.lo32 == 174183949)
    action ALLOW;
    if ($a1.lo32 == 174182923)
    action ALLOW;
    if ($a1.lo32 == 174182958)
    action ALLOW;
    if ($a1.lo32 == 174182509)
    action ALLOW;
    if ($a1.lo32 == 174182880)
    action ALLOW;
    if ($a1.lo32 == 174183906)
    action ALLOW;
    if ($a1.lo32 == 174182583)
    action ALLOW;
    if ($a1.lo32 == 174182852)
    action ALLOW;
    if ($a1.lo32 == 174182825)
    action ALLOW;
    if ($a1.lo32 == 174182794)
    action ALLOW;
    if ($a1.lo32 == 174182759)
    action ALLOW;
    if ($a1.lo32 == 174182720)
    action ALLOW;
    if ($a1.lo32 == 174182686)
    action ALLOW;
    if ($a1.lo32 == 174182648)
    action ALLOW;
    if ($a1.lo32 == 174183868)
    action ALLOW;
    if ($a1.lo32 == 174183855)
    action ALLOW;
    if ($a1.lo32 == 174183842)
    action ALLOW;
    if ($a1.lo32 == 174183830)
    action ALLOW;
    if ($a1.lo32 == 174183819)
    action ALLOW;
    if ($a1.lo32 == 174183805)
    action ALLOW;
    if ($a1.lo32 == 174183788)
    action ALLOW;
    if ($a1.lo32 == 174183773)
    action ALLOW;
    if ($a1.lo32 == 174183739)
    action ALLOW;
    if ($a1.lo32 == 174182500)
    action ALLOW;
    if ($a1.lo32 == 174182472)
    action ALLOW;
    if ($a1.lo32 == 174182426)
    action ALLOW;
    if ($a1.lo32 == 174182417)
    action ALLOW;
    if ($a2.hi32 & 0xffffffff == 0)
    if ($a2.lo32 & 0xfff5f6ff == 0)
    action ERRNO(13);
# default action
# Any x86_64 syscall no rule above matched: TRAP delivers SIGSYS to the
# calling thread, which is fatal unless a SIGSYS handler was installed
# before the filter was loaded (rt_sigaction above does not allow
# installing one afterwards). A handler makes violations observable in
# logs, which is useful for finding gaps in this allow-list.
action TRAP;
# invalid architecture action
# Reached when seccomp_data.arch is not x86_64. NOTE(review): no explicit
# x32 check (x86_64 arch with bit 30 set in the syscall number) is visible
# in this copy -- confirm whether the libseccomp version used inserts one
# in the generated BPF.
action KILL;
#
# pseudo filter code end
#