@@ -198,23 +198,23 @@ std::vector<sock_filter> Policy::GetDefaultPolicy(
198198 // If user policy doesn't mention it, forbid bpf() because it's unsafe or too
199199 // risky. Users can still allow safe invocations of this syscall by using
200200 // PolicyBuilder::AllowSafeBpf(). This uses LOAD_SYSCALL_NR from above.
201- if (allow_safe_bpf_) {
202- policy.insert (policy.end (), {
203- JNE32 (__NR_bpf, JUMP (&l, past_bpf_l)),
204- ARG_32 (0 ),
205- JEQ32 (BPF_MAP_LOOKUP_ELEM, ALLOW),
206- JEQ32 (BPF_OBJ_GET, ALLOW),
207- JEQ32 (BPF_MAP_GET_NEXT_KEY, ALLOW),
208- JEQ32 (BPF_MAP_GET_NEXT_ID, ALLOW),
209- JEQ32 (BPF_MAP_GET_FD_BY_ID, ALLOW),
210- JEQ32 (BPF_OBJ_GET_INFO_BY_FD, ALLOW),
211- LABEL (&l, past_bpf_l),
212- LOAD_SYSCALL_NR,
213- });
214- }
215- if (!user_policy_handles_bpf_) {
216- policy.insert (policy.end (), {JEQ32 (__NR_bpf, DENY)});
217- }
201+ if (allow_safe_bpf_) {
202+ policy.insert (policy.end (), {
203+ JNE32 (__NR_bpf, JUMP (&l, past_bpf_l)),
204+ ARG_32 (0 ),
205+ JEQ32 (BPF_MAP_LOOKUP_ELEM, ALLOW),
206+ JEQ32 (BPF_OBJ_GET, ALLOW),
207+ JEQ32 (BPF_MAP_GET_NEXT_KEY, ALLOW),
208+ JEQ32 (BPF_MAP_GET_NEXT_ID, ALLOW),
209+ JEQ32 (BPF_MAP_GET_FD_BY_ID, ALLOW),
210+ JEQ32 (BPF_OBJ_GET_INFO_BY_FD, ALLOW),
211+ LABEL (&l, past_bpf_l),
212+ LOAD_SYSCALL_NR,
213+ });
214+ }
215+ if (!user_policy_handles_bpf_) {
216+ policy.insert (policy.end (), {JEQ32 (__NR_bpf, DENY)});
217+ }
218218
219219 if (!allow_map_exec_) {
220220 policy.insert (
0 commit comments