authorToni Uhlig <matzeton@googlemail.com>2018-06-13 12:37:59 +0200
committerToni Uhlig <matzeton@googlemail.com>2018-06-13 12:37:59 +0200
commit4f7d9bf759bc38fc363155643e9b7bb8fcdf0724 (patch)
tree2032a3aacd3a8d57fd2d0b85c3a449bbfb74bf69
parent436983fe412b9e764f6bec422317b8588d175a86 (diff)
POTD skeleton #104.
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
-rw-r--r--configure.ac2
-rw-r--r--src/options.c37
-rw-r--r--src/pseccomp.c15
3 files changed, 51 insertions, 3 deletions
diff --git a/configure.ac b/configure.ac
index 1f28194..a152440 100644
--- a/configure.ac
+++ b/configure.ac
@@ -111,7 +111,7 @@ AC_CHECK_HEADERS([stdio.h ctype.h assert.h sched.h signal.h time.h errno.h pwd.h
[ AC_MSG_ERROR([required std header not available]) ])
dnl Check for system specific header files
-AC_CHECK_HEADERS([pty.h linux/capability.h sys/wait.h sys/ioctl.h net/if.h netinet/in.h], [],
+AC_CHECK_HEADERS([pty.h linux/capability.h sys/wait.h sys/ioctl.h net/if.h netinet/in.h libgen.h], [],
[ AC_MSG_ERROR([required system specific header not available]) ])
AC_CHECK_HEADERS([libutil.h pthread.h syslog.h sys/prctl.h linux/limits.h \
sys/uio.h poll.h sys/epoll.h sys/sysmacros.h sys/mount.h util.h])
diff --git a/src/options.c b/src/options.c
index 0f23f4d..a9b96f7 100644
--- a/src/options.c
+++ b/src/options.c
@@ -10,6 +10,9 @@
#include <string.h>
#include <assert.h>
#include <getopt.h>
+#include <linux/limits.h>
+#include <libgen.h>
+#include <errno.h>
#include "options.h"
@@ -99,6 +102,37 @@ static size_t snprint_multilined_ljust(const char *prefix,
static void usage(const char *arg0, int print_copyright);
+static int parse_path(opt_ptr *d, char *some_path)
+{
+ int rc = 1;
+ char path[PATH_MAX];
+ char *dir, *base;
+
+ d->str_dup = realpath(some_path, NULL);
+ if (!d->str_dup && errno == ENOENT) {
+ snprintf(path, sizeof path, "%s", some_path);
+ dir = dirname(path);
+ if (!dir)
+ return 1;
+ dir = realpath(dir, NULL);
+ if (!dir)
+ return 1;
+ snprintf(path, sizeof path, "%s", some_path);
+ base = basename(path);
+ if (!base)
+ goto error;
+ snprintf(path, sizeof path, "%s/%s", dir, base);
+ d->str_dup = strndup(path, strnlen(path, sizeof path));
+error:
+ free(dir);
+ }
+
+ if (d->str_dup)
+ rc = 0;
+
+ return rc;
+}
+
static int opt_convert(opt_type t, opt_ptr *d)
{
char *endptr = NULL;
@@ -114,7 +148,8 @@ static int opt_convert(opt_type t, opt_ptr *d)
d->str_dup = strdup(optarg);
break;
case OT_PATH:
- d->str_dup = realpath(optarg, NULL);
+ if (parse_path(d, optarg))
+ return 1;
break;
case OT_NOARG:
case OT_INVALID:
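Review bot: The joining `snprintf(path, sizeof path, "%s/%s", dir, base)` in parse_path ignores truncation, so a directory plus basename longer than PATH_MAX is silently cut and the truncated string is stored in d->str_dup as if it were the canonical path; check the result, `int n = snprintf(path, sizeof path, "%s/%s", dir, base);` followed by `if (n < 0 || (size_t)n >= sizeof path) goto error;`, and the two earlier copies of some_path into path have the same unchecked truncation. Because snprintf always NUL-terminates, `strndup(path, strnlen(path, sizeof path))` can simply be `strdup(path)`. The unconditional `#include <linux/limits.h>` added in the first hunk takes PATH_MAX from a Linux-only header that configure.ac lists among the optional headers, while `<limits.h>` provides it on any POSIX system. opt_convert, touched by the last hunk, starts and ends outside it.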
diff --git a/src/pseccomp.c b/src/pseccomp.c
index 07f4152..a08bc11 100644
--- a/src/pseccomp.c
+++ b/src/pseccomp.c
@@ -15,11 +15,14 @@
static int pseccomp_using_valgrind(void);
static const int minimum_disabled_syscalls[] = {
+ SCMP_SYS(reboot),
SCMP_SYS(mount),
SCMP_SYS(umount), SCMP_SYS(umount2),
SCMP_SYS(ptrace),
SCMP_SYS(kexec_load),
+ SCMP_SYS(kexec_file_load),
SCMP_SYS(open_by_handle_at),
+ SCMP_SYS(create_module),
SCMP_SYS(init_module),
SCMP_SYS(finit_module),
SCMP_SYS(delete_module),
@@ -28,10 +31,19 @@ static const int minimum_disabled_syscalls[] = {
SCMP_SYS(swapoff),
SCMP_SYS(syslog),
SCMP_SYS(nice),
- SCMP_SYS(kcmp)
+ SCMP_SYS(kcmp),
+ SCMP_SYS(unshare),
+ SCMP_SYS(setns),
+ SCMP_SYS(pivot_root),
+ SCMP_SYS(chroot),
+ SCMP_SYS(fchdir),
+ SCMP_SYS(capset),
+ SCMP_SYS(mknod),
+ SCMP_SYS(mknodat)
};
static const int default_allowed_syscalls[] = {
+ SCMP_SYS(restart_syscall),
SCMP_SYS(signalfd), SCMP_SYS(signalfd4),
SCMP_SYS(rt_sigreturn), SCMP_SYS(rt_sigprocmask),
SCMP_SYS(rt_sigaction), SCMP_SYS(time), SCMP_SYS(nanosleep),
@@ -83,6 +95,7 @@ static const int protocol_disabled_syscalls[] = {
};
static const int jail_allowed_syscalls[] = {
+ SCMP_SYS(restart_syscall),
SCMP_SYS(signalfd), SCMP_SYS(signalfd4),
SCMP_SYS(rt_sigreturn), SCMP_SYS(rt_sigprocmask),
SCMP_SYS(rt_sigaction), SCMP_SYS(time), SCMP_SYS(nanosleep),
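Review bot: The new `SCMP_SYS(restart_syscall)` entry is added identically to default_allowed_syscalls and jail_allowed_syscalls without a comment saying why, and the two lists now repeat the same leading block, which invites them to drift apart on the next edit; a comment such as `/* restart_syscall: the kernel re-issues it to resume an interrupted nanosleep/poll after a stop signal; denying it kills the process on resume */` above each occurrence, or a shared base array both lists are built from, would keep the intent visible. In minimum_disabled_syscalls, `create_module` and `kexec_file_load` are, as far as I know, not defined on every architecture and kernel libseccomp targets (create_module maps to a negative pseudo-syscall number where it never existed), so if the loop that installs these rules, which is outside this hunk, treats a failed seccomp_rule_add as fatal, verify it tolerates a syscall the running kernel does not know. Both arrays begin outside the visible hunk context and the rule-application code is not in the diff.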