diff options
| author | lns <matzeton@googlemail.com> | 2018-05-21 23:44:40 +0200 |
|---|---|---|
| committer | lns <matzeton@googlemail.com> | 2018-05-21 23:44:40 +0200 |
| commit | 72167a82f780f2ae11b70f89726df4e7705bd9f3 (patch) | |
| tree | 9721bd6b5250554ec3f35b3e9cf53d3eaad5d769 | |
| parent | df51d291e00dee15b220973f1d9a0b2add482a81 (diff) | |
POTD skeleton #74.
Signed-off-by: lns <matzeton@googlemail.com>
| -rw-r--r-- | src/jail.c | 6 | ||||
| -rw-r--r-- | src/pseccomp.c | 7 | ||||
| -rw-r--r-- | src/utils.c | 6 |
3 files changed, 15 insertions, 4 deletions
@@ -91,6 +91,12 @@ int jail_validate_ctx(const jail_ctx *ctx) assert(ctx); assert(ctx->fwd_ctx.sock.addr_len > 0); assert(ctx->stack_ptr); + assert(ctx->newroot); + + if (access(ctx->newroot, R_OK|X_OK)) { + E_STRERR("new root directory access to '%s'", ctx->newroot); + return 1; + } return 0; } diff --git a/src/pseccomp.c b/src/pseccomp.c index e991d46..ae7c718 100644 --- a/src/pseccomp.c +++ b/src/pseccomp.c @@ -18,6 +18,7 @@ static const int default_allowed_syscalls[] = { SCMP_SYS(signalfd), SCMP_SYS(signalfd4), SCMP_SYS(rt_sigreturn), SCMP_SYS(rt_sigprocmask), SCMP_SYS(rt_sigaction), SCMP_SYS(time), SCMP_SYS(nanosleep), + SCMP_SYS(clock_gettime), SCMP_SYS(set_tid_address), SCMP_SYS(exit), SCMP_SYS(exit_group), SCMP_SYS(read), SCMP_SYS(write), SCMP_SYS(fcntl), SCMP_SYS(writev), SCMP_SYS(close), SCMP_SYS(wait4), @@ -29,10 +30,12 @@ static const int default_allowed_syscalls[] = { SCMP_SYS(epoll_create1), SCMP_SYS(epoll_ctl), SCMP_SYS(epoll_pwait), SCMP_SYS(poll), SCMP_SYS(set_robust_list), SCMP_SYS(getrlimit), - SCMP_SYS(seccomp), + SCMP_SYS(seccomp), SCMP_SYS(getrusage), SCMP_SYS(prctl), SCMP_SYS(mmap), SCMP_SYS(brk), SCMP_SYS(madvise), + SCMP_SYS(mlock), SCMP_SYS(getrandom), SCMP_SYS(mprotect), SCMP_SYS(munmap), SCMP_SYS(futex), - SCMP_SYS(open), SCMP_SYS(unlink), SCMP_SYS(fstat), SCMP_SYS(access), + SCMP_SYS(open), SCMP_SYS(openat), + SCMP_SYS(unlink), SCMP_SYS(fstat), SCMP_SYS(access), SCMP_SYS(lseek), SCMP_SYS(stat), SCMP_SYS(readlink), SCMP_SYS(getcwd), SCMP_SYS(lstat), SCMP_SYS(sysinfo), SCMP_SYS(setuid), SCMP_SYS(setgid), diff --git a/src/utils.c b/src/utils.c index 9fd1a24..ca19c24 100644 --- a/src/utils.c +++ b/src/utils.c @@ -80,6 +80,7 @@ static void sighandler_master(int signo) static int exiting = 0; switch (signo) { + case SIGSEGV: case SIGINT: case SIGTERM: case SIGABRT: @@ -96,6 +97,7 @@ int set_master_sighandler(void) { int s = 0; + s |= signal(SIGSEGV, sighandler_master) == SIG_ERR; s |= signal(SIGINT, sighandler_master) == SIG_ERR; s |= signal(SIGTERM, sighandler_master) == SIG_ERR; s |= signal(SIGABRT, sighandler_master) == SIG_ERR; @@ -334,8 +336,7 @@ void chk_chroot(void) void mount_root(void) { int s; - - s = mount("none", "/", "", MS_SLAVE|MS_REC, NULL); + s = mount("none", "/", NULL, MS_SLAVE|MS_REC, NULL); if (s) chk_chroot(); } @@ -458,6 +459,7 @@ static int cgroups_write_file(const char *cdir, const char *csub, int cgroups_set(void) { int s = 0; + const char maxmem[] = "memory.limit_in_bytes"; const char maxmem_soft[] = "memory.soft_limit_in_bytes"; const char kmem[] = "memory.kmem.limit_in_bytes"; |