author | Toni Uhlig <matzeton@googlemail.com> | 2018-05-19 17:36:57 +0200 |
---|---|---|
committer | Toni Uhlig <matzeton@googlemail.com> | 2018-05-19 17:36:57 +0200 |
commit | 84d818f280f3a398fc91ca82699bc380d37d99cf (patch) | |
tree | eda5dd74cc99e43fa8320d1ec30b41fb2c5c3d47 | |
parent | f48123bfaa46f5c93fe4b56423c6b52153e5c9b1 (diff) |
POTD skeleton #62.
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
-rw-r--r-- | configure.ac | 8 | ||||
-rw-r--r-- | src/Makefile.am | 6 | ||||
-rw-r--r-- | src/main.c | 6 | ||||
-rw-r--r-- | src/pseccomp.c | 26 | ||||
-rw-r--r-- | src/pseccomp.h | 8 |
5 files changed, 49 insertions, 5 deletions
diff --git a/configure.ac b/configure.ac
index 790329c..719fa38 100644
--- a/configure.ac
+++ b/configure.ac
@@ -6,7 +6,7 @@ AM_SILENT_RULES([yes])
 AM_MAINTAINER_MODE
 if test -z "$CFLAGS"; then
- CFLAGS="-Os"
+ CFLAGS="-Os -g"
 fi
 AC_CANONICAL_HOST
@@ -41,10 +41,16 @@ AC_SUBST(SYMBOL_VISIBILITY)
 AC_CHECK_LIB(socket, connect)
 AC_CHECK_LIB(pthread, pthread_create)
+dnl libssh-dev
 PKG_CHECK_MODULES([libssh], [libssh >= 0.7.3])
 AC_SUBST([libssh_CFLAGS])
 AC_SUBST([libssh_LIBS])
+dnl libseccomp-dev
+PKG_CHECK_MODULES([libseccomp], [libseccomp >= 2.3.1])
+AC_SUBST([libseccomp_CFLAGS])
+AC_SUBST([libseccomp_LIBS])
+
 dnl Check for std header files
 AC_CHECK_HEADERS([stdio.h stdlib.h unistd.h string.h ctype.h assert.h sched.h signal.h errno.h])
diff --git a/src/Makefile.am b/src/Makefile.am
index 61272a6..f3491cf 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -1,5 +1,5 @@
-AM_CFLAGS = -pedantic -Wall -std=gnu99 -fstrict-aliasing -D_GNU_SOURCE=1 $(libssh_CFLAGS) $(SPECTRE_MIT) $(SYMBOL_VISIBILITY)
-AM_LDFLAGS = $(libssh_LIBS)
+AM_CFLAGS = -pedantic -Wall -std=gnu99 -fstrict-aliasing -D_GNU_SOURCE=1 $(libssh_CFLAGS) $(libseccomp_CFLAGS) $(SPECTRE_MIT) $(SYMBOL_VISIBILITY)
+AM_LDFLAGS = $(libssh_LIBS) $(libseccomp_LIBS)
 sbin_PROGRAMS = potd
-potd_SOURCES = utils.c log.c log_colored.c socket.c pevent.c capabilities.c jail.c forward.c redirector.c protocol.c protocol_ssh.c main.c
+potd_SOURCES = utils.c log.c log_colored.c socket.c pevent.c capabilities.c pseccomp.c jail.c forward.c redirector.c protocol.c protocol_ssh.c main.c
@@ -2,6 +2,7 @@
 #include <sys/types.h>
 #include <sys/wait.h>
+#include "pseccomp.h"
 #include "capabilities.h"
 #include "log.h"
 #include "log_colored.h"
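Review bot: The fallback CFLAGS now carry `-g`, so every build that does not set CFLAGS itself ships this network-facing daemon with full debug information, which is a release-policy decision rather than something to bury in a silent default. Making it opt-in keeps the intent explicit, e.g. an `AC_ARG_ENABLE([debug], ...)` that selects `-Os -g` only when requested, or at minimum a comment above the assignment such as `dnl skeleton phase: debug info on by default, drop -g for release builds`. `-g` does not weaken the binary by itself, but it makes the stripped build the exception rather than the rule.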
@@ -34,11 +35,14 @@ int main(int argc, char *argv[])
 (void) argc;
 (void) argv;
 arg0 = argv[0];
- caps_default_filter();
 LOG_SET_FUNCS_VA(LOG_COLORED_FUNCS);
 N("%s (C) 2018 Toni Uhlig (%s)", PACKAGE_STRING, PACKAGE_BUGREPORT);
+ pseccomp_init();
+ pseccomp_set_immutable();
+ caps_default_filter();
+ D("%s", "Forking into background/foreground");
 daemon_pid = daemonize(1);
 ABORT_ON_FATAL( daemon_pid > 0, "Forking" );
diff --git a/src/pseccomp.c b/src/pseccomp.c
new file mode 100644
index 0000000..0b6ef15
--- /dev/null
+++ b/src/pseccomp.c
@@ -0,0 +1,26 @@
+#include <sys/prctl.h>
+#include <seccomp.h>
+
+#include "seccomp.h"
+#include "log.h"
+
+static scmp_filter_ctx ctx;
+
+
+int pseccomp_init(void)
+{
+ //ctx = seccomp_init(SCMP_ACT_ERRNO(EINVAL));
+
+ return 0;
+}
+
+int pseccomp_set_immutable(void)
+{
+ if (prctl(PR_SET_DUMPABLE, 0) &&
+ prctl(PR_SET_NO_NEW_PRIVS, 1))
+ {
+ FATAL("%s", "PR_SET_NO_NEW_PRIVS, PR_SET_DUMPABLE");
+ }
+
+ return 0;
+}
diff --git a/src/pseccomp.h b/src/pseccomp.h
new file mode 100644
index 0000000..76889b6
--- /dev/null
+++ b/src/pseccomp.h
@@ -0,0 +1,8 @@
+#ifndef POTD_SECCOMP_H
+#define POTD_SECCOMP_H 1
+
+int pseccomp_init(void);
+
+int pseccomp_set_immutable(void);
+
+#endif |
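Review bot: The return values of the two new calls `pseccomp_init()` and `pseccomp_set_immutable()` are discarded, so if either ever reports failure the process carries on without the intended hardening. The surrounding code already checks outcomes with `ABORT_ON_FATAL( daemon_pid > 0, "Forking" )`, so the same idiom fits here, e.g. `ABORT_ON_FATAL( pseccomp_set_immutable() != 0, "Process hardening" )`, assuming its first argument is the abort condition as the daemonize check suggests. Calling them before daemonize(1) is the right order, since the no_new_privs bit is inherited across fork. main() continues outside the hunk.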
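Review bot: `pseccomp_set_immutable` never sets PR_SET_NO_NEW_PRIVS on the normal path: the two prctl() calls are joined with `&&`, so once `prctl(PR_SET_DUMPABLE, 0)` succeeds and returns 0 the second call is short-circuited away, and FATAL fires only if both calls fail. The condition should be `if (prctl(PR_SET_DUMPABLE, 0) || prctl(PR_SET_NO_NEW_PRIVS, 1))` so each prctl runs and any single failure is fatal. Separately, the file includes `"seccomp.h"` instead of its own `"pseccomp.h"`, so the prototypes in the new header are never checked against these definitions (the quoted include presumably resolves to the system header already pulled in on the line above), and `static scmp_filter_ctx ctx` is unused while the seccomp_init() call stays commented out, which -Wall will report.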
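Review bot: Both prototypes are undocumented, and since the caller in main.c ignores their int result the header is the place to say what that result means. Suggest `/* Placeholder: seccomp filter setup is not implemented yet; always returns 0. */` above pseccomp_init and `/* Sets PR_SET_DUMPABLE=0 and PR_SET_NO_NEW_PRIVS=1 on the calling process; returns 0 on success. */` above pseccomp_set_immutable. The guard name POTD_SECCOMP_H also does not match the file name pseccomp.h; `POTD_PSECCOMP_H` would keep it consistent and avoid clashing with any future seccomp.h in the tree.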