authorToni Uhlig <matzeton@googlemail.com>2018-05-19 17:36:57 +0200
committerToni Uhlig <matzeton@googlemail.com>2018-05-19 17:36:57 +0200
commit84d818f280f3a398fc91ca82699bc380d37d99cf (patch)
treeeda5dd74cc99e43fa8320d1ec30b41fb2c5c3d47
parentf48123bfaa46f5c93fe4b56423c6b52153e5c9b1 (diff)
POTD skeleton #62.
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
-rw-r--r--configure.ac8
-rw-r--r--src/Makefile.am6
-rw-r--r--src/main.c6
-rw-r--r--src/pseccomp.c26
-rw-r--r--src/pseccomp.h8
5 files changed, 49 insertions, 5 deletions
diff --git a/configure.ac b/configure.ac
index 790329c..719fa38 100644
--- a/configure.ac
+++ b/configure.ac
@@ -6,7 +6,7 @@ AM_SILENT_RULES([yes])
AM_MAINTAINER_MODE
if test -z "$CFLAGS"; then
- CFLAGS="-Os"
+ CFLAGS="-Os -g"
fi
AC_CANONICAL_HOST
@@ -41,10 +41,16 @@ AC_SUBST(SYMBOL_VISIBILITY)
AC_CHECK_LIB(socket, connect)
AC_CHECK_LIB(pthread, pthread_create)
+dnl libssh-dev
PKG_CHECK_MODULES([libssh], [libssh >= 0.7.3])
AC_SUBST([libssh_CFLAGS])
AC_SUBST([libssh_LIBS])
+dnl libseccomp-dev
+PKG_CHECK_MODULES([libseccomp], [libseccomp >= 2.3.1])
+AC_SUBST([libseccomp_CFLAGS])
+AC_SUBST([libseccomp_LIBS])
+
dnl Check for std header files
AC_CHECK_HEADERS([stdio.h stdlib.h unistd.h string.h ctype.h assert.h sched.h signal.h errno.h])
diff --git a/src/Makefile.am b/src/Makefile.am
index 61272a6..f3491cf 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -1,5 +1,5 @@
-AM_CFLAGS = -pedantic -Wall -std=gnu99 -fstrict-aliasing -D_GNU_SOURCE=1 $(libssh_CFLAGS) $(SPECTRE_MIT) $(SYMBOL_VISIBILITY)
-AM_LDFLAGS = $(libssh_LIBS)
+AM_CFLAGS = -pedantic -Wall -std=gnu99 -fstrict-aliasing -D_GNU_SOURCE=1 $(libssh_CFLAGS) $(libseccomp_CFLAGS) $(SPECTRE_MIT) $(SYMBOL_VISIBILITY)
+AM_LDFLAGS = $(libssh_LIBS) $(libseccomp_LIBS)
sbin_PROGRAMS = potd
-potd_SOURCES = utils.c log.c log_colored.c socket.c pevent.c capabilities.c jail.c forward.c redirector.c protocol.c protocol_ssh.c main.c
+potd_SOURCES = utils.c log.c log_colored.c socket.c pevent.c capabilities.c pseccomp.c jail.c forward.c redirector.c protocol.c protocol_ssh.c main.c
diff --git a/src/main.c b/src/main.c
index 4e34aa5..3d34228 100644
--- a/src/main.c
+++ b/src/main.c
@@ -2,6 +2,7 @@
#include <sys/types.h>
#include <sys/wait.h>
+#include "pseccomp.h"
#include "capabilities.h"
#include "log.h"
#include "log_colored.h"
@@ -34,11 +35,14 @@ int main(int argc, char *argv[])
(void) argc;
(void) argv;
arg0 = argv[0];
- caps_default_filter();
LOG_SET_FUNCS_VA(LOG_COLORED_FUNCS);
N("%s (C) 2018 Toni Uhlig (%s)", PACKAGE_STRING, PACKAGE_BUGREPORT);
+ pseccomp_init();
+ pseccomp_set_immutable();
+ caps_default_filter();
+
D("%s", "Forking into background/foreground");
daemon_pid = daemonize(1);
ABORT_ON_FATAL( daemon_pid > 0, "Forking" );
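Review bot: The results of the two added calls `pseccomp_init();` and `pseccomp_set_immutable();` are discarded even though both are declared in pseccomp.h as returning int, so a non-zero return from either would go unnoticed here and startup would continue without the process having been marked non-dumpable/no-new-privs. If the int return is meant to report failure, the calls should be checked in the same way the other startup steps in this function are, e.g. `if (pseccomp_init() != 0 || pseccomp_set_immutable() != 0) { FATAL("%s", "pseccomp setup"); }`; if FATAL inside pseccomp.c is the only intended error path, the functions could be declared void instead. Placing pseccomp_set_immutable() before caps_default_filter() looks deliberate and is the sensible order, but a one-line comment stating that ordering requirement would keep a later reshuffle from breaking it. The body of main continues outside this hunk.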
diff --git a/src/pseccomp.c b/src/pseccomp.c
new file mode 100644
index 0000000..0b6ef15
--- /dev/null
+++ b/src/pseccomp.c
@@ -0,0 +1,26 @@
+#include <sys/prctl.h>
+#include <seccomp.h>
+
+#include "seccomp.h"
+#include "log.h"
+
+static scmp_filter_ctx ctx;
+
+
+int pseccomp_init(void)
+{
+ //ctx = seccomp_init(SCMP_ACT_ERRNO(EINVAL));
+
+ return 0;
+}
+
+int pseccomp_set_immutable(void)
+{
+ if (prctl(PR_SET_DUMPABLE, 0) &&
+ prctl(PR_SET_NO_NEW_PRIVS, 1))
+ {
+ FATAL("%s", "PR_SET_NO_NEW_PRIVS, PR_SET_DUMPABLE");
+ }
+
+ return 0;
+}
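Review bot: The `&&` in pseccomp_set_immutable short-circuits, so on the normal path where `prctl(PR_SET_DUMPABLE, 0)` succeeds and returns 0 the PR_SET_NO_NEW_PRIVS call is never executed, and when exactly one of the two calls fails the error is silently swallowed; the condition should be `if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))`. The trailing zeros are not cosmetic: prctl(2) is variadic and the kernel rejects PR_SET_NO_NEW_PRIVS with EINVAL unless the unused arguments are zero, so omitting them leaves the outcome dependent on whatever happens to be in the argument registers. `#include "seccomp.h"` also appears to name the wrong file — the header this commit adds is src/pseccomp.h, so the prototypes there are never checked against these definitions (the quoted include most likely just re-reads libseccomp's own seccomp.h); it should read `#include "pseccomp.h"`. The commented-out `seccomp_init(SCMP_ACT_ERRNO(EINVAL))` will additionally need `<errno.h>` for EINVAL once it is enabled.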
diff --git a/src/pseccomp.h b/src/pseccomp.h
new file mode 100644
index 0000000..76889b6
--- /dev/null
+++ b/src/pseccomp.h
@@ -0,0 +1,8 @@
+#ifndef POTD_SECCOMP_H
+#define POTD_SECCOMP_H 1
+
+int pseccomp_init(void);
+
+int pseccomp_set_immutable(void);
+
+#endif
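Review bot: Neither prototype documents what the function does or what its int return means, which matters here because main.c calls them in a specific order relative to caps_default_filter(). A short comment on each declaration would suffice, e.g. for pseccomp_set_immutable: `/* Clears PR_SET_DUMPABLE and sets PR_SET_NO_NEW_PRIVS on the calling process; returns 0, or does not return (FATAL) if a prctl fails. Call before caps_default_filter(). */`, and for pseccomp_init: `/* Prepares the seccomp filter context; currently a stub that returns 0. */`. The "call before" wording reflects the order used in main.c in this commit, which is the only ordering constraint visible on the page.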