1 files changed, 110 insertions, 5 deletions

diff --git a/src/pseccomp.c b/src/pseccomp.c
index 0b6ef15..59414d7 100644
--- a/src/pseccomp.c
+++ b/src/pseccomp.c
@@ -1,19 +1,92 @@
+#include <assert.h>
 #include <sys/prctl.h>
-#include <seccomp.h>
+#include <valgrind/valgrind.h>
 
-#include "seccomp.h"
+#include "pseccomp.h"
 #include "log.h"
+#include "utils.h"
 
-static scmp_filter_ctx ctx;
+static const int default_allowed_syscalls[] = {
+    SCMP_SYS(rt_sigreturn), SCMP_SYS(rt_sigprocmask),
+    SCMP_SYS(rt_sigaction), SCMP_SYS(time), SCMP_SYS(nanosleep),
+    SCMP_SYS(exit), SCMP_SYS(exit_group),
+    SCMP_SYS(read), SCMP_SYS(write), SCMP_SYS(fcntl), SCMP_SYS(writev),
+    SCMP_SYS(close), SCMP_SYS(wait4),
+    SCMP_SYS(sigprocmask), SCMP_SYS(tgkill),
+    SCMP_SYS(clone), SCMP_SYS(execve),
+    SCMP_SYS(socket), SCMP_SYS(bind), SCMP_SYS(setsockopt),
+    SCMP_SYS(listen), SCMP_SYS(connect), SCMP_SYS(getsockname),
+    SCMP_SYS(accept), SCMP_SYS(sendto), SCMP_SYS(recvmsg), SCMP_SYS(recvfrom),
+    SCMP_SYS(epoll_create1), SCMP_SYS(epoll_ctl), SCMP_SYS(epoll_pwait),
+    SCMP_SYS(poll),
+    SCMP_SYS(set_robust_list), SCMP_SYS(getrlimit),
+    SCMP_SYS(seccomp),
+    SCMP_SYS(prctl), SCMP_SYS(mmap), SCMP_SYS(brk), SCMP_SYS(madvise),
+    SCMP_SYS(mprotect), SCMP_SYS(munmap), SCMP_SYS(futex),
+    SCMP_SYS(open), SCMP_SYS(unlink), SCMP_SYS(fstat), SCMP_SYS(access),
+    SCMP_SYS(lseek), SCMP_SYS(stat), SCMP_SYS(readlink), SCMP_SYS(getcwd),
+    SCMP_SYS(lstat), SCMP_SYS(sysinfo),
+    SCMP_SYS(setuid), SCMP_SYS(setgid),
+    SCMP_SYS(setreuid), SCMP_SYS(setregid),
+    SCMP_SYS(getuid), SCMP_SYS(geteuid), SCMP_SYS(getgid), SCMP_SYS(getegid),
+    SCMP_SYS(getgroups), SCMP_SYS(getdents),
+    SCMP_SYS(getpgrp), SCMP_SYS(setpgid), SCMP_SYS(getpid), SCMP_SYS(kill),
+    SCMP_SYS(unshare), SCMP_SYS(chroot), SCMP_SYS(chdir), SCMP_SYS(mount),
+    SCMP_SYS(umount2),
+    SCMP_SYS(mknod), SCMP_SYS(mkdir), SCMP_SYS(statfs), SCMP_SYS(ioctl),
+    SCMP_SYS(chown), SCMP_SYS(chmod), SCMP_SYS(setsid), SCMP_SYS(dup2),
+    SCMP_SYS(sethostname), SCMP_SYS(uname), SCMP_SYS(arch_prctl)
+};
 
+static const int jail_allowed_syscalls[] = {
+    SCMP_SYS(rt_sigreturn), SCMP_SYS(rt_sigprocmask),
+    SCMP_SYS(rt_sigaction), SCMP_SYS(time), SCMP_SYS(nanosleep),
+    SCMP_SYS(exit), SCMP_SYS(exit_group),
+    SCMP_SYS(read), SCMP_SYS(write), SCMP_SYS(fcntl), SCMP_SYS(writev),
+    SCMP_SYS(close), SCMP_SYS(wait4),
+    SCMP_SYS(sigprocmask), SCMP_SYS(tgkill),
+    SCMP_SYS(clone), SCMP_SYS(execve),
+    SCMP_SYS(mmap), SCMP_SYS(brk), SCMP_SYS(madvise),
+    SCMP_SYS(mprotect), SCMP_SYS(munmap), SCMP_SYS(futex),
+    SCMP_SYS(open), SCMP_SYS(fstat), SCMP_SYS(access),
+    SCMP_SYS(poll),
+    SCMP_SYS(lseek), SCMP_SYS(stat), SCMP_SYS(readlink), SCMP_SYS(getcwd),
+    SCMP_SYS(lstat), SCMP_SYS(sysinfo),
+    SCMP_SYS(setuid), SCMP_SYS(setgid),
+    SCMP_SYS(setreuid), SCMP_SYS(setregid),
+    SCMP_SYS(getuid), SCMP_SYS(geteuid), SCMP_SYS(getgid), SCMP_SYS(getegid),
+    SCMP_SYS(getgroups), SCMP_SYS(getdents),
+    SCMP_SYS(getpgrp), SCMP_SYS(setpgid), SCMP_SYS(getpid), SCMP_SYS(kill),
+    SCMP_SYS(chdir), SCMP_SYS(mount),
+    SCMP_SYS(umount2),
+    SCMP_SYS(ioctl),
+    SCMP_SYS(sethostname), SCMP_SYS(uname), SCMP_SYS(arch_prctl)
+};
 
-int pseccomp_init(void)
+
+int pseccomp_init(pseccomp_ctx **ctx)
 {
-    //ctx = seccomp_init(SCMP_ACT_ERRNO(EINVAL));
+    assert(ctx);
+
+    if (!*ctx)
+        *ctx = (pseccomp_ctx *) malloc(sizeof(**ctx));
+    assert(*ctx);
+
+    memset(*ctx, 0, sizeof(**ctx));
+    (*ctx)->sfilter = seccomp_init(SCMP_ACT_ERRNO(EINVAL));
 
     return 0;
 }
 
+void pseccomp_free(pseccomp_ctx **ctx)
+{
+    assert(ctx && *ctx);
+
+    seccomp_release((*ctx)->sfilter);
+    free(*ctx);
+    (*ctx) = NULL;
+}
+
 int pseccomp_set_immutable(void)
 {
     if (prctl(PR_SET_DUMPABLE, 0) &&
@@ -24,3 +97,35 @@ int pseccomp_set_immutable(void)
 
     return 0;
 }
+
+int pseccomp_default_rules(pseccomp_ctx *ctx)
+{
+    size_t i;
+
+    if (RUNNING_ON_VALGRIND) {
+        W("%s", "SECCOMP: running on valgrind, disabled");
+        return 0;
+    }
+
+    for (i = 0; i < SIZEOF(default_allowed_syscalls); ++i)
+        seccomp_rule_add(ctx->sfilter, SCMP_ACT_ALLOW,
+            default_allowed_syscalls[i], 0);
+
+    return seccomp_load(ctx->sfilter);
+}
+
+int pseccomp_jail_rules(pseccomp_ctx *ctx)
+{
+    size_t i;
+
+    if (RUNNING_ON_VALGRIND) {
+        W("%s", "SECCOMP: running on valgrind, disabled");
+        return 0;
+    }
+
+    for (i = 0; i < SIZEOF(jail_allowed_syscalls); ++i)
+        seccomp_rule_add(ctx->sfilter, SCMP_ACT_ALLOW,
+            jail_allowed_syscalls[i], 0);
+
+    return seccomp_load(ctx->sfilter);
+}