Diffstat (limited to 'src/pseccomp.c')
-rw-r--r-- | src/pseccomp.c | 41 |
1 files changed, 34 insertions, 7 deletions
diff --git a/src/pseccomp.c b/src/pseccomp.c
index 1626721..07f4152 100644
--- a/src/pseccomp.c
+++ b/src/pseccomp.c
@@ -14,6 +14,23 @@ static int pseccomp_using_valgrind(void);
+static const int minimum_disabled_syscalls[] = {
+ SCMP_SYS(mount),
+ SCMP_SYS(umount), SCMP_SYS(umount2),
+ SCMP_SYS(ptrace),
+ SCMP_SYS(kexec_load),
+ SCMP_SYS(open_by_handle_at),
+ SCMP_SYS(init_module),
+ SCMP_SYS(finit_module),
+ SCMP_SYS(delete_module),
+ SCMP_SYS(iopl),
+ SCMP_SYS(swapon),
+ SCMP_SYS(swapoff),
+ SCMP_SYS(syslog),
+ SCMP_SYS(nice),
+ SCMP_SYS(kcmp)
+};
+
 static const int default_allowed_syscalls[] = {
 SCMP_SYS(signalfd), SCMP_SYS(signalfd4),
 SCMP_SYS(rt_sigreturn), SCMP_SYS(rt_sigprocmask),
@@ -49,7 +66,8 @@ static const int default_allowed_syscalls[] = {
 SCMP_SYS(getgid), SCMP_SYS(getgid32), SCMP_SYS(getegid), SCMP_SYS(getegid), SCMP_SYS(getgroups), SCMP_SYS(getdents), /* operations on processes */
- SCMP_SYS(getpgrp), SCMP_SYS(setpgid), SCMP_SYS(getpid), SCMP_SYS(kill),
+ SCMP_SYS(getpgrp), SCMP_SYS(setpgid), SCMP_SYS(getpid), SCMP_SYS(getppid),
+ SCMP_SYS(kill),
 /* other */ SCMP_SYS(unshare), SCMP_SYS(setns), SCMP_SYS(chroot), SCMP_SYS(chdir), SCMP_SYS(mount), SCMP_SYS(umount2),
@@ -68,6 +86,7 @@ static const int jail_allowed_syscalls[] = {
 SCMP_SYS(signalfd), SCMP_SYS(signalfd4), SCMP_SYS(rt_sigreturn), SCMP_SYS(rt_sigprocmask), SCMP_SYS(rt_sigaction), SCMP_SYS(time), SCMP_SYS(nanosleep),
+ SCMP_SYS(clock_gettime),
 SCMP_SYS(set_tid_address), SCMP_SYS(exit), SCMP_SYS(exit_group), SCMP_SYS(read), SCMP_SYS(write), SCMP_SYS(writev), SCMP_SYS(fcntl), SCMP_SYS(fcntl64),
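Review bot: The new `minimum_disabled_syscalls` table is a deny-list: the last hunk applies it on top of a filter whose default action is SCMP_ACT_ALLOW, so everything it omits stays reachable, and close relatives of its own entries are absent, for example `kexec_file_load` beside `kexec_load` and `setpriority` beside `nice`. `SCMP_SYS(umount)` resolves to a negative pseudo-number on architectures that only provide `umount2` (x86_64 among them), and depending on the libseccomp version that rule is either rejected or silently dropped, which the unchecked `seccomp_rule_add` in the last hunk would not surface. I would put a comment on the table, `/* deny-list applied on top of SCMP_ACT_ALLOW: any syscall not listed here stays permitted */`, so the fail-open semantics are explicit to the next maintainer.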
@@ -84,7 +103,8 @@ static const int jail_allowed_syscalls[] = {
 SCMP_SYS(setresuid), SCMP_SYS(setresgid), SCMP_SYS(getuid), SCMP_SYS(geteuid), SCMP_SYS(getgid), SCMP_SYS(getegid), SCMP_SYS(getgroups), SCMP_SYS(getdents),
- SCMP_SYS(getpgrp), SCMP_SYS(setpgid), SCMP_SYS(getpid), SCMP_SYS(kill),
+ SCMP_SYS(getpgrp), SCMP_SYS(setpgid), SCMP_SYS(getpid), SCMP_SYS(getppid),
+ SCMP_SYS(kill),
 SCMP_SYS(chdir), SCMP_SYS(mount), SCMP_SYS(umount2), SCMP_SYS(ioctl),
@@ -104,7 +124,7 @@ static int pseccomp_using_valgrind(void)
 return 0;
 }
-int pseccomp_init(pseccomp_ctx **ctx, unsigned int defact_allow)
+int pseccomp_init(pseccomp_ctx **ctx, unsigned flags)
 {
 assert(ctx);
@@ -114,7 +134,8 @@ int pseccomp_init(pseccomp_ctx **ctx, unsigned int defact_allow)
 memset(*ctx, 0, sizeof(**ctx));
 (*ctx)->sfilter = seccomp_init(
- (defact_allow ? SCMP_ACT_ALLOW : SCMP_ACT_ERRNO(EINVAL))
+ (flags & PS_ALLOW || flags & PS_MINIMUM ?
+ SCMP_ACT_ALLOW : SCMP_ACT_ERRNO(EINVAL))
 );
 return 0;
@@ -147,9 +168,15 @@ int pseccomp_default_rules(pseccomp_ctx *ctx)
 if (pseccomp_using_valgrind())
 return 0;
- for (i = 0; i < SIZEOF(default_allowed_syscalls); ++i)
- seccomp_rule_add(ctx->sfilter, SCMP_ACT_ALLOW,
- default_allowed_syscalls[i], 0);
+ if (ctx->flags & PS_MINIMUM) {
+ for (i = 0; i < SIZEOF(minimum_disabled_syscalls); ++i)
+ seccomp_rule_add(ctx->sfilter, SCMP_ACT_ERRNO(EINVAL),
+ minimum_disabled_syscalls[i], 0);
+ } else {
+ for (i = 0; i < SIZEOF(default_allowed_syscalls); ++i)
+ seccomp_rule_add(ctx->sfilter, SCMP_ACT_ALLOW,
+ default_allowed_syscalls[i], 0);
+ }
 return seccomp_load(ctx->sfilter);
 }
|
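Review bot: The new `flags` parameter is consulted only to choose the default action and is never stored in `*ctx`, yet the last hunk tests `ctx->flags & PS_MINIMUM`; this hunk shows every line from the memset to `return 0;` and no such assignment appears, so unless the field is set somewhere I cannot see (lines 120-133 are outside the hunk), PS_MINIMUM selects SCMP_ACT_ALLOW and the deny-list loop is then skipped, leaving the process with no effective filter at all. Add `(*ctx)->flags = flags;` right after the memset, or point to where it is set. The default-action condition also leans on `&` binding tighter than `||`; `(flags & (PS_ALLOW | PS_MINIMUM)) ? SCMP_ACT_ALLOW : SCMP_ACT_ERRNO(EINVAL)` says the same thing without the reader having to recall precedence. pseccomp_init begins in the previous hunk and its body continues outside this one.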
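Review bot: `seccomp_rule_add` returns a negative errno on failure and both new loops discard it; in the PS_MINIMUM branch a rule that fails to install leaves that syscall permitted, because the filter's default action is SCMP_ACT_ALLOW in that mode, so the function should stop instead of continuing to `seccomp_load`. The pre-existing allow-list loop had the same omission, but there a lost rule fails closed, which is why it mattered less before this change. Propagate the return value as below, with `int rc` declared next to `i`; the declaration of `i` and the function signature lie outside the hunk.
```c
    if (ctx->flags & PS_MINIMUM) {
        for (i = 0; i < SIZEOF(minimum_disabled_syscalls); ++i) {
            rc = seccomp_rule_add(ctx->sfilter, SCMP_ACT_ERRNO(EINVAL),
                                  minimum_disabled_syscalls[i], 0);
            if (rc < 0)
                return rc;
        }
    } else {
        for (i = 0; i < SIZEOF(default_allowed_syscalls); ++i) {
            rc = seccomp_rule_add(ctx->sfilter, SCMP_ACT_ALLOW,
                                  default_allowed_syscalls[i], 0);
            if (rc < 0)
                return rc;
        }
    }
    /* … unchanged: seccomp_load … */
```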