From 84d818f280f3a398fc91ca82699bc380d37d99cf Mon Sep 17 00:00:00 2001
From: Toni Uhlig
Date: Sat, 19 May 2018 17:36:57 +0200
Subject: POTD skeleton #62.

Signed-off-by: Toni Uhlig
---
 src/Makefile.am | 6 +++---
 src/main.c | 6 +++++-
 src/pseccomp.c | 26 ++++++++++++++++++++++++++
 src/pseccomp.h | 8 ++++++++
 4 files changed, 42 insertions(+), 4 deletions(-)
 create mode 100644 src/pseccomp.c
 create mode 100644 src/pseccomp.h
(limited to 'src')
diff --git a/src/Makefile.am b/src/Makefile.am
index 61272a6..f3491cf 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -1,5 +1,5 @@
-AM_CFLAGS = -pedantic -Wall -std=gnu99 -fstrict-aliasing -D_GNU_SOURCE=1 $(libssh_CFLAGS) $(SPECTRE_MIT) $(SYMBOL_VISIBILITY)
-AM_LDFLAGS = $(libssh_LIBS)
+AM_CFLAGS = -pedantic -Wall -std=gnu99 -fstrict-aliasing -D_GNU_SOURCE=1 $(libssh_CFLAGS) $(libseccomp_CFLAGS) $(SPECTRE_MIT) $(SYMBOL_VISIBILITY)
+AM_LDFLAGS = $(libssh_LIBS) $(libseccomp_LIBS)
 sbin_PROGRAMS = potd
-potd_SOURCES = utils.c log.c log_colored.c socket.c pevent.c capabilities.c jail.c forward.c redirector.c protocol.c protocol_ssh.c main.c
+potd_SOURCES = utils.c log.c log_colored.c socket.c pevent.c capabilities.c pseccomp.c jail.c forward.c redirector.c protocol.c protocol_ssh.c main.c
diff --git a/src/main.c b/src/main.c
index 4e34aa5..3d34228 100644
--- a/src/main.c
+++ b/src/main.c
@@ -2,6 +2,7 @@
 #include
 #include
+#include "pseccomp.h"
 #include "capabilities.h"
 #include "log.h"
 #include "log_colored.h"
@@ -34,11 +35,14 @@ int main(int argc, char *argv[])
 (void) argc;
 (void) argv;
 arg0 = argv[0];
- caps_default_filter();
 LOG_SET_FUNCS_VA(LOG_COLORED_FUNCS);
 N("%s (C) 2018 Toni Uhlig (%s)", PACKAGE_STRING, PACKAGE_BUGREPORT);
+ pseccomp_init();
+ pseccomp_set_immutable();
+ caps_default_filter();
+ D("%s", "Forking into background/foreground");
 daemon_pid = daemonize(1);
 ABORT_ON_FATAL( daemon_pid > 0, "Forking" );
diff --git a/src/pseccomp.c b/src/pseccomp.c
new file mode 100644
index 0000000..0b6ef15
--- /dev/null
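Review bot: The return values of the new `pseccomp_init();` and `pseccomp_set_immutable();` calls in main() are discarded even though both functions are declared to return int, so a future non-fatal failure path in either would be silently ignored right before capabilities are dropped. The surrounding code checks outcomes with ABORT_ON_FATAL (see the `daemon_pid` line two lines below), so either check these the same way, e.g. `ABORT_ON_FATAL( pseccomp_set_immutable() != 0, "Process hardening" );` if that macro aborts when its condition holds, or declare the functions void to make the contract explicit. The body of main() continues outside the hunk.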
+++ b/src/pseccomp.c
@@ -0,0 +1,26 @@
+#include
+#include
+
+#include "seccomp.h"
+#include "log.h"
+
+static scmp_filter_ctx ctx;
+
+
+int pseccomp_init(void)
+{
+ //ctx = seccomp_init(SCMP_ACT_ERRNO(EINVAL));
+
+ return 0;
+}
+
+int pseccomp_set_immutable(void)
+{
+ if (prctl(PR_SET_DUMPABLE, 0) &&
+ prctl(PR_SET_NO_NEW_PRIVS, 1))
+ {
+ FATAL("%s", "PR_SET_NO_NEW_PRIVS, PR_SET_DUMPABLE");
+ }
+
+ return 0;
+}
diff --git a/src/pseccomp.h b/src/pseccomp.h
new file mode 100644
index 0000000..76889b6
--- /dev/null
+++ b/src/pseccomp.h
@@ -0,0 +1,8 @@
+#ifndef POTD_SECCOMP_H
+#define POTD_SECCOMP_H 1
+
+int pseccomp_init(void);
+
+int pseccomp_set_immutable(void);
+
+#endif
--
cgit v1.2.3
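Review bot: The condition in pseccomp_set_immutable() uses `&&`, so because prctl() returns 0 on success the second call is short-circuited away whenever PR_SET_DUMPABLE succeeds — PR_SET_NO_NEW_PRIVS is then never set, and FATAL fires only if both calls fail. The operator must be `||`, and PR_SET_NO_NEW_PRIVS additionally requires the unused arguments to be zero (the kernel rejects the call with EINVAL otherwise, and with the variadic prctl() prototype they are whatever happens to be in the registers): `if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) ||` / `prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))`. With seccomp_init() commented out, `static scmp_filter_ctx ctx;` is also unused and will warn under the -Wall already in AM_CFLAGS; either drop it until the filter lands or mark it as intentionally unused.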
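Review bot: The new public header declares pseccomp_init() and pseccomp_set_immutable() without any comment on what they do or what their int return means, and since the caller in main() discards those values a reader has no way to learn the contract. Please document them in pseccomp.h, e.g. above pseccomp_set_immutable(): `/* Marks the process non-dumpable and sets no_new_privs via prctl(); calls FATAL() on failure, returns 0 otherwise. */`, and above pseccomp_init() a note that it is currently a placeholder that returns 0 until the seccomp filter is wired in.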