aboutsummaryrefslogtreecommitdiff
path: root/src/pseccomp.c
blob: 59414d7a9cccb1acdfde7b70821e5e6ce9eaaf84 (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131

#include <assert.h>
#include <sys/prctl.h>
#include <valgrind/valgrind.h>

#include "pseccomp.h"
#include "log.h"
#include "utils.h"

static const int default_allowed_syscalls[] = {
    SCMP_SYS(rt_sigreturn), SCMP_SYS(rt_sigprocmask),
    SCMP_SYS(rt_sigaction), SCMP_SYS(time), SCMP_SYS(nanosleep),
    SCMP_SYS(exit), SCMP_SYS(exit_group),
    SCMP_SYS(read), SCMP_SYS(write), SCMP_SYS(fcntl), SCMP_SYS(writev),
    SCMP_SYS(close), SCMP_SYS(wait4),
    SCMP_SYS(sigprocmask), SCMP_SYS(tgkill),
    SCMP_SYS(clone), SCMP_SYS(execve),
    SCMP_SYS(socket), SCMP_SYS(bind), SCMP_SYS(setsockopt),
    SCMP_SYS(listen), SCMP_SYS(connect), SCMP_SYS(getsockname),
    SCMP_SYS(accept), SCMP_SYS(sendto), SCMP_SYS(recvmsg), SCMP_SYS(recvfrom),
    SCMP_SYS(epoll_create1), SCMP_SYS(epoll_ctl), SCMP_SYS(epoll_pwait),
    SCMP_SYS(poll),
    SCMP_SYS(set_robust_list), SCMP_SYS(getrlimit),
    SCMP_SYS(seccomp),
    SCMP_SYS(prctl), SCMP_SYS(mmap), SCMP_SYS(brk), SCMP_SYS(madvise),
    SCMP_SYS(mprotect), SCMP_SYS(munmap), SCMP_SYS(futex),
    SCMP_SYS(open), SCMP_SYS(unlink), SCMP_SYS(fstat), SCMP_SYS(access),
    SCMP_SYS(lseek), SCMP_SYS(stat), SCMP_SYS(readlink), SCMP_SYS(getcwd),
    SCMP_SYS(lstat), SCMP_SYS(sysinfo),
    SCMP_SYS(setuid), SCMP_SYS(setgid),
    SCMP_SYS(setreuid), SCMP_SYS(setregid),
    SCMP_SYS(getuid), SCMP_SYS(geteuid), SCMP_SYS(getgid), SCMP_SYS(getegid),
    SCMP_SYS(getgroups), SCMP_SYS(getdents),
    SCMP_SYS(getpgrp), SCMP_SYS(setpgid), SCMP_SYS(getpid), SCMP_SYS(kill),
    SCMP_SYS(unshare), SCMP_SYS(chroot), SCMP_SYS(chdir), SCMP_SYS(mount),
    SCMP_SYS(umount2),
    SCMP_SYS(mknod), SCMP_SYS(mkdir), SCMP_SYS(statfs), SCMP_SYS(ioctl),
    SCMP_SYS(chown), SCMP_SYS(chmod), SCMP_SYS(setsid), SCMP_SYS(dup2),
    SCMP_SYS(sethostname), SCMP_SYS(uname), SCMP_SYS(arch_prctl)
};

static const int jail_allowed_syscalls[] = {
    SCMP_SYS(rt_sigreturn), SCMP_SYS(rt_sigprocmask),
    SCMP_SYS(rt_sigaction), SCMP_SYS(time), SCMP_SYS(nanosleep),
    SCMP_SYS(exit), SCMP_SYS(exit_group),
    SCMP_SYS(read), SCMP_SYS(write), SCMP_SYS(fcntl), SCMP_SYS(writev),
    SCMP_SYS(close), SCMP_SYS(wait4),
    SCMP_SYS(sigprocmask), SCMP_SYS(tgkill),
    SCMP_SYS(clone), SCMP_SYS(execve),
    SCMP_SYS(mmap), SCMP_SYS(brk), SCMP_SYS(madvise),
    SCMP_SYS(mprotect), SCMP_SYS(munmap), SCMP_SYS(futex),
    SCMP_SYS(open), SCMP_SYS(fstat), SCMP_SYS(access),
    SCMP_SYS(poll),
    SCMP_SYS(lseek), SCMP_SYS(stat), SCMP_SYS(readlink), SCMP_SYS(getcwd),
    SCMP_SYS(lstat), SCMP_SYS(sysinfo),
    SCMP_SYS(setuid), SCMP_SYS(setgid),
    SCMP_SYS(setreuid), SCMP_SYS(setregid),
    SCMP_SYS(getuid), SCMP_SYS(geteuid), SCMP_SYS(getgid), SCMP_SYS(getegid),
    SCMP_SYS(getgroups), SCMP_SYS(getdents),
    SCMP_SYS(getpgrp), SCMP_SYS(setpgid), SCMP_SYS(getpid), SCMP_SYS(kill),
    SCMP_SYS(chdir), SCMP_SYS(mount),
    SCMP_SYS(umount2),
    SCMP_SYS(ioctl),
    SCMP_SYS(sethostname), SCMP_SYS(uname), SCMP_SYS(arch_prctl)
};


int pseccomp_init(pseccomp_ctx **ctx)
{
    assert(ctx);

    if (!*ctx)
        *ctx = (pseccomp_ctx *) malloc(sizeof(**ctx));
    assert(*ctx);

    memset(*ctx, 0, sizeof(**ctx));
    (*ctx)->sfilter = seccomp_init(SCMP_ACT_ERRNO(EINVAL));

    return 0;
}

void pseccomp_free(pseccomp_ctx **ctx)
{
    assert(ctx && *ctx);

    seccomp_release((*ctx)->sfilter);
    free(*ctx);
    (*ctx) = NULL;
}

int pseccomp_set_immutable(void)
{
    if (prctl(PR_SET_DUMPABLE, 0) &&
        prctl(PR_SET_NO_NEW_PRIVS, 1))
    {
        FATAL("%s", "PR_SET_NO_NEW_PRIVS, PR_SET_DUMPABLE");
    }

    return 0;
}

int pseccomp_default_rules(pseccomp_ctx *ctx)
{
    size_t i;

    if (RUNNING_ON_VALGRIND) {
        W("%s", "SECCOMP: running on valgrind, disabled");
        return 0;
    }

    for (i = 0; i < SIZEOF(default_allowed_syscalls); ++i)
        seccomp_rule_add(ctx->sfilter, SCMP_ACT_ALLOW,
            default_allowed_syscalls[i], 0);

    return seccomp_load(ctx->sfilter);
}

int pseccomp_jail_rules(pseccomp_ctx *ctx)
{
    size_t i;

    if (RUNNING_ON_VALGRIND) {
        W("%s", "SECCOMP: running on valgrind, disabled");
        return 0;
    }

    for (i = 0; i < SIZEOF(jail_allowed_syscalls); ++i)
        seccomp_rule_add(ctx->sfilter, SCMP_ACT_ALLOW,
            jail_allowed_syscalls[i], 0);

    return seccomp_load(ctx->sfilter);
}
Powered by cgit, Themed by Ted Yin.