Add more seccomp syscalls

Grégory Soutadé 2016-02-17 18:15:04 +01:00
parent 3f69fdc7fb
commit 3152fbf947
3 changed files with 35 additions and 2 deletions

README

@ -16,4 +16,8 @@ To compile it :
make data src make data src
Makefile flags :
* DEBUG=1 to compile in debug mode
* USE_SECCOMP=1 to compile with seccomp support
More information can be found at http://indefero.soutade.fr/p/iptogeo More information can be found at http://indefero.soutade.fr/p/iptogeo


@ -11,7 +11,7 @@ else
CFLAGS += -O2 CFLAGS += -O2
endif endif
ifneq ($(DISABLE_SECCOMP),) ifeq ($(USE_SECCOMP),1)
CFLAGS += -DUSE_SECCOMP=1 CFLAGS += -DUSE_SECCOMP=1
LDFLAGS += -lseccomp LDFLAGS += -lseccomp
endif endif
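Review bot: Assuming `ifeq ($(USE_SECCOMP),1)` is the new side of the changed condition (the README hunk documents that flag), the seccomp filter has gone from on-by-default to opt-in, so a plain `make` now produces a daemon with no syscall sandbox at all. That is a security-relevant change of default worth one line in the commit message and in the README, e.g. `* USE_SECCOMP=1 to compile with seccomp support (off by default)`.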


@ -22,6 +22,7 @@
#include <sys/socket.h> #include <sys/socket.h>
#include <sys/select.h> #include <sys/select.h>
#include <sys/time.h> #include <sys/time.h>
#include <sys/stat.h>
#include <arpa/inet.h> #include <arpa/inet.h>
#include <netinet/in.h> #include <netinet/in.h>
#include <time.h> #include <time.h>
@ -33,6 +34,7 @@
#include <stdlib.h> #include <stdlib.h>
#include <string.h> #include <string.h>
#include <poll.h> #include <poll.h>
#include <fcntl.h>
#ifdef USE_SECCOMP #ifdef USE_SECCOMP
#include <seccomp.h> #include <seccomp.h>
@ -466,7 +468,7 @@ int daemonize(struct gengetopt_args_info* params)
signal(SIGUSR2, sigint); signal(SIGUSR2, sigint);
#ifdef USE_SECCOMP #ifdef USE_SECCOMP
scmp_filter_ctx seccomp_ctx = seccomp_init(SCMP_ACT_KILL); scmp_filter_ctx seccomp_ctx = seccomp_init(SCMP_ACT_KILL/*SCMP_ACT_TRAP*/);
if (seccomp_ctx == NULL) if (seccomp_ctx == NULL)
{ {
@ -474,10 +476,37 @@ int daemonize(struct gengetopt_args_info* params)
return -5; return -5;
} }
seccomp_rule_add(seccomp_ctx, SCMP_ACT_ALLOW, SCMP_SYS(poll), 0);
seccomp_rule_add(seccomp_ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 0); seccomp_rule_add(seccomp_ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 0);
seccomp_rule_add(seccomp_ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 0); seccomp_rule_add(seccomp_ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 0);
seccomp_rule_add(seccomp_ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0); seccomp_rule_add(seccomp_ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0);
seccomp_rule_add(seccomp_ctx, SCMP_ACT_ALLOW, SCMP_SYS(accept), 0); seccomp_rule_add(seccomp_ctx, SCMP_ACT_ALLOW, SCMP_SYS(accept), 0);
seccomp_rule_add(seccomp_ctx, SCMP_ACT_ALLOW, SCMP_SYS(syncfs), 0);
seccomp_rule_add(seccomp_ctx, SCMP_ACT_ALLOW, SCMP_SYS(nanosleep), 0);
seccomp_rule_add(seccomp_ctx, SCMP_ACT_ALLOW, SCMP_SYS(restart_syscall), 0); // for usleep
seccomp_rule_add(seccomp_ctx, SCMP_ACT_ALLOW, SCMP_SYS(syslog), 0);
seccomp_rule_add(seccomp_ctx, SCMP_ACT_ALLOW, SCMP_SYS(sendto), 0); // For syslog
seccomp_rule_add(seccomp_ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 1, SCMP_A1(SCMP_CMP_EQ , O_RDONLY|O_CLOEXEC));
// For create_thread
seccomp_rule_add(seccomp_ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap), 0);
seccomp_rule_add(seccomp_ctx, SCMP_ACT_ALLOW, SCMP_SYS(munmap), 0);
seccomp_rule_add(seccomp_ctx, SCMP_ACT_ALLOW, SCMP_SYS(mprotect), 0);
seccomp_rule_add(seccomp_ctx, SCMP_ACT_ALLOW, SCMP_SYS(clone), 0);
seccomp_rule_add(seccomp_ctx, SCMP_ACT_ALLOW, SCMP_SYS(fstat), 0);
seccomp_rule_add(seccomp_ctx, SCMP_ACT_ALLOW, SCMP_SYS(access), 0);
seccomp_rule_add(seccomp_ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit), 0);
seccomp_rule_add(seccomp_ctx, SCMP_ACT_ALLOW, SCMP_SYS(set_robust_list), 0);
seccomp_rule_add(seccomp_ctx, SCMP_ACT_ALLOW, SCMP_SYS(madvise), 0);
seccomp_rule_add(seccomp_ctx, SCMP_ACT_ALLOW, SCMP_SYS(munlock), 0);
seccomp_rule_add(seccomp_ctx, SCMP_ACT_ALLOW, SCMP_SYS(futex), 0);
ret = seccomp_load(seccomp_ctx);
if (ret < 0)
{
syslog(LOG_ERR, "Error seccomp load %d\n", ret);
return -6;
}
#endif #endif
while (!s_stop) while (!s_stop)