Add first seccomp implementation

src/Makefile

@@ -11,6 +11,11 @@ else
 CFLAGS += -O2
 endif
 
+ifneq ($(DISABLE_SECCOMP),)
+CFLAGS  += -DUSE_SECCOMP=1
+LDFLAGS += -lseccomp
+endif
+
 all: $(BIN_DIR) ip_data.c $(TARGET)
 
 $(BIN_DIR):

src/server.c

@@ -12,6 +12,10 @@
 #include <stdlib.h>
 #include <string.h>
 
+#ifdef USE_SECCOMP
+#include <seccomp.h>
+#endif
+
 #include "ip_to_geo.h"
 #include "protocol.h"
 
@@ -383,10 +387,25 @@ int daemonize(struct gengetopt_args_info* params)
 
     syslog(LOG_INFO, "ip_togeod started\n");
     
-    signal(SIGINT, sigint);
+    signal(SIGINT,  sigint);
     signal(SIGUSR1, sigint);
     signal(SIGUSR2, sigint);
+
+#ifdef USE_SECCOMP
+    scmp_filter_ctx seccomp_ctx = seccomp_init(SCMP_ACT_KILL);
     
+    if (seccomp_ctx == NULL)
+    {
+        syslog(LOG_ERR, "unable to initialize seccomp\n");
+        return -5;
+    }
+
+    seccomp_rule_add(seccomp_ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 0);
+    seccomp_rule_add(seccomp_ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 0);
+    seccomp_rule_add(seccomp_ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0);
+    seccomp_rule_add(seccomp_ctx, SCMP_ACT_ALLOW, SCMP_SYS(accept), 0);
+#endif
+
     while (!s_stop)
     {
         sockaddr_len = sizeof(sockaddr);
@@ -413,6 +432,11 @@ int daemonize(struct gengetopt_args_info* params)
 
     closelog();
 
+#ifdef USE_SECCOMP
+    if (seccomp_ctx)
+        seccomp_release(seccomp_ctx);
+#endif
+
     return 0;
 }