From feb89ff6b38db812f55a9fc4c57e4f827b9485f2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gr=C3=A9gory=20Soutad=C3=A9?=
Date: Thu, 4 Feb 2016 20:39:50 +0100
Subject: [PATCH] Add first seccomp implementation

---
 src/Makefile | 5 +++++
 src/server.c | 26 +++++++++++++++++++++++++-
 2 files changed, 30 insertions(+), 1 deletion(-)

diff --git a/src/Makefile b/src/Makefile
index 6a8efec..057fca7 100644
--- a/src/Makefile
+++ b/src/Makefile
@@ -11,6 +11,11 @@ else
 CFLAGS += -O2
 endif
+ifneq ($(DISABLE_SECCOMP),)
+CFLAGS += -DUSE_SECCOMP=1
+LDFLAGS += -lseccomp
+endif
+
 all: $(BIN_DIR) ip_data.c $(TARGET)
 $(BIN_DIR):
diff --git a/src/server.c b/src/server.c
index 8d7d72f..c6bcf53 100644
--- a/src/server.c
+++ b/src/server.c
@@ -12,6 +12,10 @@
 #include 
 #include 
+#ifdef USE_SECCOMP
+#include 
+#endif
+
 #include "ip_to_geo.h"
 #include "protocol.h"
@@ -383,10 +387,25 @@ int daemonize(struct gengetopt_args_info* params)
 syslog(LOG_INFO, "ip_togeod started\n");
-signal(SIGINT, sigint);
+signal(SIGINT, sigint);
 signal(SIGUSR1, sigint);
 signal(SIGUSR2, sigint);
+
+#ifdef USE_SECCOMP
+scmp_filter_ctx seccomp_ctx = seccomp_init(SCMP_ACT_KILL);
+if (seccomp_ctx == NULL)
+{
+syslog(LOG_ERR, "unable to initialize seccomp\n");
+return -5;
+}
+
+seccomp_rule_add(seccomp_ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 0);
+seccomp_rule_add(seccomp_ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 0);
+seccomp_rule_add(seccomp_ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0);
+seccomp_rule_add(seccomp_ctx, SCMP_ACT_ALLOW, SCMP_SYS(accept), 0);
+#endif
+
 while (!s_stop)
 {
 sockaddr_len = sizeof(sockaddr);
@@ -413,6 +432,11 @@ int daemonize(struct gengetopt_args_info* params)
 closelog();
+#ifdef USE_SECCOMP
+if (seccomp_ctx)
+seccomp_release(seccomp_ctx);
+#endif
+
 return 0;
 }
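Review bot: The build condition is inverted: `ifneq ($(DISABLE_SECCOMP),)` adds -DUSE_SECCOMP=1 and -lseccomp only when DISABLE_SECCOMP is set to something, so a default build has no seccomp support and setting the "disable" variable is what turns it on. The guard should read `ifeq ($(DISABLE_SECCOMP),)` so that seccomp is compiled in unless explicitly disabled, which is what the variable name promises. A one-line comment above the block, `# seccomp is on by default; set DISABLE_SECCOMP=1 to build without it`, would make the intent checkable.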
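Review bot: The filter built in the second server.c hunk is never installed: seccomp_init and the four seccomp_rule_add calls only populate the userspace context, and no seccomp_load(seccomp_ctx) follows, so the daemon keeps running with no syscall restriction whatever USE_SECCOMP is set to. The seccomp_rule_add return values are also discarded, so a rule that fails to add would go unnoticed and the context would leak on that path. Once a load is added, the allowlist needs checking against what the daemon actually does, because SCMP_ACT_KILL is the default and only read/write/close/accept are allowed: the accept loop body and the exit path are outside this hunk, and syslog's socket traffic and rt_sigreturn for the handlers installed just above would presumably be killed, so the rule set should be derived from a syscall trace before the load goes in. The rewrite below checks every step and releases the context on failure; daemonize() continues past the hunk.
```c
#ifdef USE_SECCOMP
    scmp_filter_ctx seccomp_ctx = seccomp_init(SCMP_ACT_KILL);
    if (seccomp_ctx == NULL)
    {
        syslog(LOG_ERR, "unable to initialize seccomp\n");
        return -5;
    }

    /* Every rule and the final load must succeed: a partially built
     * filter is either a silent no-op (not loaded) or kills the daemon
     * on its first disallowed syscall.  Allowlist to be confirmed
     * against the daemon's real syscall trace before enabling by default. */
    if (seccomp_rule_add(seccomp_ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 0) < 0 ||
        seccomp_rule_add(seccomp_ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 0) < 0 ||
        seccomp_rule_add(seccomp_ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0) < 0 ||
        seccomp_rule_add(seccomp_ctx, SCMP_ACT_ALLOW, SCMP_SYS(accept), 0) < 0 ||
        seccomp_load(seccomp_ctx) < 0)
    {
        syslog(LOG_ERR, "unable to install seccomp filter\n");
        seccomp_release(seccomp_ctx);
        return -5;
    }
#endif
    /* … unchanged: accept loop … */
```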
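Review bot: In the last server.c hunk the `if (seccomp_ctx)` guard is dead: the only NULL case already returned -5 right after seccomp_init, so the context is always non-NULL when closelog() is reached. It is also worth a comment that seccomp_release() only frees the library's context and does not undo a filter that has been loaded into the kernel, e.g. `/* frees the libseccomp context only; a loaded filter stays in effect */`, so a reader does not take this as restoring unrestricted syscalls before return. daemonize()'s body starts outside this hunk.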