sandbox: add support for SECCOMP_FILTER_FLAG_LOG
This commit is contained in:
parent
c365eb1766
commit
4394fa725e
@ -131,6 +131,7 @@ struct custom_option custom_opts[] = {
|
||||
{ { "proc_rw", no_argument, NULL, 0x0606 }, "Is procfs mounted as R/W (default: R/O)" },
|
||||
{ { "seccomp_policy", required_argument, NULL, 'P' }, "Path to file containing seccomp-bpf policy (see kafel/)" },
|
||||
{ { "seccomp_string", required_argument, NULL, 0x0901 }, "String with kafel seccomp-bpf policy (see kafel/)" },
|
||||
{ { "seccomp_log", no_argument, NULL, 0x0902 }, "Use SECCOMP_FILTER_FLAG_LOG. Log all actions except SECCOMP_RET_ALLOW)" },
|
||||
{ { "cgroup_mem_max", required_argument, NULL, 0x0801 }, "Maximum number of bytes to use in the group (default: '0' - disabled)" },
|
||||
{ { "cgroup_mem_mount", required_argument, NULL, 0x0802 }, "Location of memory cgroup FS (default: '/sys/fs/cgroup/memory')" },
|
||||
{ { "cgroup_mem_parent", required_argument, NULL, 0x0803 }, "Which pre-existing memory cgroup to use as a parent (default: 'NSJAIL')" },
|
||||
@ -449,6 +450,7 @@ std::unique_ptr<nsjconf_t> parseArgs(int argc, char* argv[]) {
|
||||
nsjconf->num_cpus = sysconf(_SC_NPROCESSORS_ONLN);
|
||||
nsjconf->seccomp_fprog.filter = NULL;
|
||||
nsjconf->seccomp_fprog.len = 0;
|
||||
nsjconf->seccomp_log = false;
|
||||
|
||||
nsjconf->openfds.push_back(STDIN_FILENO);
|
||||
nsjconf->openfds.push_back(STDOUT_FILENO);
|
||||
@ -818,6 +820,9 @@ std::unique_ptr<nsjconf_t> parseArgs(int argc, char* argv[]) {
|
||||
case 0x901:
|
||||
nsjconf->kafel_string = optarg;
|
||||
break;
|
||||
case 0x902:
|
||||
nsjconf->seccomp_log = true;
|
||||
break;
|
||||
default:
|
||||
cmdlineUsage(argv[0]);
|
||||
return nullptr;
|
||||
|
1
nsjail.h
1
nsjail.h
@ -143,6 +143,7 @@ struct nsjconf_t {
|
||||
std::string kafel_file_path;
|
||||
std::string kafel_string;
|
||||
struct sock_fprog seccomp_fprog;
|
||||
bool seccomp_log;
|
||||
long num_cpus;
|
||||
uid_t orig_uid;
|
||||
std::vector<mount_t> mountpts;
|
||||
|
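Review bot: `bool seccomp_log;` is added without a comment, yet unlike its neighbours it changes how the filter is installed (seccomp(2) with flags instead of prctl), so a one-line note would help the next reader: `bool seccomp_log; /* install the seccomp filter via seccomp(2) with SECCOMP_FILTER_FLAG_LOG */`. Consider also an in-class default, `bool seccomp_log = false;`, so the field is not indeterminate if a construction path other than parseArgs ever builds an nsjconf_t. The struct continues outside the hunk.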
31
sandbox.cc
31
sandbox.cc
@ -26,6 +26,8 @@
|
||||
#include <stddef.h>
|
||||
#include <stdlib.h>
|
||||
#include <sys/prctl.h>
|
||||
#include <sys/syscall.h>
|
||||
#include <unistd.h>
|
||||
|
||||
extern "C" {
|
||||
#include "kafel.h"
|
||||
@ -38,6 +40,14 @@ namespace sandbox {
|
||||
#define PR_SET_NO_NEW_PRIVS 38
|
||||
#endif /* PR_SET_NO_NEW_PRIVS */
|
||||
|
||||
#ifndef SECCOMP_FILTER_FLAG_TSYNC
|
||||
#define SECCOMP_FILTER_FLAG_TSYNC (1UL << 0)
|
||||
#endif /* SECCOMP_FILTER_FLAG_TSYNC */
|
||||
|
||||
#ifndef SECCOMP_FILTER_FLAG_LOG
|
||||
#define SECCOMP_FILTER_FLAG_LOG (1UL << 1)
|
||||
#endif /* SECCOMP_FILTER_FLAG_LOG */
|
||||
|
||||
static bool prepareAndCommit(nsjconf_t* nsjconf) {
|
||||
if (nsjconf->kafel_file_path.empty() && nsjconf->kafel_string.empty()) {
|
||||
return true;
|
||||
@ -47,7 +57,26 @@ static bool prepareAndCommit(nsjconf_t* nsjconf) {
|
||||
PLOG_W("prctl(PR_SET_NO_NEW_PRIVS, 1) failed");
|
||||
return false;
|
||||
}
|
||||
if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &nsjconf->seccomp_fprog, 0, 0)) {
|
||||
if (nsjconf->seccomp_log) {
|
||||
#ifndef __NR_seccomp
|
||||
LOG_E(
|
||||
"The __NR_seccomp is not defined with this kernel header files (kernel headers "
|
||||
"too old?)");
|
||||
return false;
|
||||
#else
|
||||
if (syscall(__NR_seccomp, SECCOMP_SET_MODE_FILTER,
|
||||
SECCOMP_FILTER_FLAG_TSYNC | SECCOMP_FILTER_FLAG_LOG,
|
||||
&nsjconf->seccomp_fprog) == -1) {
|
||||
PLOG_E(
|
||||
"seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC | "
|
||||
"SECCOMP_FILTER_FLAG_LOG) failed");
|
||||
return false;
|
||||
}
|
||||
return true;
|
||||
#endif /* __NR_seccomp */
|
||||
}
|
||||
|
||||
if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &nsjconf->seccomp_fprog, 0UL, 0UL)) {
|
||||
PLOG_W("prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER) failed");
|
||||
return false;
|
||||
}
|
||||
|
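Review bot: The `== -1` check on the seccomp(2) call in the `seccomp_log` branch misses the TSYNC failure mode: when SECCOMP_FILTER_FLAG_TSYNC is set, the kernel reports a synchronization failure by returning the positive TID of the thread it could not sync, so that case would pass the check and prepareAndCommit would return true with no filter installed. Compare against zero instead, `&nsjconf->seccomp_fprog) != 0) {`. This path also diverges from the prctl path below it by adding SECCOMP_FILTER_FLAG_TSYNC, so with `seccomp_log` the filter is applied to all threads while without it only the calling thread is covered; if that is intended it deserves a comment, otherwise both paths should use the same thread scope. Kernels without SECCOMP_FILTER_FLAG_LOG support reject the call with EINVAL, which the PLOG_E already surfaces through errno, though the message could say so. The body of prepareAndCommit continues past the end of the hunk.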