#include "sandbox.h"
#include "err.h"
#include "rules/rules.h"
#include "utils/log.h"
#include <errno.h>
#include <stdarg.h>
#include <stdlib.h>
#include <string.h>
/*
 * Add a rule to `ctx` that applies `action` to the syscall numbered
 * `syscall_nr`, with no argument comparisons.
 *
 * The rule is added through seccomp_rule_add_exact(), so libseccomp reports
 * an error instead of adapting a rule it cannot express as given. Any failure
 * is fatal: the context is released and the process exits with
 * ERR_SECCOMP_RESOLVE, so the caller never continues with a partly built
 * filter.
 */
void add_syscall_nr(int syscall_nr, scmp_filter_ctx ctx, uint32_t action) {
    int rc = seccomp_rule_add_exact(ctx, action, syscall_nr, 0);

    if (rc == 0) {
        return;
    }

    /* Fail closed: a missing rule must not be silently skipped. */
    LOG_ERR("Failed to add syscall %d", syscall_nr);
    seccomp_release(ctx);
    exit(ERR_SECCOMP_RESOLVE);
}
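/*
 * Add a rule to `ctx` that applies `action` to syscall `syscall_nr` only when
 * its arguments satisfy the given comparisons.
 *
 * The variadic tail must hold exactly `arg_cnt` values of type
 * `struct scmp_arg_cmp` (presumably built by callers with SCMP_A0..SCMP_A5 or
 * SCMP_CMP -- confirm against the call sites).
 *
 * seccomp_rule_add() is itself variadic and reads `struct scmp_arg_cmp`
 * values from its own argument list; handing it a va_list makes it read
 * unrelated memory as comparisons, so the installed rule would not match what
 * the caller asked for. The comparisons are therefore copied into an array
 * and passed to seccomp_rule_add_array(), the array form of the same call.
 *
 * Any failure is fatal: the context is released and the process exits with
 * ERR_SECCOMP_RESOLVE.
 */
void add_syscall_nr_arg(int syscall_nr, scmp_filter_ctx ctx, uint32_t action, unsigned arg_cnt, ...) {
    struct scmp_arg_cmp cmp[SCMP_ARG_COUNT_MAX];

    /* Bound the copy below; libseccomp rejects larger counts as well. */
    if (arg_cnt > SCMP_ARG_COUNT_MAX) {
        LOG_ERR("Too many argument filters (%u) for syscall %d", arg_cnt, syscall_nr);
        seccomp_release(ctx);
        exit(ERR_SECCOMP_RESOLVE);
    }

    va_list args;
    va_start(args, arg_cnt);
    for (unsigned i = 0; i < arg_cnt; i++) {
        cmp[i] = va_arg(args, struct scmp_arg_cmp);
    }
    /* Finished with the argument list before any exit path is taken. */
    va_end(args);

    if (seccomp_rule_add_array(ctx, action, syscall_nr, arg_cnt, cmp)) {
        LOG_ERR("Failed to add syscall %d", syscall_nr);
        seccomp_release(ctx);
        exit(ERR_SECCOMP_RESOLVE);
    }
}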
/*
 * Add a rule to `ctx` that applies `action` to the syscall called
 * `syscall_name`.
 *
 * The name is resolved to a number with seccomp_syscall_resolve_name() and
 * the rule is then added by add_syscall_nr(). A name that does not resolve is
 * fatal: the context is released and the process exits with
 * ERR_SECCOMP_RESOLVE, so a misspelled entry cannot silently drop a rule.
 */
void add_syscall_name(const char *syscall_name, scmp_filter_ctx ctx, uint32_t action) {
    const int resolved = seccomp_syscall_resolve_name(syscall_name);

    if (resolved != __NR_SCMP_ERROR) {
        add_syscall_nr(resolved, ctx, action);
        return;
    }

    LOG_ERR("Failed to resolve syscall %s", syscall_name);
    seccomp_release(ctx);
    exit(ERR_SECCOMP_RESOLVE);
}
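/*
 * Build and load the seccomp filter for this process from two environment
 * variables.
 *
 * SANDBOX_ACTION selects the filter's default action, i.e. what happens to a
 * syscall that no rule matches:
 *   "kill"     - SCMP_ACT_KILL (also used when the variable is unset)
 *   "ret"      - the syscall fails with EPERM
 *   "log"      - the syscall is logged and allowed (audit only, no enforcement)
 *   "disabled" - no filter is installed at all
 * Any other value is reported and treated as "kill", so a typo cannot weaken
 * the sandbox.
 *
 * SANDBOX_TEMPLATE names the rule set handed to setup_rule(); it is required
 * unless the sandbox is disabled.
 *
 * NOTE(review): both "log" and "disabled" turn enforcement off and are chosen
 * purely by the environment, so the sandbox is only as strong as the control
 * the launcher has over this process's environment.
 *
 * Every failure exits the process with the matching ERR_SECCOMP_* code.
 */
void setup_seccomp(void) {
    LOG_INFO("Setting seccomp rules...");

    char *template = getenv(SANDBOX_TEMPLATE);
    const char *action = getenv(SANDBOX_ACTION);

    /* Strictest action unless the environment explicitly asks for another. */
    uint32_t act = SCMP_ACT_KILL;

    if (action) {
        if (strcmp(action, "disabled") == 0) {
            LOG_INFO("Seccomp disabled");
            return;
        } else if (strcmp(action, "log") == 0) {
            act = SCMP_ACT_LOG;
        } else if (strcmp(action, "kill") == 0) {
            act = SCMP_ACT_KILL;
        } else if (strcmp(action, "ret") == 0) {
            act = SCMP_ACT_ERRNO(EPERM);
        } else {
            /* Make the fail-closed fallback visible instead of silent. */
            LOG_ERR("Unknown %s value \"%s\", using kill", SANDBOX_ACTION, action);
        }
    }

    if (!template) {
        LOG_ERR("Environment variable %s required", SANDBOX_TEMPLATE);
        dump_rules();
        exit(ERR_SECCOMP_ENV);
    }

    scmp_filter_ctx ctx = seccomp_init(act);
    if (!ctx) {
        LOG_ERR("Failed to init seccomp context");
        exit(ERR_SECCOMP_INIT);
    }

    setup_rule(template, ctx);

    if (seccomp_load(ctx)) {
        LOG_ERR("Failed to load seccomp context");
        seccomp_release(ctx);
        exit(ERR_SECCOMP_LOAD);
    }

    /* Releasing the context frees libseccomp's state; the loaded filter stays active. */
    seccomp_release(ctx);

    LOG_INFO("Preload Done");
}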