feat: allow to execute self
This commit is contained in:
parent
bc7b70d667
commit
14873703e5
@ -85,7 +85,7 @@ void parse(int argc, char *argv[]) {
|
||||
|
||||
void launch_child() {
|
||||
char *args[] = {config[program], NULL};
|
||||
char *env[7];
|
||||
char *env[8];
|
||||
|
||||
/* build env */ {
|
||||
env[0] = malloc(sizeof("LD_PRELOAD=") + strlen(config[sandbox_path]) + 1);
|
||||
@ -106,7 +106,10 @@ void launch_child() {
|
||||
env[5] = malloc(sizeof(SANDBOX_ACTION "=") + strlen(config[sandbox_action]) + 1);
|
||||
sprintf(env[5], SANDBOX_ACTION "=%s", config[sandbox_action]);
|
||||
|
||||
env[6] = NULL;
|
||||
env[6] = malloc(sizeof(SANDBOX_EXE_PATH "=") + strlen(config[program]) + 1);
|
||||
sprintf(env[6], SANDBOX_EXE_PATH "=%s", config[program]);
|
||||
|
||||
env[7] = NULL;
|
||||
}
|
||||
|
||||
/* build stdin */ {
|
||||
|
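Review bot: The new `env[6]` line repeats the unchecked `malloc` + unbounded `sprintf` pattern of the surrounding entries, so a failed allocation is written through a null pointer and the size computation is never enforced at the write; `sizeof(SANDBOX_EXE_PATH "=")` already counts the terminator, so the `+ 1` is also redundant. A bounded form with the same size on both calls is safer: `size_t len = sizeof(SANDBOX_EXE_PATH "=") + strlen(config[program]);`, `if (!(env[6] = malloc(len))) { LOG_ERR("out of memory"); exit(ERR_SECCOMP_ENV); }`, `snprintf(env[6], len, SANDBOX_EXE_PATH "=%s", config[program]);` (the existing entries would benefit from the same treatment; any error code from the project's err.h works here, ERR_SECCOMP_ENV is just one that is visible on this page). The value placed in SANDBOX_EXE_PATH is the raw `config[program]` string that is also used as the exec target in `args[]`, so it is whatever the user typed, relative or not; a comment stating that the child compares this value, e.g. `/* consumed by setup_self() in rules.c; must be the exact path the child will exec */`, would make the coupling explicit. launch_child() starts before the first hunk and continues past the second.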
@ -1,5 +1,6 @@
|
||||
#include "rules.h"
|
||||
#include "../err.h"
|
||||
#include "../sandbox.h"
|
||||
#include "../utils/log.h"
|
||||
|
||||
#include <stdlib.h>
|
||||
@ -9,10 +10,18 @@ LIST_HEAD(seccomp_rules);
|
||||
|
||||
void register_rule(struct rule *rule) { list_add(&rule->list, &seccomp_rules); }
|
||||
|
||||
void setup_self(scmp_filter_ctx ctx) {
|
||||
// allow to execute self
|
||||
char *self = getenv(SANDBOX_EXE_PATH);
|
||||
if (self) add_syscall_nr_arg(SCMP_SYS(execve), ctx, SCMP_ACT_ALLOW, 1, SCMP_A0(SCMP_CMP_EQ, (scmp_datum_t)self));
|
||||
}
|
||||
|
||||
void setup_rule(char *name, scmp_filter_ctx ctx) {
|
||||
struct list_head *current;
|
||||
struct rule *rule;
|
||||
|
||||
setup_self(ctx);
|
||||
|
||||
list_for_each(current, &seccomp_rules) {
|
||||
rule = list_entry(current, struct rule, list);
|
||||
if (strcmp(rule->name, name) == 0) {
|
||||
|
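Review bot: `SCMP_A0(SCMP_CMP_EQ, (scmp_datum_t)self)` in setup_self compares the raw first syscall argument with the address returned by getenv(), not with the path string: seccomp filters cannot dereference user pointers, so this rule allows any execve whose pathname pointer happens to be that exact address (memory the sandboxed process itself can write) and does not allow the program's own execve of the same path from any other buffer. In-kernel filtering cannot express "pathname equals X"; the choices are to keep execve unconditionally allowed or denied in the template and perform the self re-exec before the filter is installed, or to route execve through a user-space supervisor with SCMP_ACT_NOTIFY and compare the string there. At minimum the comment should state what is actually matched, e.g. `// NOTE: matches the argument pointer, not the path bytes; seccomp cannot read user memory`. setup_rule() continues past the end of the hunk.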
36
sandbox.c
36
sandbox.c
@ -3,7 +3,8 @@
|
||||
#include "rules/rules.h"
|
||||
#include "utils/log.h"
|
||||
|
||||
#include <stdbool.h>
|
||||
#include <errno.h>
|
||||
#include <stdarg.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
|
||||
@ -15,6 +16,19 @@ void add_syscall_nr(int syscall_nr, scmp_filter_ctx ctx, uint32_t action) {
|
||||
}
|
||||
}
|
||||
|
||||
void add_syscall_nr_arg(int syscall_nr, scmp_filter_ctx ctx, uint32_t action, unsigned arg_cnt, ...) {
|
||||
va_list(args);
|
||||
va_start(args, arg_cnt);
|
||||
|
||||
if (seccomp_rule_add(ctx, action, syscall_nr, arg_cnt, args)) {
|
||||
LOG_ERR("Failed to add syscall %d", syscall_nr);
|
||||
seccomp_release(ctx);
|
||||
exit(ERR_SECCOMP_RESOLVE);
|
||||
}
|
||||
|
||||
va_end(args);
|
||||
}
|
||||
|
||||
void add_syscall_name(const char *syscall_name, scmp_filter_ctx ctx, uint32_t action) {
|
||||
int syscall_nr = seccomp_syscall_resolve_name(syscall_name);
|
||||
if (syscall_nr == __NR_SCMP_ERROR) {
|
||||
@ -32,32 +46,32 @@ void setup_seccomp(void) {
|
||||
char *template = getenv(SANDBOX_TEMPLATE);
|
||||
char *action = getenv(SANDBOX_ACTION);
|
||||
|
||||
bool kill = true;
|
||||
bool disabled = false;
|
||||
|
||||
if (action && strncmp(action, "log", sizeof("log")) == 0) kill = false;
|
||||
uint32_t act = SCMP_ACT_KILL;
|
||||
bool disabled = false;
|
||||
|
||||
if (action && strncmp(action, "log", sizeof("log")) == 0) act = SCMP_ACT_LOG;
|
||||
if (action && strncmp(action, "kill", sizeof("kill")) == 0) act = SCMP_ACT_KILL;
|
||||
if (action && strncmp(action, "ret", sizeof("ret")) == 0) act = SCMP_ACT_ERRNO(EPERM);
|
||||
if (action && strncmp(action, "disabled", sizeof("disabled")) == 0) {
|
||||
LOG_INFO("Seccomp disabled");
|
||||
disabled = true;
|
||||
kill = false;
|
||||
return;
|
||||
}
|
||||
|
||||
if (kill && !template) {
|
||||
if (!template) {
|
||||
LOG_ERR("Environment variable %s required", SANDBOX_TEMPLATE);
|
||||
dump_rules();
|
||||
exit(ERR_SECCOMP_ENV);
|
||||
}
|
||||
|
||||
scmp_filter_ctx ctx = seccomp_init(kill ? SCMP_ACT_KILL_PROCESS : SCMP_ACT_LOG);
|
||||
scmp_filter_ctx ctx = seccomp_init(act);
|
||||
if (!ctx) {
|
||||
LOG_ERR("Failed to init seccomp context");
|
||||
exit(ERR_SECCOMP_INIT);
|
||||
}
|
||||
|
||||
if (!disabled && template) setup_rule(template, ctx);
|
||||
setup_rule(template, ctx);
|
||||
|
||||
if (!disabled && seccomp_load(ctx)) {
|
||||
if (seccomp_load(ctx)) {
|
||||
LOG_ERR("Failed to load seccomp context");
|
||||
seccomp_release(ctx);
|
||||
exit(ERR_SECCOMP_LOAD);
|
||||
|
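Review bot: add_syscall_nr_arg passes the `va_list` object itself to the variadic `seccomp_rule_add`, so libseccomp reads its `arg_cnt` `struct scmp_arg_cmp` values from the wrong place and the comparison the caller supplied never reaches the filter; the variadic forwarding has to be materialised into an array and handed to `seccomp_rule_add_array`. The parenthesised `va_list(args);` declaration is legal but unusual and worth writing plainly. A syscall has at most six arguments, so `arg_cnt` should be bounded before the array is filled rather than silently truncated. In the later hunk the default and explicit kill actions also change from `SCMP_ACT_KILL_PROCESS` to `SCMP_ACT_KILL`, which terminates only the offending thread; if multi-threaded programs are sandboxed, `SCMP_ACT_KILL_PROCESS` is the stronger choice and the change deserves a note in the commit message.
```c
void add_syscall_nr_arg(int syscall_nr, scmp_filter_ctx ctx, uint32_t action, unsigned arg_cnt, ...) {
    struct scmp_arg_cmp cmps[6]; /* a syscall carries at most six arguments */
    if (arg_cnt > 6) {
        LOG_ERR("Too many argument comparisons (%u) for syscall %d", arg_cnt, syscall_nr);
        seccomp_release(ctx);
        exit(ERR_SECCOMP_RESOLVE); /* reuse of an existing code; a dedicated one may be preferable */
    }

    va_list args;
    va_start(args, arg_cnt);
    for (unsigned i = 0; i < arg_cnt; i++) cmps[i] = va_arg(args, struct scmp_arg_cmp);
    va_end(args);

    if (seccomp_rule_add_array(ctx, action, syscall_nr, arg_cnt, cmps)) {
        /* … unchanged: LOG_ERR, seccomp_release, exit(ERR_SECCOMP_RESOLVE) … */
    }
}
```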
@ -7,9 +7,11 @@
|
||||
// Configuration Environment Variables
|
||||
#define SANDBOX_TEMPLATE "SANDBOX_TEMPLATE"
|
||||
#define SANDBOX_ACTION "SANDBOX_ACTION"
|
||||
#define SANDBOX_EXE_PATH "SANDBOX_EXE_PATH"
|
||||
|
||||
void setup_seccomp(void);
|
||||
void add_syscall_name(const char *syscall_name, scmp_filter_ctx ctx, uint32_t action);
|
||||
void add_syscall_nr(int syscall_nr, scmp_filter_ctx ctx, uint32_t action);
|
||||
void add_syscall_nr_arg(int syscall_nr, scmp_filter_ctx ctx, uint32_t action, unsigned arg_cnt, ...);
|
||||
void add_syscall_name(const char *syscall_name, scmp_filter_ctx ctx, uint32_t action);
|
||||
|
||||
#endif // WOJ_SANDBOX_SANDBOX_H
|
||||
|