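#include "sandbox.h"
#include "err.h"
#include "rules/rules.h"
#include "utils/log.h"
/* NOTE(review): the names of the system headers were missing from this
 * listing; the ones below are what the code in this file needs. */
#include <errno.h>
#include <seccomp.h>
#include <stdarg.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* A Linux syscall takes at most six arguments, so a rule can carry at most
 * six argument comparisons. */
enum { MAX_SYSCALL_ARGS = 6 };

/* Shared failure path for rule insertion: log, drop the context, exit.
 * A partially built filter is never loaded. */
static void rule_add_failed(int syscall_nr, scmp_filter_ctx ctx)
{
    LOG_ERR("Failed to add syscall %d", syscall_nr);
    seccomp_release(ctx);
    exit(ERR_SECCOMP_RESOLVE);
}

/**
 * Add an unconditional rule for one syscall number.
 *
 * Uses seccomp_rule_add_exact(), so libseccomp must add the rule exactly as
 * given. On failure the context is released and the process exits with
 * ERR_SECCOMP_RESOLVE.
 *
 * @param syscall_nr syscall number the rule applies to
 * @param ctx        filter context being built
 * @param action     SCMP_ACT_* action taken when the syscall matches
 */
void add_syscall_nr(int syscall_nr, scmp_filter_ctx ctx, uint32_t action)
{
    if (seccomp_rule_add_exact(ctx, action, syscall_nr, 0) != 0) {
        rule_add_failed(syscall_nr, ctx);
    }
}

/**
 * Add a rule for one syscall number, restricted by argument comparisons.
 *
 * The variadic arguments are expected to be `struct scmp_arg_cmp` values
 * (for example built with SCMP_A0 .. SCMP_A5), the same form
 * seccomp_rule_add() takes. They are copied into an array and handed to
 * seccomp_rule_add_array(): a va_list cannot be forwarded through the
 * variadic seccomp_rule_add(), which would read it as if it were the
 * comparison structs and build the rule from unrelated memory. For a
 * sandbox that means an argument filter that does not match what the
 * caller asked for.
 *
 * On failure, or when arg_cnt exceeds the six arguments a syscall can have,
 * the context is released and the process exits with ERR_SECCOMP_RESOLVE.
 *
 * @param syscall_nr syscall number the rule applies to
 * @param ctx        filter context being built
 * @param action     SCMP_ACT_* action taken when the rule matches
 * @param arg_cnt    number of `struct scmp_arg_cmp` values that follow
 */
void add_syscall_nr_arg(int syscall_nr, scmp_filter_ctx ctx, uint32_t action,
                        unsigned arg_cnt, ...)
{
    struct scmp_arg_cmp cmps[MAX_SYSCALL_ARGS];

    /* Reject counts that would overrun the local array. */
    if (arg_cnt > MAX_SYSCALL_ARGS) {
        rule_add_failed(syscall_nr, ctx);
    }

    va_list args;
    va_start(args, arg_cnt);
    for (unsigned i = 0; i < arg_cnt; i++) {
        cmps[i] = va_arg(args, struct scmp_arg_cmp);
    }
    va_end(args);

    if (seccomp_rule_add_array(ctx, action, syscall_nr, arg_cnt, cmps) != 0) {
        rule_add_failed(syscall_nr, ctx);
    }
}

/**
 * Add an unconditional rule for a syscall given by name.
 *
 * The name is resolved with seccomp_syscall_resolve_name(). An unknown name
 * is fatal: the context is released and the process exits with
 * ERR_SECCOMP_RESOLVE, so a typo in a rule cannot silently drop that rule.
 *
 * @param syscall_name syscall name to resolve
 * @param ctx          filter context being built
 * @param action       SCMP_ACT_* action taken when the syscall matches
 */
void add_syscall_name(const char *syscall_name, scmp_filter_ctx ctx,
                      uint32_t action)
{
    int syscall_nr = seccomp_syscall_resolve_name(syscall_name);

    if (syscall_nr == __NR_SCMP_ERROR) {
        LOG_ERR("Failed to resolve syscall %s", syscall_name);
        seccomp_release(ctx);
        exit(ERR_SECCOMP_RESOLVE);
    }
    add_syscall_nr(syscall_nr, ctx, action);
}

/**
 * Build and load the seccomp filter selected through the environment.
 *
 * SANDBOX_ACTION selects the action passed to seccomp_init(), i.e. the
 * default action of the filter:
 *   "log"      -> SCMP_ACT_LOG
 *   "kill"     -> SCMP_ACT_KILL (also used when the variable is unset or
 *                 holds any other value)
 *   "ret"      -> SCMP_ACT_ERRNO(EPERM)
 *   "disabled" -> no filter is installed and the function returns
 * SANDBOX_TEMPLATE names the rule template handed to setup_rule(); it is
 * required unless the action is "disabled".
 *
 * Every failure exits the process, so the caller never continues without
 * the filter unless "disabled" was requested.
 *
 * NOTE(review): both variables come from the process environment, so
 * whoever controls that environment decides whether the filter is
 * enforced, only logged, or skipped. The launcher should set them itself
 * rather than inherit them.
 *
 * NOTE(review): in current libseccomp SCMP_ACT_KILL is the thread-level
 * kill action; for multi-threaded targets SCMP_ACT_KILL_PROCESS may be the
 * intended behaviour. Confirm against the libseccomp version in use.
 */
void setup_seccomp(void)
{
    LOG_INFO("Setting seccomp rules...");

    char *template = getenv(SANDBOX_TEMPLATE);
    const char *action = getenv(SANDBOX_ACTION);
    uint32_t act = SCMP_ACT_KILL; /* fail closed by default */

    if (action) {
        if (strcmp(action, "disabled") == 0) {
            LOG_INFO("Seccomp disabled");
            return;
        }
        if (strcmp(action, "log") == 0) {
            act = SCMP_ACT_LOG;
        } else if (strcmp(action, "ret") == 0) {
            act = SCMP_ACT_ERRNO(EPERM);
        } else if (strcmp(action, "kill") != 0) {
            /* Keep the kill default, but make the misconfiguration
             * visible instead of ignoring it silently. */
            LOG_INFO("Unrecognized %s value, using kill", SANDBOX_ACTION);
        }
    }

    if (!template) {
        LOG_ERR("Environment variable %s required", SANDBOX_TEMPLATE);
        dump_rules();
        exit(ERR_SECCOMP_ENV);
    }

    scmp_filter_ctx ctx = seccomp_init(act);
    if (!ctx) {
        LOG_ERR("Failed to init seccomp context");
        exit(ERR_SECCOMP_INIT);
    }

    setup_rule(template, ctx);

    if (seccomp_load(ctx) != 0) {
        LOG_ERR("Failed to load seccomp context");
        seccomp_release(ctx);
        exit(ERR_SECCOMP_LOAD);
    }

    /* The loaded filter stays in the kernel; only the userspace context
     * is freed here. */
    seccomp_release(ctx);
    LOG_INFO("Preload Done");
}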