80 lines
2.6 KiB
C
80 lines
2.6 KiB
C
#include "rules.h"
|
|
#include "../err.h"
|
|
#include "../utils/log.h"
|
|
|
|
#include <fcntl.h>
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
|
|
LIST_HEAD(seccomp_rules);
|
|
|
|
void register_rule(struct rule *rule) { list_add(&rule->list, &seccomp_rules); }
|
|
|
|
void setup_common(scmp_filter_ctx ctx, const char *exe_path) {
|
|
// allow to execute self
|
|
add_syscall_nr_arg(SCMP_SYS(execve), ctx, SCMP_ACT_ALLOW, 1, &SCMP_A0(SCMP_CMP_EQ, (scmp_datum_t)exe_path));
|
|
|
|
// allow to read files - do not allow write, readwrite, append, create
|
|
add_syscall_nr_arg(SCMP_SYS(open), ctx, SCMP_ACT_ALLOW, 1,
|
|
&SCMP_A1(SCMP_CMP_MASKED_EQ, O_WRONLY | O_RDWR | O_APPEND | O_CREAT | O_EXCL, 0));
|
|
add_syscall_nr_arg(SCMP_SYS(openat), ctx, SCMP_ACT_ALLOW, 1,
|
|
&SCMP_A2(SCMP_CMP_MASKED_EQ, O_WRONLY | O_RDWR | O_APPEND | O_CREAT | O_EXCL, 0));
|
|
|
|
// prlimit64(302) - disallow new_limit
|
|
add_syscall_nr_arg(SCMP_SYS(prlimit64), ctx, SCMP_ACT_ALLOW, 1, &SCMP_A2(SCMP_CMP_NE, 0));
|
|
|
|
// some commonly used syscall(s)
|
|
int white[] = {
|
|
SCMP_SYS(read), // 0
|
|
SCMP_SYS(write), // 1
|
|
SCMP_SYS(close), // 3
|
|
SCMP_SYS(fstat), // 5
|
|
SCMP_SYS(lseek), // 8
|
|
SCMP_SYS(mmap), // 9
|
|
SCMP_SYS(mprotect), // 10
|
|
SCMP_SYS(munmap), // 11
|
|
SCMP_SYS(brk), // 12
|
|
SCMP_SYS(pread64), // 17
|
|
SCMP_SYS(writev), // 20
|
|
SCMP_SYS(access), // 21
|
|
SCMP_SYS(nanosleep), // 35
|
|
SCMP_SYS(getpid), // 39
|
|
SCMP_SYS(clock_gettime), // 228
|
|
SCMP_SYS(clock_getres), // 229
|
|
SCMP_SYS(clock_nanosleep), // 230
|
|
SCMP_SYS(newfstatat), // 262
|
|
SCMP_SYS(getrandom), // 318
|
|
|
|
};
|
|
ADD_RULE_LIST(white, SCMP_ACT_ALLOW);
|
|
}
|
|
|
|
void setup_rule(const char *name, scmp_filter_ctx ctx, const char *exe_path) {
|
|
struct list_head *current;
|
|
struct rule *rule;
|
|
|
|
setup_common(ctx, exe_path);
|
|
|
|
list_for_each(current, &seccomp_rules) {
|
|
rule = list_entry(current, struct rule, list);
|
|
if (strcmp(rule->name, name) == 0) {
|
|
rule->setup(ctx);
|
|
return;
|
|
}
|
|
}
|
|
|
|
LOG_ERR("No rule found for %s", name);
|
|
dump_rules();
|
|
exit(ERR_NO_RULE_FOUND);
|
|
}
|
|
|
|
void dump_rules(void) {
|
|
struct list_head *current;
|
|
struct rule *rule;
|
|
LOG_INFO("Available Rules:");
|
|
list_for_each(current, &seccomp_rules) {
|
|
rule = list_entry(current, struct rule, list);
|
|
LOG_INFO("> %s", rule->name);
|
|
}
|
|
}
|