Mercurial > hg > dhcpcd
annotate src/privsep-linux.c @ 5555:0fff9309b86d draft
Linux: Fix privsep build by including sys/termios.h for all platforms
| author | Mikhail Efremov <sem@altlinux.org> |
|---|---|
| date | Tue, 08 Dec 2020 16:15:28 +0000 |
| parents | 5b709860f86c |
| children | ecfe552000c0 |
| rev | line source |
|---|---|
|
4840
073fcd86db9b
privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff
changeset
|
1 /* SPDX-License-Identifier: BSD-2-Clause */ |
|
073fcd86db9b
privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff
changeset
|
2 /* |
|
5060
4539ffcdd656
spelling: Correct both privilege and separation
Roy Marples <roy@marples.name>
parents:
4957
diff
changeset
|
3 * Privilege Separation for dhcpcd, Linux driver |
| 4922 | 4 * Copyright (c) 2006-2020 Roy Marples <roy@marples.name> |
|
4840
073fcd86db9b
privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff
changeset
|
5 * All rights reserved |
|
073fcd86db9b
privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff
changeset
|
6 |
|
073fcd86db9b
privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff
changeset
|
7 * Redistribution and use in source and binary forms, with or without |
|
073fcd86db9b
privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff
changeset
|
8 * modification, are permitted provided that the following conditions |
|
073fcd86db9b
privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff
changeset
|
9 * are met: |
|
073fcd86db9b
privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff
changeset
|
10 * 1. Redistributions of source code must retain the above copyright |
|
073fcd86db9b
privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff
changeset
|
11 * notice, this list of conditions and the following disclaimer. |
|
073fcd86db9b
privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff
changeset
|
12 * 2. Redistributions in binary form must reproduce the above copyright |
|
073fcd86db9b
privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff
changeset
|
13 * notice, this list of conditions and the following disclaimer in the |
|
073fcd86db9b
privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff
changeset
|
14 * documentation and/or other materials provided with the distribution. |
|
073fcd86db9b
privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff
changeset
|
15 * |
|
073fcd86db9b
privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff
changeset
|
16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND |
|
073fcd86db9b
privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff
changeset
|
17 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
|
073fcd86db9b
privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff
changeset
|
18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
|
073fcd86db9b
privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff
changeset
|
19 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE |
|
073fcd86db9b
privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff
changeset
|
20 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
|
073fcd86db9b
privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff
changeset
|
21 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
|
073fcd86db9b
privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff
changeset
|
22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
|
073fcd86db9b
privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff
changeset
|
23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
|
073fcd86db9b
privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff
changeset
|
24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
|
073fcd86db9b
privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff
changeset
|
25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
|
073fcd86db9b
privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff
changeset
|
26 * SUCH DAMAGE. |
|
073fcd86db9b
privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff
changeset
|
27 */ |
|
073fcd86db9b
privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff
changeset
|
28 |
|
073fcd86db9b
privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff
changeset
|
29 #include <sys/ioctl.h> |
|
5461
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
30 #include <sys/prctl.h> |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
31 #include <sys/syscall.h> |
|
5555
0fff9309b86d
Linux: Fix privsep build by including sys/termios.h for all platforms
Mikhail Efremov <sem@altlinux.org>
parents:
5542
diff
changeset
|
32 #include <sys/termios.h> /* For TCGETS */ |
|
5461
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
33 |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
34 #include <linux/audit.h> |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
35 #include <linux/filter.h> |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
36 #include <linux/seccomp.h> |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
37 #include <linux/sockios.h> |
|
4840
073fcd86db9b
privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff
changeset
|
38 |
|
073fcd86db9b
privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff
changeset
|
39 #include <errno.h> |
|
4945
9b5c1ee2fe77
Linux: Improve privsep code a little
Roy Marples <roy@marples.name>
parents:
4943
diff
changeset
|
40 #include <fcntl.h> |
|
5461
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
41 #include <stddef.h> |
|
4840
073fcd86db9b
privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff
changeset
|
42 #include <stdio.h> |
|
5519
a5c61a48ae3c
privsep: Allow more syscalls through SECCOMP and add a debugger
Roy Marples <roy@marples.name>
parents:
5512
diff
changeset
|
43 #include <stdlib.h> |
|
4840
073fcd86db9b
privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff
changeset
|
44 #include <string.h> |
|
073fcd86db9b
privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff
changeset
|
45 #include <unistd.h> |
|
073fcd86db9b
privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff
changeset
|
46 |
|
5461
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
47 #include "common.h" |
|
4840
073fcd86db9b
privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff
changeset
|
48 #include "if.h" |
|
073fcd86db9b
privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff
changeset
|
49 #include "logerr.h" |
|
073fcd86db9b
privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff
changeset
|
50 #include "privsep.h" |
|
073fcd86db9b
privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff
changeset
|
51 |
|
5519
a5c61a48ae3c
privsep: Allow more syscalls through SECCOMP and add a debugger
Roy Marples <roy@marples.name>
parents:
5512
diff
changeset
|
52 /* |
|
a5c61a48ae3c
privsep: Allow more syscalls through SECCOMP and add a debugger
Roy Marples <roy@marples.name>
parents:
5512
diff
changeset
|
53 * Set this to debug SECCOMP. |
|
a5c61a48ae3c
privsep: Allow more syscalls through SECCOMP and add a debugger
Roy Marples <roy@marples.name>
parents:
5512
diff
changeset
|
54 * Then run dhcpcd with strace -f and strace will even translate |
|
a5c61a48ae3c
privsep: Allow more syscalls through SECCOMP and add a debugger
Roy Marples <roy@marples.name>
parents:
5512
diff
changeset
|
55 * the failing syscall into the __NR_name define we need to use below. |
|
a5c61a48ae3c
privsep: Allow more syscalls through SECCOMP and add a debugger
Roy Marples <roy@marples.name>
parents:
5512
diff
changeset
|
56 * DO NOT ENABLE THIS FOR PRODUCTION BUILDS! |
|
a5c61a48ae3c
privsep: Allow more syscalls through SECCOMP and add a debugger
Roy Marples <roy@marples.name>
parents:
5512
diff
changeset
|
57 */ |
|
a5c61a48ae3c
privsep: Allow more syscalls through SECCOMP and add a debugger
Roy Marples <roy@marples.name>
parents:
5512
diff
changeset
|
58 //#define SECCOMP_FILTER_DEBUG |
|
a5c61a48ae3c
privsep: Allow more syscalls through SECCOMP and add a debugger
Roy Marples <roy@marples.name>
parents:
5512
diff
changeset
|
59 |
|
4840
073fcd86db9b
privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff
changeset
|
60 static ssize_t |
|
073fcd86db9b
privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff
changeset
|
61 ps_root_dosendnetlink(int protocol, struct msghdr *msg) |
|
073fcd86db9b
privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff
changeset
|
62 { |
|
073fcd86db9b
privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff
changeset
|
63 struct sockaddr_nl snl = { .nl_family = AF_NETLINK }; |
|
073fcd86db9b
privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff
changeset
|
64 int s; |
|
073fcd86db9b
privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff
changeset
|
65 unsigned char buf[16 * 1024]; |
|
073fcd86db9b
privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff
changeset
|
66 struct iovec riov = { |
|
073fcd86db9b
privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff
changeset
|
67 .iov_base = buf, |
|
073fcd86db9b
privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff
changeset
|
68 .iov_len = sizeof(buf), |
|
073fcd86db9b
privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff
changeset
|
69 }; |
|
4957
2c96d2b00ed7
Linux: close the netlink privsep socket once done.
Roy Marples <roy@marples.name>
parents:
4947
diff
changeset
|
70 ssize_t retval; |
|
4840
073fcd86db9b
privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff
changeset
|
71 |
|
5282
8afafcabcfa5
privsep: Drain the link socket as we can't re-open it.
Roy Marples <roy@marples.name>
parents:
5258
diff
changeset
|
72 if ((s = if_linksocket(&snl, protocol, 0)) == -1) |
|
4840
073fcd86db9b
privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff
changeset
|
73 return -1; |
|
073fcd86db9b
privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff
changeset
|
74 |
|
4957
2c96d2b00ed7
Linux: close the netlink privsep socket once done.
Roy Marples <roy@marples.name>
parents:
4947
diff
changeset
|
75 if (sendmsg(s, msg, 0) == -1) { |
|
2c96d2b00ed7
Linux: close the netlink privsep socket once done.
Roy Marples <roy@marples.name>
parents:
4947
diff
changeset
|
76 retval = -1; |
|
2c96d2b00ed7
Linux: close the netlink privsep socket once done.
Roy Marples <roy@marples.name>
parents:
4947
diff
changeset
|
77 goto out; |
|
2c96d2b00ed7
Linux: close the netlink privsep socket once done.
Roy Marples <roy@marples.name>
parents:
4947
diff
changeset
|
78 } |
|
4840
073fcd86db9b
privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff
changeset
|
79 |
|
4957
2c96d2b00ed7
Linux: close the netlink privsep socket once done.
Roy Marples <roy@marples.name>
parents:
4947
diff
changeset
|
80 retval = if_getnetlink(NULL, &riov, s, 0, NULL, NULL); |
|
2c96d2b00ed7
Linux: close the netlink privsep socket once done.
Roy Marples <roy@marples.name>
parents:
4947
diff
changeset
|
81 out: |
|
2c96d2b00ed7
Linux: close the netlink privsep socket once done.
Roy Marples <roy@marples.name>
parents:
4947
diff
changeset
|
82 close(s); |
|
2c96d2b00ed7
Linux: close the netlink privsep socket once done.
Roy Marples <roy@marples.name>
parents:
4947
diff
changeset
|
83 return retval; |
|
4840
073fcd86db9b
privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff
changeset
|
84 } |
|
073fcd86db9b
privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff
changeset
|
85 |
|
073fcd86db9b
privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff
changeset
|
86 ssize_t |
|
5302
ef799c0ff5cb
privsep: Fix returning indirect ioctl data
Roy Marples <roy@marples.name>
parents:
5282
diff
changeset
|
87 ps_root_os(struct ps_msghdr *psm, struct msghdr *msg, |
|
5303
873d4c26c32a
Fix warning for prior on Linux
Roy Marples <roy@marples.name>
parents:
5302
diff
changeset
|
88 __unused void **rdata, __unused size_t *rlen) |
|
4840
073fcd86db9b
privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff
changeset
|
89 { |
|
073fcd86db9b
privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff
changeset
|
90 |
|
073fcd86db9b
privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff
changeset
|
91 switch (psm->ps_cmd) { |
|
073fcd86db9b
privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff
changeset
|
92 case PS_ROUTE: |
|
073fcd86db9b
privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff
changeset
|
93 return ps_root_dosendnetlink((int)psm->ps_flags, msg); |
|
073fcd86db9b
privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff
changeset
|
94 default: |
|
073fcd86db9b
privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff
changeset
|
95 errno = ENOTSUP; |
|
073fcd86db9b
privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff
changeset
|
96 return -1; |
|
073fcd86db9b
privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff
changeset
|
97 } |
|
073fcd86db9b
privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff
changeset
|
98 } |
|
073fcd86db9b
privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff
changeset
|
99 |
|
073fcd86db9b
privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff
changeset
|
100 ssize_t |
|
073fcd86db9b
privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff
changeset
|
101 ps_root_sendnetlink(struct dhcpcd_ctx *ctx, int protocol, struct msghdr *msg) |
|
073fcd86db9b
privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff
changeset
|
102 { |
|
073fcd86db9b
privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff
changeset
|
103 |
|
073fcd86db9b
privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff
changeset
|
104 if (ps_sendmsg(ctx, ctx->ps_root_fd, PS_ROUTE, |
|
073fcd86db9b
privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff
changeset
|
105 (unsigned long)protocol, msg) == -1) |
|
073fcd86db9b
privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff
changeset
|
106 return -1; |
|
5202
318cd9e48312
privsep: Copy back ioctl data
Roy Marples <roy@marples.name>
parents:
5060
diff
changeset
|
107 return ps_root_readerror(ctx, NULL, 0); |
|
4840
073fcd86db9b
privsep: Add support for priviledge separation
Roy Marples <roy@marples.name>
parents:
diff
changeset
|
108 } |
|
5461
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
109 |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
110 #if (BYTE_ORDER == LITTLE_ENDIAN) |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
111 # define SECCOMP_ARG_LO 0 |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
112 # define SECCOMP_ARG_HI sizeof(uint32_t) |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
113 #elif (BYTE_ORDER == BIG_ENDIAN) |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
114 # define SECCOMP_ARG_LO sizeof(uint32_t) |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
115 # define SECCOMP_ARG_HI 0 |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
116 #else |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
117 # error "Uknown endian" |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
118 #endif |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
119 |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
120 #define SECCOMP_ALLOW(_nr) \ |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
121 BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, (_nr), 0, 1), \ |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
122 BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_ALLOW) |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
123 |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
124 #define SECCOMP_ALLOW_ARG(_nr, _arg, _val) \ |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
125 BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, (_nr), 0, 6), \ |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
126 BPF_STMT(BPF_LD + BPF_W + BPF_ABS, \ |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
127 offsetof(struct seccomp_data, args[(_arg)]) + SECCOMP_ARG_LO), \ |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
128 BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, \ |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
129 ((_val) & 0xffffffff), 0, 3), \ |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
130 BPF_STMT(BPF_LD + BPF_W + BPF_ABS, \ |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
131 offsetof(struct seccomp_data, args[(_arg)]) + SECCOMP_ARG_HI), \ |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
132 BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, \ |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
133 (((uint32_t)((uint64_t)(_val) >> 32)) & 0xffffffff), 0, 1), \ |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
134 BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_ALLOW), \ |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
135 BPF_STMT(BPF_LD + BPF_W + BPF_ABS, \ |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
136 offsetof(struct seccomp_data, nr)) |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
137 |
|
5519
a5c61a48ae3c
privsep: Allow more syscalls through SECCOMP and add a debugger
Roy Marples <roy@marples.name>
parents:
5512
diff
changeset
|
138 #ifdef SECCOMP_FILTER_DEBUG |
|
a5c61a48ae3c
privsep: Allow more syscalls through SECCOMP and add a debugger
Roy Marples <roy@marples.name>
parents:
5512
diff
changeset
|
139 #define SECCOMP_FILTER_FAIL SECCOMP_RET_TRAP |
|
a5c61a48ae3c
privsep: Allow more syscalls through SECCOMP and add a debugger
Roy Marples <roy@marples.name>
parents:
5512
diff
changeset
|
140 #else |
|
5461
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
141 #define SECCOMP_FILTER_FAIL SECCOMP_RET_KILL |
|
5519
a5c61a48ae3c
privsep: Allow more syscalls through SECCOMP and add a debugger
Roy Marples <roy@marples.name>
parents:
5512
diff
changeset
|
142 #endif |
|
5461
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
143 |
|
5469
f9a05c95d611
privsep: Add more platforms for seccomp
Roy Marples <roy@marples.name>
parents:
5468
diff
changeset
|
144 /* I personally find this quite nutty. |
|
f9a05c95d611
privsep: Add more platforms for seccomp
Roy Marples <roy@marples.name>
parents:
5468
diff
changeset
|
145 * Why can a system header not define a default for this? */ |
|
5461
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
146 #if defined(__i386__) |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
147 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_I386 |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
148 #elif defined(__x86_64__) |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
149 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_X86_64 |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
150 #elif defined(__arm__) |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
151 # ifndef EM_ARM |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
152 # define EM_ARM 40 |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
153 # endif |
|
5469
f9a05c95d611
privsep: Add more platforms for seccomp
Roy Marples <roy@marples.name>
parents:
5468
diff
changeset
|
154 # if (BYTE_ORDER == LITTLE_ENDIAN) |
|
f9a05c95d611
privsep: Add more platforms for seccomp
Roy Marples <roy@marples.name>
parents:
5468
diff
changeset
|
155 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARM |
|
f9a05c95d611
privsep: Add more platforms for seccomp
Roy Marples <roy@marples.name>
parents:
5468
diff
changeset
|
156 # else |
|
f9a05c95d611
privsep: Add more platforms for seccomp
Roy Marples <roy@marples.name>
parents:
5468
diff
changeset
|
157 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARMEB |
|
f9a05c95d611
privsep: Add more platforms for seccomp
Roy Marples <roy@marples.name>
parents:
5468
diff
changeset
|
158 # endif |
|
5461
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
159 #elif defined(__aarch64__) |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
160 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_AARCH64 |
|
5469
f9a05c95d611
privsep: Add more platforms for seccomp
Roy Marples <roy@marples.name>
parents:
5468
diff
changeset
|
161 #elif defined(__alpha__) |
|
f9a05c95d611
privsep: Add more platforms for seccomp
Roy Marples <roy@marples.name>
parents:
5468
diff
changeset
|
162 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ALPHA |
|
f9a05c95d611
privsep: Add more platforms for seccomp
Roy Marples <roy@marples.name>
parents:
5468
diff
changeset
|
163 #elif defined(__hppa__) |
|
f9a05c95d611
privsep: Add more platforms for seccomp
Roy Marples <roy@marples.name>
parents:
5468
diff
changeset
|
164 # if defined(__LP64__) |
|
f9a05c95d611
privsep: Add more platforms for seccomp
Roy Marples <roy@marples.name>
parents:
5468
diff
changeset
|
165 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PARISC64 |
|
f9a05c95d611
privsep: Add more platforms for seccomp
Roy Marples <roy@marples.name>
parents:
5468
diff
changeset
|
166 # else |
|
f9a05c95d611
privsep: Add more platforms for seccomp
Roy Marples <roy@marples.name>
parents:
5468
diff
changeset
|
167 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PARISC |
|
f9a05c95d611
privsep: Add more platforms for seccomp
Roy Marples <roy@marples.name>
parents:
5468
diff
changeset
|
168 # endif |
|
f9a05c95d611
privsep: Add more platforms for seccomp
Roy Marples <roy@marples.name>
parents:
5468
diff
changeset
|
169 #elif defined(__ia64__) |
|
f9a05c95d611
privsep: Add more platforms for seccomp
Roy Marples <roy@marples.name>
parents:
5468
diff
changeset
|
170 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_IA64 |
|
5461
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
171 #elif defined(__mips__) |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
172 # if defined(__MIPSEL__) |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
173 # if defined(__LP64__) |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
174 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPSEL64 |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
175 # else |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
176 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPSEL |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
177 # endif |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
178 # elif defined(__LP64__) |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
179 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPS64 |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
180 # else |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
181 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPS |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
182 # endif |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
183 #elif defined(__powerpc64__) |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
184 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PPC64 |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
185 #elif defined(__powerpc__) |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
186 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PPC |
|
5469
f9a05c95d611
privsep: Add more platforms for seccomp
Roy Marples <roy@marples.name>
parents:
5468
diff
changeset
|
187 #elif defined(__riscv) |
|
f9a05c95d611
privsep: Add more platforms for seccomp
Roy Marples <roy@marples.name>
parents:
5468
diff
changeset
|
188 # if defined(__LP64__) |
|
f9a05c95d611
privsep: Add more platforms for seccomp
Roy Marples <roy@marples.name>
parents:
5468
diff
changeset
|
189 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_RISCV64 |
|
f9a05c95d611
privsep: Add more platforms for seccomp
Roy Marples <roy@marples.name>
parents:
5468
diff
changeset
|
190 # else |
|
f9a05c95d611
privsep: Add more platforms for seccomp
Roy Marples <roy@marples.name>
parents:
5468
diff
changeset
|
191 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_RISCV32 |
|
f9a05c95d611
privsep: Add more platforms for seccomp
Roy Marples <roy@marples.name>
parents:
5468
diff
changeset
|
192 # endif |
|
5461
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
193 #elif defined(__s390x__) |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
194 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_S390X |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
195 #elif defined(__s390__) |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
196 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_S390 |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
197 #elif defined(__sparc__) |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
198 # if defined(__arch64__) |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
199 # define AUDIT_ARCH_SPARC64 |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
200 # else |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
201 # define AUDIT_ARCH_SPARC |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
202 # endif |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
203 #else |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
204 # error "Platform does not support seccomp filter yet" |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
205 #endif |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
206 |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
207 static struct sock_filter ps_seccomp_filter[] = { |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
208 /* Check syscall arch */ |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
209 BPF_STMT(BPF_LD + BPF_W + BPF_ABS, |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
210 offsetof(struct seccomp_data, arch)), |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
211 BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, SECCOMP_AUDIT_ARCH, 1, 0), |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
212 BPF_STMT(BPF_RET + BPF_K, SECCOMP_FILTER_FAIL), |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
213 /* Allow syscalls */ |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
214 BPF_STMT(BPF_LD + BPF_W + BPF_ABS, |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
215 offsetof(struct seccomp_data, nr)), |
|
5468
a2d2d095088f
privsep: Allow more syscalls for seccomp
Roy Marples <roy@marples.name>
parents:
5464
diff
changeset
|
216 #ifdef __NR_accept |
|
a2d2d095088f
privsep: Allow more syscalls for seccomp
Roy Marples <roy@marples.name>
parents:
5464
diff
changeset
|
217 SECCOMP_ALLOW(__NR_accept), |
|
a2d2d095088f
privsep: Allow more syscalls for seccomp
Roy Marples <roy@marples.name>
parents:
5464
diff
changeset
|
218 #endif |
|
5461
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
219 #ifdef __NR_brk |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
220 SECCOMP_ALLOW(__NR_brk), |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
221 #endif |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
222 #ifdef __NR_clock_gettime |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
223 SECCOMP_ALLOW(__NR_clock_gettime), |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
224 #endif |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
225 #if defined(__x86_64__) && defined(__ILP32__) && defined(__X32_SYSCALL_BIT) |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
226 SECCOMP_ALLOW(__NR_clock_gettime & ~__X32_SYSCALL_BIT), |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
227 #endif |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
228 #ifdef __NR_clock_gettime64 |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
229 SECCOMP_ALLOW(__NR_clock_gettime64), |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
230 #endif |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
231 #ifdef __NR_close |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
232 SECCOMP_ALLOW(__NR_close), |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
233 #endif |
|
5470
d7a5671d08c5
privsep: Don't remove pidfile at exit
Roy Marples <roy@marples.name>
parents:
5469
diff
changeset
|
234 #ifdef __NR_exit_group |
|
d7a5671d08c5
privsep: Don't remove pidfile at exit
Roy Marples <roy@marples.name>
parents:
5469
diff
changeset
|
235 SECCOMP_ALLOW(__NR_exit_group), |
|
d7a5671d08c5
privsep: Don't remove pidfile at exit
Roy Marples <roy@marples.name>
parents:
5469
diff
changeset
|
236 #endif |
|
5468
a2d2d095088f
privsep: Allow more syscalls for seccomp
Roy Marples <roy@marples.name>
parents:
5464
diff
changeset
|
237 #ifdef __NR_fcntl |
|
a2d2d095088f
privsep: Allow more syscalls for seccomp
Roy Marples <roy@marples.name>
parents:
5464
diff
changeset
|
238 SECCOMP_ALLOW(__NR_fcntl), |
|
a2d2d095088f
privsep: Allow more syscalls for seccomp
Roy Marples <roy@marples.name>
parents:
5464
diff
changeset
|
239 #endif |
|
5540
a6ee95eb8e60
privsep: Allow fcntl64 and fstat64 to fix ARM32 talking to the controller
Matthew Clarkson <mclarkson@reliablecontrols.com>
parents:
5519
diff
changeset
|
240 #ifdef __NR_fcntl64 |
|
a6ee95eb8e60
privsep: Allow fcntl64 and fstat64 to fix ARM32 talking to the controller
Matthew Clarkson <mclarkson@reliablecontrols.com>
parents:
5519
diff
changeset
|
241 SECCOMP_ALLOW(__NR_fcntl64), |
|
a6ee95eb8e60
privsep: Allow fcntl64 and fstat64 to fix ARM32 talking to the controller
Matthew Clarkson <mclarkson@reliablecontrols.com>
parents:
5519
diff
changeset
|
242 #endif |
|
5468
a2d2d095088f
privsep: Allow more syscalls for seccomp
Roy Marples <roy@marples.name>
parents:
5464
diff
changeset
|
243 #ifdef __NR_fstat |
|
a2d2d095088f
privsep: Allow more syscalls for seccomp
Roy Marples <roy@marples.name>
parents:
5464
diff
changeset
|
244 SECCOMP_ALLOW(__NR_fstat), |
|
a2d2d095088f
privsep: Allow more syscalls for seccomp
Roy Marples <roy@marples.name>
parents:
5464
diff
changeset
|
245 #endif |
|
5540
a6ee95eb8e60
privsep: Allow fcntl64 and fstat64 to fix ARM32 talking to the controller
Matthew Clarkson <mclarkson@reliablecontrols.com>
parents:
5519
diff
changeset
|
246 #ifdef __NR_fstat64 |
|
a6ee95eb8e60
privsep: Allow fcntl64 and fstat64 to fix ARM32 talking to the controller
Matthew Clarkson <mclarkson@reliablecontrols.com>
parents:
5519
diff
changeset
|
247 SECCOMP_ALLOW(__NR_fstat64), |
|
a6ee95eb8e60
privsep: Allow fcntl64 and fstat64 to fix ARM32 talking to the controller
Matthew Clarkson <mclarkson@reliablecontrols.com>
parents:
5519
diff
changeset
|
248 #endif |
|
5512
adb3ad34082f
privsep: allow gettimeofday for SECCOMP
Roy Marples <roy@marples.name>
parents:
5471
diff
changeset
|
249 #ifdef __NR_gettimeofday |
|
adb3ad34082f
privsep: allow gettimeofday for SECCOMP
Roy Marples <roy@marples.name>
parents:
5471
diff
changeset
|
250 SECCOMP_ALLOW(__NR_gettimeofday), |
|
adb3ad34082f
privsep: allow gettimeofday for SECCOMP
Roy Marples <roy@marples.name>
parents:
5471
diff
changeset
|
251 #endif |
|
5461
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
252 #ifdef __NR_getpid |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
253 SECCOMP_ALLOW(__NR_getpid), |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
254 #endif |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
255 #ifdef __NR_ioctl |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
256 SECCOMP_ALLOW_ARG(__NR_ioctl, 1, SIOCGIFFLAGS), |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
257 SECCOMP_ALLOW_ARG(__NR_ioctl, 1, SIOCGIFHWADDR), |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
258 SECCOMP_ALLOW_ARG(__NR_ioctl, 1, SIOCGIFINDEX), |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
259 SECCOMP_ALLOW_ARG(__NR_ioctl, 1, SIOCGIFMTU), |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
260 SECCOMP_ALLOW_ARG(__NR_ioctl, 1, SIOCGIFVLAN), |
|
5542
5b709860f86c
privsep: adjust comment for prior
Matthew Clarkson <mclarkson@reliablecontrols.com>
parents:
5541
diff
changeset
|
261 /* printf over serial terminal requires this */ |
|
5541
f233c9381c56
privsep: Allow ioctl TCGETS
Matthew Clarkson <mclarkson@reliablecontrols.com>
parents:
5540
diff
changeset
|
262 SECCOMP_ALLOW_ARG(__NR_ioctl, 1, TCGETS), |
|
5461
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
263 /* SECCOMP BPF is newer than nl80211 so we don't need SIOCGIWESSID |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
264 * which lives in the impossible to include linux/wireless.h header */ |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
265 #endif |
|
5471
5de03fd31eb1
privsep: Allow __NR_mmap for seccomp
Roy Marples <roy@marples.name>
parents:
5470
diff
changeset
|
266 #ifdef __NR_mmap |
|
5de03fd31eb1
privsep: Allow __NR_mmap for seccomp
Roy Marples <roy@marples.name>
parents:
5470
diff
changeset
|
267 SECCOMP_ALLOW(__NR_mmap), |
|
5de03fd31eb1
privsep: Allow __NR_mmap for seccomp
Roy Marples <roy@marples.name>
parents:
5470
diff
changeset
|
268 #endif |
|
5470
d7a5671d08c5
privsep: Don't remove pidfile at exit
Roy Marples <roy@marples.name>
parents:
5469
diff
changeset
|
269 #ifdef __NR_munmap |
|
d7a5671d08c5
privsep: Don't remove pidfile at exit
Roy Marples <roy@marples.name>
parents:
5469
diff
changeset
|
270 SECCOMP_ALLOW(__NR_munmap), |
|
d7a5671d08c5
privsep: Don't remove pidfile at exit
Roy Marples <roy@marples.name>
parents:
5469
diff
changeset
|
271 #endif |
|
5519
a5c61a48ae3c
privsep: Allow more syscalls through SECCOMP and add a debugger
Roy Marples <roy@marples.name>
parents:
5512
diff
changeset
|
272 #ifdef __NR_nanosleep |
|
a5c61a48ae3c
privsep: Allow more syscalls through SECCOMP and add a debugger
Roy Marples <roy@marples.name>
parents:
5512
diff
changeset
|
273 SECCOMP_ALLOW(__NR_nanosleep), /* XXX should use ppoll instead */ |
|
a5c61a48ae3c
privsep: Allow more syscalls through SECCOMP and add a debugger
Roy Marples <roy@marples.name>
parents:
5512
diff
changeset
|
274 #endif |
|
5461
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
275 #ifdef __NR_ppoll |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
276 SECCOMP_ALLOW(__NR_ppoll), |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
277 #endif |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
278 #ifdef __NR_ppoll_time64 |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
279 SECCOMP_ALLOW(__NR_ppoll_time64), |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
280 #endif |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
281 #ifdef __NR_read |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
282 SECCOMP_ALLOW(__NR_read), |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
283 #endif |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
284 #ifdef __NR_readv |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
285 SECCOMP_ALLOW(__NR_readv), |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
286 #endif |
|
5519
a5c61a48ae3c
privsep: Allow more syscalls through SECCOMP and add a debugger
Roy Marples <roy@marples.name>
parents:
5512
diff
changeset
|
287 #ifdef __NR_recv |
|
a5c61a48ae3c
privsep: Allow more syscalls through SECCOMP and add a debugger
Roy Marples <roy@marples.name>
parents:
5512
diff
changeset
|
288 SECCOMP_ALLOW(__NR_recv), |
|
a5c61a48ae3c
privsep: Allow more syscalls through SECCOMP and add a debugger
Roy Marples <roy@marples.name>
parents:
5512
diff
changeset
|
289 #endif |
|
5461
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
290 #ifdef __NR_recvfrom |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
291 SECCOMP_ALLOW(__NR_recvfrom), |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
292 #endif |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
293 #ifdef __NR_recvmsg |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
294 SECCOMP_ALLOW(__NR_recvmsg), |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
295 #endif |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
296 #ifdef __NR_rt_sigreturn |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
297 SECCOMP_ALLOW(__NR_rt_sigreturn), |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
298 #endif |
|
5519
a5c61a48ae3c
privsep: Allow more syscalls through SECCOMP and add a debugger
Roy Marples <roy@marples.name>
parents:
5512
diff
changeset
|
299 #ifdef __NR_send |
|
a5c61a48ae3c
privsep: Allow more syscalls through SECCOMP and add a debugger
Roy Marples <roy@marples.name>
parents:
5512
diff
changeset
|
300 SECCOMP_ALLOW(__NR_send), |
|
a5c61a48ae3c
privsep: Allow more syscalls through SECCOMP and add a debugger
Roy Marples <roy@marples.name>
parents:
5512
diff
changeset
|
301 #endif |
|
5461
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
302 #ifdef __NR_sendmsg |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
303 SECCOMP_ALLOW(__NR_sendmsg), |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
304 #endif |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
305 #ifdef __NR_sendto |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
306 SECCOMP_ALLOW(__NR_sendto), |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
307 #endif |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
308 #ifdef __NR_shutdown |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
309 SECCOMP_ALLOW(__NR_shutdown), |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
310 #endif |
|
5519
a5c61a48ae3c
privsep: Allow more syscalls through SECCOMP and add a debugger
Roy Marples <roy@marples.name>
parents:
5512
diff
changeset
|
311 #ifdef __NR_time |
|
a5c61a48ae3c
privsep: Allow more syscalls through SECCOMP and add a debugger
Roy Marples <roy@marples.name>
parents:
5512
diff
changeset
|
312 SECCOMP_ALLOW(__NR_time), |
|
a5c61a48ae3c
privsep: Allow more syscalls through SECCOMP and add a debugger
Roy Marples <roy@marples.name>
parents:
5512
diff
changeset
|
313 #endif |
|
5468
a2d2d095088f
privsep: Allow more syscalls for seccomp
Roy Marples <roy@marples.name>
parents:
5464
diff
changeset
|
314 #ifdef __NR_wait4 |
|
a2d2d095088f
privsep: Allow more syscalls for seccomp
Roy Marples <roy@marples.name>
parents:
5464
diff
changeset
|
315 SECCOMP_ALLOW(__NR_wait4), |
|
a2d2d095088f
privsep: Allow more syscalls for seccomp
Roy Marples <roy@marples.name>
parents:
5464
diff
changeset
|
316 #endif |
|
5519
a5c61a48ae3c
privsep: Allow more syscalls through SECCOMP and add a debugger
Roy Marples <roy@marples.name>
parents:
5512
diff
changeset
|
317 #ifdef __NR_waitpid |
|
a5c61a48ae3c
privsep: Allow more syscalls through SECCOMP and add a debugger
Roy Marples <roy@marples.name>
parents:
5512
diff
changeset
|
318 SECCOMP_ALLOW(__NR_waitpid), |
|
a5c61a48ae3c
privsep: Allow more syscalls through SECCOMP and add a debugger
Roy Marples <roy@marples.name>
parents:
5512
diff
changeset
|
319 #endif |
|
5461
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
320 #ifdef __NR_write |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
321 SECCOMP_ALLOW(__NR_write), |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
322 #endif |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
323 #ifdef __NR_writev |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
324 SECCOMP_ALLOW(__NR_writev), |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
325 #endif |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
326 #ifdef __NR_uname |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
327 SECCOMP_ALLOW(__NR_uname), |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
328 #endif |
|
5464
4a1e66b07201
privsep: Avoid "unconfined" seccomp warnings
Roy Marples <roy@marples.name>
parents:
5462
diff
changeset
|
329 |
|
5461
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
330 /* Deny everything else */ |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
331 BPF_STMT(BPF_RET + BPF_K, SECCOMP_FILTER_FAIL), |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
332 }; |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
333 |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
334 static struct sock_fprog ps_seccomp_prog = { |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
335 .len = (unsigned short)__arraycount(ps_seccomp_filter), |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
336 .filter = ps_seccomp_filter, |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
337 }; |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
338 |
|
5519
a5c61a48ae3c
privsep: Allow more syscalls through SECCOMP and add a debugger
Roy Marples <roy@marples.name>
parents:
5512
diff
changeset
|
339 #ifdef SECCOMP_FILTER_DEBUG |
|
a5c61a48ae3c
privsep: Allow more syscalls through SECCOMP and add a debugger
Roy Marples <roy@marples.name>
parents:
5512
diff
changeset
|
340 static void |
|
a5c61a48ae3c
privsep: Allow more syscalls through SECCOMP and add a debugger
Roy Marples <roy@marples.name>
parents:
5512
diff
changeset
|
341 ps_seccomp_violation(__unused int signum, siginfo_t *si, __unused void *context) |
|
a5c61a48ae3c
privsep: Allow more syscalls through SECCOMP and add a debugger
Roy Marples <roy@marples.name>
parents:
5512
diff
changeset
|
342 { |
|
a5c61a48ae3c
privsep: Allow more syscalls through SECCOMP and add a debugger
Roy Marples <roy@marples.name>
parents:
5512
diff
changeset
|
343 |
|
a5c61a48ae3c
privsep: Allow more syscalls through SECCOMP and add a debugger
Roy Marples <roy@marples.name>
parents:
5512
diff
changeset
|
344 logerrx("%s: unexpected syscall %d (arch=0x%x)", |
|
a5c61a48ae3c
privsep: Allow more syscalls through SECCOMP and add a debugger
Roy Marples <roy@marples.name>
parents:
5512
diff
changeset
|
345 __func__, si->si_syscall, si->si_arch); |
|
a5c61a48ae3c
privsep: Allow more syscalls through SECCOMP and add a debugger
Roy Marples <roy@marples.name>
parents:
5512
diff
changeset
|
346 _exit(EXIT_FAILURE); |
|
a5c61a48ae3c
privsep: Allow more syscalls through SECCOMP and add a debugger
Roy Marples <roy@marples.name>
parents:
5512
diff
changeset
|
347 } |
|
a5c61a48ae3c
privsep: Allow more syscalls through SECCOMP and add a debugger
Roy Marples <roy@marples.name>
parents:
5512
diff
changeset
|
348 |
|
a5c61a48ae3c
privsep: Allow more syscalls through SECCOMP and add a debugger
Roy Marples <roy@marples.name>
parents:
5512
diff
changeset
|
349 static int |
|
a5c61a48ae3c
privsep: Allow more syscalls through SECCOMP and add a debugger
Roy Marples <roy@marples.name>
parents:
5512
diff
changeset
|
350 ps_seccomp_debug(void) |
|
a5c61a48ae3c
privsep: Allow more syscalls through SECCOMP and add a debugger
Roy Marples <roy@marples.name>
parents:
5512
diff
changeset
|
351 { |
|
a5c61a48ae3c
privsep: Allow more syscalls through SECCOMP and add a debugger
Roy Marples <roy@marples.name>
parents:
5512
diff
changeset
|
352 struct sigaction sa = { |
|
a5c61a48ae3c
privsep: Allow more syscalls through SECCOMP and add a debugger
Roy Marples <roy@marples.name>
parents:
5512
diff
changeset
|
353 .sa_flags = SA_SIGINFO, |
|
a5c61a48ae3c
privsep: Allow more syscalls through SECCOMP and add a debugger
Roy Marples <roy@marples.name>
parents:
5512
diff
changeset
|
354 .sa_sigaction = &ps_seccomp_violation, |
|
a5c61a48ae3c
privsep: Allow more syscalls through SECCOMP and add a debugger
Roy Marples <roy@marples.name>
parents:
5512
diff
changeset
|
355 }; |
|
a5c61a48ae3c
privsep: Allow more syscalls through SECCOMP and add a debugger
Roy Marples <roy@marples.name>
parents:
5512
diff
changeset
|
356 sigset_t mask; |
|
a5c61a48ae3c
privsep: Allow more syscalls through SECCOMP and add a debugger
Roy Marples <roy@marples.name>
parents:
5512
diff
changeset
|
357 |
|
a5c61a48ae3c
privsep: Allow more syscalls through SECCOMP and add a debugger
Roy Marples <roy@marples.name>
parents:
5512
diff
changeset
|
358 /* Install a signal handler to catch any issues with our filter. */ |
|
a5c61a48ae3c
privsep: Allow more syscalls through SECCOMP and add a debugger
Roy Marples <roy@marples.name>
parents:
5512
diff
changeset
|
359 sigemptyset(&mask); |
|
a5c61a48ae3c
privsep: Allow more syscalls through SECCOMP and add a debugger
Roy Marples <roy@marples.name>
parents:
5512
diff
changeset
|
360 sigaddset(&mask, SIGSYS); |
|
a5c61a48ae3c
privsep: Allow more syscalls through SECCOMP and add a debugger
Roy Marples <roy@marples.name>
parents:
5512
diff
changeset
|
361 if (sigaction(SIGSYS, &sa, NULL) == -1 || |
|
a5c61a48ae3c
privsep: Allow more syscalls through SECCOMP and add a debugger
Roy Marples <roy@marples.name>
parents:
5512
diff
changeset
|
362 sigprocmask(SIG_UNBLOCK, &mask, NULL) == -1) |
|
a5c61a48ae3c
privsep: Allow more syscalls through SECCOMP and add a debugger
Roy Marples <roy@marples.name>
parents:
5512
diff
changeset
|
363 return -1; |
|
a5c61a48ae3c
privsep: Allow more syscalls through SECCOMP and add a debugger
Roy Marples <roy@marples.name>
parents:
5512
diff
changeset
|
364 |
|
a5c61a48ae3c
privsep: Allow more syscalls through SECCOMP and add a debugger
Roy Marples <roy@marples.name>
parents:
5512
diff
changeset
|
365 return 0; |
|
a5c61a48ae3c
privsep: Allow more syscalls through SECCOMP and add a debugger
Roy Marples <roy@marples.name>
parents:
5512
diff
changeset
|
366 } |
|
a5c61a48ae3c
privsep: Allow more syscalls through SECCOMP and add a debugger
Roy Marples <roy@marples.name>
parents:
5512
diff
changeset
|
367 #endif |
|
a5c61a48ae3c
privsep: Allow more syscalls through SECCOMP and add a debugger
Roy Marples <roy@marples.name>
parents:
5512
diff
changeset
|
368 |
|
5461
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
369 int |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
370 ps_seccomp_enter(void) |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
371 { |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
372 |
|
5519
a5c61a48ae3c
privsep: Allow more syscalls through SECCOMP and add a debugger
Roy Marples <roy@marples.name>
parents:
5512
diff
changeset
|
373 #ifdef SECCOMP_FILTER_DEBUG |
|
a5c61a48ae3c
privsep: Allow more syscalls through SECCOMP and add a debugger
Roy Marples <roy@marples.name>
parents:
5512
diff
changeset
|
374 ps_seccomp_debug(); |
|
a5c61a48ae3c
privsep: Allow more syscalls through SECCOMP and add a debugger
Roy Marples <roy@marples.name>
parents:
5512
diff
changeset
|
375 #endif |
|
a5c61a48ae3c
privsep: Allow more syscalls through SECCOMP and add a debugger
Roy Marples <roy@marples.name>
parents:
5512
diff
changeset
|
376 |
|
5462
6e80b8c6f70c
privsep: Log if the platform sandbox is unavailable or available
Roy Marples <roy@marples.name>
parents:
5461
diff
changeset
|
377 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1 || |
|
6e80b8c6f70c
privsep: Log if the platform sandbox is unavailable or available
Roy Marples <roy@marples.name>
parents:
5461
diff
changeset
|
378 prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &ps_seccomp_prog) == -1) |
|
6e80b8c6f70c
privsep: Log if the platform sandbox is unavailable or available
Roy Marples <roy@marples.name>
parents:
5461
diff
changeset
|
379 { |
|
6e80b8c6f70c
privsep: Log if the platform sandbox is unavailable or available
Roy Marples <roy@marples.name>
parents:
5461
diff
changeset
|
380 if (errno == EINVAL) |
|
6e80b8c6f70c
privsep: Log if the platform sandbox is unavailable or available
Roy Marples <roy@marples.name>
parents:
5461
diff
changeset
|
381 errno = ENOSYS; |
|
6e80b8c6f70c
privsep: Log if the platform sandbox is unavailable or available
Roy Marples <roy@marples.name>
parents:
5461
diff
changeset
|
382 return -1; |
|
6e80b8c6f70c
privsep: Log if the platform sandbox is unavailable or available
Roy Marples <roy@marples.name>
parents:
5461
diff
changeset
|
383 } |
|
5461
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
384 return 0; |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
385 } |