annotate src/privsep-linux.c @ 5541:f233c9381c56 draft
privsep: Allow ioctl TCGETS
printf on some platforms seems to require it.
Without this, script_dump() may fault.
| author | Matthew Clarkson <mclarkson@reliablecontrols.com> |
|---|---|
| date | Thu, 19 Nov 2020 15:37:33 +0000 |
| parents | a6ee95eb8e60 |
| children | 5b709860f86c |
1 /* SPDX-License-Identifier: BSD-2-Clause */ |
2 /* |
3 * Privilege Separation for dhcpcd, Linux driver |
| 4922 | 4 * Copyright (c) 2006-2020 Roy Marples <roy@marples.name> |
5 * All rights reserved |
6 |
7 * Redistribution and use in source and binary forms, with or without |
8 * modification, are permitted provided that the following conditions |
9 * are met: |
10 * 1. Redistributions of source code must retain the above copyright |
11 * notice, this list of conditions and the following disclaimer. |
12 * 2. Redistributions in binary form must reproduce the above copyright |
13 * notice, this list of conditions and the following disclaimer in the |
14 * documentation and/or other materials provided with the distribution. |
15 * |
16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND |
17 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
19 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE |
20 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
21 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
26 * SUCH DAMAGE. |
27 */ |
28 |
29 #include <sys/ioctl.h> |
30 #include <sys/prctl.h> |
31 #include <sys/syscall.h> |
32 |
33 #include <linux/audit.h> |
34 #include <linux/filter.h> |
35 #include <linux/seccomp.h> |
36 #include <linux/sockios.h> |
37 |
38 #include <errno.h> |
39 #include <fcntl.h> |
40 #include <stddef.h> |
41 #include <stdio.h> |
42 #include <stdlib.h> |
43 #include <string.h> |
44 #include <unistd.h> |
45 |
46 #include "common.h" |
47 #include "if.h" |
48 #include "logerr.h" |
49 #include "privsep.h" |
50 |
51 /* |
52 * Set this to debug SECCOMP. |
53 * Then run dhcpcd with strace -f and strace will even translate |
54 * the failing syscall into the __NR_name define we need to use below. |
55 * DO NOT ENABLE THIS FOR PRODUCTION BUILDS! |
56 */ |
57 //#define SECCOMP_FILTER_DEBUG |
58 |
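/*
 * Privileged helper behind PS_ROUTE: open a netlink socket for the
 * requested protocol, send the request the unprivileged side assembled,
 * and read the kernel's reply.
 *
 * protocol: the netlink protocol, carried here from ps_root_sendnetlink()
 *           in the privsep message flags.
 * msg:      the fully built netlink request to send.
 *
 * Returns the result of if_getnetlink() on the reply, or -1 with errno
 * set if the socket could not be opened, the send failed, or the reply
 * could not be read.  The socket is closed on every path and the errno
 * of the failing call survives that close().
 */
static ssize_t
ps_root_dosendnetlink(int protocol, struct msghdr *msg)
{
	struct sockaddr_nl snl = { .nl_family = AF_NETLINK };
	int s, serrno;
	unsigned char buf[16 * 1024];
	struct iovec riov = {
		.iov_base = buf,
		.iov_len = sizeof(buf),
	};
	ssize_t retval;

	if ((s = if_linksocket(&snl, protocol, 0)) == -1)
		return -1;

	if (sendmsg(s, msg, 0) == -1) {
		retval = -1;
		goto out;
	}

	/* The reply lands in the local buffer with no context or callbacks;
	 * presumably only the status (and errno) matters to the caller. */
	retval = if_getnetlink(NULL, &riov, s, 0, NULL, NULL);
out:
	/* close(2) may overwrite errno; the caller reports the original
	 * failure back to the unprivileged process, so keep it. */
	serrno = errno;
	close(s);
	errno = serrno;
	return retval;
}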
84 |
/*
 * Linux half of the privileged command dispatcher.
 *
 * psm:   privsep message header; only ps_cmd and ps_flags are read here.
 * msg:   payload that accompanies the command.
 * rdata, rlen: not used on Linux, nothing is handed back through them.
 *
 * The only command this file understands is PS_ROUTE, which is passed on
 * to ps_root_dosendnetlink() together with the netlink protocol stored in
 * ps_flags.  Every other command is refused: returns -1 with errno set
 * to ENOTSUP.
 */
ssize_t
ps_root_os(struct ps_msghdr *psm, struct msghdr *msg,
    __unused void **rdata, __unused size_t *rlen)
{

	if (psm->ps_cmd != PS_ROUTE) {
		errno = ENOTSUP;
		return -1;
	}
	return ps_root_dosendnetlink((int)psm->ps_flags, msg);
}
98 |
/*
 * Unprivileged side of PS_ROUTE: ship a netlink request to the root
 * process over ctx->ps_root_fd and wait for its verdict.
 *
 * ctx:      dhcpcd context holding the root process channel.
 * protocol: netlink protocol, passed along in the message flags.
 * msg:      the netlink request to send.
 *
 * Returns -1 if the request could not be sent at all, otherwise whatever
 * ps_root_readerror() relays back; no reply data is requested.
 */
ssize_t
ps_root_sendnetlink(struct dhcpcd_ctx *ctx, int protocol, struct msghdr *msg)
{

	if (ps_sendmsg(ctx, ctx->ps_root_fd, PS_ROUTE,
	    (unsigned long)protocol, msg) != -1)
		return ps_root_readerror(ctx, NULL, 0);
	return -1;
}
108 |
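/*
 * seccomp_data.args[] stores every syscall argument as a 64-bit value,
 * but classic BPF loads 32-bit words.  SECCOMP_ARG_LO and SECCOMP_ARG_HI
 * are the byte offsets of the low and high halves inside one argument,
 * which depend on host byte order.  SECCOMP_ALLOW_ARG() uses them to
 * compare a full 64-bit argument with two loads.
 */
#if (BYTE_ORDER == LITTLE_ENDIAN)
# define SECCOMP_ARG_LO 0
# define SECCOMP_ARG_HI sizeof(uint32_t)
#elif (BYTE_ORDER == BIG_ENDIAN)
# define SECCOMP_ARG_LO sizeof(uint32_t)
# define SECCOMP_ARG_HI 0
#else
# error "Unknown endian"
#endif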
118 |
/*
 * Allow syscall _nr unconditionally.
 * Expects the syscall number in the accumulator (the filter loads it
 * before the first rule and SECCOMP_ALLOW_ARG reloads it on its way
 * out).  If the number does not match, the RET is skipped and control
 * falls through to the next rule.  Expands to two instructions.
 */
#define SECCOMP_ALLOW(_nr) \
	BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, (_nr), 0, 1), \
	BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_ALLOW)
122 |
/*
 * Allow syscall _nr only when its 64-bit argument _arg equals _val.
 * Expects the syscall number in the accumulator and puts it back there
 * on every fall-through path.  Expands to seven instructions:
 *   0: nr != _nr          -> jump past 6 (accumulator still holds nr)
 *   1: load low 32 bits of args[_arg]
 *   2: low != low(_val)   -> jump to 6
 *   3: load high 32 bits of args[_arg]
 *   4: high != high(_val) -> jump to 6
 *   5: return ALLOW
 *   6: reload nr so the next rule can compare it
 * Both halves are checked, so an argument cannot match on its low word
 * alone.
 */
#define SECCOMP_ALLOW_ARG(_nr, _arg, _val) \
	BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, (_nr), 0, 6), \
	BPF_STMT(BPF_LD + BPF_W + BPF_ABS, \
	    offsetof(struct seccomp_data, args[(_arg)]) + SECCOMP_ARG_LO), \
	BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, \
	    ((_val) & 0xffffffff), 0, 3), \
	BPF_STMT(BPF_LD + BPF_W + BPF_ABS, \
	    offsetof(struct seccomp_data, args[(_arg)]) + SECCOMP_ARG_HI), \
	BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, \
	    (((uint32_t)((uint64_t)(_val) >> 32)) & 0xffffffff), 0, 1), \
	BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_ALLOW), \
	BPF_STMT(BPF_LD + BPF_W + BPF_ABS, \
	    offsetof(struct seccomp_data, nr))
136 |
/*
 * Verdict for a syscall that no rule allowed.  With SECCOMP_FILTER_DEBUG
 * the process gets SIGSYS (SECCOMP_RET_TRAP) so strace can show which
 * call was refused; production builds kill instead.
 * NOTE(review): SECCOMP_RET_KILL only kills the calling thread;
 * SECCOMP_RET_KILL_PROCESS (Linux 4.14+) ends the whole process and is
 * the stricter choice should this sandbox ever host threads -- confirm.
 */
#ifdef SECCOMP_FILTER_DEBUG
#define SECCOMP_FILTER_FAIL SECCOMP_RET_TRAP
#else
#define SECCOMP_FILTER_FAIL SECCOMP_RET_KILL
#endif
142 |
143 /* I personally find this quite nutty. |
|
f9a05c95d611
privsep: Add more platforms for seccomp
Roy Marples <roy@marples.name>
parents:
5468
diff
changeset
|
144 * Why can a system header not define a default for this? */ |
|
5461
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
145 #if defined(__i386__) |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
146 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_I386 |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
147 #elif defined(__x86_64__) |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
148 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_X86_64 |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
149 #elif defined(__arm__) |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
150 # ifndef EM_ARM |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
151 # define EM_ARM 40 |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
152 # endif |
|
5469
f9a05c95d611
privsep: Add more platforms for seccomp
Roy Marples <roy@marples.name>
parents:
5468
diff
changeset
|
153 # if (BYTE_ORDER == LITTLE_ENDIAN) |
|
f9a05c95d611
privsep: Add more platforms for seccomp
Roy Marples <roy@marples.name>
parents:
5468
diff
changeset
|
154 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARM |
|
f9a05c95d611
privsep: Add more platforms for seccomp
Roy Marples <roy@marples.name>
parents:
5468
diff
changeset
|
155 # else |
|
f9a05c95d611
privsep: Add more platforms for seccomp
Roy Marples <roy@marples.name>
parents:
5468
diff
changeset
|
156 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARMEB |
|
f9a05c95d611
privsep: Add more platforms for seccomp
Roy Marples <roy@marples.name>
parents:
5468
diff
changeset
|
157 # endif |
|
5461
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
158 #elif defined(__aarch64__) |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
159 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_AARCH64 |
|
5469
f9a05c95d611
privsep: Add more platforms for seccomp
Roy Marples <roy@marples.name>
parents:
5468
diff
changeset
|
160 #elif defined(__alpha__) |
|
f9a05c95d611
privsep: Add more platforms for seccomp
Roy Marples <roy@marples.name>
parents:
5468
diff
changeset
|
161 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ALPHA |
|
f9a05c95d611
privsep: Add more platforms for seccomp
Roy Marples <roy@marples.name>
parents:
5468
diff
changeset
|
162 #elif defined(__hppa__) |
|
f9a05c95d611
privsep: Add more platforms for seccomp
Roy Marples <roy@marples.name>
parents:
5468
diff
changeset
|
163 # if defined(__LP64__) |
|
f9a05c95d611
privsep: Add more platforms for seccomp
Roy Marples <roy@marples.name>
parents:
5468
diff
changeset
|
164 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PARISC64 |
|
f9a05c95d611
privsep: Add more platforms for seccomp
Roy Marples <roy@marples.name>
parents:
5468
diff
changeset
|
165 # else |
|
f9a05c95d611
privsep: Add more platforms for seccomp
Roy Marples <roy@marples.name>
parents:
5468
diff
changeset
|
166 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PARISC |
|
f9a05c95d611
privsep: Add more platforms for seccomp
Roy Marples <roy@marples.name>
parents:
5468
diff
changeset
|
167 # endif |
|
f9a05c95d611
privsep: Add more platforms for seccomp
Roy Marples <roy@marples.name>
parents:
5468
diff
changeset
|
168 #elif defined(__ia64__) |
|
f9a05c95d611
privsep: Add more platforms for seccomp
Roy Marples <roy@marples.name>
parents:
5468
diff
changeset
|
169 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_IA64 |
|
5461
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
170 #elif defined(__mips__) |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
171 # if defined(__MIPSEL__) |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
172 # if defined(__LP64__) |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
173 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPSEL64 |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
174 # else |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
175 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPSEL |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
176 # endif |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
177 # elif defined(__LP64__) |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
178 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPS64 |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
179 # else |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
180 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPS |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
181 # endif |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
182 #elif defined(__powerpc64__) |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
183 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PPC64 |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
184 #elif defined(__powerpc__) |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
185 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PPC |
|
5469
f9a05c95d611
privsep: Add more platforms for seccomp
Roy Marples <roy@marples.name>
parents:
5468
diff
changeset
|
186 #elif defined(__riscv) |
|
f9a05c95d611
privsep: Add more platforms for seccomp
Roy Marples <roy@marples.name>
parents:
5468
diff
changeset
|
187 # if defined(__LP64__) |
|
f9a05c95d611
privsep: Add more platforms for seccomp
Roy Marples <roy@marples.name>
parents:
5468
diff
changeset
|
188 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_RISCV64 |
|
f9a05c95d611
privsep: Add more platforms for seccomp
Roy Marples <roy@marples.name>
parents:
5468
diff
changeset
|
189 # else |
|
f9a05c95d611
privsep: Add more platforms for seccomp
Roy Marples <roy@marples.name>
parents:
5468
diff
changeset
|
190 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_RISCV32 |
|
f9a05c95d611
privsep: Add more platforms for seccomp
Roy Marples <roy@marples.name>
parents:
5468
diff
changeset
|
191 # endif |
|
5461
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
192 #elif defined(__s390x__) |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
193 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_S390X |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
194 #elif defined(__s390__) |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
195 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_S390 |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
196 #elif defined(__sparc__) |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
197 # if defined(__arch64__) |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
198 # define AUDIT_ARCH_SPARC64 |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
199 # else |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
200 # define AUDIT_ARCH_SPARC |
|
30f55aaa5fd6
privsep: Add the SECCOMP BPF sandbox for Linux
Roy Marples <roy@marples.name>
parents:
5303
diff
changeset
|
201 # endif |
202 #else |
203 # error "Platform does not support seccomp filter yet" |
204 #endif |
/*
 * Seccomp-BPF allow-list for the privilege-separated dhcpcd processes.
 *
 * The program is evaluated top to bottom:
 *   1. the audit arch of the calling thread is compared with
 *      SECCOMP_AUDIT_ARCH; a mismatch returns SECCOMP_FILTER_FAIL before the
 *      syscall number is looked at, so a number belonging to a foreign ABI
 *      cannot be mistaken for one of the calls allowed below;
 *   2. the syscall number is loaded and tested against each SECCOMP_ALLOW /
 *      SECCOMP_ALLOW_ARG entry (macros defined earlier in this file);
 *   3. anything that did not match falls through to the final
 *      SECCOMP_FILTER_FAIL return.
 * Each entry is wrapped in #ifdef __NR_xxx because syscall numbers, and
 * which syscalls exist at all, differ between architectures.
 */
static struct sock_filter ps_seccomp_filter[] = {
	/* Check syscall arch */
	BPF_STMT(BPF_LD + BPF_W + BPF_ABS,
	    offsetof(struct seccomp_data, arch)),
	/* On a match skip the next instruction, i.e. the failing return. */
	BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, SECCOMP_AUDIT_ARCH, 1, 0),
	BPF_STMT(BPF_RET + BPF_K, SECCOMP_FILTER_FAIL),
	/* Allow syscalls */
	BPF_STMT(BPF_LD + BPF_W + BPF_ABS,
	    offsetof(struct seccomp_data, nr)),
#ifdef __NR_accept
	SECCOMP_ALLOW(__NR_accept),
#endif
#ifdef __NR_brk
	SECCOMP_ALLOW(__NR_brk),
#endif
#ifdef __NR_clock_gettime
	SECCOMP_ALLOW(__NR_clock_gettime),
#endif
#if defined(__x86_64__) && defined(__ILP32__) && defined(__X32_SYSCALL_BIT)
	/* x32 ABI: also accept the number with the x32 bit cleared. */
	SECCOMP_ALLOW(__NR_clock_gettime & ~__X32_SYSCALL_BIT),
#endif
#ifdef __NR_clock_gettime64
	SECCOMP_ALLOW(__NR_clock_gettime64),
#endif
#ifdef __NR_close
	SECCOMP_ALLOW(__NR_close),
#endif
#ifdef __NR_exit_group
	SECCOMP_ALLOW(__NR_exit_group),
#endif
#ifdef __NR_fcntl
	SECCOMP_ALLOW(__NR_fcntl),
#endif
#ifdef __NR_fcntl64
	SECCOMP_ALLOW(__NR_fcntl64),
#endif
#ifdef __NR_fstat
	SECCOMP_ALLOW(__NR_fstat),
#endif
#ifdef __NR_fstat64
	SECCOMP_ALLOW(__NR_fstat64),
#endif
#ifdef __NR_gettimeofday
	SECCOMP_ALLOW(__NR_gettimeofday),
#endif
#ifdef __NR_getpid
	SECCOMP_ALLOW(__NR_getpid),
#endif
#ifdef __NR_ioctl
	/* ioctl is not allowed wholesale: only the request codes listed here
	 * (syscall argument index 1, the request) pass the filter. */
	SECCOMP_ALLOW_ARG(__NR_ioctl, 1, SIOCGIFFLAGS),
	SECCOMP_ALLOW_ARG(__NR_ioctl, 1, SIOCGIFHWADDR),
	SECCOMP_ALLOW_ARG(__NR_ioctl, 1, SIOCGIFINDEX),
	SECCOMP_ALLOW_ARG(__NR_ioctl, 1, SIOCGIFMTU),
	SECCOMP_ALLOW_ARG(__NR_ioctl, 1, SIOCGIFVLAN),
	/* printf on some platforms seems to use this ioctl */
	SECCOMP_ALLOW_ARG(__NR_ioctl, 1, TCGETS),
	/* SECCOMP BPF is newer than nl80211 so we don't need SIOCGIWESSID
	 * which lives in the impossible to include linux/wireless.h header */
#endif
#ifdef __NR_mmap
	SECCOMP_ALLOW(__NR_mmap),
#endif
#ifdef __NR_munmap
	SECCOMP_ALLOW(__NR_munmap),
#endif
#ifdef __NR_nanosleep
	SECCOMP_ALLOW(__NR_nanosleep), /* XXX should use ppoll instead */
#endif
#ifdef __NR_ppoll
	SECCOMP_ALLOW(__NR_ppoll),
#endif
#ifdef __NR_ppoll_time64
	SECCOMP_ALLOW(__NR_ppoll_time64),
#endif
#ifdef __NR_read
	SECCOMP_ALLOW(__NR_read),
#endif
#ifdef __NR_readv
	SECCOMP_ALLOW(__NR_readv),
#endif
#ifdef __NR_recv
	SECCOMP_ALLOW(__NR_recv),
#endif
#ifdef __NR_recvfrom
	SECCOMP_ALLOW(__NR_recvfrom),
#endif
#ifdef __NR_recvmsg
	SECCOMP_ALLOW(__NR_recvmsg),
#endif
#ifdef __NR_rt_sigreturn
	SECCOMP_ALLOW(__NR_rt_sigreturn),
#endif
#ifdef __NR_send
	SECCOMP_ALLOW(__NR_send),
#endif
#ifdef __NR_sendmsg
	SECCOMP_ALLOW(__NR_sendmsg),
#endif
#ifdef __NR_sendto
	SECCOMP_ALLOW(__NR_sendto),
#endif
#ifdef __NR_shutdown
	SECCOMP_ALLOW(__NR_shutdown),
#endif
#ifdef __NR_time
	SECCOMP_ALLOW(__NR_time),
#endif
#ifdef __NR_wait4
	SECCOMP_ALLOW(__NR_wait4),
#endif
#ifdef __NR_waitpid
	SECCOMP_ALLOW(__NR_waitpid),
#endif
#ifdef __NR_write
	SECCOMP_ALLOW(__NR_write),
#endif
#ifdef __NR_writev
	SECCOMP_ALLOW(__NR_writev),
#endif
#ifdef __NR_uname
	SECCOMP_ALLOW(__NR_uname),
#endif

	/* Deny everything else */
	BPF_STMT(BPF_RET + BPF_K, SECCOMP_FILTER_FAIL),
};
/*
 * The filter program handed to the kernel by ps_seccomp_enter().
 * sock_fprog.len is an unsigned short, hence the cast; the kernel's own
 * BPF instruction limit is far below USHRT_MAX, so the narrowing cannot
 * truncate a filter the kernel would accept anyway.
 */
static struct sock_fprog ps_seccomp_prog = {
	.len = (unsigned short)__arraycount(ps_seccomp_filter),
	.filter = ps_seccomp_filter,
};
338 #ifdef SECCOMP_FILTER_DEBUG |
/*
 * SIGSYS handler installed by ps_seccomp_debug() (SECCOMP_FILTER_DEBUG
 * builds only).  Reports the offending syscall number and audit arch that
 * the kernel placed in the siginfo, then terminates via _exit(), which is
 * async-signal-safe.
 * NOTE(review): logerrx() is not guaranteed async-signal-safe; this is a
 * debugging aid so the trade-off is accepted, but keep it out of release
 * builds.
 */
static void
ps_seccomp_violation(__unused int signum, siginfo_t *si, __unused void *context)
{
	const int nr = si->si_syscall;
	const unsigned int arch = si->si_arch;

	logerrx("%s: unexpected syscall %d (arch=0x%x)", __func__, nr, arch);
	_exit(EXIT_FAILURE);
}
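/*
 * Arm a SIGSYS handler so that a filter violation is reported rather than
 * terminating the process without a diagnostic (SECCOMP_FILTER_DEBUG builds
 * only).
 *
 * Returns 0 on success, or -1 with errno set if any of the signal calls
 * fail.
 */
static int
ps_seccomp_debug(void)
{
	struct sigaction sa = {
		.sa_flags = SA_SIGINFO,
		.sa_sigaction = &ps_seccomp_violation,
	};
	sigset_t mask;

	/* Initialise the handler's mask explicitly: POSIX only guarantees a
	 * valid empty set through sigemptyset(), not through zero-filling. */
	if (sigemptyset(&sa.sa_mask) == -1)
		return -1;

	/* Install a signal handler to catch any issues with our filter,
	 * and make sure SIGSYS is unblocked so the trap can reach it. */
	if (sigemptyset(&mask) == -1 || sigaddset(&mask, SIGSYS) == -1)
		return -1;
	if (sigaction(SIGSYS, &sa, NULL) == -1 ||
	    sigprocmask(SIG_UNBLOCK, &mask, NULL) == -1)
		return -1;

	return 0;
}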
366 #endif |
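/*
 * Enter the seccomp-BPF sandbox for the calling process.
 *
 * PR_SET_NO_NEW_PRIVS is set first: the kernel only lets an unprivileged
 * process install a filter once it can no longer gain privileges through
 * exec, and it also stops the filter being used to confuse a setuid or
 * file-capability binary.  The filter itself is ps_seccomp_prog.
 *
 * Returns 0 on success.  On failure returns -1 with errno set; EINVAL from
 * prctl(2) is reported as ENOSYS so the caller can treat it as "seccomp
 * filtering is not available on this kernel".
 */
int
ps_seccomp_enter(void)
{

#ifdef SECCOMP_FILTER_DEBUG
	/* Fail early if the diagnostic handler cannot be installed; without
	 * it a filter violation would not be reported as intended. */
	if (ps_seccomp_debug() == -1)
		return -1;
#endif

	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1 ||
	    prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &ps_seccomp_prog) == -1)
	{
		if (errno == EINVAL)
			errno = ENOSYS;
		return -1;
	}
	return 0;
}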
