Archives/xmppipe
2
0
Fork 0
mirror of https://github.com/msantos/xmppipe synced 2024-11-13 13:10:32 +00:00
Code Issues Releases Wiki Activity

seccomp: pre-connect sandbox

Browse Source 
Preliminary pre-connect sandbox for Linux. Tested on 32-bit ARM,
requires testing on other platforms.
This commit is contained in:
Michael Santos 2017-04-17 08:59:18 -04:00
parent 140470458f
commit e3e3d0bcf9
1 changed files with 180 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

183
src/xmppipe_sandbox_seccomp.c
View File

@ -76,6 +76,186 @@
int
xmppipe_sandbox_init(xmppipe_state_t *state)
{
struct sock_filter filter[] = {
/* Ensure the syscall arch convention is as expected. */
BPF_STMT(BPF_LD+BPF_W+BPF_ABS,
offsetof(struct seccomp_data, arch)),
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SECCOMP_AUDIT_ARCH, 1, 0),
BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL),
/* Load the syscall number for checking. */
BPF_STMT(BPF_LD+BPF_W+BPF_ABS,
offsetof(struct seccomp_data, nr)),
/* Syscalls to allow */
/* dns */
#ifdef __NR_socket
SC_ALLOW(socket),
#endif
#ifdef __NR_recvfrom
SC_ALLOW(recvfrom),
#endif
#ifdef __NR_recv
SC_ALLOW(recv),
#endif
#ifdef __NR_recvmsg
SC_ALLOW(recvmsg),
#endif
#ifdef __NR_sendto
SC_ALLOW(sendto),
#endif
#ifdef __NR_send
SC_ALLOW(send),
#endif
#ifdef __NR_connect
SC_ALLOW(connect),
#endif
#ifdef __NR_bind
SC_ALLOW(bind),
#endif
#ifdef __NR_stat
SC_ALLOW(stat),
#endif
#ifdef __NR_stat64
SC_ALLOW(stat64),
#endif
#ifdef __NR_uname
SC_ALLOW(uname),
#endif
/* /etc/resolv.conf */
#ifdef __NR_open
SC_ALLOW(open),
#endif
#ifdef __NR_close
SC_ALLOW(close),
#endif
/* inet */
#ifdef __NR_getpeername
SC_ALLOW(getpeername),
#endif
#ifdef __NR_getsockname
SC_ALLOW(getsockname),
#endif
#ifdef __NR_setsockopt
SC_ALLOW(setsockopt),
#endif
#ifdef __NR_getsockopt
SC_ALLOW(getsockopt),
#endif
/* uuid */
#ifdef __NR_gettimeofday
SC_ALLOW(gettimeofday),
#endif
#ifdef __NR_getpid
SC_ALLOW(getpid),
#endif
#ifdef __NR_brk
SC_ALLOW(brk),
#endif
#ifdef __NR_clock_gettime
SC_ALLOW(clock_gettime),
#endif
#ifdef __NR_exit_group
SC_ALLOW(exit_group),
#endif
#ifdef __NR_fcntl
SC_ALLOW(fcntl),
#endif
#ifdef __NR_fcntl64
SC_ALLOW(fcntl64),
#endif
#ifdef __NR_fstat
SC_ALLOW(fstat),
#endif
#ifdef __NR_fstat64
SC_ALLOW(fstat64),
#endif
#ifdef __NR_getppid
SC_ALLOW(getppid),
#endif
#ifdef __NR_gettid
SC_ALLOW(gettid),
#endif
#ifdef __NR_gettimeofday
SC_ALLOW(gettimeofday),
#endif
#ifdef __NR_getuid
SC_ALLOW(getuid),
#endif
#ifdef __NR_getuid32
SC_ALLOW(getuid32),
#endif
#ifdef __NR_ioctl
SC_ALLOW(ioctl),
#endif
#ifdef __NR_mmap
SC_ALLOW(mmap),
#endif
#ifdef __NR_munmap
SC_ALLOW(munmap),
#endif
#ifdef __NR_mprotect
SC_ALLOW(mprotect),
#endif
#ifdef __NR_poll
SC_ALLOW(poll),
#endif
#ifdef __NR_read
SC_ALLOW(read),
#endif
#ifdef __NR__newselect
SC_ALLOW(_newselect),
#endif
#ifdef __NR_select
SC_ALLOW(select),
#endif
#ifdef __NR_stat
SC_ALLOW(stat),
#endif
#ifdef __NR_stat64
SC_ALLOW(stat64),
#endif
#ifdef __NR_write
SC_ALLOW(write),
#endif
#ifdef __NR_mmap
SC_ALLOW(mmap),
#endif
#ifdef __NR_mmap2
SC_ALLOW(mmap2),
#endif
#ifdef __NR_access
SC_ALLOW(access),
#endif
#ifdef __NR_lseek
SC_ALLOW(lseek),
#endif
#ifdef __NR_prctl
SC_ALLOW(prctl),
#endif
/* Default deny */
BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL)
};
struct sock_fprog prog = {
.len = (unsigned short)(sizeof(filter)/sizeof(filter[0])),
.filter = filter,
};
if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0)
return -1;
if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog))
return -1;
return 0;
}
@ -182,9 +362,6 @@ xmppipe_sandbox_stdin(xmppipe_state_t *state)
.filter = filter,
};
if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0)
return -1;
if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog))
return -1;