feat: adjust syscall whitelist

This commit is contained in:
Mikucat 2024-01-14 15:30:06 +08:00
parent fd92d0365f
commit 8cd0bd1116
No known key found for this signature in database
GPG Key ID: CE6B09A6F462E04D

View File

@ -9,41 +9,55 @@
int _c_cpp_seccomp_rules(struct config *_config, bool allow_write_file) { int _c_cpp_seccomp_rules(struct config *_config, bool allow_write_file) {
int syscalls_whitelist[] = {SCMP_SYS(read), SCMP_SYS(fstat), int syscalls_whitelist[] = {
SCMP_SYS(mmap), SCMP_SYS(mprotect), SCMP_SYS(access),
SCMP_SYS(munmap), SCMP_SYS(uname), SCMP_SYS(arch_prctl),
SCMP_SYS(arch_prctl), SCMP_SYS(brk), SCMP_SYS(brk),
SCMP_SYS(access), SCMP_SYS(exit_group), SCMP_SYS(clock_gettime),
SCMP_SYS(close), SCMP_SYS(readlink), SCMP_SYS(close),
SCMP_SYS(sysinfo), SCMP_SYS(write), SCMP_SYS(exit_group),
SCMP_SYS(writev), SCMP_SYS(lseek), SCMP_SYS(faccessat),
SCMP_SYS(clock_gettime), SCMP_SYS(pread64)}; // add extra rule for pread64 SCMP_SYS(fstat),
SCMP_SYS(futex),
SCMP_SYS(getrandom),
SCMP_SYS(lseek),
SCMP_SYS(mmap),
SCMP_SYS(mprotect),
SCMP_SYS(munmap),
SCMP_SYS(newfstatat),
SCMP_SYS(pread64),
SCMP_SYS(prlimit64),
SCMP_SYS(read),
SCMP_SYS(readlink),
SCMP_SYS(readv),
SCMP_SYS(rseq),
SCMP_SYS(set_robust_list),
SCMP_SYS(set_tid_address),
SCMP_SYS(write),
SCMP_SYS(writev)
};
int syscalls_whitelist_length = sizeof(syscalls_whitelist) / sizeof(int); int syscalls_whitelist_length = sizeof(syscalls_whitelist) / sizeof(int);
scmp_filter_ctx ctx = NULL; scmp_filter_ctx ctx = NULL;
// load seccomp rules // load seccomp rules
ctx = seccomp_init(SCMP_ACT_KILL); ctx = seccomp_init(SCMP_ACT_KILL);
if (!ctx) { if (!ctx) {
return LOAD_SECCOMP_FAILED; return LOAD_SECCOMP_FAILED;
} }
for (int i = 0; i < syscalls_whitelist_length; i++) { for (int i = 0; i < syscalls_whitelist_length; i++) {
if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, syscalls_whitelist[i], 0) != 0) { if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, syscalls_whitelist[i], 0) != 0) {
return LOAD_SECCOMP_FAILED; return LOAD_SECCOMP_FAILED;
} }
} }
// add extra rule for execve
// extra rule for execve
if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(execve), 1, SCMP_A0(SCMP_CMP_EQ, (scmp_datum_t)(_config->exe_path))) != 0) { if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(execve), 1, SCMP_A0(SCMP_CMP_EQ, (scmp_datum_t)(_config->exe_path))) != 0) {
return LOAD_SECCOMP_FAILED; return LOAD_SECCOMP_FAILED;
} }
if (!allow_write_file) {
// do not allow "w" and "rw" if (allow_write_file) {
if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 1, SCMP_CMP(1, SCMP_CMP_MASKED_EQ, O_WRONLY | O_RDWR, 0)) != 0) {
return LOAD_SECCOMP_FAILED;
}
if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 1, SCMP_CMP(2, SCMP_CMP_MASKED_EQ, O_WRONLY | O_RDWR, 0)) != 0) {
return LOAD_SECCOMP_FAILED;
}
} else {
if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 0) != 0) { if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 0) != 0) {
return LOAD_SECCOMP_FAILED; return LOAD_SECCOMP_FAILED;
} }
@ -59,7 +73,16 @@ int _c_cpp_seccomp_rules(struct config *_config, bool allow_write_file) {
if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(dup3), 0) != 0) { if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(dup3), 0) != 0) {
return LOAD_SECCOMP_FAILED; return LOAD_SECCOMP_FAILED;
} }
} else {
// do not allow "w" and "rw"
if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 1, SCMP_CMP(1, SCMP_CMP_MASKED_EQ, O_WRONLY | O_RDWR, 0)) != 0) {
return LOAD_SECCOMP_FAILED;
}
if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 1, SCMP_CMP(2, SCMP_CMP_MASKED_EQ, O_WRONLY | O_RDWR, 0)) != 0) {
return LOAD_SECCOMP_FAILED;
}
} }
if (seccomp_load(ctx) != 0) { if (seccomp_load(ctx) != 0) {
return LOAD_SECCOMP_FAILED; return LOAD_SECCOMP_FAILED;
} }
@ -67,7 +90,6 @@ int _c_cpp_seccomp_rules(struct config *_config, bool allow_write_file) {
return 0; return 0;
} }
int c_cpp_seccomp_rules(struct config *_config, bool allow_write_file) { int c_cpp_seccomp_rules(struct config *_config, bool allow_write_file) {
return _c_cpp_seccomp_rules(_config, false); return _c_cpp_seccomp_rules(_config, false);
} }