mirror of
https://github.com/InfrastructureServices/vsftpd.git
synced 2025-04-19 01:24:02 +03:00
726 lines
16 KiB
C
726 lines
16 KiB
C
/*
|
|
* Part of Very Secure FTPd
|
|
* Licence: GPL v2
|
|
* Author: Chris Evans
|
|
* seccompsandbox.c
|
|
*
|
|
* Code to lock down the accessible kernel API in a Linux seccomp filter
|
|
* sandbox. Works in Ubuntu 11.10 and newer.
|
|
*/
|
|
|
|
#include "seccompsandbox.h"
|
|
|
|
#if defined(__linux__) && defined(__x86_64__)
|
|
|
|
#include "session.h"
|
|
#include "sysutil.h"
|
|
#include "tunables.h"
|
|
#include "utility.h"
|
|
|
|
#include <errno.h>
|
|
|
|
#include <netinet/in.h>
|
|
#include <netinet/tcp.h>
|
|
|
|
#include <sys/fcntl.h>
|
|
#include <sys/mman.h>
|
|
#include <sys/prctl.h>
|
|
#include <sys/socket.h>
|
|
#include <sys/types.h>
|
|
|
|
#include <linux/filter.h>
|
|
|
|
#include <asm/unistd.h>
|
|
|
|
/* #define DEBUG_SIGSYS 1 */
|
|
|
|
#ifndef PR_SET_SECCOMP
|
|
#define PR_SET_SECCOMP 22
|
|
#endif
|
|
|
|
#ifndef PR_SET_NO_NEW_PRIVS
|
|
#define PR_SET_NO_NEW_PRIVS 38
|
|
#endif
|
|
|
|
#ifndef __NR_openat
|
|
#define __NR_openat 257
|
|
#endif
|
|
|
|
#ifndef O_LARGEFILE
|
|
#define O_LARGEFILE 00100000
|
|
#endif
|
|
|
|
#ifndef O_DIRECTORY
|
|
#define O_DIRECTORY 00200000
|
|
#endif
|
|
|
|
#ifndef O_CLOEXEC
|
|
#define O_CLOEXEC 002000000
|
|
#endif
|
|
|
|
#define kMaxSyscalls 100
|
|
|
|
#ifdef DEBUG_SIGSYS
|
|
|
|
#include <signal.h>
|
|
#include <string.h>
|
|
|
|
void
|
|
handle_sigsys(int sig)
|
|
{
|
|
(void) sig;
|
|
}
|
|
#endif
|
|
|
|
static const int kOpenFlags =
|
|
O_CREAT|O_EXCL|O_APPEND|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC|O_LARGEFILE;
|
|
|
|
static size_t s_syscall_index;
|
|
static size_t s_1_arg_validations;
|
|
static size_t s_2_arg_validations;
|
|
static size_t s_3_arg_validations;
|
|
static int s_syscalls[kMaxSyscalls];
|
|
static int s_errnos[kMaxSyscalls];
|
|
static int s_args_1[kMaxSyscalls];
|
|
static int s_vals_1[kMaxSyscalls];
|
|
static int s_args_2[kMaxSyscalls];
|
|
static int s_vals_2[kMaxSyscalls];
|
|
static int s_args_3[kMaxSyscalls];
|
|
static int s_vals_3[kMaxSyscalls];
|
|
|
|
static void
|
|
allow_nr(int nr)
|
|
{
|
|
if (s_syscall_index >= kMaxSyscalls)
|
|
{
|
|
bug("out of syscall space");
|
|
}
|
|
if (nr < 0)
|
|
{
|
|
bug("negative syscall");
|
|
}
|
|
s_errnos[s_syscall_index] = 0;
|
|
s_syscalls[s_syscall_index++] = nr;
|
|
}
|
|
|
|
static void
|
|
reject_nr(int nr, int errcode)
|
|
{
|
|
if (s_syscall_index >= kMaxSyscalls)
|
|
{
|
|
bug("out of syscall space");
|
|
}
|
|
if (nr < 0)
|
|
{
|
|
bug("negative syscall");
|
|
}
|
|
if (errcode < 0 || errcode > 255)
|
|
{
|
|
bug("bad errcode");
|
|
}
|
|
s_errnos[s_syscall_index] = errcode;
|
|
s_syscalls[s_syscall_index++] = nr;
|
|
}
|
|
|
|
static void
|
|
allow_nr_1_arg_match(int nr, int arg, int val)
|
|
{
|
|
if (s_syscall_index >= kMaxSyscalls)
|
|
{
|
|
bug("out of syscall space");
|
|
}
|
|
if (nr < 0)
|
|
{
|
|
bug("negative syscall");
|
|
}
|
|
if (arg < 1 || arg > 6)
|
|
{
|
|
bug("arg out of range");
|
|
}
|
|
s_args_1[s_syscall_index] = arg;
|
|
s_vals_1[s_syscall_index] = val;
|
|
s_errnos[s_syscall_index] = 0;
|
|
s_syscalls[s_syscall_index++] = nr;
|
|
s_1_arg_validations++;
|
|
}
|
|
|
|
static void
|
|
allow_nr_1_arg_mask(int nr, int arg, int val)
|
|
{
|
|
if (s_syscall_index >= kMaxSyscalls)
|
|
{
|
|
bug("out of syscall space");
|
|
}
|
|
if (nr < 0)
|
|
{
|
|
bug("negative syscall");
|
|
}
|
|
if (arg < 1 || arg > 6)
|
|
{
|
|
bug("arg out of range");
|
|
}
|
|
s_args_1[s_syscall_index] = 100 + arg;
|
|
s_vals_1[s_syscall_index] = val;
|
|
s_errnos[s_syscall_index] = 0;
|
|
s_syscalls[s_syscall_index++] = nr;
|
|
s_1_arg_validations++;
|
|
}
|
|
|
|
static void
|
|
allow_nr_2_arg_match(int nr, int arg1, int val1, int arg2, int val2)
|
|
{
|
|
if (s_syscall_index >= kMaxSyscalls)
|
|
{
|
|
bug("out of syscall space");
|
|
}
|
|
if (nr < 0)
|
|
{
|
|
bug("negative syscall");
|
|
}
|
|
if (arg1 < 1 || arg1 > 6)
|
|
{
|
|
bug("arg1 out of range");
|
|
}
|
|
if (arg2 < 1 || arg2 > 6)
|
|
{
|
|
bug("arg2 out of range");
|
|
}
|
|
s_args_1[s_syscall_index] = arg1;
|
|
s_vals_1[s_syscall_index] = val1;
|
|
s_args_2[s_syscall_index] = arg2;
|
|
s_vals_2[s_syscall_index] = val2;
|
|
s_errnos[s_syscall_index] = 0;
|
|
s_syscalls[s_syscall_index++] = nr;
|
|
s_2_arg_validations++;
|
|
}
|
|
|
|
static void
|
|
allow_nr_2_arg_mask_match(int nr, int arg1, int val1, int arg2, int val2)
|
|
{
|
|
if (s_syscall_index >= kMaxSyscalls)
|
|
{
|
|
bug("out of syscall space");
|
|
}
|
|
if (nr < 0)
|
|
{
|
|
bug("negative syscall");
|
|
}
|
|
if (arg1 < 1 || arg1 > 6)
|
|
{
|
|
bug("arg1 out of range");
|
|
}
|
|
if (arg2 < 1 || arg2 > 6)
|
|
{
|
|
bug("arg2 out of range");
|
|
}
|
|
s_args_1[s_syscall_index] = 100 + arg1;
|
|
s_vals_1[s_syscall_index] = val1;
|
|
s_args_2[s_syscall_index] = arg2;
|
|
s_vals_2[s_syscall_index] = val2;
|
|
s_errnos[s_syscall_index] = 0;
|
|
s_syscalls[s_syscall_index++] = nr;
|
|
s_2_arg_validations++;
|
|
}
|
|
|
|
static void
|
|
allow_nr_3_arg_match(int nr, int arg1, int val1, int arg2, int val2, int arg3,
|
|
int val3)
|
|
{
|
|
if (s_syscall_index >= kMaxSyscalls)
|
|
{
|
|
bug("out of syscall space");
|
|
}
|
|
if (nr < 0)
|
|
{
|
|
bug("negative syscall");
|
|
}
|
|
if (arg1 < 1 || arg1 > 6)
|
|
{
|
|
bug("arg1 out of range");
|
|
}
|
|
if (arg2 < 1 || arg2 > 6)
|
|
{
|
|
bug("arg2 out of range");
|
|
}
|
|
if (arg3 < 1 || arg3 > 6)
|
|
{
|
|
bug("arg3 out of range");
|
|
}
|
|
s_args_1[s_syscall_index] = arg1;
|
|
s_vals_1[s_syscall_index] = val1;
|
|
s_args_2[s_syscall_index] = arg2;
|
|
s_vals_2[s_syscall_index] = val2;
|
|
s_args_3[s_syscall_index] = arg3;
|
|
s_vals_3[s_syscall_index] = val3;
|
|
s_errnos[s_syscall_index] = 0;
|
|
s_syscalls[s_syscall_index++] = nr;
|
|
s_3_arg_validations++;
|
|
}
|
|
|
|
static void
|
|
seccomp_sandbox_setup_data_connections()
|
|
{
|
|
allow_nr_3_arg_match(__NR_socket, 1, PF_INET, 2, SOCK_STREAM, 3, IPPROTO_TCP);
|
|
allow_nr_3_arg_match(__NR_socket,
|
|
1, PF_INET6,
|
|
2, SOCK_STREAM,
|
|
3, IPPROTO_TCP);
|
|
allow_nr(__NR_bind);
|
|
allow_nr(__NR_select);
|
|
if (tunable_port_enable)
|
|
{
|
|
allow_nr(__NR_connect);
|
|
allow_nr_2_arg_match(__NR_getsockopt, 2, SOL_SOCKET, 3, SO_ERROR);
|
|
allow_nr_2_arg_match(__NR_setsockopt, 2, SOL_SOCKET, 3, SO_REUSEADDR);
|
|
allow_nr_1_arg_match(__NR_fcntl, 2, F_GETFL);
|
|
allow_nr_2_arg_match(__NR_fcntl, 2, F_SETFL, 3, O_RDWR|O_NONBLOCK);
|
|
allow_nr_2_arg_match(__NR_fcntl, 2, F_SETFL, 3, O_RDWR);
|
|
}
|
|
if (tunable_pasv_enable)
|
|
{
|
|
allow_nr(__NR_listen);
|
|
allow_nr(__NR_accept);
|
|
}
|
|
}
|
|
|
|
static void
|
|
seccomp_sandbox_setup_base()
|
|
{
|
|
/* Simple reads and writes on existing descriptors. */
|
|
allow_nr(__NR_read);
|
|
allow_nr(__NR_write);
|
|
|
|
/* Needed for memory management. */
|
|
allow_nr_2_arg_match(__NR_mmap,
|
|
3, PROT_READ|PROT_WRITE,
|
|
4, MAP_PRIVATE|MAP_ANON);
|
|
allow_nr_1_arg_mask(__NR_mprotect, 3, PROT_READ);
|
|
allow_nr(__NR_munmap);
|
|
allow_nr(__NR_brk);
|
|
/* glibc falls back gracefully if mremap() fails during realloc(). */
|
|
reject_nr(__NR_mremap, ENOSYS);
|
|
|
|
/* Misc simple low-risk calls. */
|
|
allow_nr(__NR_gettimeofday); /* Used by logging. */
|
|
allow_nr(__NR_rt_sigreturn); /* Used to handle SIGPIPE. */
|
|
allow_nr(__NR_restart_syscall);
|
|
allow_nr(__NR_close);
|
|
|
|
/* Always need to be able to exit ! */
|
|
allow_nr(__NR_exit_group);
|
|
}
|
|
|
|
void
|
|
seccomp_sandbox_init()
|
|
{
|
|
if (s_syscall_index != 0)
|
|
{
|
|
bug("bad state in seccomp_sandbox_init");
|
|
}
|
|
}
|
|
|
|
void
|
|
seccomp_sandbox_setup_prelogin(const struct vsf_session* p_sess)
|
|
{
|
|
(void) p_sess;
|
|
|
|
seccomp_sandbox_setup_base();
|
|
|
|
/* Peeking FTP commands from the network. */
|
|
allow_nr_1_arg_match(__NR_recvfrom, 4, MSG_PEEK);
|
|
|
|
/* Misc simple low-risk calls */
|
|
allow_nr(__NR_nanosleep); /* Used for bandwidth / login throttling. */
|
|
allow_nr(__NR_getpid); /* Used by logging. */
|
|
allow_nr(__NR_shutdown); /* Used for QUIT or a timeout. */
|
|
allow_nr_1_arg_match(__NR_fcntl, 2, F_GETFL);
|
|
/* It's safe to allow O_RDWR in fcntl because these flags cannot be changed.
|
|
* Also, sockets are O_RDWR.
|
|
*/
|
|
allow_nr_2_arg_mask_match(__NR_fcntl, 3, kOpenFlags|O_ACCMODE, 2, F_SETFL);
|
|
|
|
/* Config-dependent items follow. */
|
|
if (tunable_idle_session_timeout > 0)
|
|
{
|
|
allow_nr(__NR_rt_sigaction);
|
|
allow_nr(__NR_alarm);
|
|
}
|
|
if (tunable_xferlog_enable || tunable_dual_log_enable)
|
|
{
|
|
/* For file locking. */
|
|
allow_nr_1_arg_match(__NR_fcntl, 2, F_SETLKW);
|
|
allow_nr_1_arg_match(__NR_fcntl, 2, F_SETLK);
|
|
}
|
|
if (tunable_ssl_enable)
|
|
{
|
|
allow_nr_1_arg_match(__NR_recvmsg, 3, 0);
|
|
allow_nr_2_arg_match(__NR_setsockopt, 2, IPPROTO_TCP, 3, TCP_NODELAY);
|
|
}
|
|
if (tunable_syslog_enable)
|
|
{
|
|
reject_nr(__NR_socket, EACCES);
|
|
}
|
|
}
|
|
|
|
void
|
|
seccomp_sandbox_setup_postlogin(const struct vsf_session* p_sess)
|
|
{
|
|
int is_anon = p_sess->is_anonymous;
|
|
int open_flag = kOpenFlags;
|
|
if (tunable_write_enable)
|
|
{
|
|
open_flag |= O_ACCMODE;
|
|
}
|
|
|
|
/* Put lstat() first because it is a very hot syscall for large directory
|
|
* listings. And the current BPF only allows a linear scan of allowed
|
|
* syscalls.
|
|
*/
|
|
allow_nr(__NR_lstat);
|
|
|
|
/* Allow all the simple pre-login things and then expand upon them. */
|
|
seccomp_sandbox_setup_prelogin(p_sess);
|
|
|
|
/* Simple file descriptor-based operations. */
|
|
if (tunable_xferlog_enable || tunable_dual_log_enable ||
|
|
tunable_lock_upload_files)
|
|
{
|
|
allow_nr_1_arg_match(__NR_fcntl, 2, F_SETLKW);
|
|
allow_nr_1_arg_match(__NR_fcntl, 2, F_SETLK);
|
|
}
|
|
if (tunable_async_abor_enable)
|
|
{
|
|
allow_nr_2_arg_match(__NR_fcntl, 2, F_SETOWN, 3, vsf_sysutil_getpid());
|
|
}
|
|
allow_nr_2_arg_match(__NR_setsockopt, 2, SOL_SOCKET, 3, SO_KEEPALIVE);
|
|
allow_nr_2_arg_match(__NR_setsockopt, 2, SOL_SOCKET, 3, SO_LINGER);
|
|
allow_nr_2_arg_match(__NR_setsockopt, 2, IPPROTO_IP, 3, IP_TOS);
|
|
allow_nr(__NR_fstat);
|
|
allow_nr(__NR_lseek);
|
|
/* Since we use chroot() to restrict filesystem access, we can just blanket
|
|
* allow open().
|
|
*/
|
|
allow_nr_1_arg_mask(__NR_open, 2, open_flag);
|
|
allow_nr_1_arg_mask(__NR_openat, 3, open_flag);
|
|
/* Other pathname-based metadata queries. */
|
|
allow_nr(__NR_stat);
|
|
allow_nr(__NR_readlink);
|
|
/* Directory handling: query, change, read. */
|
|
allow_nr(__NR_getcwd);
|
|
allow_nr(__NR_chdir);
|
|
allow_nr(__NR_getdents);
|
|
/* Misc */
|
|
allow_nr(__NR_umask);
|
|
|
|
/* Config-dependent items follow. */
|
|
if (tunable_use_sendfile)
|
|
{
|
|
allow_nr(__NR_sendfile);
|
|
}
|
|
if (tunable_idle_session_timeout > 0 ||
|
|
tunable_data_connection_timeout > 0 ||
|
|
tunable_async_abor_enable)
|
|
{
|
|
allow_nr(__NR_rt_sigaction);
|
|
}
|
|
if (tunable_idle_session_timeout > 0 || tunable_data_connection_timeout > 0)
|
|
{
|
|
allow_nr(__NR_alarm);
|
|
}
|
|
|
|
if (tunable_one_process_model)
|
|
{
|
|
seccomp_sandbox_setup_data_connections();
|
|
if (is_anon && tunable_chown_uploads)
|
|
{
|
|
allow_nr(__NR_fchmod);
|
|
allow_nr(__NR_fchown);
|
|
}
|
|
}
|
|
else
|
|
{
|
|
/* Need to receieve file descriptors from privileged broker. */
|
|
allow_nr_1_arg_match(__NR_recvmsg, 3, 0);
|
|
if ((is_anon && tunable_chown_uploads) || tunable_ssl_enable)
|
|
{
|
|
/* Need to send file descriptors to privileged broker. */
|
|
allow_nr_1_arg_match(__NR_sendmsg, 3, 0);
|
|
}
|
|
}
|
|
|
|
if (tunable_syslog_enable)
|
|
{
|
|
/* The ability to pass an address spec isn't needed so disable it. We ensure
|
|
* the 6th arg (socklen) is 0. We could have checked the 5th arg (sockptr)
|
|
* but I don't know if 64-bit compares work in the kernel filter, so we're
|
|
* happy to check the socklen arg, which is 32 bits.
|
|
*/
|
|
allow_nr_1_arg_match(__NR_sendto, 6, 0);
|
|
}
|
|
|
|
if (tunable_text_userdb_names)
|
|
{
|
|
reject_nr(__NR_socket, EACCES);
|
|
allow_nr_2_arg_match(__NR_mmap, 3, PROT_READ, 4, MAP_SHARED);
|
|
}
|
|
|
|
if (tunable_write_enable)
|
|
{
|
|
if (!is_anon || tunable_anon_mkdir_write_enable)
|
|
{
|
|
allow_nr(__NR_mkdir);
|
|
}
|
|
if (!is_anon ||
|
|
tunable_anon_other_write_enable ||
|
|
tunable_delete_failed_uploads)
|
|
{
|
|
allow_nr(__NR_unlink);
|
|
}
|
|
if (!is_anon || tunable_anon_other_write_enable)
|
|
{
|
|
allow_nr(__NR_rmdir);
|
|
allow_nr(__NR_rename);
|
|
allow_nr(__NR_ftruncate);
|
|
if (tunable_mdtm_write)
|
|
{
|
|
allow_nr(__NR_utime);
|
|
allow_nr(__NR_utimes);
|
|
}
|
|
}
|
|
if (!is_anon && tunable_chmod_enable)
|
|
{
|
|
allow_nr(__NR_chmod);
|
|
}
|
|
}
|
|
}
|
|
|
|
void
|
|
seccomp_sandbox_setup_postlogin_broker()
|
|
{
|
|
seccomp_sandbox_setup_base();
|
|
seccomp_sandbox_setup_data_connections();
|
|
allow_nr_1_arg_match(__NR_sendmsg, 3, 0);
|
|
}
|
|
|
|
void
|
|
seccomp_sandbox_lockdown()
|
|
{
|
|
size_t len = (s_syscall_index * 2) +
|
|
(s_1_arg_validations * 3) +
|
|
(s_2_arg_validations * 5) +
|
|
(s_3_arg_validations * 7) +
|
|
5;
|
|
struct sock_filter filters[len];
|
|
struct sock_filter* p_filter = filters;
|
|
struct sock_fprog prog;
|
|
size_t i;
|
|
int ret;
|
|
|
|
prog.len = len;
|
|
prog.filter = filters;
|
|
/* Validate the syscall architecture. */
|
|
p_filter->code = BPF_LD+BPF_W+BPF_ABS;
|
|
p_filter->jt = 0;
|
|
p_filter->jf = 0;
|
|
/* Offset 4 for syscall architecture. */
|
|
p_filter->k = 4;
|
|
p_filter++;
|
|
p_filter->code = BPF_JMP+BPF_JEQ+BPF_K;
|
|
p_filter->jt = 1;
|
|
p_filter->jf = 0;
|
|
/* AUDIT_ARCH_X86_64 */
|
|
p_filter->k = 0xc000003e;
|
|
p_filter++;
|
|
p_filter->code = BPF_RET+BPF_K;
|
|
p_filter->jt = 0;
|
|
p_filter->jf = 0;
|
|
/* SECCOMP_RET_KILL */
|
|
p_filter->k = 0;
|
|
p_filter++;
|
|
|
|
/* Load the syscall number. */
|
|
p_filter->code = BPF_LD+BPF_W+BPF_ABS;
|
|
p_filter->jt = 0;
|
|
p_filter->jf = 0;
|
|
/* Offset 0 for syscall number. */
|
|
p_filter->k = 0;
|
|
p_filter++;
|
|
|
|
for (i = 0; i < s_syscall_index; ++i)
|
|
{
|
|
int block_size = 1;
|
|
if (s_args_3[i])
|
|
{
|
|
block_size = 8;
|
|
}
|
|
else if (s_args_2[i])
|
|
{
|
|
block_size = 6;
|
|
}
|
|
else if (s_args_1[i])
|
|
{
|
|
block_size = 4;
|
|
}
|
|
/* Check for syscall number match. */
|
|
p_filter->code = BPF_JMP+BPF_JEQ+BPF_K;
|
|
p_filter->jt = 0;
|
|
p_filter->jf = block_size;
|
|
p_filter->k = s_syscalls[i];
|
|
p_filter++;
|
|
/* Check argument matches if necessary. */
|
|
if (s_args_3[i])
|
|
{
|
|
p_filter->code = BPF_LD+BPF_W+BPF_ABS;
|
|
p_filter->jt = 0;
|
|
p_filter->jf = 0;
|
|
p_filter->k = 16 + ((s_args_3[i] - 1) * 8);
|
|
p_filter++;
|
|
p_filter->code = BPF_JMP+BPF_JEQ+BPF_K;
|
|
p_filter->jt = 0;
|
|
p_filter->jf = 5;
|
|
p_filter->k = s_vals_3[i];
|
|
p_filter++;
|
|
}
|
|
if (s_args_2[i])
|
|
{
|
|
p_filter->code = BPF_LD+BPF_W+BPF_ABS;
|
|
p_filter->jt = 0;
|
|
p_filter->jf = 0;
|
|
p_filter->k = 16 + ((s_args_2[i] - 1) * 8);
|
|
p_filter++;
|
|
p_filter->code = BPF_JMP+BPF_JEQ+BPF_K;
|
|
p_filter->jt = 0;
|
|
p_filter->jf = 3;
|
|
p_filter->k = s_vals_2[i];
|
|
p_filter++;
|
|
}
|
|
if (s_args_1[i])
|
|
{
|
|
int arg = s_args_1[i];
|
|
int code = BPF_JMP+BPF_JEQ+BPF_K;
|
|
int val = s_vals_1[i];
|
|
int jt = 0;
|
|
int jf = 1;
|
|
if (arg > 100)
|
|
{
|
|
arg -= 100;
|
|
code = BPF_JMP+BPF_JSET+BPF_K;
|
|
val = ~val;
|
|
jt = 1;
|
|
jf = 0;
|
|
}
|
|
p_filter->code = BPF_LD+BPF_W+BPF_ABS;
|
|
p_filter->jt = 0;
|
|
p_filter->jf = 0;
|
|
p_filter->k = 16 + ((arg - 1) * 8);
|
|
p_filter++;
|
|
p_filter->code = code;
|
|
p_filter->jt = jt;
|
|
p_filter->jf = jf;
|
|
p_filter->k = val;
|
|
p_filter++;
|
|
}
|
|
p_filter->code = BPF_RET+BPF_K;
|
|
p_filter->jt = 0;
|
|
p_filter->jf = 0;
|
|
if (!s_errnos[i])
|
|
{
|
|
/* SECCOMP_RET_ALLOW */
|
|
p_filter->k = 0x7fff0000;
|
|
}
|
|
else
|
|
{
|
|
/* SECCOMP_RET_ERRNO */
|
|
p_filter->k = 0x00050000 + s_errnos[i];
|
|
}
|
|
p_filter++;
|
|
if (s_args_1[i])
|
|
{
|
|
/* We trashed the accumulator so put it back. */
|
|
p_filter->code = BPF_LD+BPF_W+BPF_ABS;
|
|
p_filter->jt = 0;
|
|
p_filter->jf = 0;
|
|
p_filter->k = 0;
|
|
p_filter++;
|
|
}
|
|
}
|
|
/* No "allow" matches so kill. */
|
|
p_filter->code = BPF_RET+BPF_K;
|
|
p_filter->jt = 0;
|
|
p_filter->jf = 0;
|
|
#ifdef DEBUG_SIGSYS
|
|
/* SECCOMP_RET_TRAP */
|
|
p_filter->k = 0x00030000;
|
|
#else
|
|
/* SECCOMP_RET_KILL */
|
|
p_filter->k = 0;
|
|
#endif
|
|
|
|
ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
|
|
if (ret != 0)
|
|
{
|
|
if (errno == EINVAL)
|
|
{
|
|
/* Kernel isn't good enough. */
|
|
return;
|
|
}
|
|
die("prctl PR_SET_NO_NEW_PRIVS");
|
|
}
|
|
|
|
if (!tunable_seccomp_sandbox)
|
|
{
|
|
return;
|
|
}
|
|
|
|
#ifdef DEBUG_SIGSYS
|
|
{
|
|
struct sigaction sa;
|
|
memset(&sa, '\0', sizeof(sa));
|
|
sa.sa_handler = handle_sigsys;
|
|
sigaction(SIGSYS, &sa, NULL);
|
|
}
|
|
#endif
|
|
|
|
ret = prctl(PR_SET_SECCOMP, 2, &prog, 0, 0);
|
|
if (ret != 0)
|
|
{
|
|
if (errno == EINVAL)
|
|
{
|
|
/* Kernel isn't good enough. */
|
|
return;
|
|
}
|
|
die("prctl PR_SET_SECCOMP failed");
|
|
}
|
|
}
|
|
|
|
#else /* __linux__ && __x86_64__ */
|
|
|
|
void
|
|
seccomp_sandbox_init()
|
|
{
|
|
}
|
|
|
|
void
|
|
seccomp_sandbox_setup_prelogin(const struct vsf_session* p_sess)
|
|
{
|
|
(void) p_sess;
|
|
}
|
|
|
|
void
|
|
seccomp_sandbox_setup_postlogin(const struct vsf_session* p_sess)
|
|
{
|
|
(void) p_sess;
|
|
}
|
|
|
|
void
|
|
seccomp_sandbox_setup_postlogin_broker()
|
|
{
|
|
}
|
|
|
|
void
|
|
seccomp_sandbox_lockdown()
|
|
{
|
|
}
|
|
|
|
#endif /* __linux__ && __x86_64__ */
|