Switch seccomp sandbox to default-deny filter
This commit is contained in:
parent
09e452a09d
commit
4319ee57a0
@ -52,28 +52,54 @@ static inline int seccomp(unsigned int operation, unsigned int flags, void *args
|
|||||||
#define KILL_PROCESS \
|
#define KILL_PROCESS \
|
||||||
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)
|
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)
|
||||||
|
|
||||||
#define DENY_SYSCALL(name) \
|
|
||||||
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_##name, 0, 1), \
|
|
||||||
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL_PROCESS)
|
|
||||||
|
|
||||||
static sock_filter filter[] = {
|
static sock_filter filter[] = {
|
||||||
VALIDATE_ARCHITECTURE,
|
VALIDATE_ARCHITECTURE,
|
||||||
EXAMINE_SYSCALL,
|
EXAMINE_SYSCALL,
|
||||||
|
|
||||||
// examples of undesirable syscalls
|
// memory management
|
||||||
DENY_SYSCALL(execve),
|
ALLOW_SYSCALL(mmap),
|
||||||
DENY_SYSCALL(fork),
|
ALLOW_SYSCALL(munmap),
|
||||||
DENY_SYSCALL(vfork),
|
ALLOW_SYSCALL(mprotect),
|
||||||
DENY_SYSCALL(clone),
|
ALLOW_SYSCALL(madvise),
|
||||||
DENY_SYSCALL(connect),
|
ALLOW_SYSCALL(brk),
|
||||||
DENY_SYSCALL(listen),
|
|
||||||
DENY_SYSCALL(bind),
|
|
||||||
DENY_SYSCALL(kill),
|
|
||||||
DENY_SYSCALL(settimeofday),
|
|
||||||
// etc
|
|
||||||
|
|
||||||
// default-permit mode
|
// basic file IO
|
||||||
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
|
ALLOW_SYSCALL(open),
|
||||||
|
ALLOW_SYSCALL(openat),
|
||||||
|
ALLOW_SYSCALL(read),
|
||||||
|
ALLOW_SYSCALL(write),
|
||||||
|
ALLOW_SYSCALL(close),
|
||||||
|
ALLOW_SYSCALL(stat),
|
||||||
|
ALLOW_SYSCALL(fstat),
|
||||||
|
ALLOW_SYSCALL(fsync), // maybe
|
||||||
|
ALLOW_SYSCALL(creat), // maybe; for DB journal
|
||||||
|
ALLOW_SYSCALL(unlink), // for DB journal
|
||||||
|
|
||||||
|
// more IO
|
||||||
|
ALLOW_SYSCALL(pread64),
|
||||||
|
ALLOW_SYSCALL(pwrite64),
|
||||||
|
ALLOW_SYSCALL(fdatasync),
|
||||||
|
|
||||||
|
// misc libc things
|
||||||
|
ALLOW_SYSCALL(getcwd),
|
||||||
|
ALLOW_SYSCALL(getpid),
|
||||||
|
ALLOW_SYSCALL(geteuid),
|
||||||
|
ALLOW_SYSCALL(fcntl),
|
||||||
|
ALLOW_SYSCALL(exit),
|
||||||
|
ALLOW_SYSCALL(exit_group),
|
||||||
|
|
||||||
|
// threading
|
||||||
|
ALLOW_SYSCALL(futex),
|
||||||
|
|
||||||
|
// networking
|
||||||
|
ALLOW_SYSCALL(poll),
|
||||||
|
ALLOW_SYSCALL(accept),
|
||||||
|
ALLOW_SYSCALL(setsockopt),
|
||||||
|
ALLOW_SYSCALL(sendto),
|
||||||
|
ALLOW_SYSCALL(recvfrom),
|
||||||
|
ALLOW_SYSCALL(shutdown),
|
||||||
|
|
||||||
|
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL_PROCESS)
|
||||||
};
|
};
|
||||||
|
|
||||||
static sock_fprog prog = {
|
static sock_fprog prog = {
|
||||||
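Review bot: The new allowlist terminates in `BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL_PROCESS)` yet contains no `ALLOW_SYSCALL(rt_sigreturn)`, so the first signal handler that returns after the filter is loaded will have the process killed; `rt_sigaction`/`rt_sigprocmask` and `socket`/`bind`/`listen` are likewise absent, which is only safe if every listening socket and handler is established before `prog` is installed. That ordering requirement is not stated anywhere in the hunk, so a comment above `static sock_filter filter[] = {` such as `// NOTE: sockets and signal handlers must be fully set up before this filter is installed; socket/bind/listen and rt_sig* are deliberately not allowed here.` would prevent a later refactor from silently breaking the sandbox. The two `// maybe` annotations on `fsync` and `creat` should be resolved into a stated reason or a TODO, since each entry in a default-deny list is an attack-surface decision. Separately, the unchanged `KILL_PROCESS` macro at the top of the hunk still expands to `SECCOMP_RET_KILL`, which is the thread-kill action, so it no longer matches the process-kill default the filter now uses and appears to be dead once `DENY_SYSCALL` is gone; the `prog` definition continues outside the hunk.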
|