Switch seccomp sandbox to default-deny filter

This commit is contained in:
dongresource 2021-11-05 18:22:55 +01:00
parent 09e452a09d
commit 4319ee57a0

View File

@ -52,28 +52,54 @@ static inline int seccomp(unsigned int operation, unsigned int flags, void *args
#define KILL_PROCESS \ #define KILL_PROCESS \
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL) BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)
#define DENY_SYSCALL(name) \
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_##name, 0, 1), \
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL_PROCESS)
static sock_filter filter[] = { static sock_filter filter[] = {
VALIDATE_ARCHITECTURE, VALIDATE_ARCHITECTURE,
EXAMINE_SYSCALL, EXAMINE_SYSCALL,
// examples of undesirable syscalls // memory management
DENY_SYSCALL(execve), ALLOW_SYSCALL(mmap),
DENY_SYSCALL(fork), ALLOW_SYSCALL(munmap),
DENY_SYSCALL(vfork), ALLOW_SYSCALL(mprotect),
DENY_SYSCALL(clone), ALLOW_SYSCALL(madvise),
DENY_SYSCALL(connect), ALLOW_SYSCALL(brk),
DENY_SYSCALL(listen),
DENY_SYSCALL(bind),
DENY_SYSCALL(kill),
DENY_SYSCALL(settimeofday),
// etc
// default-permit mode // basic file IO
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) ALLOW_SYSCALL(open),
ALLOW_SYSCALL(openat),
ALLOW_SYSCALL(read),
ALLOW_SYSCALL(write),
ALLOW_SYSCALL(close),
ALLOW_SYSCALL(stat),
ALLOW_SYSCALL(fstat),
ALLOW_SYSCALL(fsync), // maybe
ALLOW_SYSCALL(creat), // maybe; for DB journal
ALLOW_SYSCALL(unlink), // for DB journal
// more IO
ALLOW_SYSCALL(pread64),
ALLOW_SYSCALL(pwrite64),
ALLOW_SYSCALL(fdatasync),
// misc libc things
ALLOW_SYSCALL(getcwd),
ALLOW_SYSCALL(getpid),
ALLOW_SYSCALL(geteuid),
ALLOW_SYSCALL(fcntl),
ALLOW_SYSCALL(exit),
ALLOW_SYSCALL(exit_group),
// threading
ALLOW_SYSCALL(futex),
// networking
ALLOW_SYSCALL(poll),
ALLOW_SYSCALL(accept),
ALLOW_SYSCALL(setsockopt),
ALLOW_SYSCALL(sendto),
ALLOW_SYSCALL(recvfrom),
ALLOW_SYSCALL(shutdown),
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL_PROCESS)
}; };
static sock_fprog prog = { static sock_fprog prog = {