Whitelist syscalls for musl-libc, Raspberry Pi and alt libsqlite configs

This commit is contained in:
dongresource 2021-12-15 20:57:29 +01:00
parent 4319ee57a0
commit 9297e82589

View File

@ -52,12 +52,30 @@ static inline int seccomp(unsigned int operation, unsigned int flags, void *args
#define KILL_PROCESS \ #define KILL_PROCESS \
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL) BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)
/*
* The main supported configuration is Linux on x86_64 with either glibc or
* musl-libc, with secondary support for Linux on the Raspberry Pi (ARM).
*
* Syscalls marked with "maybe" don't seem to be used in the default
* configuration, but should probably be whitelisted anyway.
*
* Syscalls marked with "musl-libc", "raspi" or "alt DB" were observed to be
* necessary on that configuration, but are probably neccessary in other
* configurations as well. ("alt DB" represents libsqlite compiled with
* different options.)
*
* Syscalls marked "vdso" aren't normally caught by seccomp because they are
* implemented in the vdso(7) in most configurations, but it's still prudent
* to whitelist them here.
*/
static sock_filter filter[] = { static sock_filter filter[] = {
VALIDATE_ARCHITECTURE, VALIDATE_ARCHITECTURE,
EXAMINE_SYSCALL, EXAMINE_SYSCALL,
// memory management // memory management
#ifdef __NR_mmap
ALLOW_SYSCALL(mmap), ALLOW_SYSCALL(mmap),
#endif
ALLOW_SYSCALL(munmap), ALLOW_SYSCALL(munmap),
ALLOW_SYSCALL(mprotect), ALLOW_SYSCALL(mprotect),
ALLOW_SYSCALL(madvise), ALLOW_SYSCALL(madvise),
@ -74,19 +92,25 @@ static sock_filter filter[] = {
ALLOW_SYSCALL(fsync), // maybe ALLOW_SYSCALL(fsync), // maybe
ALLOW_SYSCALL(creat), // maybe; for DB journal ALLOW_SYSCALL(creat), // maybe; for DB journal
ALLOW_SYSCALL(unlink), // for DB journal ALLOW_SYSCALL(unlink), // for DB journal
ALLOW_SYSCALL(lseek), // musl-libc; alt DB
// more IO // more IO
ALLOW_SYSCALL(pread64), ALLOW_SYSCALL(pread64),
ALLOW_SYSCALL(pwrite64), ALLOW_SYSCALL(pwrite64),
ALLOW_SYSCALL(fdatasync), ALLOW_SYSCALL(fdatasync),
ALLOW_SYSCALL(writev), // musl-libc
ALLOW_SYSCALL(preadv), // maybe; alt-DB
ALLOW_SYSCALL(preadv2), // maybe
// misc libc things // misc syscalls called from libc
ALLOW_SYSCALL(getcwd), ALLOW_SYSCALL(getcwd),
ALLOW_SYSCALL(getpid), ALLOW_SYSCALL(getpid),
ALLOW_SYSCALL(geteuid), ALLOW_SYSCALL(geteuid),
ALLOW_SYSCALL(ioctl), // musl-libc
ALLOW_SYSCALL(fcntl), ALLOW_SYSCALL(fcntl),
ALLOW_SYSCALL(exit), ALLOW_SYSCALL(exit),
ALLOW_SYSCALL(exit_group), ALLOW_SYSCALL(exit_group),
ALLOW_SYSCALL(rt_sigprocmask), // musl-libc
// threading // threading
ALLOW_SYSCALL(futex), ALLOW_SYSCALL(futex),
@ -99,6 +123,46 @@ static sock_filter filter[] = {
ALLOW_SYSCALL(recvfrom), ALLOW_SYSCALL(recvfrom),
ALLOW_SYSCALL(shutdown), ALLOW_SYSCALL(shutdown),
// vdso
ALLOW_SYSCALL(clock_gettime),
ALLOW_SYSCALL(gettimeofday),
#ifdef __NR_time
ALLOW_SYSCALL(time),
#endif
ALLOW_SYSCALL(rt_sigreturn),
// Raspberry Pi (ARM)
#ifdef __NR_set_robust_list
ALLOW_SYSCALL(set_robust_list),
#endif
#ifdef __NR_clock_gettime64
ALLOW_SYSCALL(clock_gettime64),
#endif
#ifdef __NR_mmap2
ALLOW_SYSCALL(mmap2),
#endif
#ifdef __NR_fcntl64
ALLOW_SYSCALL(fcntl64),
#endif
#ifdef __NR_stat64
ALLOW_SYSCALL(stat64),
#endif
#ifdef __NR_send
ALLOW_SYSCALL(send),
#endif
#ifdef __NR_recv
ALLOW_SYSCALL(recv),
#endif
#ifdef __NR_fstat64
ALLOW_SYSCALL(fstat64),
#endif
#ifdef __NR_geteuid32
ALLOW_SYSCALL(geteuid32),
#endif
#ifdef __NR_sigreturn
ALLOW_SYSCALL(sigreturn), // vdso
#endif
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL_PROCESS) BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL_PROCESS)
}; };