Diffstat (limited to 'src/fseccomp/seccomp.c')
-rw-r--r-- | src/fseccomp/seccomp.c | 32 |
1 files changed, 2 insertions, 30 deletions
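--- a/src/fseccomp/seccomp.c
+++ b/src/fseccomp/seccomp.c
@@ -164,6 +164,8 @@ void seccomp_default_drop(const char *fname1, const char *fname2, char *list, in
 }
 
 void seccomp_keep(const char *fname1, const char *fname2, char *list) {
+(void) fname2;
+
 // open file for pre-exec filter
 int fd = open(fname1, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
 if (fd < 0) {
@@ -187,36 +189,6 @@ void seccomp_keep(const char *fname1, const char *fname2, char *list) {
 
 // close file
 close(fd);
-
-#if 0
-// There is something very wrong here with the file descriptors, "ls -l /proc/self/fd" will show no file
-// after running this code. We don't need the postexec filter in this case anyway.
-printf("@@seccomp_keep start %s %s %s\n", fname1, fname2, list);
-system("ls -l /proc/self/fd");
-printf("@@seccomp_keep start %s %s %s\n", fname1, fname2, list);
-// open file for post-exec filter
-fd = open(fname2, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
-if (fd < 0) {
-fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname2);
-exit(1);
-}
-
-// build post-exec filter: whitelist without @default-keep
-filter_init(fd);
-
-if (syscall_check_list(list, filter_add_whitelist, fd, 0, NULL)) {
-fprintf(stderr, "Error fseccomp: cannot build seccomp filter\n");
-exit(1);
-}
-
-filter_end_whitelist(fd);
-
-// close file
-close(fd);
-printf("@@seccomp_keep end %s %s %s\n", fname1, fname2, list);
-system("ls -l /proc/self/fd");
-printf("@@seccomp_keep end %s %s %s\n", fname1, fname2, list);
-#endif
 }
 
 void memory_deny_write_execute(const char *fname) {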
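Review bot: The added `(void) fname2;` at the top of seccomp_keep discards the post-exec filter path without saying why, while the deleted `#if 0` block was the only place that recorded the reason ("we don't need the postexec filter in this case"); that rationale should survive the deletion as a comment on the new line, e.g. `(void) fname2;  // post-exec filter path: seccomp_keep only builds the pre-exec filter (fname1), no file is written to fname2`. The signature still advertises two output files, so any caller or later stage that expects fname2 to exist after this call (not visible in this hunk) should be checked against the new behavior, since a missing filter file is easy to mistake for an applied filter. seccomp_keep's body between the two hunks, including the error handling after the `open` at line 171, is outside the hunk.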