Diffstat (limited to 'src/fseccomp')
-rw-r--r-- | src/fseccomp/fseccomp.h | 3 | ||||
-rw-r--r-- | src/fseccomp/main.c | 3 | ||||
-rw-r--r-- | src/fseccomp/seccomp.c | 54 | ||||
-rw-r--r-- | src/fseccomp/seccomp_file.c | 2 |
4 files changed, 61 insertions, 1 deletions
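--- a/src/fseccomp/fseccomp.h
+++ b/src/fseccomp/fseccomp.h
@@ -48,6 +48,7 @@ void seccomp_secondary_64(const char *fname);
 void seccomp_secondary_32(const char *fname);
 
 // seccomp_file.c
+void write_to_file(int fd, const void *data, int size);
 void filter_init(int fd);
 void filter_add_whitelist(int fd, int syscall, int arg);
 void filter_add_blacklist(int fd, int syscall, int arg);
@@ -64,6 +65,8 @@ void seccomp_drop(const char *fname, char *list, int allow_debuggers);
 void seccomp_default_drop(const char *fname, char *list, int allow_debuggers);
 // whitelisted filter
 void seccomp_keep(const char *fname, char *list);
+// block writable and executable memory
+void memory_deny_write_execute(const char *fname);
 
 // seccomp_print
 void filter_print(const char *fname);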
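--- a/src/fseccomp/main.c
+++ b/src/fseccomp/main.c
@@ -35,6 +35,7 @@ static void usage(void) {
 printf("\tfseccomp default drop file list\n");
 printf("\tfseccomp default drop file list allow-debuggers\n");
 printf("\tfseccomp keep file list\n");
+printf("\tfseccomp memory-deny-write-execute file\n");
 printf("\tfseccomp print file\n");
 }
 
@@ -87,6 +88,8 @@ printf("\n");
 seccomp_default_drop(argv[3], argv[4], 1);
 else if (argc == 4 && strcmp(argv[1], "keep") == 0)
 seccomp_keep(argv[2], argv[3]);
+else if (argc == 3 && strcmp(argv[1], "memory-deny-write-execute") == 0)
+memory_deny_write_execute(argv[2]);
 else if (argc == 3 && strcmp(argv[1], "print") == 0)
 filter_print(argv[2]);
 else {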
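--- a/src/fseccomp/seccomp.c
+++ b/src/fseccomp/seccomp.c
@@ -19,7 +19,10 @@
 */
 #include "fseccomp.h"
 #include "../include/seccomp.h"
+#include <sys/mman.h>
+#include <sys/shm.h>
 #include <sys/syscall.h>
+#include <sys/types.h>
 
 static void add_default_list(int fd, int allow_debuggers) {
 #ifdef SYS_mount
@@ -428,3 +431,54 @@ void seccomp_keep(const char *fname, char *list) {
 // close file
 close(fd);
 }
+
+void memory_deny_write_execute(const char *fname) {
+// open file
+int fd = open(fname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+if (fd < 0) {
+fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname);
+exit(1);
+}
+
+filter_init(fd);
+
+// build filter
+static const struct sock_filter filter[] = {
+#ifndef __x86_64__
+// block old multiplexing mmap syscall for i386
+BLACKLIST(SYS_mmap),
+#endif
+// block mmap(,,x|PROT_WRITE|PROT_EXEC) so W&X memory can't be created
+#ifndef __x86_64__
+// mmap2 is used for mmap on i386 these days
+BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_mmap2, 0, 5),
+#else
+BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_mmap, 0, 5),
+#endif
+EXAMINE_ARGUMENT(2),
+BPF_STMT(BPF_ALU+BPF_AND+BPF_K, PROT_WRITE|PROT_EXEC),
+BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, PROT_WRITE|PROT_EXEC, 0, 1),
+KILL_PROCESS,
+RETURN_ALLOW,
+// block mprotect(,,PROT_EXEC) so writable memory can't be turned into executable
+BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_mprotect, 0, 5),
+EXAMINE_ARGUMENT(2),
+BPF_STMT(BPF_ALU+BPF_AND+BPF_K, PROT_EXEC),
+BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, PROT_EXEC, 0, 1),
+KILL_PROCESS,
+RETURN_ALLOW,
+// block shmat(,,x|SHM_EXEC) so W&X shared memory can't be created
+BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_shmat, 0, 5),
+EXAMINE_ARGUMENT(2),
+BPF_STMT(BPF_ALU+BPF_AND+BPF_K, SHM_EXEC),
+BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SHM_EXEC, 0, 1),
+KILL_PROCESS,
+RETURN_ALLOW
+};
+write_to_file(fd, filter, sizeof(filter));
+
+filter_end_blacklist(fd);
+
+// close file
+close(fd);
+}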
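Review bot: The `#ifndef __x86_64__` gates at 447 and 452 treat every non-x86_64 build as i386, so on an architecture such as aarch64 that has a real `SYS_mmap` and no `SYS_mmap2` this either fails to compile or blacklists every mmap call; keying both branches on `#ifdef SYS_mmap2` (or `__i386__`) keeps the i386 behaviour and compiles elsewhere. On x86_64, `pkey_mprotect(addr, len, PROT_EXEC, -1)` changes page protections exactly like mprotect but is not in the filter, so it sidesteps the mprotect check at 464-469; the same six-instruction block under `#ifdef SYS_pkey_mprotect` closes that gap. `SYS_shmat` at 471 is used without the `#ifdef` guard this file applies to `SYS_mount` at 28, and on some 32-bit targets shmat may only be reachable through the `ipc` multiplexer, which the filter does not inspect. The hard-coded skip counts of 5 assume `EXAMINE_ARGUMENT(2)` expands to a single BPF instruction and that `filter_init` pins the audit arch, neither of which is visible here, so a comment such as `// each check is exactly 6 instructions; the JEQ skip counts depend on it` would protect the next editor. A seccomp W^X filter still permits a writable and an executable mapping of the same file or memfd, so the comment at 451 should say the filter blocks W+X within one mapping rather than implying all runtime code generation is prevented.
```c
#ifdef SYS_mmap2
// block old multiplexing mmap syscall on targets that still have it (i386)
BLACKLIST(SYS_mmap),
// mmap2 is used for mmap on i386 these days
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_mmap2, 0, 5),
#else
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_mmap, 0, 5),
#endif
// … unchanged: mmap prot check, mprotect check …
#ifdef SYS_pkey_mprotect
// pkey_mprotect(,,PROT_EXEC,) changes protections like mprotect; apply the same rule
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_pkey_mprotect, 0, 5),
EXAMINE_ARGUMENT(2),
BPF_STMT(BPF_ALU+BPF_AND+BPF_K, PROT_EXEC),
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, PROT_EXEC, 0, 1),
KILL_PROCESS,
RETURN_ALLOW,
#endif
#ifdef SYS_shmat
// … unchanged: shmat SHM_EXEC check …
#endif
```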
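--- a/src/fseccomp/seccomp_file.c
+++ b/src/fseccomp/seccomp_file.c
@@ -21,7 +21,7 @@
 #include "../include/seccomp.h"
 #include <sys/syscall.h>
 
-static void write_to_file(int fd, void *data, int size) {
+void write_to_file(int fd, const void *data, int size) {
 assert(data);
 assert(size);
 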
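Review bot: `write_to_file` becomes an exported symbol at line 24 but keeps `int size`, while the new caller in seccomp.c passes `sizeof(filter)`, a `size_t`, which silently narrows; `void write_to_file(int fd, const void *data, size_t size)` in both this definition and the prototype in fseccomp.h would match what callers actually pass. The `assert(size)` on line 26 is the only length validation visible and disappears under NDEBUG, so a zero or negative size would reach whatever write loop follows. The body of write_to_file continues past the end of this hunk, so how short writes and errors are handled cannot be checked here; a one-line comment on the now-public prototype stating that contract, for example `// write size bytes from data to fd; see seccomp_file.c for short-write handling`, would document it for callers.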