int main(int argc, char *argv[])
{
int rc;
struct util_options opts;
scmp_filter_ctx ctx = NULL;
rc = util_getopt(argc, argv, &opts);
if (rc < 0)
goto out;
ctx = seccomp_init(SCMP_ACT_KILL);
if (ctx == NULL)
return ENOMEM;
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 0);
if (rc != 0)
goto out;
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0);
if (rc != 0)
goto out;
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 3,
SCMP_A0(SCMP_CMP_EQ, STDIN_FILENO),
SCMP_A1(SCMP_CMP_NE, 0x0),
SCMP_A2(SCMP_CMP_LT, SSIZE_MAX));
if (rc != 0)
goto out;
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 3,
SCMP_A0(SCMP_CMP_EQ, STDOUT_FILENO),
SCMP_A1(SCMP_CMP_NE, 0x0),
SCMP_A2(SCMP_CMP_LT, SSIZE_MAX));
if (rc != 0)
goto out;
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 3,
SCMP_A0(SCMP_CMP_EQ, STDERR_FILENO),
SCMP_A1(SCMP_CMP_NE, 0x0),
SCMP_A2(SCMP_CMP_LT, SSIZE_MAX));
if (rc != 0)
goto out;
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0);
if (rc != 0)
goto out;
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigreturn), 0);
if (rc != 0)
goto out;
rc = util_filter_output(&opts, ctx);
if (rc)
goto out;
out:
seccomp_release(ctx);
return (rc < 0 ? -rc : rc);
}
static int setup(struct spt *spt)
{
if (diskfile == NULL)
return 0; /* not present */
diskfd = open(diskfile, O_RDWR);
if (diskfd == -1)
err(1, "Could not open disk: %s", diskfile);
off_t capacity = lseek(diskfd, 0, SEEK_END);
if (capacity == -1)
err(1, "%s: Could not determine capacity", diskfile);
if (capacity < 512)
errx(1, "%s: Backing storage must be at least 1 block (512 bytes) "
"in size", diskfile);
spt->bi->blocki.present = 1;
spt->bi->blocki.block_size = 512;
spt->bi->blocki.capacity = capacity;
spt->bi->blocki.hostfd = diskfd;
int rc = -1;
/*
* When reading or writing to the file descriptor, enforce that the
* operation cannot be performed beyond the (detected) capacity, otherwise,
* when backed by a regular file, the guest could grow the file size
* arbitrarily.
*
* The Solo5 API mandates that reads/writes must be equal to block_size, so
* we implement the above by ensuring that (A2 == block_size) && (A3 <=
* (capacity - block_size) holds.
*/
rc = seccomp_rule_add(spt->sc_ctx, SCMP_ACT_ALLOW, SCMP_SYS(pread64), 3,
SCMP_A0(SCMP_CMP_EQ, diskfd),
SCMP_A2(SCMP_CMP_EQ, spt->bi->blocki.block_size),
SCMP_A3(SCMP_CMP_LE,
(spt->bi->blocki.capacity - spt->bi->blocki.block_size)));
if (rc != 0)
errx(1, "seccomp_rule_add(pread64, fd=%d) failed: %s", diskfd,
strerror(-rc));
rc = seccomp_rule_add(spt->sc_ctx, SCMP_ACT_ALLOW, SCMP_SYS(pwrite64), 3,
SCMP_A0(SCMP_CMP_EQ, diskfd),
SCMP_A2(SCMP_CMP_EQ, spt->bi->blocki.block_size),
SCMP_A3(SCMP_CMP_LE,
(spt->bi->blocki.capacity - spt->bi->blocki.block_size)));
if (rc != 0)
errx(1, "seccomp_rule_add(pwrite64, fd=%d) failed: %s", diskfd,
strerror(-rc));
return 0;
}
int setup_seccomp(uint64_t cap_list_retain) {
scmp_filter_ctx seccomp;
int r;
seccomp = seccomp_init(SCMP_ACT_ALLOW);
if (!seccomp)
return log_oom();
r = seccomp_add_secondary_archs(seccomp);
if (r < 0) {
log_error_errno(r, "Failed to add secondary archs to seccomp filter: %m");
goto finish;
}
r = seccomp_add_default_syscall_filter(seccomp, cap_list_retain);
if (r < 0)
goto finish;
/*
Audit is broken in containers, much of the userspace audit
hookup will fail if running inside a container. We don't
care and just turn off creation of audit sockets.
This will make socket(AF_NETLINK, *, NETLINK_AUDIT) fail
with EAFNOSUPPORT which audit userspace uses as indication
that audit is disabled in the kernel.
*/
r = seccomp_rule_add(
seccomp,
SCMP_ACT_ERRNO(EAFNOSUPPORT),
SCMP_SYS(socket),
2,
SCMP_A0(SCMP_CMP_EQ, AF_NETLINK),
SCMP_A2(SCMP_CMP_EQ, NETLINK_AUDIT));
if (r < 0) {
log_error_errno(r, "Failed to add audit seccomp rule: %m");
goto finish;
}
r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
if (r < 0) {
log_error_errno(r, "Failed to unset NO_NEW_PRIVS: %m");
goto finish;
}
r = seccomp_load(seccomp);
if (r == -EINVAL) {
log_debug_errno(r, "Kernel is probably not configured with CONFIG_SECCOMP. Disabling seccomp audit filter: %m");
r = 0;
goto finish;
}
if (r < 0) {
log_error_errno(r, "Failed to install seccomp audit filter: %m");
goto finish;
}
finish:
seccomp_release(seccomp);
return r;
}
void GenHash::calcGenHash()
{
sandbox_init();
// cannot excute execve
prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
kDebug() << "execve" << execve("ls",NULL,NULL);
if (child_pid){
KParts::ReadOnlyPart * part = qobject_cast<KParts::ReadOnlyPart *>(parent());
QFile file(KFileDialog::getOpenFileName(KUrl("kfiledialog:///konqueror"), i18n("*"), part->widget(), i18n("Open File To make MD5.")));
if (!file.open(QIODevice::ReadOnly))
{
return;
}
// TODO QFile
//char s[1024];
// write file content
{
close(pipe_fd[0]);
QByteArray s = file.readAll();
char *ch = s.data();
if (write(pipe_fd[1], ch, s.size()) < 0) {
perror("write");
}
close(pipe_fd[1]);
}
//read result
{
close(pipe_result_fd[1]);
char result[128];
if (read(pipe_result_fd[0], &result[0], 128) < 0){
perror("read");
}
close(pipe_result_fd[0]);
KMessageBox::information(part->widget(),i18n("Md5 : %1").arg(QString(QByteArray(result, 128))));
}
}else{
scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_KILL);
seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0);
seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 3,
SCMP_A0(SCMP_CMP_EQ, (scmp_datum_t)pipe_fd[0]),
SCMP_A1(SCMP_CMP_EQ, (scmp_datum_t)buff),
SCMP_A2(SCMP_CMP_LE, 1024));
seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1,
SCMP_CMP(0, SCMP_CMP_EQ, (scmp_datum_t)pipe_result_fd[1]));
seccomp_load(ctx);
seccomp_release(ctx);
calcMD5();
}
}
int waive(const int flags)
{
scmp_filter_ctx ctx;
int ret = -1;
ctx = seccomp_init(SCMP_ACT_ALLOW);
if (NULL == ctx)
goto out;
if (0 != (WAIVE_SOCKET & flags)) {
if (0 != seccomp_rule_add(ctx,
SCMP_ACT_ERRNO(EPERM),
SCMP_SYS(socket),
0))
goto release;
if (0 != seccomp_rule_add(ctx,
SCMP_ACT_ERRNO(EPERM),
SCMP_SYS(socketpair),
0))
goto release;
}
else {
if (0 != (WAIVE_INET & flags)) {
if (0 != seccomp_rule_add(ctx,
SCMP_ACT_ERRNO(EPERM),
SCMP_SYS(socket),
1,
SCMP_A0(SCMP_CMP_EQ, AF_INET)))
goto release;
if (0 != seccomp_rule_add(ctx,
SCMP_ACT_ERRNO(EPERM),
SCMP_SYS(socket),
1,
SCMP_A0(SCMP_CMP_EQ, AF_INET6)))
goto release;
if (0 != seccomp_rule_add(ctx,
SCMP_ACT_ERRNO(EPERM),
SCMP_SYS(socketpair),
1,
SCMP_A0(SCMP_CMP_EQ, AF_INET)))
goto release;
if (0 != seccomp_rule_add(ctx,
SCMP_ACT_ERRNO(EPERM),
SCMP_SYS(socketpair),
1,
SCMP_A0(SCMP_CMP_EQ, AF_INET6)))
goto release;
}
if (0 != (WAIVE_UN & flags)) {
if (0 != seccomp_rule_add(ctx,
SCMP_ACT_ERRNO(EPERM),
SCMP_SYS(socket),
1,
SCMP_A0(SCMP_CMP_EQ, AF_UNIX)))
goto release;
if (0 != seccomp_rule_add(ctx,
SCMP_ACT_ERRNO(EPERM),
SCMP_SYS(socketpair),
1,
SCMP_A0(SCMP_CMP_EQ, AF_UNIX)))
goto release;
}
if (0 != (WAIVE_PACKET & flags)) {
if (0 != seccomp_rule_add(ctx,
SCMP_ACT_ERRNO(EPERM),
SCMP_SYS(socket),
1,
SCMP_A0(SCMP_CMP_EQ, AF_PACKET)))
goto release;
if (0 != seccomp_rule_add(ctx,
SCMP_ACT_ERRNO(EPERM),
SCMP_SYS(socketpair),
1,
SCMP_A0(SCMP_CMP_EQ, AF_PACKET)))
goto release;
}
}
if (0 != (WAIVE_MOUNT & flags)) {
if (0 != seccomp_rule_add(ctx,
SCMP_ACT_ERRNO(EPERM),
SCMP_SYS(mount),
0))
goto release;
if (0 != seccomp_rule_add(ctx,
SCMP_ACT_ERRNO(EPERM),
SCMP_SYS(umount),
0))
goto release;
if (0 != seccomp_rule_add(ctx,
SCMP_ACT_ERRNO(EPERM),
SCMP_SYS(umount2),
0))
goto release;
}
if (0 != (WAIVE_OPEN & flags)) {
if (0 != seccomp_rule_add(ctx,
SCMP_ACT_ERRNO(EPERM),
SCMP_SYS(open),
0))
goto release;
if (0 != seccomp_rule_add(ctx,
SCMP_ACT_ERRNO(EPERM),
SCMP_SYS(openat),
0))
goto release;
if (0 != seccomp_rule_add(ctx,
SCMP_ACT_ERRNO(EPERM),
SCMP_SYS(creat),
0))
goto release;
}
if (0 != (WAIVE_EXEC & flags)) {
if (0 != seccomp_rule_add(ctx,
SCMP_ACT_ERRNO(EPERM),
SCMP_SYS(execve),
0))
goto release;
#ifdef __NR_execveat
if (0 != seccomp_rule_add(ctx,
SCMP_ACT_ERRNO(EPERM),
SCMP_SYS(execveat),
0))
goto release;
#endif
if (0 != seccomp_rule_add(ctx,
SCMP_ACT_ERRNO(EPERM),
SCMP_SYS(mprotect),
1,
SCMP_A2(SCMP_CMP_EQ, PROT_EXEC)))
goto release;
if (0 != seccomp_rule_add(ctx,
SCMP_ACT_ERRNO(EPERM),
SCMP_SYS(mprotect),
1,
SCMP_A2(SCMP_CMP_EQ, PROT_READ | PROT_EXEC)))
goto release;
if (0 != seccomp_rule_add(ctx,
SCMP_ACT_ERRNO(EPERM),
SCMP_SYS(mprotect),
1,
SCMP_A2(SCMP_CMP_EQ, PROT_WRITE | PROT_EXEC)))
goto release;
if (0 != seccomp_rule_add(ctx,
SCMP_ACT_ERRNO(EPERM),
SCMP_SYS(mprotect),
1,
SCMP_A2(SCMP_CMP_EQ,
PROT_READ | PROT_WRITE | PROT_EXEC)))
goto release;
if (0 != seccomp_rule_add(ctx,
SCMP_ACT_ERRNO(EPERM),
SCMP_SYS(mmap),
1,
SCMP_A2(SCMP_CMP_EQ, PROT_READ | PROT_EXEC)))
goto release;
if (0 != seccomp_rule_add(ctx,
SCMP_ACT_ERRNO(EPERM),
SCMP_SYS(mmap),
1,
SCMP_A2(SCMP_CMP_EQ, PROT_WRITE | PROT_EXEC)))
goto release;
if (0 != seccomp_rule_add(ctx,
SCMP_ACT_ERRNO(EPERM),
SCMP_SYS(mmap),
1,
SCMP_A2(SCMP_CMP_EQ,
PROT_READ | PROT_WRITE | PROT_EXEC)))
goto release;
if (0 != seccomp_rule_add(ctx,
SCMP_ACT_ERRNO(EPERM),
SCMP_SYS(mmap2),
1,
SCMP_A2(SCMP_CMP_EQ, PROT_WRITE | PROT_EXEC)))
goto release;
if (0 != seccomp_rule_add(ctx,
SCMP_ACT_ERRNO(EPERM),
SCMP_SYS(mmap2),
1,
SCMP_A2(SCMP_CMP_EQ,
PROT_READ | PROT_WRITE | PROT_EXEC)))
goto release;
}
if (0 != (WAIVE_CLONE & flags)) {
if (0 != seccomp_rule_add(ctx,
SCMP_ACT_ERRNO(EPERM),
SCMP_SYS(clone),
0))
goto release;
}
if (0 != (WAIVE_KILL & flags)) {
if (0 != seccomp_rule_add(ctx,
SCMP_ACT_ERRNO(EPERM),
SCMP_SYS(kill),
1,
SCMP_A0(SCMP_CMP_NE, 0)))
goto release;
if (0 != seccomp_rule_add(ctx,
SCMP_ACT_ERRNO(EPERM),
SCMP_SYS(tkill),
1,
SCMP_A0(SCMP_CMP_NE, 0)))
goto release;
if (0 != seccomp_rule_add(ctx,
SCMP_ACT_ERRNO(EPERM),
SCMP_SYS(tgkill),
1,
SCMP_A0(SCMP_CMP_NE, 0)))
goto release;
}
if (0 != (WAIVE_PIPE & flags)) {
if (0 != seccomp_rule_add(ctx,
SCMP_ACT_ERRNO(EPERM),
SCMP_SYS(pipe),
0))
goto release;
if (0 != seccomp_rule_add(ctx,
SCMP_ACT_ERRNO(EPERM),
SCMP_SYS(pipe2),
0))
goto release;
if (0 != seccomp_rule_add(ctx,
SCMP_ACT_ERRNO(EPERM),
SCMP_SYS(mknod),
0))
goto release;
if (0 != seccomp_rule_add(ctx,
SCMP_ACT_ERRNO(EPERM),
SCMP_SYS(mknodat),
0))
goto release;
}
if (0 == seccomp_load(ctx))
ret = 0;
release:
seccomp_release(ctx);
out:
return ret;
}
