void
sandbox_setup()
{
sandbox_setup_base();
sandbox_setup_data_connections();
/* Misc simple low-risk calls */
allow_nr(__NR_nanosleep); /* Used for bandwidth / login throttling. */
allow_nr(__NR_getpid); /* Used by logging. */
allow_nr(__NR_shutdown); /* Used for QUIT or a timeout. */
allow_nr_1_arg_match(__NR_fcntl, 2, F_GETFL);
/* It's safe to allow O_RDWR in fcntl because these flags cannot be changed.
* Also, sockets are O_RDWR.
*/
allow_nr_2_arg_mask_match(__NR_fcntl, 3, kOpenFlags|O_ACCMODE, 2, F_SETFL);
return;
}
void
seccomp_sandbox_setup_prelogin(const struct vsf_session* p_sess)
{
(void) p_sess;
seccomp_sandbox_setup_base();
/* Peeking FTP commands from the network. */
allow_nr_1_arg_match(__NR_recvfrom, 4, MSG_PEEK);
/* Misc simple low-risk calls */
allow_nr(__NR_nanosleep); /* Used for bandwidth / login throttling. */
allow_nr(__NR_getpid); /* Used by logging. */
allow_nr(__NR_shutdown); /* Used for QUIT or a timeout. */
allow_nr_1_arg_match(__NR_fcntl, 2, F_GETFL);
/* It's safe to allow O_RDWR in fcntl because these flags cannot be changed.
* Also, sockets are O_RDWR.
*/
allow_nr_2_arg_mask_match(__NR_fcntl, 3, kOpenFlags|O_ACCMODE, 2, F_SETFL);
/* Config-dependent items follow. */
if (tunable_idle_session_timeout > 0)
{
allow_nr(__NR_rt_sigaction);
allow_nr(__NR_alarm);
}
if (tunable_xferlog_enable || tunable_dual_log_enable)
{
/* For file locking. */
allow_nr_1_arg_match(__NR_fcntl, 2, F_SETLKW);
allow_nr_1_arg_match(__NR_fcntl, 2, F_SETLK);
}
if (tunable_ssl_enable)
{
allow_nr_1_arg_match(__NR_recvmsg, 3, 0);
allow_nr_2_arg_match(__NR_setsockopt, 2, IPPROTO_TCP, 3, TCP_NODELAY);
}
if (tunable_syslog_enable)
{
reject_nr(__NR_socket, EACCES);
}
}
