int main(int argc, char *argv[]) { int rc; struct util_options opts; scmp_filter_ctx ctx = NULL; rc = util_getopt(argc, argv, &opts); if (rc < 0) goto out; ctx = seccomp_init(SCMP_ACT_KILL); if (ctx == NULL) return ENOMEM; rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 0); if (rc != 0) goto out; rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0); if (rc != 0) goto out; rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 3, SCMP_A0(SCMP_CMP_EQ, STDIN_FILENO), SCMP_A1(SCMP_CMP_NE, 0x0), SCMP_A2(SCMP_CMP_LT, SSIZE_MAX)); if (rc != 0) goto out; rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 3, SCMP_A0(SCMP_CMP_EQ, STDOUT_FILENO), SCMP_A1(SCMP_CMP_NE, 0x0), SCMP_A2(SCMP_CMP_LT, SSIZE_MAX)); if (rc != 0) goto out; rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 3, SCMP_A0(SCMP_CMP_EQ, STDERR_FILENO), SCMP_A1(SCMP_CMP_NE, 0x0), SCMP_A2(SCMP_CMP_LT, SSIZE_MAX)); if (rc != 0) goto out; rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0); if (rc != 0) goto out; rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigreturn), 0); if (rc != 0) goto out; rc = util_filter_output(&opts, ctx); if (rc) goto out; out: seccomp_release(ctx); return (rc < 0 ? -rc : rc); }
static int setup(struct spt *spt) { if (diskfile == NULL) return 0; /* not present */ diskfd = open(diskfile, O_RDWR); if (diskfd == -1) err(1, "Could not open disk: %s", diskfile); off_t capacity = lseek(diskfd, 0, SEEK_END); if (capacity == -1) err(1, "%s: Could not determine capacity", diskfile); if (capacity < 512) errx(1, "%s: Backing storage must be at least 1 block (512 bytes) " "in size", diskfile); spt->bi->blocki.present = 1; spt->bi->blocki.block_size = 512; spt->bi->blocki.capacity = capacity; spt->bi->blocki.hostfd = diskfd; int rc = -1; /* * When reading or writing to the file descriptor, enforce that the * operation cannot be performed beyond the (detected) capacity, otherwise, * when backed by a regular file, the guest could grow the file size * arbitrarily. * * The Solo5 API mandates that reads/writes must be equal to block_size, so * we implement the above by ensuring that (A2 == block_size) && (A3 <= * (capacity - block_size) holds. */ rc = seccomp_rule_add(spt->sc_ctx, SCMP_ACT_ALLOW, SCMP_SYS(pread64), 3, SCMP_A0(SCMP_CMP_EQ, diskfd), SCMP_A2(SCMP_CMP_EQ, spt->bi->blocki.block_size), SCMP_A3(SCMP_CMP_LE, (spt->bi->blocki.capacity - spt->bi->blocki.block_size))); if (rc != 0) errx(1, "seccomp_rule_add(pread64, fd=%d) failed: %s", diskfd, strerror(-rc)); rc = seccomp_rule_add(spt->sc_ctx, SCMP_ACT_ALLOW, SCMP_SYS(pwrite64), 3, SCMP_A0(SCMP_CMP_EQ, diskfd), SCMP_A2(SCMP_CMP_EQ, spt->bi->blocki.block_size), SCMP_A3(SCMP_CMP_LE, (spt->bi->blocki.capacity - spt->bi->blocki.block_size))); if (rc != 0) errx(1, "seccomp_rule_add(pwrite64, fd=%d) failed: %s", diskfd, strerror(-rc)); return 0; }
int setup_seccomp(uint64_t cap_list_retain) { scmp_filter_ctx seccomp; int r; seccomp = seccomp_init(SCMP_ACT_ALLOW); if (!seccomp) return log_oom(); r = seccomp_add_secondary_archs(seccomp); if (r < 0) { log_error_errno(r, "Failed to add secondary archs to seccomp filter: %m"); goto finish; } r = seccomp_add_default_syscall_filter(seccomp, cap_list_retain); if (r < 0) goto finish; /* Audit is broken in containers, much of the userspace audit hookup will fail if running inside a container. We don't care and just turn off creation of audit sockets. This will make socket(AF_NETLINK, *, NETLINK_AUDIT) fail with EAFNOSUPPORT which audit userspace uses as indication that audit is disabled in the kernel. */ r = seccomp_rule_add( seccomp, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 2, SCMP_A0(SCMP_CMP_EQ, AF_NETLINK), SCMP_A2(SCMP_CMP_EQ, NETLINK_AUDIT)); if (r < 0) { log_error_errno(r, "Failed to add audit seccomp rule: %m"); goto finish; } r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0); if (r < 0) { log_error_errno(r, "Failed to unset NO_NEW_PRIVS: %m"); goto finish; } r = seccomp_load(seccomp); if (r == -EINVAL) { log_debug_errno(r, "Kernel is probably not configured with CONFIG_SECCOMP. Disabling seccomp audit filter: %m"); r = 0; goto finish; } if (r < 0) { log_error_errno(r, "Failed to install seccomp audit filter: %m"); goto finish; } finish: seccomp_release(seccomp); return r; }
void GenHash::calcGenHash() { sandbox_init(); // cannot excute execve prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); kDebug() << "execve" << execve("ls",NULL,NULL); if (child_pid){ KParts::ReadOnlyPart * part = qobject_cast<KParts::ReadOnlyPart *>(parent()); QFile file(KFileDialog::getOpenFileName(KUrl("kfiledialog:///konqueror"), i18n("*"), part->widget(), i18n("Open File To make MD5."))); if (!file.open(QIODevice::ReadOnly)) { return; } // TODO QFile //char s[1024]; // write file content { close(pipe_fd[0]); QByteArray s = file.readAll(); char *ch = s.data(); if (write(pipe_fd[1], ch, s.size()) < 0) { perror("write"); } close(pipe_fd[1]); } //read result { close(pipe_result_fd[1]); char result[128]; if (read(pipe_result_fd[0], &result[0], 128) < 0){ perror("read"); } close(pipe_result_fd[0]); KMessageBox::information(part->widget(),i18n("Md5 : %1").arg(QString(QByteArray(result, 128)))); } }else{ scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_KILL); seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0); seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 3, SCMP_A0(SCMP_CMP_EQ, (scmp_datum_t)pipe_fd[0]), SCMP_A1(SCMP_CMP_EQ, (scmp_datum_t)buff), SCMP_A2(SCMP_CMP_LE, 1024)); seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1, SCMP_CMP(0, SCMP_CMP_EQ, (scmp_datum_t)pipe_result_fd[1])); seccomp_load(ctx); seccomp_release(ctx); calcMD5(); } }
int waive(const int flags) { scmp_filter_ctx ctx; int ret = -1; ctx = seccomp_init(SCMP_ACT_ALLOW); if (NULL == ctx) goto out; if (0 != (WAIVE_SOCKET & flags)) { if (0 != seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(socket), 0)) goto release; if (0 != seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(socketpair), 0)) goto release; } else { if (0 != (WAIVE_INET & flags)) { if (0 != seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(socket), 1, SCMP_A0(SCMP_CMP_EQ, AF_INET))) goto release; if (0 != seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(socket), 1, SCMP_A0(SCMP_CMP_EQ, AF_INET6))) goto release; if (0 != seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(socketpair), 1, SCMP_A0(SCMP_CMP_EQ, AF_INET))) goto release; if (0 != seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(socketpair), 1, SCMP_A0(SCMP_CMP_EQ, AF_INET6))) goto release; } if (0 != (WAIVE_UN & flags)) { if (0 != seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(socket), 1, SCMP_A0(SCMP_CMP_EQ, AF_UNIX))) goto release; if (0 != seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(socketpair), 1, SCMP_A0(SCMP_CMP_EQ, AF_UNIX))) goto release; } if (0 != (WAIVE_PACKET & flags)) { if (0 != seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(socket), 1, SCMP_A0(SCMP_CMP_EQ, AF_PACKET))) goto release; if (0 != seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(socketpair), 1, SCMP_A0(SCMP_CMP_EQ, AF_PACKET))) goto release; } } if (0 != (WAIVE_MOUNT & flags)) { if (0 != seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(mount), 0)) goto release; if (0 != seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(umount), 0)) goto release; if (0 != seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(umount2), 0)) goto release; } if (0 != (WAIVE_OPEN & flags)) { if (0 != seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(open), 0)) goto release; if (0 != seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(openat), 0)) goto release; if (0 != seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(creat), 0)) goto release; } if (0 != (WAIVE_EXEC & flags)) { if (0 != seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(execve), 0)) goto release; #ifdef __NR_execveat if (0 != seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(execveat), 0)) goto release; #endif if (0 != seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(mprotect), 1, SCMP_A2(SCMP_CMP_EQ, PROT_EXEC))) goto release; if (0 != seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(mprotect), 1, SCMP_A2(SCMP_CMP_EQ, PROT_READ | PROT_EXEC))) goto release; if (0 != seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(mprotect), 1, SCMP_A2(SCMP_CMP_EQ, PROT_WRITE | PROT_EXEC))) goto release; if (0 != seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(mprotect), 1, SCMP_A2(SCMP_CMP_EQ, PROT_READ | PROT_WRITE | PROT_EXEC))) goto release; if (0 != seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(mmap), 1, SCMP_A2(SCMP_CMP_EQ, PROT_READ | PROT_EXEC))) goto release; if (0 != seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(mmap), 1, SCMP_A2(SCMP_CMP_EQ, PROT_WRITE | PROT_EXEC))) goto release; if (0 != seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(mmap), 1, SCMP_A2(SCMP_CMP_EQ, PROT_READ | PROT_WRITE | PROT_EXEC))) goto release; if (0 != seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(mmap2), 1, SCMP_A2(SCMP_CMP_EQ, PROT_WRITE | PROT_EXEC))) goto release; if (0 != seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(mmap2), 1, SCMP_A2(SCMP_CMP_EQ, PROT_READ | PROT_WRITE | PROT_EXEC))) goto release; } if (0 != (WAIVE_CLONE & flags)) { if (0 != seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(clone), 0)) goto release; } if (0 != (WAIVE_KILL & flags)) { if (0 != seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(kill), 1, SCMP_A0(SCMP_CMP_NE, 0))) goto release; if (0 != seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(tkill), 1, SCMP_A0(SCMP_CMP_NE, 0))) goto release; if (0 != seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(tgkill), 1, SCMP_A0(SCMP_CMP_NE, 0))) goto release; } if (0 != (WAIVE_PIPE & flags)) { if (0 != seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(pipe), 0)) goto release; if (0 != seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(pipe2), 0)) goto release; if (0 != seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(mknod), 0)) goto release; if (0 != seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(mknodat), 0)) goto release; } if (0 == seccomp_load(ctx)) ret = 0; release: seccomp_release(ctx); out: return ret; }