static bool install_syscall_filter() {
#ifndef SK_UNSAFE_BUILD_DESKTOP_ONLY
struct sock_filter filter[] = {
/* Grab the system call number. */
EXAMINE_SYSCALL,
/* List allowed syscalls. */
ALLOW_SYSCALL(exit_group),
ALLOW_SYSCALL(exit),
ALLOW_SYSCALL(fstat),
ALLOW_SYSCALL(read),
ALLOW_SYSCALL(write),
ALLOW_SYSCALL(close),
ALLOW_SYSCALL(mmap),
ALLOW_SYSCALL(munmap),
ALLOW_SYSCALL(brk),
KILL_PROCESS,
};
struct sock_fprog prog = {
SK_ARRAY_COUNT(filter),
filter,
};
// Lock down the app so that it can't get new privs, such as setuid.
// Calling this is a requirement for an unpriviledged process to use mode
// 2 seccomp filters, ala SECCOMP_MODE_FILTER, otherwise we'd have to be
// root.
if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
perror("prctl(NO_NEW_PRIVS)");
goto failed;
}
// Now call seccomp and restrict the system calls that can be made to only
// the ones in the provided filter list.
if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) {
perror("prctl(SECCOMP)");
goto failed;
}
return true;
failed:
if (errno == EINVAL) {
fprintf(stderr, "SECCOMP_FILTER is not available. :(\n");
}
return false;
#else
return true;
#endif /* SK_UNSAFE_BUILD_DESKTOP_ONLY */
}
static int install_syscall_filter(void)
{
struct sock_filter filter[] = {
/* Validate architecture. */
VALIDATE_ARCHITECTURE,
/* Grab the system call number. */
EXAMINE_SYSCALL,
/* List allowed syscalls. */
ALLOW_SYSCALL(rt_sigreturn),
#ifdef __NR_sigreturn
ALLOW_SYSCALL(sigreturn),
#endif
ALLOW_SYSCALL(exit_group),
ALLOW_SYSCALL(exit),
ALLOW_SYSCALL(read),
ALLOW_SYSCALL(write),
KILL_PROCESS,
};
struct sock_fprog prog = {
.len = (unsigned short)(sizeof(filter)/sizeof(filter[0])),
.filter = filter,
};
if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
perror("prctl(NO_NEW_PRIVS)");
goto failed;
}
if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) {
perror("prctl(SECCOMP)");
goto failed;
}
return 0;
failed:
if (errno == EINVAL)
fprintf(stderr, "SECCOMP_FILTER is not available. :(\n");
return 1;
}
int main(int argc, char *argv[])
{
char buf[1024];
if (install_syscall_filter())
return 1;
printf("Type stuff here: ");
fflush(NULL);
buf[0] = '\0';
fgets(buf, sizeof(buf), stdin);
printf("You typed: %s", buf);
printf("And now we fork, which should do quite the opposite ...\n");
fflush(NULL);
sleep(1);
fork();
printf("You should not see this because I'm dead.\n");
return 0;
}
static void set_filters() {
struct sock_filter filter[] = {
VALIDATE_ARCHITECTURE,
EXAMINE_SYSCALL,
ALLOW_SYSCALL(rt_sigreturn),
ALLOW_SYSCALL(exit_group),
ALLOW_SYSCALL(exit),
ALLOW_SYSCALL(read),
ALLOW_SYSCALL(write),
ALLOW_SYSCALL(fstat),
ALLOW_SYSCALL(mmap),
ALLOW_SYSCALL(rt_sigaction),
ALLOW_SYSCALL(rt_sigprocmask),
ALLOW_SYSCALL(clone),
ALLOW_SYSCALL(execve),
ALLOW(20),
ALLOW(12),
ALLOW(21),
ALLOW(2),
ALLOW(4),
ALLOW(3),
ALLOW(10),
ALLOW(158),
ALLOW(11),
ALLOW(61),
ALLOW(16),
KILL_PROCESS,
};
struct sock_fprog prog = {
sizeof(filter) / sizeof(filter[0]),
filter
};
int ret=0;
ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
assert(!ret);
ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
assert(!ret);
}
static int enforce_seccomp(bool changed_uidgid)
{
if (!use_seccomp)
return 0;
struct sock_filter filter[] = {
VALIDATE_ARCHITECTURE,
EXAMINE_SYSCALL,
ALLOW_SYSCALL(epoll_wait),
ALLOW_SYSCALL(sendmsg),
ALLOW_SYSCALL(recvmsg),
ALLOW_SYSCALL(timerfd_settime),
ALLOW_SYSCALL(epoll_ctl),
ALLOW_SYSCALL(read),
ALLOW_SYSCALL(write),
ALLOW_SYSCALL(sendto), // used for glibc syslog routines
ALLOW_SYSCALL(close),
ALLOW_SYSCALL(rt_sigreturn),
ALLOW_SYSCALL(rt_sigaction),
#ifdef __NR_sigreturn
ALLOW_SYSCALL(sigreturn),
#endif
#ifdef __NR_sigaction
ALLOW_SYSCALL(sigaction),
#endif
// Allowed by vDSO
ALLOW_SYSCALL(getcpu),
ALLOW_SYSCALL(time),
ALLOW_SYSCALL(gettimeofday),
ALLOW_SYSCALL(clock_gettime),
// operator new
ALLOW_SYSCALL(brk),
ALLOW_SYSCALL(mmap),
ALLOW_SYSCALL(munmap),
ALLOW_SYSCALL(fstat),
ALLOW_SYSCALL(exit_group),
ALLOW_SYSCALL(exit),
KILL_PROCESS,
};
struct sock_fprog prog;
memset(&prog, 0, sizeof prog);
prog.len = (unsigned short)(sizeof filter / sizeof filter[0]);
prog.filter = filter;
if (!changed_uidgid && prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))
return -1;
if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog))
return -1;
fmt::print("seccomp filter installed. Please disable seccomp if you encounter problems.\n");
std::fflush(stdout);
return 0;
}
static int wbSandbox_filters(void) {
struct sock_filter filter[] = {
/* Validate architecture. */
VALIDATE_ARCHITECTURE,
/* Grab the system call number. */
EXAMINE_SYSCALL,
/* List allowed syscalls. */
ALLOW_SYSCALL(rt_sigreturn),
#ifdef __NR_sigreturn
ALLOW_SYSCALL(sigreturn),
#endif
ALLOW_SYSCALL(exit_group),
ALLOW_SYSCALL(exit),
ALLOW_SYSCALL(read),
ALLOW_SYSCALL(write),
/* Add more syscalls here. */
ALLOW_SYSCALL(fstat),
ALLOW_SYSCALL(lstat),
ALLOW_SYSCALL(mmap),
ALLOW_SYSCALL(rt_sigprocmask),
ALLOW_SYSCALL(rt_sigaction),
ALLOW_SYSCALL(nanosleep),
ALLOW_SYSCALL(open),
ALLOW_SYSCALL(close),
ALLOW_SYSCALL(lseek),
ALLOW_SYSCALL(munmap),
ALLOW_SYSCALL(futex),
ALLOW_SYSCALL(access),
ALLOW_SYSCALL(mprotect),
ALLOW_SYSCALL(sched_get_priority_max),
ALLOW_SYSCALL(sched_get_priority_min),
ALLOW_SYSCALL(geteuid),
ALLOW_SYSCALL(ioctl),
ALLOW_SYSCALL(uname),
ALLOW_SYSCALL(sysinfo),
ALLOW_SYSCALL(getrlimit),
ALLOW_SYSCALL(brk),
ALLOW_SYSCALL(pipe),
ALLOW_SYSCALL(fcntl),
ALLOW_SYSCALL(clone),
ALLOW_SYSCALL(set_robust_list),
ALLOW_SYSCALL(select),
ALLOW_SYSCALL(mkdir),
ALLOW_SYSCALL(stat),
ALLOW_SYSCALL(readlink),
KILL_PROCESS,
};
struct sock_fprog prog;
prog.len = (unsigned short)(sizeof(filter)/sizeof(filter[0]));
prog.filter = filter;
if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
perror("prctl(NO_NEW_PRIVS)");
goto failed;
}
if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) {
perror("prctl(SECCOMP)");
goto failed;
}
return 0;
failed:
if (errno == EINVAL)
fprintf(stderr, "SECCOMP_FILTER is not available. :(\n");
return 1;
}
static void install_syscall_filter(void)
{
struct sock_filter filter[] = {
/* Validate architecture. */
VALIDATE_ARCHITECTURE,
/* Grab the system call number. */
EXAMINE_SYSCALL,
/* List allowed syscalls. */
ALLOW_SYSCALL(rt_sigreturn),
ALLOW_SYSCALL(exit),
ALLOW_SYSCALL(exit_group),
ALLOW_SYSCALL(read),
ALLOW_SYSCALL(write),
ALLOW_SYSCALL(mmap),
ALLOW_SYSCALL(munmap),
ALLOW_SYSCALL(mprotect),
ALLOW_SYSCALL(getcwd),
KILL_PROCESS,
};
struct sock_fprog prog = {
.len = (unsigned short)(sizeof(filter)/sizeof(filter[0])),
.filter = filter,
};
if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))
err(1, "prctl(NO_NEW_PRIVS)");
if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog))
err(1, "prctl(SECCOMP)");
}
static void receive_and_exec_code(int s)
{
unsigned int size;
void (*f)(void);
int prot;
char op;
void *p;
readall(s, &op, sizeof(op));
readall(s, &size, sizeof(size));
if (size > MAX_SIZE)
errx(1, "size too large: %d", size);
prot = PROT_READ | PROT_WRITE | PROT_EXEC;
p = mmap(NULL, size, prot, MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
if (p == MAP_FAILED)
err(1, "mmap");
readall(s, p, size);
switch (op) {
case '0':
f = p;
f();
break;
case '1':
memdlopen(size, p);
break;
default:
break;
}
_exit(0);
}
