ansilove

commit e9004146b9949e2113ff68f6e379fd56069fc382
parent 4aa9ffb1242a8284a8bdd30f4ee7265e33f11170
Author: Frederic Cambus <fred@statdns.com>
Date:   Sat, 26 Oct 2019 21:43:17 +0200

Add initial seccomp support to Ansilove.

Diffstat:
M
src/ansilove.c
 | 
14
++++++++++++++
A
src/seccomp.h
 | 
57
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++

2 files changed, 71 insertions(+), 0 deletions(-)
diff --git a/src/ansilove.c b/src/ansilove.c
@@ -28,6 +28,15 @@
 #include "strtonum.h"
 #endif
 
+#ifdef HAVE_SECCOMP
+#include <sys/prctl.h>
+#include <sys/syscall.h>
+#include <linux/audit.h>
+#include <linux/filter.h>
+#include <linux/seccomp.h>
+#include "seccomp.h"
+#endif
+
 #include "config.h"
 #include "fonts.h"
 #include "sauce.h"
@@ -86,6 +95,11 @@ main(int argc, char *argv[])
 	if (pledge("stdio cpath rpath wpath", NULL) == -1)
 		err(EXIT_FAILURE, "pledge");
 
+#ifdef HAVE_SECCOMP
+	prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
+	prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &ansilove);
+#endif
+
 	while ((getoptFlag = getopt(argc, argv, "b:c:df:him:o:qrR:sv")) != -1) {
 		switch (getoptFlag) {
 		case 'b':
diff --git a/src/seccomp.h b/src/seccomp.h
@@ -0,0 +1,57 @@
+/*
+ * seccomp.h
+ * Ansilove 4.0.3
+ * https://www.ansilove.org
+ *
+ * Copyright (c) 2019, Frederic Cambus
+ * All rights reserved.
+ *
+ * Ansilove is licensed under the BSD 2-Clause License.
+ * See LICENSE file for details.
+ */
+
+#ifndef SECCOMP_H
+#define SECCOMP_H
+
+#include <stddef.h>
+#include <sys/prctl.h>
+#include <sys/socket.h>
+#include <sys/syscall.h>
+#include <linux/audit.h>
+#include <linux/filter.h>
+#include <linux/seccomp.h>
+
+#define ANSILOVE_SYSCALL_ALLOW(syscall) \
+	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_##syscall, 0, 1), \
+	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
+
+static struct sock_filter filter[] = {
+	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, offsetof(struct seccomp_data, nr)),
+
+	ANSILOVE_SYSCALL_ALLOW(brk),
+	ANSILOVE_SYSCALL_ALLOW(close),
+	ANSILOVE_SYSCALL_ALLOW(exit_group),
+	ANSILOVE_SYSCALL_ALLOW(fstat),
+	ANSILOVE_SYSCALL_ALLOW(ioctl),
+	ANSILOVE_SYSCALL_ALLOW(lseek),
+#if defined(SYS_open)
+	ANSILOVE_SYSCALL_ALLOW(open),
+#else
+	ANSILOVE_SYSCALL_ALLOW(openat),
+#endif
+	ANSILOVE_SYSCALL_ALLOW(madvise),
+	ANSILOVE_SYSCALL_ALLOW(mmap),
+	ANSILOVE_SYSCALL_ALLOW(mremap),
+	ANSILOVE_SYSCALL_ALLOW(munmap),
+	ANSILOVE_SYSCALL_ALLOW(readv),
+	ANSILOVE_SYSCALL_ALLOW(writev),
+
+	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)
+};
+
+struct sock_fprog ansilove = {
+	.len = sizeof(filter)/sizeof(filter[0]),
+	.filter = filter
+};
+
+#endif /* SECCOMP_H */