commit e9004146b9949e2113ff68f6e379fd56069fc382
parent 4aa9ffb1242a8284a8bdd30f4ee7265e33f11170
Author: Frederic Cambus <fred@statdns.com>
Date: Sat, 26 Oct 2019 21:43:17 +0200
Add initial seccomp support to Ansilove.
Diffstat:
2 files changed, 71 insertions(+), 0 deletions(-)
diff --git a/src/ansilove.c b/src/ansilove.c
@@ -28,6 +28,15 @@
#include "strtonum.h"
#endif
+#ifdef HAVE_SECCOMP
+#include <sys/prctl.h>
+#include <sys/syscall.h>
+#include <linux/audit.h>
+#include <linux/filter.h>
+#include <linux/seccomp.h>
+#include "seccomp.h"
+#endif
+
#include "config.h"
#include "fonts.h"
#include "sauce.h"
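Review bot: The five system headers added from `#include <sys/prctl.h>` through `#include <linux/seccomp.h>` are the same ones seccomp.h includes itself, so `#include "seccomp.h"` alone brings every name the prctl() calls and the filter need into scope, and the duplicated list is a second place to keep in sync. If the duplication is deliberate (keeping ansilove.c compilable without seccomp.h), a short comment such as `/* also included by seccomp.h; kept so prctl() constants resolve independently */` would say so.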
@@ -86,6 +95,11 @@ main(int argc, char *argv[])
if (pledge("stdio cpath rpath wpath", NULL) == -1)
err(EXIT_FAILURE, "pledge");
+#ifdef HAVE_SECCOMP
+ prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
+ prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &ansilove);
+#endif
+
while ((getoptFlag = getopt(argc, argv, "b:c:df:him:o:qrR:sv")) != -1) {
switch (getoptFlag) {
case 'b':
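Review bot: Both calls at `prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)` and `prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &ansilove)` discard their return value, so when the filter cannot be installed (a kernel without seccomp filter support, or a filter the kernel rejects) the program carries on unsandboxed, whereas the pledge() call just above treats failure as fatal. Mirror that handling: `if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1) err(EXIT_FAILURE, "prctl(PR_SET_NO_NEW_PRIVS)");` and `if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &ansilove) == -1) err(EXIT_FAILURE, "prctl(PR_SET_SECCOMP)");`. `err` is already used on the pledge path, so nothing new is needed in scope. main() begins before and continues after this hunk.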
diff --git a/src/seccomp.h b/src/seccomp.h
@@ -0,0 +1,57 @@
+/*
+ * seccomp.h
+ * Ansilove 4.0.3
+ * https://www.ansilove.org
+ *
+ * Copyright (c) 2019, Frederic Cambus
+ * All rights reserved.
+ *
+ * Ansilove is licensed under the BSD 2-Clause License.
+ * See LICENSE file for details.
+ */
+
+#ifndef SECCOMP_H
+#define SECCOMP_H
+
+#include <stddef.h>
+#include <sys/prctl.h>
+#include <sys/socket.h>
+#include <sys/syscall.h>
+#include <linux/audit.h>
+#include <linux/filter.h>
+#include <linux/seccomp.h>
+
+#define ANSILOVE_SYSCALL_ALLOW(syscall) \
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_##syscall, 0, 1), \
+ BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
+
+static struct sock_filter filter[] = {
+ BPF_STMT(BPF_LD+BPF_W+BPF_ABS, offsetof(struct seccomp_data, nr)),
+
+ ANSILOVE_SYSCALL_ALLOW(brk),
+ ANSILOVE_SYSCALL_ALLOW(close),
+ ANSILOVE_SYSCALL_ALLOW(exit_group),
+ ANSILOVE_SYSCALL_ALLOW(fstat),
+ ANSILOVE_SYSCALL_ALLOW(ioctl),
+ ANSILOVE_SYSCALL_ALLOW(lseek),
+#if defined(SYS_open)
+ ANSILOVE_SYSCALL_ALLOW(open),
+#else
+ ANSILOVE_SYSCALL_ALLOW(openat),
+#endif
+ ANSILOVE_SYSCALL_ALLOW(madvise),
+ ANSILOVE_SYSCALL_ALLOW(mmap),
+ ANSILOVE_SYSCALL_ALLOW(mremap),
+ ANSILOVE_SYSCALL_ALLOW(munmap),
+ ANSILOVE_SYSCALL_ALLOW(readv),
+ ANSILOVE_SYSCALL_ALLOW(writev),
+
+ BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)
+};
+
+struct sock_fprog ansilove = {
+ .len = sizeof(filter)/sizeof(filter[0]),
+ .filter = filter
+};
+
+#endif /* SECCOMP_H */
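Review bot: The filter loads only `nr` at `BPF_STMT(BPF_LD+BPF_W+BPF_ABS, offsetof(struct seccomp_data, nr))` and never inspects `arch`, so the `__NR_*` numbers it allows are only meaningful for the native ABI; on a kernel that also serves a compat ABI a syscall from the other ABI with a coincidentally matching number is allowed through, and `<linux/audit.h>` is already included here, which is exactly what the usual arch check needs. Load `offsetof(struct seccomp_data, arch)` first, compare it with the build architecture's `AUDIT_ARCH_*` value and kill on mismatch before falling through to the nr dispatch, as sketched below. Separately, `struct sock_fprog ansilove` is a non-static object definition in a header, so a second translation unit including seccomp.h would fail to link; `static struct sock_fprog ansilove` avoids that. `SECCOMP_RET_KILL` terminates only the calling thread, which is equivalent for a single-threaded program, but `SECCOMP_RET_KILL_PROCESS` is the safer default where the headers define it.
```c
#if defined(__x86_64__)
#define ANSILOVE_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__i386__)
#define ANSILOVE_AUDIT_ARCH AUDIT_ARCH_I386
#elif defined(__aarch64__)
#define ANSILOVE_AUDIT_ARCH AUDIT_ARCH_AARCH64
#else
#error "ANSILOVE_AUDIT_ARCH is not defined for this architecture"
#endif

static struct sock_filter filter[] = {
	/* Kill unless the syscall arrived via the ABI the __NR_* numbers below belong to. */
	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, offsetof(struct seccomp_data, arch)),
	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ANSILOVE_AUDIT_ARCH, 1, 0),
	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL),

	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, offsetof(struct seccomp_data, nr)),
	/* … unchanged: ANSILOVE_SYSCALL_ALLOW entries and the final SECCOMP_RET_KILL … */
```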