commit 8aab9b8bb6bfb9a4d6beedac62ea21ea8efe66e1
parent 60974a614ddc122d718c0788e36c012bf25cec2f
Author: Frederic Cambus <fred@statdns.com>
Date: Tue, 9 Jun 2020 21:53:19 +0200
Add initial seccomp support to BDF2SFD.
Diffstat:
2 files changed, 73 insertions(+), 0 deletions(-)
diff --git a/src/bdf2sfd.c b/src/bdf2sfd.c
@@ -23,6 +23,15 @@
#include <string.h>
#include <time.h>
+#ifdef HAVE_SECCOMP
+#include <sys/prctl.h>
+#include <sys/syscall.h>
+#include <linux/audit.h>
+#include <linux/filter.h>
+#include <linux/seccomp.h>
+#include "seccomp.h"
+#endif
+
#include "compat.h"
#include "config.h"
#include "header.h"
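Review bot: The five system headers added under `#ifdef HAVE_SECCOMP` are also included by `seccomp.h` itself (the new file in this commit), so this hunk could shrink to `#ifdef HAVE_SECCOMP` / `#include "seccomp.h"` / `#endif` and keep the header list in one place. If the duplication is deliberate, so that `bdf2sfd.c` compiles against the `prctl`/`SECCOMP_MODE_FILTER` names independently of the header, a one-line comment saying so would stop the next reader from deduplicating it.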
@@ -85,6 +94,18 @@ main(int argc, char *argv[])
err(EXIT_FAILURE, "pledge");
}
+#ifdef HAVE_SECCOMP
+ if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
+ perror("Can't initialize seccomp");
+ return EXIT_FAILURE;
+ }
+
+ if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &bdf2sfd)) {
+ perror("Can't load seccomp filter");
+ return EXIT_FAILURE;
+ }
+#endif
+
while ((getoptFlag = getopt(argc, argv, "f:p:hv")) != -1) {
switch (getoptFlag) {
case 'f':
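Review bot: The two new failure paths use `perror` plus `return EXIT_FAILURE` while the `pledge` failure a few lines above uses `err(EXIT_FAILURE, "pledge")`; the same style here, `err(EXIT_FAILURE, "prctl(PR_SET_NO_NEW_PRIVS)")` and `err(EXIT_FAILURE, "prctl(PR_SET_SECCOMP)")`, would keep error reporting in `main` uniform and name the failing call. The ordering itself is right: `PR_SET_NO_NEW_PRIVS` must precede `PR_SET_SECCOMP` for an unprivileged process, and a short comment such as `/* no_new_privs is required before an unprivileged process may install a filter */` would record why the first call cannot be dropped. `main` starts before and continues after this hunk, so anything the filter must permit later (file open, reads, writes, exit) is outside what this hunk shows.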
diff --git a/src/seccomp.h b/src/seccomp.h
@@ -0,0 +1,52 @@
+/*
+ * bdf2sfd 1.1.1
+ * Copyright (c) 2019-2020, Frederic Cambus
+ * https://github.com/fcambus/bdf2sfd
+ *
+ * Created: 2019-11-21
+ * Last Updated: 2020-06-09
+ *
+ * bdf2sfd is released under the BSD 2-Clause license
+ * See LICENSE file for details
+ */
+
+#ifndef SECCOMP_H
+#define SECCOMP_H
+
+#include <stddef.h>
+#include <sys/prctl.h>
+#include <sys/socket.h>
+#include <sys/syscall.h>
+#include <linux/audit.h>
+#include <linux/filter.h>
+#include <linux/seccomp.h>
+
+#define BDF2SFD_SYSCALL_ALLOW(syscall) \
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_##syscall, 0, 1), \
+ BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
+
+static struct sock_filter filter[] = {
+ BPF_STMT(BPF_LD+BPF_W+BPF_ABS, offsetof(struct seccomp_data, nr)),
+
+ BDF2SFD_SYSCALL_ALLOW(brk),
+ BDF2SFD_SYSCALL_ALLOW(close),
+ BDF2SFD_SYSCALL_ALLOW(exit_group),
+ BDF2SFD_SYSCALL_ALLOW(fstat),
+ BDF2SFD_SYSCALL_ALLOW(ioctl),
+#if defined(SYS_open)
+ BDF2SFD_SYSCALL_ALLOW(open),
+#endif
+ BDF2SFD_SYSCALL_ALLOW(openat),
+ BDF2SFD_SYSCALL_ALLOW(read),
+ BDF2SFD_SYSCALL_ALLOW(write),
+ BDF2SFD_SYSCALL_ALLOW(writev),
+
+ BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)
+};
+
+struct sock_fprog bdf2sfd = {
+ .len = sizeof(filter)/sizeof(filter[0]),
+ .filter = filter
+};
+
+#endif /* SECCOMP_H */
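Review bot: The filter loads only `nr` and never checks `arch`, so a syscall number is matched regardless of which ABI issued it on kernels with compatibility ABIs (`<linux/audit.h>` is included but nothing from it is used); before the load at `offsetof(struct seccomp_data, nr)` the program should load `offsetof(struct seccomp_data, arch)`, compare it with the target's `AUDIT_ARCH_*` value and kill on mismatch: `BPF_STMT(BPF_LD+BPF_W+BPF_ABS, offsetof(struct seccomp_data, arch)), BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, AUDIT_ARCH_X86_64, 1, 0), BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL),` with the constant chosen per build target rather than hard-coded. Separately, `struct sock_fprog bdf2sfd` has external linkage in a header, which produces a duplicate-symbol link error as soon as a second translation unit includes `seccomp.h`; `static const struct sock_fprog bdf2sfd = { ... }` (or moving the definition into `bdf2sfd.c`) avoids that, and `<sys/socket.h>` is not needed by anything in the file. Whether the allow-list covers every syscall the program actually issues (glibc's malloc and stdio can fall back to `mmap`/`munmap`) cannot be judged from this hunk alone and is worth confirming with a syscall trace before relying on `SECCOMP_RET_KILL` as the default action.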