logswan

Fast Web log analyzer using probabilistic data structures

commit 7fa0fb010ba786776de4f0ca58a31d940418198e
parent 3dde4ffb12434533f94877625dc31704ce31eb93
Author: Frederic Cambus <fred@statdns.com>
Date:   Fri, 27 Sep 2019 20:46:51 +0200

Add initial seccomp support to Logswan.

Diffstat:
Msrc/logswan.c | 16+++++++++++++++-
Asrc/seccomp.h | 53+++++++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 68 insertions(+), 1 deletion(-)

diff --git a/src/logswan.c b/src/logswan.c @@ -4,7 +4,7 @@ * https://www.logswan.org * * Created: 2015-05-31 - * Last Updated: 2019-08-16 + * Last Updated: 2019-09-27 * * Logswan is released under the BSD 2-Clause license. * See LICENSE file for details. @@ -31,6 +31,15 @@ #include <string.h> #include <time.h> +#if defined(__linux__) +#include <sys/prctl.h> +#include <sys/syscall.h> +#include <linux/audit.h> +#include <linux/filter.h> +#include <linux/seccomp.h> +#include "seccomp.h" +#endif + #include <maxminddb.h> #include "compat.h" @@ -90,6 +99,11 @@ main(int argc, char *argv[]) { err(EXIT_FAILURE, "pledge"); } +#if defined(__linux__) + prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); + prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &logswan); +#endif + hll_init(&uniqueIPv4, HLL_BITS); hll_init(&uniqueIPv6, HLL_BITS); diff --git a/src/seccomp.h b/src/seccomp.h 
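Review bot: Both `prctl()` calls in the third hunk discard their return value, so if the kernel lacks seccomp filter support or `PR_SET_NO_NEW_PRIVS` is refused the program simply carries on unsandboxed, whereas the `pledge()` branch just above exits via `err(EXIT_FAILURE, "pledge")`. Mirror that handling: `if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1) err(EXIT_FAILURE, "prctl(PR_SET_NO_NEW_PRIVS)");` and `if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &logswan) == -1) err(EXIT_FAILURE, "prctl(PR_SET_SECCOMP)");`. Note also that once the filter is installed anything later in main() that reaches a syscall outside the allow-list in seccomp.h (for instance openat(2) instead of open(2), or write(2) instead of writev(2)) is killed rather than failing with an error, which is worth tracing on the target libc since main() starts and ends outside the hunk. The second hunk repeats the `<sys/...>`/`<linux/...>` includes that seccomp.h already pulls in; including only `"seccomp.h"` inside the `#if defined(__linux__)` block would suffice.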
@@ -0,0 +1,53 @@
+/*
+ * Logswan 2.0.4
+ * Copyright (c) 2015-2019, Frederic Cambus
+ * https://www.logswan.org
+ *
+ * Created: 2015-05-31
+ * Last Updated: 2019-09-27
+ *
+ * Logswan is released under the BSD 2-Clause license.
+ * See LICENSE file for details.
+ */
+
+#include <stddef.h>
+#include <sys/prctl.h>
+#include <sys/socket.h>
+#include <sys/syscall.h>
+#include <linux/audit.h>
+#include <linux/filter.h>
+#include <linux/seccomp.h>
+
+static struct sock_filter filter[] = {
+ BPF_STMT(BPF_LD+BPF_W+BPF_ABS, offsetof(struct seccomp_data, nr)),
+
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_brk, 0, 1),
+ BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_close, 0, 1),
+ BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_exit_group, 0, 1),
+ BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_fcntl, 0, 1),
+ BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_fstat, 0, 1),
+ BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_ioctl, 0, 1),
+ BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_open, 0, 1),
+ BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_mmap, 0, 1),
+ BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_munmap, 0, 1),
+ BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_read, 0, 1),
+ BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_writev, 0, 1),
+ BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),
+
+ BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)
+};
+
+struct sock_fprog logswan = {
+ .len = sizeof(filter)/sizeof(filter[0]),
+ .filter = filter
+};
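Review bot: The filter compares `seccomp_data.nr` without first checking `seccomp_data.arch`, so the numbers in the allow-list are matched whatever ABI issued the call; the kernel's seccomp documentation recommends loading `offsetof(struct seccomp_data, arch)` first and killing on a mismatch, which is presumably why `<linux/audit.h>` is already included here. A minimal form for the build's own architecture is `BPF_STMT(BPF_LD+BPF_W+BPF_ABS, offsetof(struct seccomp_data, arch)),` `BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, AUDIT_ARCH_X86_64, 1, 0),` `BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL),` placed before the existing load of `nr`, with the `AUDIT_ARCH_*` constant selected per target architecture. Separately, `SYS_open` is allowed but `SYS_openat` is not; if the C library on the target implements `fopen` through openat(2) the process is killed at its first file open, so this deserves a syscall trace on the deployment libc. Finally, `struct sock_fprog logswan` is a non-static definition in a header while `filter` is `static`; writing `static const struct sock_fprog logswan = {` avoids a duplicate-symbol error should `seccomp.h` ever be included from a second translation unit.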