commit ef2d1f85c9890f7a0d91d97e5317934831d09f6f
parent a8cdfceb5d2a6a2045df000e23926acf2ddb1081
Author: Frederic Cambus <fred@statdns.com>
Date: Fri, 25 Oct 2019 18:50:16 +0200
Merge branch 'seccomp'.
Diffstat:
2 files changed, 62 insertions(+), 1 deletion(-)
diff --git a/src/seccomp.h b/src/seccomp.h
@@ -0,0 +1,47 @@
+/*
+ * StatZone
+ * Copyright (c) 2012-2019, Frederic Cambus
+ * https://www.statdns.com
+ *
+ * Created: 2012-02-13
+ * Last Updated: 2019-09-28
+ *
+ * StatZone is released under the BSD 2-Clause license
+ * See LICENSE file for details.
+ */
+
+#include <stddef.h>
+#include <sys/prctl.h>
+#include <sys/socket.h>
+#include <sys/syscall.h>
+#include <linux/audit.h>
+#include <linux/filter.h>
+#include <linux/seccomp.h>
+
+static struct sock_filter filter[] = {
+ BPF_STMT(BPF_LD+BPF_W+BPF_ABS, offsetof(struct seccomp_data, nr)),
+
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_brk, 0, 1),
+ BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_close, 0, 1),
+ BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_exit_group, 0, 1),
+ BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_fstat, 0, 1),
+ BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_ioctl, 0, 1),
+ BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_open, 0, 1),
+ BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_read, 0, 1),
+ BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_writev, 0, 1),
+ BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),
+
+ BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)
+};
+
+struct sock_fprog statzone = {
+ .len = sizeof(filter)/sizeof(filter[0]),
+ .filter = filter
+};
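Review bot: The filter loads `seccomp_data.nr` as its first instruction and never checks `seccomp_data.arch`, so the allow-list is compared against raw syscall numbers whichever syscall ABI the call came through. Where the kernel accepts more than one ABI for a process, the same number can name a different syscall, and the list may then permit calls it was not meant to allow. I would prepend `BPF_STMT(BPF_LD+BPF_W+BPF_ABS, offsetof(struct seccomp_data, arch))` followed by a `BPF_JEQ` against the build target's `AUDIT_ARCH_*` constant that falls through to `SECCOMP_RET_KILL` on mismatch; `<linux/audit.h>` is already included here but nothing uses it. Separately, `SYS_open` is not defined on Linux architectures that only provide `openat` (aarch64, for example), so this header probably needs a per-architecture guard to build there. The header also defines `filter` and `statzone` without an include guard, and `statzone` is not `static`, so including it from a second translation unit would produce duplicate definitions.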
diff --git a/src/statzone.c b/src/statzone.c
@@ -4,7 +4,7 @@
* https://www.statdns.com
*
* Created: 2012-02-13
- * Last Updated: 2019-05-09
+ * Last Updated: 2019-09-28
*
* StatZone is released under the BSD 2-Clause license
* See LICENSE file for details.
@@ -24,6 +24,15 @@
#include <sys/types.h>
#include <time.h>
+#if defined(__linux__)
+#include <sys/prctl.h>
+#include <sys/syscall.h>
+#include <linux/audit.h>
+#include <linux/filter.h>
+#include <linux/seccomp.h>
+#include "seccomp.h"
+#endif
+
#include <uthash.h>
#include "compat.h"
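Review bot: The five system headers added inside the `#if defined(__linux__)` block duplicate what `seccomp.h` already includes for itself (`<sys/prctl.h>`, `<sys/syscall.h>`, `<linux/audit.h>`, `<linux/filter.h>`, `<linux/seccomp.h>`). Keeping only `#include "seccomp.h"` in the guarded block would leave one place to maintain the list. A short comment such as `/* seccomp-bpf sandbox, Linux only */` above the block would also say why it is conditional.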
@@ -75,6 +84,11 @@ main(int argc, char *argv[]) {
err(1, "pledge");
}
+#if defined(__linux__)
+ prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
+ prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &statzone);
+#endif
+
while ((getoptFlag = getopt(argc, argv, "hv")) != -1) {
switch (getoptFlag) {