sys_linux: add syscall filter context for NTS-KE
The NTS-KE helper process will use a more restrictive filter than the main process.
This commit is contained in:
parent
e6848b1e3f
commit
1d4690eb64
2 changed files with 40 additions and 35 deletions
1
sys.h
1
sys.h
@ -40,6 +40,7 @@ extern void SYS_DropRoot(uid_t uid, gid_t gid);
typedef enum {
SYS_MAIN_PROCESS,
SYS_NTSKE_HELPER,
} SYS_SystemCallContext;
/* Enable a system call filter to allow only system calls
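Review bot: The new SYS_SystemCallContext enum carries no comment, so a reader of sys.h cannot tell that the context selects how restrictive the seccomp rule set is rather than merely naming the caller; the commit message says the helper gets a more restrictive filter, but that fact is not in the header. I would add above `typedef enum {`: `/* Selects the seccomp rule set: the main chronyd process, or the NTS-KE helper, which gets a more restrictive filter */`. The comment on the SYS_Linux_EnableSystemCallFilter declaration that starts at the end of this hunk continues outside it; it should mention the new context parameter if it does not already.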
14
sys_linux.c
14
sys_linux.c
@ -559,6 +559,7 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_SystemCallContext context)
scmp_filter_ctx *ctx;
int i;
if (context == SYS_MAIN_PROCESS) {
/* Check if the chronyd configuration is supported */
check_seccomp_applicability();
@ -567,6 +568,7 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_SystemCallContext context)
list of required system calls (with glibc it depends on what NSS modules
are installed and enabled on the system). */
PRV_StartHelper();
}
ctx = seccomp_init(level > 0 ? SCMP_ACT_KILL : SCMP_ACT_TRAP);
if (ctx == NULL)
@ -578,14 +580,15 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_SystemCallContext context)
goto add_failed;
}
/* Allow sockets to be created only in selected domains */
if (context == SYS_MAIN_PROCESS) {
/* Allow opening sockets in selected domains */
for (i = 0; i < sizeof (socket_domains) / sizeof (*socket_domains); i++) {
if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket), 1,
SCMP_A0(SCMP_CMP_EQ, socket_domains[i])) < 0)
goto add_failed;
}
/* Allow setting only selected sockets options */
/* Allow selected socket options */
for (i = 0; i < sizeof (socket_options) / sizeof (*socket_options); i++) {
if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt), 3,
SCMP_A1(SCMP_CMP_EQ, socket_options[i][0]),
@ -594,7 +597,7 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_SystemCallContext context)
goto add_failed;
}
/* Allow only selected fcntl calls */
/* Allow selected fcntl calls */
for (i = 0; i < sizeof (fcntls) / sizeof (*fcntls); i++) {
if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl), 1,
SCMP_A1(SCMP_CMP_EQ, fcntls[i])) < 0 ||
@ -603,17 +606,18 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_SystemCallContext context)
goto add_failed;
}
/* Allow only selected ioctls */
/* Allow selected ioctls */
for (i = 0; i < sizeof (ioctls) / sizeof (*ioctls); i++) {
if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(ioctl), 1,
SCMP_A1(SCMP_CMP_EQ, ioctls[i])) < 0)
goto add_failed;
}
}
if (seccomp_load(ctx) < 0)
LOG_FATAL("Failed to load seccomp rules");
LOG(LOGS_INFO, "Loaded seccomp filter");
LOG(context == SYS_MAIN_PROCESS ? LOGS_INFO : LOGS_DEBUG, "Loaded seccomp filter");
seccomp_release(ctx);
return;
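Review bot: Nothing in the helper path documents that it receives none of the socket(), setsockopt(), fcntl() and ioctl() allow rules: the added `}` before `seccomp_load()` closes the `if (context == SYS_MAIN_PROCESS) {` guard, so every other context value, including an unexpected one, loads only whatever rules precede that block. That is fail-closed, which is the right default for a seccomp filter, but it should be stated at the closing brace, e.g. `/* The NTS-KE helper (and any other context) gets none of the socket/fcntl/ioctl rules above; it relies only on the generic call list */`, hedged here because the generic list is outside these hunks. The same guard in the earlier hunk also skips check_seccomp_applicability() and PRV_StartHelper() for the helper, which the function's header comment, starting outside these hunks, should mention alongside the new context parameter. The log level change to LOGS_DEBUG for the helper is fine, but the message no longer says which process loaded a filter; `"Loaded seccomp filter (%s)"` with a context name would make the two entries distinguishable in a debug log.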