From e6848b1e3f310b1f52bd3ee4e6fec44a5dadea02 Mon Sep 17 00:00:00 2001
From: Miroslav Lichvar
Date: Tue, 26 Nov 2019 14:10:24 +0100
Subject: [PATCH] sys: specify context for syscall filter
Specify a context to enable different processes using different (more restrictive) syscall filters.
---
 main.c | 2 +-
 sys.c | 4 ++--
 sys.h | 6 +++++-
 sys_linux.c | 2 +-
 sys_linux.h | 4 +++-
 5 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/main.c b/main.c
index e0b5c48..b32cd52 100644
--- a/main.c
+++ b/main.c
@@ -596,7 +596,7 @@ int main
 CAM_OpenUnixSocket();
 if (scfilter_level)
- SYS_EnableSystemCallFilter(scfilter_level);
+ SYS_EnableSystemCallFilter(scfilter_level, SYS_MAIN_PROCESS);
 if (ref_mode == REF_ModeNormal && CNF_GetInitSources() > 0) {
 ref_mode = REF_ModeInitStepSlew;
diff --git a/sys.c b/sys.c
index f3797c4..2088c09 100644
--- a/sys.c
+++ b/sys.c
@@ -114,10 +114,10 @@ void SYS_DropRoot(uid_t uid, gid_t gid)
 /* ================================================== */
-void SYS_EnableSystemCallFilter(int level)
+void SYS_EnableSystemCallFilter(int level, SYS_SystemCallContext context)
 {
 #if defined(LINUX) && defined(FEAT_SCFILTER)
- SYS_Linux_EnableSystemCallFilter(level);
+ SYS_Linux_EnableSystemCallFilter(level, context);
 #else
 LOG_FATAL("system call filter not supported");
 #endif
diff --git a/sys.h b/sys.h
index cb726f2..775e1a3 100644
--- a/sys.h
+++ b/sys.h
@@ -38,9 +38,13 @@ extern void SYS_Finalise(void);
 /* Drop root privileges to the specified user and group */
 extern void SYS_DropRoot(uid_t uid, gid_t gid);
+typedef enum {
+ SYS_MAIN_PROCESS,
+} SYS_SystemCallContext;
+
 /* Enable a system call filter to allow only system calls which chronyd normally needs after initialization */
-extern void SYS_EnableSystemCallFilter(int level);
+extern void SYS_EnableSystemCallFilter(int level, SYS_SystemCallContext context);
 extern void SYS_SetScheduler(int SchedPriority);
 extern void SYS_LockMemory(void);
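Review bot: The `SYS_SystemCallContext` enum added in sys.h carries no comment, and the comment above `SYS_EnableSystemCallFilter` still describes only "system calls which chronyd normally needs after initialization" without saying what `context` selects. The commit message states that the context exists so that different processes can use more restrictive filters, and that intent belongs next to the type, where someone adding a new process will look for it. I would put `/* Process in which the filter is enabled, selects the set of allowed system calls */` above the typedef and append `The context identifies the calling process so that a more restrictive filter can be applied to it.` to the function comment.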
diff --git a/sys_linux.c b/sys_linux.c
index d2dc908..1babfd1 100644
--- a/sys_linux.c
+++ b/sys_linux.c
@@ -474,7 +474,7 @@ void check_seccomp_applicability(void)
 /* ================================================== */
 void
-SYS_Linux_EnableSystemCallFilter(int level)
+SYS_Linux_EnableSystemCallFilter(int level, SYS_SystemCallContext context)
 {
 const int syscalls[] = {
 /* Clock */
diff --git a/sys_linux.h b/sys_linux.h
index 551a186..799049d 100644
--- a/sys_linux.h
+++ b/sys_linux.h
@@ -27,13 +27,15 @@
 #ifndef GOT_SYS_LINUX_H
 #define GOT_SYS_LINUX_H
+#include "sys.h"
+
 extern void SYS_Linux_Initialise(void);
 extern void SYS_Linux_Finalise(void);
 extern void SYS_Linux_DropRoot(uid_t uid, gid_t gid, int clock_control);
-extern void SYS_Linux_EnableSystemCallFilter(int level);
+extern void SYS_Linux_EnableSystemCallFilter(int level, SYS_SystemCallContext context);
 extern int SYS_Linux_CheckKernelVersion(int req_major, int req_minor);
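Review bot: In the sys_linux.c hunk, `SYS_Linux_EnableSystemCallFilter()` now accepts `context` but nothing appears to read it: the diffstat shows a single changed line in this file, so every value would get the allow-list that begins at `const int syscalls[]`. That is harmless while `SYS_MAIN_PROCESS` is the only enumerator, but once a second context is added, a caller passing it would silently receive the main-process filter rather than the more restrictive one the commit message intends. A fail-closed guard after the declarations would rule that out, for example `if (context != SYS_MAIN_PROCESS) LOG_FATAL("Unsupported system call filter context");`, assuming `LOG_FATAL` is available here as it is in sys.c. The function body continues past the end of the hunk, so the exact placement needs checking against the full file.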