From: "Mike Frysinger" <vapier@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] proj/pax-utils:master commit in: /
Date: Thu, 20 Aug 2015 14:39:29 +0000 (UTC) [thread overview]
Message-ID: <1440081520.d6fcdb53ed7341f25db859516fa0383fca95eb1d.vapier@gentoo> (raw)
commit: d6fcdb53ed7341f25db859516fa0383fca95eb1d
Author: Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Tue Aug 18 14:50:45 2015 +0000
Commit: Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Thu Aug 20 14:38:40 2015 +0000
URL: https://gitweb.gentoo.org/proj/pax-utils.git/commit/?id=d6fcdb53
security: use seccomp to lock ourselves down
This has a minor speed hit (a few milliseconds), but otherwise provides
a decent balance.
Makefile | 7 +++
configure.ac | 7 +++
security.c | 147 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 161 insertions(+)
diff --git a/Makefile b/Makefile
index ac5e9cc..3abfee7 100644
--- a/Makefile
+++ b/Makefile
@@ -49,6 +49,13 @@ CPPFLAGS-pspax.c += $(LIBCAPS_CFLAGS) -DWANT_SYSCAP
LIBS-pspax += $(LIBCAPS_LIBS)
endif
+ifeq ($(USE_SECCOMP),yes)
+LIBSECCOMP_CFLAGS := $(shell $(PKG_CONFIG) --cflags libseccomp)
+LIBSECCOMP_LIBS := $(shell $(PKG_CONFIG) --libs libseccomp)
+override CPPFLAGS += $(LIBSECCOMP_CFLAGS) -DWANT_SECCOMP
+LIBS += $(LIBSECCOMP_LIBS)
+endif
+
ifdef PV
override CPPFLAGS += -DVERSION=\"$(PV)\"
else
diff --git a/configure.ac b/configure.ac
index c3591ff..327d9b8 100644
--- a/configure.ac
+++ b/configure.ac
@@ -26,6 +26,13 @@ AS_IF([test "x$with_caps" = "xyes"], [
AC_ARG_WITH([python], [AS_HELP_STRING([--with-python], [use lddtree.py])])
AM_CONDITIONAL([USE_PYTHON], [test "x$with_python" = "xyes"])
+AC_ARG_WITH([seccomp], [AS_HELP_STRING([--with-seccomp], [build with seccomp])])
+AS_IF([test "x$with_seccomp" = "xyes"], [
+ PKG_CHECK_MODULES(LIBSECCOMP, libseccomp)
+ CPPFLAGS="$CPPFLAGS $LIBSECCOMP_CFLAGS -DWANT_SECCOMP"
+ LIBS="$LIBS $LIBSECCOMP_LIBS"
+])
+
AX_CFLAGS_WARN_ALL
AC_DEFUN([PT_CHECK_CFLAG],[AX_CHECK_COMPILER_FLAGS([$1],[CFLAGS="$CFLAGS $1"])])
m4_foreach_w([flag], [
diff --git a/security.c b/security.c
index 3012212..333524a 100644
--- a/security.c
+++ b/security.c
@@ -16,6 +16,151 @@
# define ALLOW_PIDNS 1
#endif
+#ifdef WANT_SECCOMP
+# include <seccomp.h>
+
+/* Simple helper to add all of the syscalls in an array. */
+static int pax_seccomp_rules_add(scmp_filter_ctx ctx, int syscalls[], size_t num)
+{
+ static uint8_t prio;
+ size_t i;
+ for (i = 0; i < num; ++i) {
+ if (syscalls[i] < 0)
+ continue;
+
+ if (seccomp_syscall_priority(ctx, syscalls[i], prio++) < 0) {
+ warnp("seccomp_syscall_priority failed");
+ return -1;
+ }
+ if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, syscalls[i], 0) < 0) {
+ warnp("seccomp_rule_add failed");
+ return -1;
+ }
+ }
+ return 0;
+}
+#define pax_seccomp_rules_add(ctx, syscalls) pax_seccomp_rules_add(ctx, syscalls, ARRAY_SIZE(syscalls))
+
+static void pax_seccomp_init(bool allow_forking)
+{
+ /* Order determines priority (first == lowest prio). */
+ int base_syscalls[] = {
+ /* We write the most w/scanelf. */
+ SCMP_SYS(write),
+
+ /* Then the stat family of functions. */
+ SCMP_SYS(newfstatat),
+#ifdef __NR_fstat
+ SCMP_SYS(fstat),
+#endif
+ SCMP_SYS(fstat64),
+#ifdef __NR_fstatat
+ SCMP_SYS(fstatat),
+#endif
+ SCMP_SYS(fstatat64),
+ SCMP_SYS(lstat),
+ SCMP_SYS(lstat64),
+ SCMP_SYS(stat),
+ SCMP_SYS(stat64),
+
+ /* Then the fd close func. */
+ SCMP_SYS(close),
+
+ /* Then fd open family of functions. */
+ SCMP_SYS(open),
+#ifdef __NR_openat
+ SCMP_SYS(openat),
+#endif
+
+ /* Then the memory mapping functions. */
+ SCMP_SYS(mmap),
+ SCMP_SYS(mmap2),
+ SCMP_SYS(munmap),
+
+ /* Then the directory reading functions. */
+ SCMP_SYS(getdents),
+#ifdef __NR_getdents64
+ SCMP_SYS(getdents64),
+#endif
+
+ /* Then the file reading functions. */
+#ifdef __NR_pread
+ SCMP_SYS(pread),
+#endif
+#ifdef __NR_pread64
+ SCMP_SYS(pread64),
+#endif
+ SCMP_SYS(read),
+
+ /* Then the fd manipulation functions. */
+#ifdef __NR_fcntl
+ SCMP_SYS(fcntl),
+#endif
+ SCMP_SYS(fcntl64),
+
+ /* After this point, just sort the list alphabetically. */
+ SCMP_SYS(access),
+ SCMP_SYS(brk),
+ SCMP_SYS(capget),
+ SCMP_SYS(chdir),
+ SCMP_SYS(exit),
+ SCMP_SYS(exit_group),
+ SCMP_SYS(faccessat),
+ SCMP_SYS(fchdir),
+ SCMP_SYS(getpid),
+ SCMP_SYS(gettid),
+ SCMP_SYS(ioctl),
+#ifdef __NR_lseek
+ SCMP_SYS(lseek),
+#endif
+ SCMP_SYS(_llseek),
+ SCMP_SYS(mprotect),
+
+ /* Syscalls listed because of sandbox. */
+ SCMP_SYS(readlink),
+ };
+ int fork_syscalls[] = {
+ SCMP_SYS(clone),
+ SCMP_SYS(execve),
+ SCMP_SYS(fork),
+ SCMP_SYS(rt_sigaction),
+ SCMP_SYS(rt_sigprocmask),
+ SCMP_SYS(unshare),
+ SCMP_SYS(vfork),
+ SCMP_SYS(wait4),
+ SCMP_SYS(waitid),
+ SCMP_SYS(waitpid),
+ };
+ scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_TRAP);
+ if (!ctx) {
+ warnp("seccomp_init failed");
+ return;
+ }
+
+ if (pax_seccomp_rules_add(ctx, base_syscalls) < 0)
+ goto done;
+
+ if (allow_forking)
+ if (pax_seccomp_rules_add(ctx, fork_syscalls) < 0)
+ goto done;
+
+ /* We already called prctl. */
+ seccomp_attr_set(ctx, SCMP_FLTATR_CTL_NNP, 0);
+
+#ifndef __SANITIZE_ADDRESS__
+ /* ASAN does some weird stuff. */
+ if (seccomp_load(ctx) < 0)
+ warnp("seccomp_load failed");
+#endif
+
+ done:
+ seccomp_release(ctx);
+}
+
+#else
+# define pax_seccomp_init(allow_forking)
+#endif
+
static int ns_unshare(int flags)
{
int flag, ret = 0;
@@ -93,6 +238,8 @@ void security_init(bool allow_forking)
if (vfork() == 0)
_exit(0);
}
+
+ pax_seccomp_init(allow_forking);
}
#endif
next reply other threads:[~2015-08-20 14:39 UTC|newest]
Thread overview: 254+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-08-20 14:39 Mike Frysinger [this message]
-- strict thread matches above, loose matches on Subject: below --
2025-07-13 12:32 [gentoo-commits] proj/pax-utils:master commit in: / Fabian Groffen
2024-09-22 4:33 Sam James
2024-09-22 4:30 Sam James
2024-08-09 10:06 Sam James
2024-08-09 10:06 Sam James
2024-08-09 10:06 Sam James
2024-08-09 10:06 Sam James
2024-08-09 10:06 Sam James
2024-08-09 10:06 Sam James
2024-08-09 10:02 Sam James
2024-07-22 21:07 Mike Gilbert
2024-07-22 20:08 Mike Gilbert
2024-01-25 6:52 Mike Frysinger
2024-01-25 5:57 Mike Frysinger
2024-01-25 5:57 Mike Frysinger
2024-01-25 5:36 Mike Frysinger
2024-01-25 5:21 Mike Frysinger
2024-01-25 5:06 Mike Frysinger
2024-01-25 5:06 Mike Frysinger
2024-01-25 4:44 Mike Frysinger
2024-01-25 2:53 Mike Frysinger
2024-01-25 2:53 Mike Frysinger
2024-01-25 2:53 Mike Frysinger
2024-01-25 2:14 Mike Frysinger
2024-01-24 22:53 Mike Frysinger
2024-01-24 22:15 Mike Frysinger
2024-01-24 15:44 Mike Frysinger
2024-01-16 5:13 Mike Frysinger
2024-01-16 5:13 Mike Frysinger
2024-01-10 8:05 Mike Frysinger
2024-01-10 8:02 Mike Frysinger
2024-01-10 8:02 Mike Frysinger
2024-01-10 7:58 Mike Frysinger
2024-01-02 18:03 Mike Frysinger
2024-01-02 18:03 Mike Frysinger
2024-01-02 18:03 Mike Frysinger
2024-01-02 18:03 Mike Frysinger
2024-01-02 16:28 Mike Frysinger
2024-01-01 15:43 Mike Frysinger
2024-01-01 15:43 Mike Frysinger
2023-12-22 5:31 Mike Frysinger
2023-12-22 5:31 Mike Frysinger
2023-12-22 5:31 Mike Frysinger
2023-12-22 2:31 Mike Frysinger
2023-12-22 2:31 Mike Frysinger
2023-12-22 2:31 Mike Frysinger
2023-12-14 21:28 Mike Frysinger
2023-12-14 21:28 Mike Frysinger
2023-12-14 19:57 Mike Frysinger
2023-11-23 13:31 Sam James
2023-02-13 5:26 Sam James
2023-02-13 5:26 Sam James
2023-01-29 5:56 Sam James
2023-01-29 5:56 Sam James
2023-01-29 5:56 Sam James
2023-01-29 3:41 Sam James
2023-01-29 3:36 Sam James
2023-01-29 3:36 Sam James
2023-01-26 21:46 Sam James
2023-01-06 7:15 Sam James
2022-09-28 7:42 Mike Frysinger
2022-09-28 7:42 Mike Frysinger
2022-09-28 7:42 Mike Frysinger
2022-09-28 7:42 Mike Frysinger
2022-09-28 7:42 Mike Frysinger
2022-09-28 7:42 Mike Frysinger
2022-09-28 7:42 Mike Frysinger
2022-09-21 8:28 Mike Frysinger
2022-09-21 8:26 Mike Frysinger
2022-09-21 8:20 Mike Frysinger
2022-07-31 4:56 Sam James
2022-07-12 6:33 Sam James
2022-07-12 6:33 Sam James
2022-04-25 1:20 WANG Xuerui
2022-03-24 15:42 Sam James
2022-03-09 8:01 Mike Frysinger
2022-02-07 7:18 Fabian Groffen
2022-01-23 2:47 Mike Frysinger
2021-12-24 1:45 Sam James
2021-12-17 5:19 Mike Frysinger
2021-10-17 5:15 Mike Frysinger
2021-10-05 1:05 Mike Frysinger
2021-10-04 22:05 Mike Frysinger
2021-09-20 4:51 Sam James
2021-07-22 21:31 Sergei Trofimovich
2021-07-22 21:16 Sergei Trofimovich
2021-07-02 22:04 Sergei Trofimovich
2021-06-10 7:07 Sergei Trofimovich
2021-06-10 7:02 Sergei Trofimovich
2021-04-19 4:58 Mike Frysinger
2021-04-18 18:29 Mike Frysinger
2021-04-17 5:39 Mike Frysinger
2021-04-17 5:39 Mike Frysinger
2021-04-17 0:38 Mike Frysinger
2021-04-16 19:26 Mike Frysinger
2021-04-16 19:26 Mike Frysinger
2021-04-16 19:26 Mike Frysinger
2021-04-16 19:03 Mike Frysinger
2021-04-16 19:03 Mike Frysinger
2021-04-16 15:08 Mike Frysinger
2021-04-16 15:08 Mike Frysinger
2021-04-16 15:08 Mike Frysinger
2021-04-16 3:41 Mike Frysinger
2021-04-16 3:39 Mike Frysinger
2021-04-16 3:39 Mike Frysinger
2021-04-16 1:56 Mike Frysinger
2021-04-16 1:56 Mike Frysinger
2021-04-16 0:48 Mike Frysinger
2021-04-16 0:48 Mike Frysinger
2021-02-26 11:51 Sergei Trofimovich
2021-02-04 18:51 Sergei Trofimovich
2021-02-03 20:41 Sergei Trofimovich
2021-02-03 20:17 Sergei Trofimovich
2021-02-03 19:46 Sergei Trofimovich
2021-01-01 14:08 Fabian Groffen
2021-01-01 14:08 Fabian Groffen
2020-12-20 19:53 Sergei Trofimovich
2020-10-05 17:46 Sergei Trofimovich
2020-08-14 22:17 Sergei Trofimovich
2020-04-13 10:41 Sergei Trofimovich
2020-04-06 18:00 Sergei Trofimovich
2020-03-26 19:27 Mike Frysinger
2020-03-26 17:09 Mike Frysinger
2020-03-26 17:09 Mike Frysinger
2020-03-19 0:00 Sergei Trofimovich
2020-03-18 23:39 Sergei Trofimovich
2020-02-16 10:57 Sergei Trofimovich
2020-02-16 10:50 Sergei Trofimovich
2020-02-16 10:48 Sergei Trofimovich
2020-02-16 10:17 Sergei Trofimovich
2019-01-14 22:53 Sergei Trofimovich
2018-11-19 22:20 Sergei Trofimovich
2018-06-07 14:09 Mike Frysinger
2018-06-07 14:09 Mike Frysinger
2018-06-07 14:09 Mike Frysinger
2018-06-07 14:09 Mike Frysinger
2018-06-07 14:09 Mike Frysinger
2018-06-07 14:09 Mike Frysinger
2018-06-07 14:09 Mike Frysinger
2018-06-07 14:09 Mike Frysinger
2018-06-07 14:09 Mike Frysinger
2018-06-07 4:44 Mike Frysinger
2018-06-07 4:44 Mike Frysinger
2018-06-07 4:44 Mike Frysinger
2018-02-24 10:16 Sergei Trofimovich
2017-09-18 9:27 Fabian Groffen
2017-09-18 9:27 Fabian Groffen
2017-09-18 7:06 Fabian Groffen
2017-03-14 7:19 Mike Frysinger
2017-02-16 21:24 Mike Frysinger
2017-02-16 21:24 Mike Frysinger
2017-02-16 21:24 Mike Frysinger
2017-02-11 7:06 Mike Frysinger
2017-02-01 23:08 Mike Frysinger
2017-02-01 23:08 Mike Frysinger
2017-02-01 23:08 Mike Frysinger
2017-01-24 20:39 Mike Frysinger
2017-01-24 20:39 Mike Frysinger
2017-01-24 6:50 Mike Frysinger
2017-01-24 6:50 Mike Frysinger
2017-01-24 6:50 Mike Frysinger
2017-01-24 6:50 Mike Frysinger
2017-01-22 17:59 Mike Frysinger
2017-01-22 17:59 Mike Frysinger
2017-01-22 17:59 Mike Frysinger
2017-01-22 17:59 Mike Frysinger
2017-01-22 17:59 Mike Frysinger
2017-01-22 17:59 Mike Frysinger
2017-01-22 17:59 Mike Frysinger
2017-01-22 17:59 Mike Frysinger
2017-01-22 17:59 Mike Frysinger
2016-11-27 3:43 Mike Frysinger
2016-11-15 4:02 Mike Frysinger
2016-11-15 4:02 Mike Frysinger
2016-11-14 14:57 Mike Frysinger
2016-11-12 7:15 Mike Frysinger
2016-11-12 7:15 Mike Frysinger
2016-11-12 7:15 Mike Frysinger
2016-11-12 7:15 Mike Frysinger
2016-11-12 7:15 Mike Frysinger
2016-11-12 7:15 Mike Frysinger
2016-11-08 20:47 Mike Gilbert
2016-06-20 17:46 Mike Frysinger
2016-06-20 4:03 Mike Frysinger
2016-06-20 4:03 Mike Frysinger
2016-06-20 3:22 Mike Frysinger
2016-06-20 3:22 Mike Frysinger
2016-06-20 3:08 Mike Frysinger
2016-06-20 3:08 Mike Frysinger
2016-06-20 3:08 Mike Frysinger
2016-06-20 3:08 Mike Frysinger
2016-06-20 3:08 Mike Frysinger
2016-06-20 3:08 Mike Frysinger
2016-06-20 3:08 Mike Frysinger
2016-06-20 3:08 Mike Frysinger
2016-06-20 3:08 Mike Frysinger
2016-06-20 3:08 Mike Frysinger
2016-06-20 3:08 Mike Frysinger
2016-05-31 22:27 Mike Frysinger
2016-03-03 21:15 Mike Frysinger
2016-02-10 19:41 Mike Frysinger
2016-02-10 18:54 Mike Frysinger
2016-01-28 22:42 Mike Frysinger
2016-01-03 22:23 Mike Frysinger
2016-01-03 22:23 Mike Frysinger
2016-01-03 22:01 Mike Frysinger
2016-01-02 15:26 Mike Frysinger
2016-01-02 3:52 Mike Frysinger
2015-12-19 19:41 Mike Frysinger
2015-12-17 3:24 Mike Frysinger
2015-12-17 3:24 Mike Frysinger
2015-12-17 3:24 Mike Frysinger
2015-12-17 3:24 Mike Frysinger
2015-12-12 22:45 Mike Frysinger
2015-12-12 22:45 Mike Frysinger
2015-12-12 22:45 Mike Frysinger
2015-12-12 22:45 Mike Frysinger
2015-12-12 22:45 Mike Frysinger
2015-12-12 22:45 Mike Frysinger
2015-11-26 8:43 Mike Frysinger
2015-10-26 4:35 Mike Frysinger
2015-10-08 20:31 Mike Frysinger
2015-09-19 6:27 Mike Frysinger
2015-09-19 6:27 Mike Frysinger
2015-09-12 4:17 Mike Frysinger
2015-08-28 0:33 Mike Frysinger
2015-08-26 6:29 Mike Frysinger
2015-08-24 21:22 Mike Frysinger
2015-08-24 21:22 Mike Frysinger
2015-08-24 21:22 Mike Frysinger
2015-08-20 14:39 Mike Frysinger
2015-08-20 14:39 Mike Frysinger
2015-08-20 14:33 Mike Frysinger
2015-08-20 14:33 Mike Frysinger
2015-08-20 13:32 Mike Frysinger
2015-08-18 15:56 Mike Frysinger
2015-08-18 15:35 Mike Frysinger
2015-08-18 15:35 Mike Frysinger
2015-08-18 14:39 Mike Frysinger
2015-08-18 14:38 Mike Frysinger
2015-07-13 9:14 Mike Frysinger
2015-07-13 9:14 Mike Frysinger
2015-07-13 9:14 Mike Frysinger
2015-05-24 3:22 Mike Frysinger
2015-03-29 20:07 Mike Frysinger
2015-03-29 20:07 Mike Frysinger
2015-03-29 20:07 Mike Frysinger
2015-03-10 5:31 Mike Frysinger
2015-03-10 5:31 Mike Frysinger
2015-03-10 4:19 Mike Frysinger
2015-03-10 3:36 Mike Frysinger
2015-03-06 11:52 Mike Frysinger
2015-03-04 22:35 Mike Frysinger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1440081520.d6fcdb53ed7341f25db859516fa0383fca95eb1d.vapier@gentoo \
--to=vapier@gentoo.org \
--cc=gentoo-commits@lists.gentoo.org \
--cc=gentoo-dev@lists.gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox