From: "Mike Frysinger" <vapier@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] proj/pax-utils:master commit in: /
Date: Thu, 20 Aug 2015 14:39:29 +0000 (UTC)	[thread overview]
Message-ID: <1440081520.d6fcdb53ed7341f25db859516fa0383fca95eb1d.vapier@gentoo> (raw)

commit:     d6fcdb53ed7341f25db859516fa0383fca95eb1d
Author:     Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Tue Aug 18 14:50:45 2015 +0000
Commit:     Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Thu Aug 20 14:38:40 2015 +0000
URL:        https://gitweb.gentoo.org/proj/pax-utils.git/commit/?id=d6fcdb53

security: use seccomp to lock ourselves down

This has a minor speed hit (a few milliseconds), but otherwise provides
a decent balance.

 Makefile     |   7 +++
 configure.ac |   7 +++
 security.c   | 147 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 161 insertions(+)

diff --git a/Makefile b/Makefile
index ac5e9cc..3abfee7 100644
--- a/Makefile
+++ b/Makefile
@@ -49,6 +49,13 @@ CPPFLAGS-pspax.c += $(LIBCAPS_CFLAGS) -DWANT_SYSCAP
 LIBS-pspax       += $(LIBCAPS_LIBS)
 endif
 
+ifeq ($(USE_SECCOMP),yes)
+LIBSECCOMP_CFLAGS := $(shell $(PKG_CONFIG) --cflags libseccomp)
+LIBSECCOMP_LIBS   := $(shell $(PKG_CONFIG) --libs libseccomp)
+override CPPFLAGS += $(LIBSECCOMP_CFLAGS) -DWANT_SECCOMP
+LIBS              += $(LIBSECCOMP_LIBS)
+endif
+
 ifdef PV
 override CPPFLAGS  += -DVERSION=\"$(PV)\"
 else
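Review bot: The two `$(shell $(PKG_CONFIG) ...)` calls on L35-L36 discard pkg-config's exit status, so when libseccomp is absent both variables come back empty while `-DWANT_SECCOMP` on L37 is still appended, and the build only fails later inside security.c at `#include <seccomp.h>` rather than at a point the user can act on; adding `$(if $(LIBSECCOMP_LIBS),,$(error libseccomp not found via $(PKG_CONFIG)))` after L36 would stop make with a clear message. This mirrors the LIBCAPS block just above (its start is outside the hunk), so it may be an accepted convention in this Makefile, in which case the same guard belongs there too. The configure.ac side of this commit goes through PKG_CHECK_MODULES and already hard-fails, so only the plain-make path is affected.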

diff --git a/configure.ac b/configure.ac
index c3591ff..327d9b8 100644
--- a/configure.ac
+++ b/configure.ac
@@ -26,6 +26,13 @@ AS_IF([test "x$with_caps" = "xyes"], [
 AC_ARG_WITH([python], [AS_HELP_STRING([--with-python], [use lddtree.py])])
 AM_CONDITIONAL([USE_PYTHON], [test "x$with_python" = "xyes"])
 
+AC_ARG_WITH([seccomp], [AS_HELP_STRING([--with-seccomp], [build with seccomp])])
+AS_IF([test "x$with_seccomp" = "xyes"], [
+	PKG_CHECK_MODULES(LIBSECCOMP, libseccomp)
+	CPPFLAGS="$CPPFLAGS $LIBSECCOMP_CFLAGS -DWANT_SECCOMP"
+	LIBS="$LIBS $LIBSECCOMP_LIBS"
+])
+
 AX_CFLAGS_WARN_ALL
 AC_DEFUN([PT_CHECK_CFLAG],[AX_CHECK_COMPILER_FLAGS([$1],[CFLAGS="$CFLAGS $1"])])
 m4_foreach_w([flag], [

diff --git a/security.c b/security.c
index 3012212..333524a 100644
--- a/security.c
+++ b/security.c
@@ -16,6 +16,151 @@
 # define ALLOW_PIDNS 1
 #endif
 
+#ifdef WANT_SECCOMP
+# include <seccomp.h>
+
+/* Simple helper to add all of the syscalls in an array. */
+static int pax_seccomp_rules_add(scmp_filter_ctx ctx, int syscalls[], size_t num)
+{
+	static uint8_t prio;
+	size_t i;
+	for (i = 0; i < num; ++i) {
+		if (syscalls[i] < 0)
+			continue;
+
+		if (seccomp_syscall_priority(ctx, syscalls[i], prio++) < 0) {
+			warnp("seccomp_syscall_priority failed");
+			return -1;
+		}
+		if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, syscalls[i], 0) < 0) {
+			warnp("seccomp_rule_add failed");
+			return -1;
+		}
+	}
+	return 0;
+}
+#define pax_seccomp_rules_add(ctx, syscalls) pax_seccomp_rules_add(ctx, syscalls, ARRAY_SIZE(syscalls))
+
+static void pax_seccomp_init(bool allow_forking)
+{
+	/* Order determines priority (first == lowest prio).  */
+	int base_syscalls[] = {
+		/* We write the most w/scanelf.  */
+		SCMP_SYS(write),
+
+		/* Then the stat family of functions.  */
+		SCMP_SYS(newfstatat),
+#ifdef __NR_fstat
+		SCMP_SYS(fstat),
+#endif
+		SCMP_SYS(fstat64),
+#ifdef __NR_fstatat
+		SCMP_SYS(fstatat),
+#endif
+		SCMP_SYS(fstatat64),
+		SCMP_SYS(lstat),
+		SCMP_SYS(lstat64),
+		SCMP_SYS(stat),
+		SCMP_SYS(stat64),
+
+		/* Then the fd close func.  */
+		SCMP_SYS(close),
+
+		/* Then fd open family of functions.  */
+		SCMP_SYS(open),
+#ifdef __NR_openat
+		SCMP_SYS(openat),
+#endif
+
+		/* Then the memory mapping functions.  */
+		SCMP_SYS(mmap),
+		SCMP_SYS(mmap2),
+		SCMP_SYS(munmap),
+
+		/* Then the directory reading functions.  */
+		SCMP_SYS(getdents),
+#ifdef __NR_getdents64
+		SCMP_SYS(getdents64),
+#endif
+
+		/* Then the file reading functions.  */
+#ifdef __NR_pread
+		SCMP_SYS(pread),
+#endif
+#ifdef __NR_pread64
+		SCMP_SYS(pread64),
+#endif
+		SCMP_SYS(read),
+
+		/* Then the fd manipulation functions.  */
+#ifdef __NR_fcntl
+		SCMP_SYS(fcntl),
+#endif
+		SCMP_SYS(fcntl64),
+
+		/* After this point, just sort the list alphabetically.  */
+		SCMP_SYS(access),
+		SCMP_SYS(brk),
+		SCMP_SYS(capget),
+		SCMP_SYS(chdir),
+		SCMP_SYS(exit),
+		SCMP_SYS(exit_group),
+		SCMP_SYS(faccessat),
+		SCMP_SYS(fchdir),
+		SCMP_SYS(getpid),
+		SCMP_SYS(gettid),
+		SCMP_SYS(ioctl),
+#ifdef __NR_lseek
+		SCMP_SYS(lseek),
+#endif
+		SCMP_SYS(_llseek),
+		SCMP_SYS(mprotect),
+
+		/* Syscalls listed because of sandbox.  */
+		SCMP_SYS(readlink),
+	};
+	int fork_syscalls[] = {
+		SCMP_SYS(clone),
+		SCMP_SYS(execve),
+		SCMP_SYS(fork),
+		SCMP_SYS(rt_sigaction),
+		SCMP_SYS(rt_sigprocmask),
+		SCMP_SYS(unshare),
+		SCMP_SYS(vfork),
+		SCMP_SYS(wait4),
+		SCMP_SYS(waitid),
+		SCMP_SYS(waitpid),
+	};
+	scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_TRAP);
+	if (!ctx) {
+		warnp("seccomp_init failed");
+		return;
+	}
+
+	if (pax_seccomp_rules_add(ctx, base_syscalls) < 0)
+		goto done;
+
+	if (allow_forking)
+		if (pax_seccomp_rules_add(ctx, fork_syscalls) < 0)
+			goto done;
+
+	/* We already called prctl. */
+	seccomp_attr_set(ctx, SCMP_FLTATR_CTL_NNP, 0);
+
+#ifndef __SANITIZE_ADDRESS__
+	/* ASAN does some weird stuff. */
+	if (seccomp_load(ctx) < 0)
+		warnp("seccomp_load failed");
+#endif
+
+ done:
+	seccomp_release(ctx);
+}
+
+#else
+# define pax_seccomp_init(allow_forking)
+#endif
+
 static int ns_unshare(int flags)
 {
 	int flag, ret = 0;
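Review bot: The priority hint on L84 gives the first array entry the value 0 and counts upward, so if libseccomp treats a larger value as a higher priority (as its seccomp_syscall_priority(3) manual states), write(2) — which the comment on L101 singles out as the most frequent call — lands at the lowest placement in the generated filter and the comment on L99 describes the opposite of the intended effect; counting down instead, `static uint8_t prio = UINT8_MAX;` with `prio--` on L84, or reversing the array order, would fix it, and a one-line comment stating which end of the scale is the fast path would keep the next reader from guessing. The same counter is an 8-bit static that wraps silently past 255 entries; both arrays are well below that today, but a guard such as `if (prio == UINT8_MAX) return -1;` before the increment would make the limit explicit. Separately, every failure path (seccomp_init on L187, the rule adds, seccomp_load on L205, and the unchecked seccomp_attr_set on L201) only warns and leaves the process running with no filter at all, so the sandbox fails open; that may be the "decent balance" the commit message refers to, but it deserves a comment at the top of pax_seccomp_init, e.g. `/* Best effort: any failure below leaves the process unfiltered. */`, and seccomp_attr_set's return should be checked with a warnp like the calls around it. The "We already called prctl" comment on L200 presumably refers to PR_SET_NO_NEW_PRIVS being set earlier in security_init, which is outside this hunk, so it cannot be confirmed here.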
@@ -93,6 +238,8 @@ void security_init(bool allow_forking)
 			if (vfork() == 0)
 				_exit(0);
 	}
+
+	pax_seccomp_init(allow_forking);
 }
 
 #endif


