seccomp.c
/*
* Copyright (c) 2017, Google, Inc.
*
* Author: Han-Wen Nienhuys <[email protected]>
*
* This source code is released for free distribution under the terms of the
* GNU General Public License version 2 or (at your option) any later version.
*
*/
#include "general.h"
#include "debug.h"
#include "interactive_p.h"
#include "routines.h"
#ifdef HAVE_SECCOMP
#include <seccomp.h>
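/*
 * Install a seccomp allow-list for the process ("Entering sandbox").
 *
 * The filter's default action is SCMP_ACT_KILL; only the syscalls listed
 * below are allowed. Nothing that creates a new file descriptor (open,
 * openat, socket, ...) is on the list, so after a successful load the
 * process can only read and write descriptors that were already open.
 *
 * Returns 0 on success and a non-zero value on failure: 1 when the filter
 * context cannot be created, otherwise the negative value returned by
 * libseccomp. A failure to add any single rule is reported and returned
 * instead of being ignored, so the caller never continues with a filter
 * that is missing part of the allow-list.
 */
int installSyscallFilter (void)
{
	const int allowedSyscalls [] = {
		// Memory allocation.
		// NOTE(review): mmap is allowed with any protection flags; add
		// argument filters if executable mappings should be refused.
		SCMP_SYS (mmap),
		SCMP_SYS (munmap),
		SCMP_SYS (mremap),
		SCMP_SYS (brk),

		// I/O
		SCMP_SYS (read),
		SCMP_SYS (write),

		// Clean exit
		SCMP_SYS (exit),
		SCMP_SYS (exit_group),

		// The bowels of stdio want to know the size of a file, even for stdout.
		SCMP_SYS (fstat),
		SCMP_SYS (fstat64),

		// seems unnecessary, but this comes from
		// main/parse.c:2764 : tagFilePosition (&tagfpos);
		SCMP_SYS (lseek),
		SCMP_SYS (_llseek),

		// libxml2 uses pthread_once, which in turn uses a futex
		SCMP_SYS (futex),
	};
	const unsigned int allowedCount =
		sizeof (allowedSyscalls) / sizeof (allowedSyscalls [0]);

	// Use SCMP_ACT_TRAP to get a core dump.
	// SCMP_ACT_KILL is thread-scoped in libseccomp; newer releases also
	// offer SCMP_ACT_KILL_PROCESS.
	scmp_filter_ctx ctx = seccomp_init (SCMP_ACT_KILL);
	if (ctx == NULL)
	{
		return 1;
	}

	for (unsigned int i = 0; i < allowedCount; i++)
	{
		// seccomp_rule_add (unlike seccomp_rule_add_exact) is best-effort
		// for syscalls the native architecture lacks, so a negative return
		// here is treated as a real failure.
		int rc = seccomp_rule_add (ctx, SCMP_ACT_ALLOW, allowedSyscalls [i], 0);
		if (rc < 0)
		{
			error (WARNING, "Failed to add syscall filter rule");
			seccomp_release (ctx);
			return rc;
		}
	}

	verbose ("Entering sandbox\n");
	int err = seccomp_load (ctx);
	if (err < 0)
	{
		error (WARNING, "Failed to install syscall filter");
		/* Error handling is done in upper layer. */
	}

	// The context is only needed to build and load the filter.
	seccomp_release (ctx);

	return err;
}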
/*
TODO: on OSX, Seatbelt
(https://dev.chromium.org/developers/design-documents/sandbox/osx-sandboxing-design)
should be used for equivalent functionality.
*/
#else
/*
 * Fallback used when the build has no HAVE_SECCOMP.
 *
 * No filter is installed. The function trips AssertNotReached () and then
 * reports failure with -1, so a caller can never mistake this stub for a
 * working sandbox.
 */
int installSyscallFilter (void)
{
	const int notSupported = -1;

	AssertNotReached ();

	return notSupported;
}
#endif