Merge branch 'seccomp'.

fcambus · Oct 23, 2019 · ab8c474 · ab8c474
2 parents 7f4ac5c + 01c45a2
commit ab8c474
Show file tree

Hide file tree

Showing 2 changed files with 74 additions and 1 deletion.
diff --git a/src/logswan.c b/src/logswan.c
@@ -4,7 +4,7 @@
  * https://www.logswan.org
  *
  * Created:      2015-05-31
- * Last Updated: 2019-08-16
+ * Last Updated: 2019-09-27
  *
  * Logswan is released under the BSD 2-Clause license.
  * See LICENSE file for details.
@@ -31,6 +31,15 @@
 #include <string.h>
 #include <time.h>
 
+#if defined(__linux__)
+#include <sys/prctl.h>
+#include <sys/syscall.h>
+#include <linux/audit.h>
+#include <linux/filter.h>
+#include <linux/seccomp.h>
+#include "seccomp.h"
+#endif
+
 #include <maxminddb.h>
 
 #include "compat.h"
@@ -90,6 +99,11 @@ main(int argc, char *argv[]) {
 		err(EXIT_FAILURE, "pledge");
 	}
 
+#if defined(__linux__)
+	prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
+	prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &logswan);
+#endif
+
 	hll_init(&uniqueIPv4, HLL_BITS);
 	hll_init(&uniqueIPv6, HLL_BITS);
 

diff --git a/src/seccomp.h b/src/seccomp.h
@@ -0,0 +1,59 @@
+/*
+ * Logswan 2.0.4
+ * Copyright (c) 2015-2019, Frederic Cambus
+ * https://www.logswan.org
+ *
+ * Created:      2015-05-31
+ * Last Updated: 2019-10-23
+ *
+ * Logswan is released under the BSD 2-Clause license.
+ * See LICENSE file for details.
+ */
+
+#include <stddef.h>
+#include <sys/prctl.h>
+#include <sys/socket.h>
+#include <sys/syscall.h>
+#include <linux/audit.h>
+#include <linux/filter.h>
+#include <linux/seccomp.h>
+
+static struct sock_filter filter[] = {
+	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, offsetof(struct seccomp_data, nr)),
+
+	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_brk, 0, 1),
+	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),
+	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_close, 0, 1),
+	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),
+	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_exit_group, 0, 1),
+	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),
+	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_fcntl, 0, 1),
+	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),
+	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_fstat, 0, 1),
+	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),
+	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_ioctl, 0, 1),
+	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),
+	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_lseek, 0, 1),
+	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),
+	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_open, 0, 1),
+	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),
+	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_openat, 0, 1),
+	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),
+	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_mmap, 0, 1),
+	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),
+	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_munmap, 0, 1),
+	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),
+	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_read, 0, 1),
+	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),
+	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_write, 0, 1),
+	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),
+	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_writev, 0, 1),
+	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),
+
+	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)
+};
+
+struct sock_fprog logswan = {
+	.len = sizeof(filter)/sizeof(filter[0]),
+	.filter = filter
+};