mptre / pick

A fuzzy search tool for the command-line
MIT License

Add seccomp support for sandbox #274

Open ghost opened 6 years ago

mptre commented 6 years ago

Great work! Attached is a diff which reworks the macros and some cleanup:

diff --git compat-sandbox.c compat-sandbox.c
index 3f63556..2645f23 100644
--- compat-sandbox.c
+++ compat-sandbox.c
@@ -36,49 +36,45 @@ sandbox(int stage)
 #include <err.h>
 #include <seccomp.h>

-#define ALLOW(syscall)                             \
-   if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(syscall), 0) < 0) {  \
-       err(1, "seccomp_rule_add");                 \
-   }
+#define ALLOW(syscall)                         \
+   (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(syscall), 0) < 0)

-#define ALLOW_IOCTL(syscall, x)                            \
-   if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(ioctl), x,       \
-       SCMP_A1(SCMP_CMP_EQ, syscall)) < 0) {               \
-       err(1, "seccomp_rule_add (ioctl)");             \
-   }
+#define ALLOW_IOCTL(syscall, x)    \
+   (seccomp_rule_add(ctx, SCMP_ACT_ALLOW,SCMP_SYS(ioctl), x,   \
+    SCMP_A1(SCMP_CMP_EQ, syscall)) < 0)

 void
 sandbox(int stage)
 {
-   scmp_filter_ctx     ctx;
+   scmp_filter_ctx ctx;

    switch (stage) {
    case SANDBOX_ENTER:
-
        if ((ctx = seccomp_init(SCMP_ACT_TRAP)) == NULL)
            err(1, "seccomp_init");

-       ALLOW(access);
-       ALLOW(close);
-       ALLOW(exit_group);
-       ALLOW(fstat);
-       ALLOW(fstat64);
-       ALLOW(mmap);
-       ALLOW(mmap2);
-       ALLOW(munmap);
-       ALLOW(open);
-       ALLOW(poll);
-       ALLOW(read);
-       ALLOW(rt_sigaction);
-       ALLOW(sigaction);
-       ALLOW(sigreturn);
-       ALLOW(stat);
-       ALLOW(stat64);
-       ALLOW(time);
-       ALLOW(write);
-       ALLOW_IOCTL(TCGETS, 1);
-       ALLOW_IOCTL(TCSETS, 1);
-       ALLOW_IOCTL(TIOCGWINSZ, 1);
+       if (ALLOW(access) ||
+           ALLOW(close) ||
+           ALLOW(exit_group) ||
+           ALLOW(fstat) ||
+           ALLOW(fstat64) ||
+           ALLOW(mmap) ||
+           ALLOW(mmap2) ||
+           ALLOW(munmap) ||
+           ALLOW(open) ||
+           ALLOW(poll) ||
+           ALLOW(read) ||
+           ALLOW(rt_sigaction) ||
+           ALLOW(sigaction) ||
+           ALLOW(sigreturn) ||
+           ALLOW(stat) ||
+           ALLOW(stat64) ||
+           ALLOW(time) ||
+           ALLOW(write) ||
+           ALLOW_IOCTL(TCGETS, 1) ||
+           ALLOW_IOCTL(TCSETS, 1) ||
+           ALLOW_IOCTL(TIOCGWINSZ, 1))
+           err(1, "seccomp_rule_add");

        if (seccomp_load(ctx) < 0)
            err(1, "seccomp_load");
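Review bot: The rewritten `ALLOW`/`ALLOW_IOCTL` macros collapse seccomp_rule_add()'s result to a boolean, so the single `err(1, "seccomp_rule_add")` after the `||` chain prints strerror(errno) although libseccomp reports the failure as a negative return value rather than through errno, and the message no longer says which rule was rejected. Keeping the return code in a local and reporting it with errx()/strerror(-rc) restores a meaningful diagnostic (naming the failed syscall would need the name threaded through the macro, which may not be worth it here). strerror() needs <string.h>, which is not visible in this hunk. sandbox()'s switch and body continue past the end of the hunk.
```c
#define ALLOW(syscall)                         \
    ((rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(syscall), 0)) < 0)

#define ALLOW_IOCTL(syscall, x)    \
    ((rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(ioctl), x,   \
     SCMP_A1(SCMP_CMP_EQ, syscall))) < 0)

/* … unchanged: sandbox() signature … */
    scmp_filter_ctx ctx;
    int rc;
/* … unchanged: seccomp_init() and the ALLOW chain … */
            errx(1, "seccomp_rule_add: %s", strerror(-rc));
```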
mptre commented 6 years ago

I guess libseccomp-dev is required to be installed on Travis in order to trigger the autoconf check? You could try to install it globally in .travis.yml. Caution, lines below untested:

addons:
  apt:
    packages:
      - libseccomp-dev
ghost commented 6 years ago

Thanks: applied!

ghost commented 6 years ago

The experimental seccomp-support can be enabled with --enable-seccomp ...

codecov-io commented 6 years ago

Codecov Report

Merging #274 into sandbox will not change coverage. The diff coverage is n/a.

Impacted file tree graph

@@           Coverage Diff            @@
##           sandbox     #274   +/-   ##
========================================
  Coverage    90.58%   90.58%           
========================================
  Files            1        1           
  Lines          510      510           
========================================
  Hits           462      462           
  Misses          48       48

Continue to review full report at Codecov.

Legend - Click here to learn more Δ = absolute <relative> (impact), ø = not affected, ? = missing data Powered by Codecov. Last update 321e6e7...9f21d79. Read the comment docs.