tighten the rules for fcntl

allow only the F_GETFL and F_SETFL commands
Omar Polo 2021-01-20 15:54:26 +00:00
parent 298e4b96dc
commit de4f713184
1 changed files with 14 additions and 1 deletions


@ -145,7 +145,6 @@ sandbox()
SC_ALLOW(poll),
#endif
SC_ALLOW(accept),
SC_ALLOW(fcntl),
SC_ALLOW(read),
SC_ALLOW(openat),
SC_ALLOW(fstat),
@ -164,6 +163,20 @@ sandbox()
SC_ALLOW(exit),
SC_ALLOW(exit_group),
/* allow only F_GETFL and F_SETFL fcntl */
BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_fcntl, 0, 6);
BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
(offsetof(struct seccomp_data, args[1])));
BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, F_GETFL, 0 1);
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, F_SETFL, 0, 1);
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
BPF_STMT(BPF_RET | BPF_K, SC_FAIL);
/* re-load the syscall number */
BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
(offsetof(struct seccomp_data, nr))),
/* allow ioctl but only on fd 1, glibc doing stuff? */
BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_ioctl, 0, 3),
BPF_STMT(BPF_LD | BPF_W | BPF_ABS,