From df58efff26529acd6a5675d3b4044d494b138397 Mon Sep 17 00:00:00 2001
From: Omar Polo
Date: Mon, 8 Feb 2021 12:46:46 +0000
Subject: [PATCH] fix seccomp for the new event loop

add/remove syscalls from the BPF filter and move sandbox() after libevent initialisation
---
 gmid.c | 1 -
 sandbox.c | 22 +++++++++++-----------
 server.c | 2 ++
 3 files changed, 13 insertions(+), 12 deletions(-)

diff --git a/gmid.c b/gmid.c
index 023dd62..b960bfc 100644
--- a/gmid.c
+++ b/gmid.c
@@ -200,7 +200,6 @@ listener_main(void)
 	unblock_signals();
 	load_default_mime(&conf.mime);
 	load_vhosts();
-	sandbox();
 	loop(ctx, sock4, sock6);
 	return 0;
 }
diff --git a/sandbox.c b/sandbox.c
index 262d41a..2a2504f 100644
--- a/sandbox.c
+++ b/sandbox.c
@@ -150,16 +150,9 @@ sandbox()
 	/* these are used to serve the files. note how we
 	 * allow openat but not open. */
-
-#ifdef __aarch64__
-	/* it seems that on aarch64 there isn't a poll(2)
-	 * syscall, but instead it's implemented on top of
-	 * ppoll(2). */
-	SC_ALLOW(ppoll),
-#else
-	SC_ALLOW(poll),
-#endif
-	SC_ALLOW(accept),
+	SC_ALLOW(epoll_pwait),
+	SC_ALLOW(epoll_ctl),
+	SC_ALLOW(accept4),
 	SC_ALLOW(read),
 	SC_ALLOW(openat),
 	SC_ALLOW(fstat),
@@ -175,8 +168,9 @@ sandbox()
 	/* XXX: ??? */
 	SC_ALLOW(getpid),
-	/* alpine on amd64 does a clock_gettime(2) */
+	/* alpine on amd64 */
 	SC_ALLOW(clock_gettime),
+	SC_ALLOW(madvise),
 	/* void on aarch64 does a gettrandom */
 	SC_ALLOW(getrandom),
@@ -187,6 +181,12 @@ sandbox()
 	SC_ALLOW(exit),
 	SC_ALLOW(exit_group),
+	/* stuff used by syslog. revisit once we move
+	 * logging in its own process */
+	SC_ALLOW(socket),
+	SC_ALLOW(sendto),
+	SC_ALLOW(connect),
+
 	/* allow only F_GETFL and F_SETFL fcntl */
 	BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_fcntl, 0, 8),
 	BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
diff --git a/server.c b/server.c
index daeeb93..d7e5108 100644
--- a/server.c
+++ b/server.c
@@ -1059,5 +1059,7 @@ loop(struct tls *ctx, int sock4, int sock6)
 	server.ctx = ctx;
+	sandbox();
 	event_dispatch();
+	_exit(0);
 }
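Review bot: The filter now allows epoll_pwait but not epoll_wait, and as far as I recall glibc's epoll_wait(3) — what libevent's epoll backend calls — issues the epoll_wait syscall wherever __NR_epoll_wait exists (x86_64 included) and only falls back to epoll_pwait on architectures without it, while musl always goes through epoll_pwait; so a glibc/amd64 build would be killed by seccomp on the first dispatch even though the alpine test passes. This is the same arch/libc dependence the removed `#ifdef __aarch64__` block handled for poll/ppoll, now reappearing without a guard. Add `SC_ALLOW(epoll_wait),` beside `SC_ALLOW(epoll_pwait),` (under `#ifdef __NR_epoll_wait` if builds target arches lacking it) and say in the comment which libc/arch each entry serves. Whether accept4 alone is enough depends on whether this libevent build has accept4(2) or falls back to accept(2); worth confirming. sandbox()'s body starts and continues outside the hunk.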
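Review bot: The comment above SC_ALLOW(clock_gettime) no longer says which call it documents, and the new SC_ALLOW(madvise) under it carries no note on which libc path needs it, so a later reader cannot tell whether either entry is still required or safe to drop. Keep the original wording and extend it, e.g. `/* alpine on amd64 (musl) does a clock_gettime(2) and madvise(2) */` — assuming madvise comes from the same libc (presumably its allocator releasing memory); confirm before writing it down. sandbox() continues outside the hunk.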
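Review bot: SC_ALLOW(socket), SC_ALLOW(sendto) and SC_ALLOW(connect) are unconditional, so the sandboxed listener may now create a socket of any family and connect anywhere, which is far more than syslog(3) needs (an AF_UNIX datagram socket to the log socket). The fcntl entry a few lines below already shows how this filter inspects a syscall argument; the same pattern can gate socket(2) on its first argument being AF_UNIX, or — as the comment itself anticipates — logging moves to its own process and these three lines disappear. Until then, record the intended scope so nobody widens it further, e.g. `/* syslog(3) only: AF_UNIX socket to the log socket; gate on args[0] == AF_UNIX or drop once logging has its own process */`. sandbox() continues outside the hunk.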
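Review bot: The return value of event_dispatch() is discarded and the process then always exits with status 0, so a dispatch failure (it returns -1 on error) is indistinguishable from a clean shutdown to the parent. Using _exit(2) rather than exit(3) also looks deliberate — presumably to keep atexit handlers and stdio flushing from running inside the seccomp sandbox that was just installed — but nothing says so, and the next person may "fix" it back. Suggest `if (event_dispatch() == -1) _exit(1);` followed by `_exit(0); /* not exit(3): keep atexit/stdio out of the seccomp sandbox */`, adjusting the comment if the reason is different. loop()'s body starts outside the hunk.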