passt, pasta: Add seccomp support
List of allowed syscalls comes from comments in the form: #syscalls <list> for syscalls needed in both passt and pasta mode, and: #syscalls:pasta <list> #syscalls:passt <list> for syscalls needed only in pasta or passt mode, respectively. seccomp.sh builds a list of BPF statements from those comments, prefixed by a binary search tree to keep lookup fast. While at it, clean up the Makefile a bit using wildcards. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
This commit is contained in:
parent
f318174a93
commit
66d5930ec7
10 changed files with 259 additions and 9 deletions
36
passt.c
36
passt.c
|
@ -51,7 +51,12 @@
|
|||
#include <time.h>
|
||||
#include <syslog.h>
|
||||
#include <sys/stat.h>
|
||||
#include <seccomp.h>
|
||||
#include <sys/prctl.h>
|
||||
#include <linux/filter.h>
|
||||
#include <stddef.h>
|
||||
|
||||
#include "seccomp.h"
|
||||
#include "util.h"
|
||||
#include "passt.h"
|
||||
#include "dhcp.h"
|
||||
|
@ -157,12 +162,41 @@ void proto_update_l2_buf(unsigned char *eth_d, unsigned char *eth_s,
|
|||
udp_update_l2_buf(eth_d, eth_s, ip_da);
|
||||
}
|
||||
|
||||
/**
|
||||
* seccomp() - Set up seccomp filters depending on mode, won't return on failure
|
||||
* @c: Execution context
|
||||
*/
|
||||
static void seccomp(struct ctx *c)
|
||||
{
|
||||
struct sock_fprog prog;
|
||||
|
||||
if (c->mode == MODE_PASST) {
|
||||
prog.len = (unsigned short)ARRAY_SIZE(filter_passt);
|
||||
prog.filter = filter_passt;
|
||||
} else {
|
||||
prog.len = (unsigned short)ARRAY_SIZE(filter_pasta);
|
||||
prog.filter = filter_pasta;
|
||||
}
|
||||
|
||||
if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
|
||||
prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) {
|
||||
perror("prctl");
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* main() - Entry point and main loop
|
||||
* @argc: Argument count
|
||||
* @argv: Options, plus optional target PID for pasta mode
|
||||
*
|
||||
* Return: 0 once interrupted, non-zero on failure
|
||||
*
|
||||
* #syscalls read write open close fork dup2 exit chdir brk ioctl writev syslog
|
||||
* #syscalls prlimit64 epoll_ctl epoll_create1 epoll_wait accept4 accept listen
|
||||
* #syscalls socket bind connect getsockopt setsockopt recvfrom sendto shutdown
|
||||
* #syscalls openat fstat fcntl lseek
|
||||
* #syscalls:pasta rt_sigreturn
|
||||
*/
|
||||
int main(int argc, char **argv)
|
||||
{
|
||||
|
@ -198,6 +232,8 @@ int main(int argc, char **argv)
|
|||
|
||||
conf(&c, argc, argv);
|
||||
|
||||
seccomp(&c);
|
||||
|
||||
if (!c.debug && (c.stderr || isatty(fileno(stdout))))
|
||||
openlog(log_name, LOG_PERROR, LOG_DAEMON);
|
||||
|
||||
|
|
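Review bot: The allow list in the main() comment names `exit` but not `exit_group`, and on Linux glibc's exit()/_exit() terminate the process with exit_group(2), so once the filter is installed every termination path — including the `exit(EXIT_FAILURE)` inside seccomp() itself if the second prctl() fails — would hit the filter's default action instead of exiting with a status; unless another file in this commit lists it, add it: `* #syscalls read write open close fork dup2 exit exit_group chdir brk ioctl writev syslog`. In the same list, `syslog` is the kernel ring-buffer syscall (klogctl), not what libc's openlog()/syslog() use — those go through socket/connect/sendto, which are already listed — so it presumably widens the sandbox without being needed; worth confirming against seccomp.sh's output. Similarly, `brk` is allowed but `mmap`/`munmap` are not, and glibc's malloc falls back to mmap for large requests, so that is worth checking if other files do not add them. The seccomp() header comment should also say that the filter is selected by `c->mode`, applied to the calling thread with PR_SET_NO_NEW_PRIVS set first (required to install a filter without CAP_SYS_ADMIN), and inherited by children created with the allowed `fork`.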