Simplify rules handling

This commit is contained in:
Sebastian Ramacher 2018-11-28 00:23:06 +01:00
parent 875108c911
commit 08b1d829ef

View file

@ -12,27 +12,20 @@
#include <errno.h> #include <errno.h>
#include <girara/utils.h> #include <girara/utils.h>
#define DENY_RULE(call) \ #define ADD_RULE(str_action, action, call, ...) \
do { \ do { \
girara_debug("denying " G_STRINGIFY(call)); \ girara_debug("adding rule " str_action " to " G_STRINGIFY(call)); \
const int err = seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(call), 0); \ const int err = \
seccomp_rule_add(ctx, action, SCMP_SYS(call), __VA_ARGS__); \
if (err < 0) { \ if (err < 0) { \
girara_error("failed to deny " G_STRINGIFY(call) ": %s", \ girara_error("failed: %s", g_strerror(-err)); \
g_strerror(-err)); \
goto out; \
} \
} while (0)
#define ALLOW_RULE(call) \
do { \
girara_debug("allowing " G_STRINGIFY(call)); \
const int err = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(call), 0); \
if (err < 0) { \
girara_error("failed to allow " G_STRINGIFY(call) ": %s", \
g_strerror(-err)); \
goto out; \ goto out; \
} \ } \
} while (0) } while (0)
#define DENY_RULE(call) ADD_RULE("kill", SCMP_ACT_KILL, call, 0)
#define ALLOW_RULE(call) ADD_RULE("allow", SCMP_ACT_ALLOW, call, 0)
int int
seccomp_enable_basic_filter(void) seccomp_enable_basic_filter(void)
{ {
@ -227,59 +220,24 @@ seccomp_enable_strict_filter(void)
ALLOW_RULE(wait4); /* trying to open links should not crash the app */ ALLOW_RULE(wait4); /* trying to open links should not crash the app */
/* Special requirements for ioctl, allowed on stdout/stderr */ /* Special requirements for ioctl, allowed on stdout/stderr */
if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(ioctl), 1, ADD_RULE("allow", SCMP_ACT_ALLOW, ioctl, 1, SCMP_CMP(0, SCMP_CMP_EQ, 1));
SCMP_CMP(0, SCMP_CMP_EQ, 1)) < 0) { ADD_RULE("allow", SCMP_ACT_ALLOW, ioctl, 1, SCMP_CMP(0, SCMP_CMP_EQ, 2));
goto out;
}
if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(ioctl), 1,
SCMP_CMP(0, SCMP_CMP_EQ, 2)) < 0) {
goto out;
}
/* needed by gtk??? (does not load content without) */ /* needed by gtk??? (does not load content without) */
/* special restrictions for prctl, only allow PR_SET_NAME/PR_SET_PDEATHSIG */ /* special restrictions for prctl, only allow PR_SET_NAME/PR_SET_PDEATHSIG */
if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(prctl), 1, ADD_RULE("allow", SCMP_ACT_ALLOW, prctl, 1, SCMP_CMP(0, SCMP_CMP_EQ, PR_SET_NAME));
SCMP_CMP(0, SCMP_CMP_EQ, PR_SET_NAME)) < 0) { ADD_RULE("allow", SCMP_ACT_ALLOW, prctl, 1, SCMP_CMP(0, SCMP_CMP_EQ, PR_SET_PDEATHSIG));
goto out;
}
if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(prctl), 1,
SCMP_CMP(0, SCMP_CMP_EQ, PR_SET_PDEATHSIG)) < 0) {
goto out;
}
/* special restrictions for open, prevent opening files for writing */ /* special restrictions for open, prevent opening files for writing */
if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 1, ADD_RULE("allow", SCMP_ACT_ALLOW, open, 1, SCMP_CMP(1, SCMP_CMP_MASKED_EQ, O_WRONLY | O_RDWR, 0));
SCMP_CMP(1, SCMP_CMP_MASKED_EQ, O_WRONLY | O_RDWR, 0)) < 0) { ADD_RULE("errno", SCMP_ACT_ERRNO(EACCES), open, 1, SCMP_CMP(1, SCMP_CMP_MASKED_EQ, O_WRONLY, O_WRONLY));
goto out; ADD_RULE("errno", SCMP_ACT_ERRNO(EACCES), open, 1, SCMP_CMP(1, SCMP_CMP_MASKED_EQ, O_RDWR, O_RDWR));
}
if (seccomp_rule_add(ctx, SCMP_ACT_ERRNO (EACCES), SCMP_SYS(open), 1,
SCMP_CMP(1, SCMP_CMP_MASKED_EQ, O_WRONLY, O_WRONLY)) < 0) {
goto out;
}
if (seccomp_rule_add(ctx, SCMP_ACT_ERRNO (EACCES), SCMP_SYS(open), 1,
SCMP_CMP(1, SCMP_CMP_MASKED_EQ, O_RDWR, O_RDWR)) < 0) {
goto out;
}
/* special restrictions for openat, prevent opening files for writing */ /* special restrictions for openat, prevent opening files for writing */
if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 1, ADD_RULE("allow", SCMP_ACT_ALLOW, openat, 1, SCMP_CMP(2, SCMP_CMP_MASKED_EQ, O_WRONLY | O_RDWR, 0));
SCMP_CMP(2, SCMP_CMP_MASKED_EQ, O_WRONLY | O_RDWR, 0)) < 0) { ADD_RULE("errno", SCMP_ACT_ERRNO(EACCES), openat, 1, SCMP_CMP(2, SCMP_CMP_MASKED_EQ, O_WRONLY, O_WRONLY));
goto out; ADD_RULE("errno", SCMP_ACT_ERRNO(EACCES), openat, 1, SCMP_CMP(2, SCMP_CMP_MASKED_EQ, O_RDWR, O_RDWR));
}
if (seccomp_rule_add(ctx, SCMP_ACT_ERRNO (EACCES), SCMP_SYS(openat), 1,
SCMP_CMP(2, SCMP_CMP_MASKED_EQ, O_WRONLY, O_WRONLY)) < 0) {
goto out;
}
if (seccomp_rule_add(ctx, SCMP_ACT_ERRNO (EACCES), SCMP_SYS(openat), 1,
SCMP_CMP(2, SCMP_CMP_MASKED_EQ, O_RDWR, O_RDWR)) < 0) {
goto out;
}
/* allowed for debugging: */ /* allowed for debugging: */