commit 68e90507f45ddb1ef7197f05e73c86c89c6b358d
parent e7352a363414f5c6a8db90884df2630d3ede17c1
Author: Joris Vink <joris@coders.se>
Date: Wed, 25 Sep 2019 12:40:44 +0000
properly seccomp keymgr
Diffstat:
3 files changed, 28 insertions(+), 12 deletions(-)
diff --git a/src/keymgr.c b/src/keymgr.c
@@ -61,15 +61,28 @@ static struct sock_filter filter_keymgr[] = {
KORE_SYSCALL_ALLOW(open),
KORE_SYSCALL_ALLOW(read),
KORE_SYSCALL_ALLOW(close),
+ KORE_SYSCALL_ALLOW(fstat),
+ KORE_SYSCALL_ALLOW(futex),
+ KORE_SYSCALL_ALLOW(openat),
- /* Allow it to read/write messages. */
- KORE_SYSCALL_ALLOW(write),
+ /* Net related. */
KORE_SYSCALL_ALLOW(read),
+ KORE_SYSCALL_ALLOW(write),
+ KORE_SYSCALL_ALLOW(epoll_wait),
/* Process things. */
KORE_SYSCALL_ALLOW(exit),
+ KORE_SYSCALL_ALLOW(kill),
+ KORE_SYSCALL_ALLOW(getpid),
+ KORE_SYSCALL_ALLOW(arch_prctl),
+ KORE_SYSCALL_ALLOW(exit_group),
KORE_SYSCALL_ALLOW(sigaltstack),
+ KORE_SYSCALL_ALLOW(rt_sigreturn),
KORE_SYSCALL_ALLOW(rt_sigaction),
+
+ /* Other things. */
+ KORE_SYSCALL_ALLOW(munmap),
+ KORE_SYSCALL_ALLOW(getrandom),
};
#endif
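Review bot: The added `KORE_SYSCALL_ALLOW(kill)` and `KORE_SYSCALL_ALLOW(openat)` entries, like the existing `open`, appear to allow the syscall by number with no argument constraints, which is broad for the process that holds the private keys. A compromised keymgr could still signal any process it has permission for and open any path reachable after the privilege drop. Each new entry would benefit from a short comment naming the code path that needs it, e.g. `/* kill: <reason this is required> */`, so the allowlist can be audited and trimmed later. `read` is listed twice (once in the file group, once under "Net related"), so one entry can go. `arch_prctl` is x86-specific, so if the macro expands to the syscall-number constant this line may need an `#if defined(SYS_arch_prctl)` guard; note that the filter_keymgr array begins above the hunk.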
diff --git a/src/seccomp.c b/src/seccomp.c
@@ -154,6 +154,7 @@ kore_seccomp_enable(void)
struct sock_fprog prog;
struct kore_runtime_call *rcall;
struct filter *filter;
+ int skip_worker_filter;
size_t prog_len, pos, jmp_off, i;
#if defined(KORE_DEBUG)
@@ -174,9 +175,18 @@ kore_seccomp_enable(void)
kore_free(rcall);
}
- /* Add worker required syscalls. */
- kore_seccomp_filter("worker", filter_kore,
- KORE_FILTER_LEN(filter_kore));
+ skip_worker_filter = 0;
+
+#if !defined(KORE_NO_TLS)
+ if (worker->id == KORE_WORKER_KEYMGR)
+ skip_worker_filter = 1;
+#endif
+
+ if (skip_worker_filter == 0) {
+ /* Add worker required syscalls. */
+ kore_seccomp_filter("worker", filter_kore,
+ KORE_FILTER_LEN(filter_kore));
+ }
/*
* Construct the entire BPF program by adding all relevant parts
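Review bot: The `worker->id == KORE_WORKER_KEYMGR` branch carries no comment explaining why the worker allowlist is skipped. The tighter sandbox also only holds if the keymgr has already registered filter_keymgr by the time kore_seccomp_enable() runs, which is not visible in this hunk. I would add `/* keymgr registers its own, narrower filter_keymgr; do not merge filter_kore into it. */` above the check, and consider failing hard if no keymgr filter was registered. As a style point, `skip_worker_filter` could be initialised where it is declared, which removes the separate `skip_worker_filter = 0;` statement. kore_seccomp_enable() starts and ends outside the hunk.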
diff --git a/src/worker.c b/src/worker.c
@@ -310,14 +310,7 @@ kore_worker_privdrop(const char *runas, const char *root)
fatalx("cannot drop privileges");
}
-#if defined(__linux__) && !defined(KORE_NO_TLS)
- /* keymgr gets its own privileges. */
- if (worker->id == KORE_WORKER_KEYMGR)
- return;
-#endif
-
kore_platform_sandbox();
-
}
void