kore

An easy to use, scalable and secure web application framework for writing web APIs in C.

commit 68e90507f45ddb1ef7197f05e73c86c89c6b358d
parent e7352a363414f5c6a8db90884df2630d3ede17c1
Author: Joris Vink <joris@coders.se>
Date:   Wed, 25 Sep 2019 12:40:44 +0000

properly seccomp keymgr

Diffstat:
src/keymgr.c | 17+++++++++++++++--
src/seccomp.c | 16+++++++++++++---
src/worker.c | 7-------
3 files changed, 28 insertions(+), 12 deletions(-)

diff --git a/src/keymgr.c b/src/keymgr.c
@@ -61,15 +61,28 @@ static struct sock_filter filter_keymgr[] = {
 KORE_SYSCALL_ALLOW(open),
 KORE_SYSCALL_ALLOW(read),
 KORE_SYSCALL_ALLOW(close),
+ KORE_SYSCALL_ALLOW(fstat),
+ KORE_SYSCALL_ALLOW(futex),
+ KORE_SYSCALL_ALLOW(openat),
- /* Allow it to read/write messages. */
- KORE_SYSCALL_ALLOW(write),
+ /* Net related. */
 KORE_SYSCALL_ALLOW(read),
+ KORE_SYSCALL_ALLOW(write),
+ KORE_SYSCALL_ALLOW(epoll_wait),
 /* Process things. */
 KORE_SYSCALL_ALLOW(exit),
+ KORE_SYSCALL_ALLOW(kill),
+ KORE_SYSCALL_ALLOW(getpid),
+ KORE_SYSCALL_ALLOW(arch_prctl),
+ KORE_SYSCALL_ALLOW(exit_group),
 KORE_SYSCALL_ALLOW(sigaltstack),
+ KORE_SYSCALL_ALLOW(rt_sigreturn),
 KORE_SYSCALL_ALLOW(rt_sigaction),
+
+ /* Other things. */
+ KORE_SYSCALL_ALLOW(munmap),
+ KORE_SYSCALL_ALLOW(getrandom),
 };
 #endif
diff --git a/src/seccomp.c b/src/seccomp.c
@@ -154,6 +154,7 @@ kore_seccomp_enable(void)
 struct sock_fprog prog;
 struct kore_runtime_call *rcall;
 struct filter *filter;
+ int skip_worker_filter;
 size_t prog_len, pos, jmp_off, i;
 #if defined(KORE_DEBUG)
@@ -174,9 +175,18 @@ kore_seccomp_enable(void)
 kore_free(rcall);
 }
- /* Add worker required syscalls. */
- kore_seccomp_filter("worker", filter_kore,
- KORE_FILTER_LEN(filter_kore));
+ skip_worker_filter = 0;
+
+#if !defined(KORE_NO_TLS)
+ if (worker->id == KORE_WORKER_KEYMGR)
+ skip_worker_filter = 1;
+#endif
+
+ if (skip_worker_filter == 0) {
+ /* Add worker required syscalls. */
+ kore_seccomp_filter("worker", filter_kore,
+ KORE_FILTER_LEN(filter_kore));
+ }
 /*
 * Construct the entire BPF program by adding all relevant parts
diff --git a/src/worker.c b/src/worker.c
@@ -310,14 +310,7 @@ kore_worker_privdrop(const char *runas, const char *root)
 fatalx("cannot drop privileges");
 }
-#if defined(__linux__) && !defined(KORE_NO_TLS)
- /* keymgr gets its own privileges. */
- if (worker->id == KORE_WORKER_KEYMGR)
- return;
-#endif
-
 kore_platform_sandbox();
-
 }
 void
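Review bot: The keymgr allowlist now admits `kill` and `openat` with no argument constraints, which is broader than a process holding private keys needs; if the filter macros support argument matching (only `KORE_SYSCALL_ALLOW` is visible here), restricting `kill` to the signal the keymgr actually sends and `openat` to read-only opens would keep the privilege reduction meaningful, and if they do not, a comment stating that the unrestricted entries are deliberate would help the next reader. `arch_prctl` is x86-specific, so this table presumably only builds for x86-64 Linux; a one-line comment above the array such as `/* Syscall allowlist for the keymgr process; x86-64 Linux only (arch_prctl). */` would make that explicit. The `/* Net related. */` heading now also covers `read`, which the keymgr needs for reading key files, so `/* File and message I/O. */` may describe the group more accurately. The `filter_keymgr` array starts before the hunk.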
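Review bot: The second seccomp.c hunk silently relies on the keymgr having registered its own filter before `kore_seccomp_enable` runs; when `skip_worker_filter` is set nothing in this function adds a base set, so a keymgr whose own registration has not happened would end up with a program containing only the default action, whatever that is here. A comment next to the `#if !defined(KORE_NO_TLS)` block, e.g. `/* The keymgr registers its own, tighter filter (filter_keymgr); do not merge the generic worker set into it. */`, would document the dependency, and a `fatalx` when no filter at all was registered would turn that ordering assumption into a checked one if the filter list is inspectable at this point. `kore_seccomp_enable` starts and ends outside the hunk, and the new `int skip_worker_filter` declaration in the first seccomp.c hunk only serves this logic.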