kore

Kore is a web application platform for writing scalable, concurrent web based processes in C or Python.
Commits | Files | Refs | README | LICENSE | git clone https://git.kore.io/kore.git
commit a5f68054843ee58e02dbd48f986af1221172ebfe
parent c1affbbd740a08b5b733057eba76f1d0aa57c783
Author: Joris Vink <joris@coders.se>
Date:   Thu, 26 Sep 2019 07:19:26 +0000

seccomp improvements for developers.

- Add KORE_SECCOMP_FILTER() as a helpful shortcut to create your
  application seccomp filter. You can still roll your own and hook
  into kore_seccomp_hook() yourself to load your filters.

- Add KORE_SYSCALL_ALLOW_LOG(_name)
	Allows a system call but will log it.

Diffstat:

include/kore/seccomp.h | 46+++++++++++++++++++++++++++++++++++-----------


1 file changed, 35 insertions(+), 11 deletions(-)

diff --git a/include/kore/seccomp.h b/include/kore/seccomp.h
@@ -23,24 +23,48 @@
 #include <linux/filter.h>
 #include <linux/seccomp.h>
 
-/*
- * Allow a system call by comparing the accumulator value (which will contain
- * the system call value) with the value of SYS_##name.
- */
-#define KORE_SYSCALL_ALLOW(_name)				\
+/* Do something with a syscall with a user-supplied action. */
+#define KORE_SYSCALL_FILTER(_name, _action)			\
     BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_##_name, 0, 1),		\
-    BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
+    BPF_STMT(BPF_RET+BPF_K, _action)
 
-/*
- * Explicit deny of a system call with an errno code for the caller.
- */
+/* Allow a system call completely. */
+#define KORE_SYSCALL_ALLOW(_name)				\
+    KORE_SYSCALL_FILTER(_name, SECCOMP_RET_ALLOW)
+
+/* Allow system call, but log it. */
+#define KORE_SYSCALL_ALLOW_LOG(_name)				\
+    KORE_SYSCALL_FILTER(_name, SECCOMP_RET_LOG)
+
+/* Explicit deny of a system call with an errno code for the caller. */
 #define KORE_SYSCALL_DENY_ERRNO(_name, _errno)			\
-    BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_##_name, 0, 1),		\
-    BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO|(_errno))
+    KORE_SYSCALL_FILTER(_name, SECCOMP_RET_ERRNO|(_errno))
 
 /* The length of a filter. */
 #define KORE_FILTER_LEN(x)		(sizeof(x) / sizeof(x[0]))
 
+/*
+ * Macro for applications to make easily define custom filter.
+ *
+ * eg:
+ * KORE_SECCOMP_FILTER("filter",
+ *	KORE_SYSCALL_DENY_ERRNO(socket, EACCESS),
+ *	KORE_SYSCALL_DENY_ERRNO(ioctl, EACCESS),
+ *	KORE_SYSCALL_ALLOW(poll),
+ * );
+ *
+ */
+#define KORE_SECCOMP_FILTER(name, ...)				\
+	struct sock_filter _scfilt[] = {			\
+		__VA_ARGS__					\
+	};							\
+	void							\
+	kore_seccomp_hook(void)					\
+	{							\
+		kore_seccomp_filter(name, _scfilt,		\
+		    KORE_FILTER_LEN(_scfilt));			\
+	}
+
 void	kore_seccomp_init(void);
 void	kore_seccomp_drop(void);
 void	kore_seccomp_enable(void);