kore

An easy to use, scalable and secure web application framework for writing web APIs in C.
Commits | Files | Refs | README | LICENSE | git clone https://git.kore.io/kore.git

commit a5f68054843ee58e02dbd48f986af1221172ebfe
parent c1affbbd740a08b5b733057eba76f1d0aa57c783
Author: Joris Vink <joris@coders.se>
Date:   Thu, 26 Sep 2019 07:19:26 +0000

seccomp improvements for developers.

- Add KORE_SECCOMP_FILTER() as a helpful shortcut to create your
  application seccomp filter. You can still roll your own and hook
  into kore_seccomp_hook() yourself to load your filters.

- Add KORE_SYSCALL_ALLOW_LOG(_name)
	Allows a system call but will log it.

Diffstat:
include/kore/seccomp.h | 46+++++++++++++++++++++++++++++++++++-----------
1 file changed, 35 insertions(+), 11 deletions(-)

diff --git a/include/kore/seccomp.h b/include/kore/seccomp.h @@ -23,24 +23,48 @@ #include <linux/filter.h> #include <linux/seccomp.h> -/* - * Allow a system call by comparing the accumulator value (which will contain - * the system call value) with the value of SYS_##name. - */ -#define KORE_SYSCALL_ALLOW(_name) \ +/* Do something with a syscall with a user-supplied action. */ +#define KORE_SYSCALL_FILTER(_name, _action) \ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_##_name, 0, 1), \ - BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) + BPF_STMT(BPF_RET+BPF_K, _action) -/* - * Explicit deny of a system call with an errno code for the caller. - */ +/* Allow a system call completely. */ +#define KORE_SYSCALL_ALLOW(_name) \ + KORE_SYSCALL_FILTER(_name, SECCOMP_RET_ALLOW) + +/* Allow system call, but log it. */ +#define KORE_SYSCALL_ALLOW_LOG(_name) \ + KORE_SYSCALL_FILTER(_name, SECCOMP_RET_LOG) + +/* Explicit deny of a system call with an errno code for the caller. */ #define KORE_SYSCALL_DENY_ERRNO(_name, _errno) \ - BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_##_name, 0, 1), \ - BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO|(_errno)) + KORE_SYSCALL_FILTER(_name, SECCOMP_RET_ERRNO|(_errno)) /* The length of a filter. */ #define KORE_FILTER_LEN(x) (sizeof(x) / sizeof(x[0])) +/* + * Macro for applications to make easily define custom filter. + * + * eg: + * KORE_SECCOMP_FILTER("filter", + * KORE_SYSCALL_DENY_ERRNO(socket, EACCESS), + * KORE_SYSCALL_DENY_ERRNO(ioctl, EACCESS), + * KORE_SYSCALL_ALLOW(poll), + * ); + * + */ +#define KORE_SECCOMP_FILTER(name, ...) \ + struct sock_filter _scfilt[] = { \ + __VA_ARGS__ \ + }; \ + void \ + kore_seccomp_hook(void) \ + { \ + kore_seccomp_filter(name, _scfilt, \ + KORE_FILTER_LEN(_scfilt)); \ + } + void kore_seccomp_init(void); void kore_seccomp_drop(void); void kore_seccomp_enable(void);