commit af99a4d9e2a1514b8144ce46ce776ec54e6ee03a
parent 28ea1b3c7e604729b740fe95c206dd897940c09d
Author: Frederic Cambus <fred@statdns.com>
Date: Thu, 17 Sep 2020 12:17:57 +0200
Conditionally allow syscalls required to run on arm.
Those syscalls do not exist on other Kore supported platforms, so we
must check that they exist before allowing them.
Diffstat:
3 files changed, 45 insertions(+), 0 deletions(-)
diff --git a/src/acme.c b/src/acme.c
@@ -87,6 +87,9 @@ static struct sock_filter filter_acme[] = {
#if defined(SYS_mmap)
KORE_SYSCALL_ALLOW(mmap),
#endif
+#if defined(SYS_mmap2)
+ KORE_SYSCALL_ALLOW(mmap2),
+#endif
KORE_SYSCALL_ALLOW(ioctl),
KORE_SYSCALL_ALLOW(uname),
KORE_SYSCALL_ALLOW(munmap),
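Review bot: `mmap2` is allowed here with no restriction on its protection argument, whereas the `filter_kore` hunk in src/seccomp.c places `KORE_SYSCALL_DENY_WITH_FLAG(mmap2, 2, PROT_EXEC | PROT_WRITE, EINVAL),` ahead of the allow. The same applies to the `mmap2` entry added to `filter_keymgr` in src/keymgr.c, and both mirror the existing unrestricted `mmap` entries. Both arrays continue outside the hunks, so a deny rule may exist elsewhere, and whether these filters are stacked on `filter_kore` is not visible here. If they stand alone, putting the same deny line before `KORE_SYSCALL_ALLOW(mmap2),` inside the `SYS_mmap2` guard would keep the writable-and-executable restriction in force for the ACME and key manager processes on arm too.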
diff --git a/src/keymgr.c b/src/keymgr.c
@@ -85,6 +85,9 @@ static struct sock_filter filter_keymgr[] = {
KORE_SYSCALL_ALLOW(stat),
#endif
KORE_SYSCALL_ALLOW(fstat),
+#if defined(SYS_fstat64)
+ KORE_SYSCALL_ALLOW(fstat64),
+#endif
KORE_SYSCALL_ALLOW(futex),
KORE_SYSCALL_ALLOW(writev),
KORE_SYSCALL_ALLOW(openat),
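Review bot: Only `fstat64` is added here, although `stat` is allowed directly above it and src/seccomp.c gains both `stat64` and `fstat64` in this commit. Similarly, `lstat` in `filter_kore` gets no `lstat64` counterpart. If the key manager calls `stat()` (or a worker calls `lstat()`) on 32-bit arm, libc may issue the 64-suffixed syscall, which would then fall through to the filter's default action, not shown in these hunks. It is worth confirming whether those paths are reached on arm before deciding to leave the entries out. A short comment above the new guards, such as `/* 32-bit arm: libc issues the *64 variants of the calls above. */`, would also explain why the list differs per architecture.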
@@ -97,7 +100,13 @@ static struct sock_filter filter_keymgr[] = {
#if defined(SYS_poll)
KORE_SYSCALL_ALLOW(poll),
#endif
+#if defined(SYS_send)
+ KORE_SYSCALL_ALLOW(send),
+#endif
KORE_SYSCALL_ALLOW(sendto),
+#if defined(SYS_recv)
+ KORE_SYSCALL_ALLOW(recv),
+#endif
KORE_SYSCALL_ALLOW(recvfrom),
#if defined(SYS_epoll_wait)
KORE_SYSCALL_ALLOW(epoll_wait),
@@ -114,6 +123,9 @@ static struct sock_filter filter_keymgr[] = {
#endif
KORE_SYSCALL_ALLOW(exit_group),
KORE_SYSCALL_ALLOW(sigaltstack),
+#if defined(SYS_sigreturn)
+ KORE_SYSCALL_ALLOW(sigreturn),
+#endif
KORE_SYSCALL_ALLOW(rt_sigreturn),
KORE_SYSCALL_ALLOW(rt_sigaction),
KORE_SYSCALL_ALLOW(rt_sigprocmask),
@@ -123,6 +135,9 @@ static struct sock_filter filter_keymgr[] = {
#if defined(SYS_mmap)
KORE_SYSCALL_ALLOW(mmap),
#endif
+#if defined(SYS_mmap2)
+ KORE_SYSCALL_ALLOW(mmap2),
+#endif
KORE_SYSCALL_ALLOW(munmap),
KORE_SYSCALL_ALLOW(clock_gettime),
#if defined(__NR_getrandom)
diff --git a/src/seccomp.c b/src/seccomp.c
@@ -58,13 +58,25 @@ static struct sock_filter filter_kore[] = {
#if defined(SYS_stat)
KORE_SYSCALL_ALLOW(stat),
#endif
+#if defined(SYS_stat64)
+ KORE_SYSCALL_ALLOW(stat64),
+#endif
#if defined(SYS_lstat)
KORE_SYSCALL_ALLOW(lstat),
#endif
KORE_SYSCALL_ALLOW(fstat),
+#if defined(SYS_fstat64)
+ KORE_SYSCALL_ALLOW(fstat64),
+#endif
KORE_SYSCALL_ALLOW(write),
KORE_SYSCALL_ALLOW(fcntl),
+#if defined(SYS_fcntl64)
+ KORE_SYSCALL_ALLOW(fcntl64),
+#endif
KORE_SYSCALL_ALLOW(lseek),
+#if defined(SYS__llseek)
+ KORE_SYSCALL_ALLOW(_llseek),
+#endif
KORE_SYSCALL_ALLOW(close),
KORE_SYSCALL_ALLOW(openat),
#if defined(SYS_access)
@@ -88,6 +100,9 @@ static struct sock_filter filter_kore[] = {
KORE_SYSCALL_ALLOW(exit_group),
KORE_SYSCALL_ALLOW(nanosleep),
KORE_SYSCALL_ALLOW(clock_nanosleep),
+#if defined(SYS_sigreturn)
+ KORE_SYSCALL_ALLOW(sigreturn),
+#endif
/* Memory related. */
KORE_SYSCALL_ALLOW(brk),
@@ -97,11 +112,17 @@ static struct sock_filter filter_kore[] = {
#if defined(SYS_mmap)
KORE_SYSCALL_DENY_WITH_FLAG(mmap, 2, PROT_EXEC | PROT_WRITE, EINVAL),
#endif
+#if defined(SYS_mmap2)
+ KORE_SYSCALL_DENY_WITH_FLAG(mmap2, 2, PROT_EXEC | PROT_WRITE, EINVAL),
+#endif
KORE_SYSCALL_DENY_WITH_FLAG(mprotect, 2, PROT_EXEC, EINVAL),
#if defined(SYS_mmap)
KORE_SYSCALL_ALLOW(mmap),
#endif
+#if defined(SYS_mmap2)
+ KORE_SYSCALL_ALLOW(mmap2),
+#endif
KORE_SYSCALL_ALLOW(madvise),
KORE_SYSCALL_ALLOW(mprotect),
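Review bot: Nothing at the two `mmap2` entries says that their order is load-bearing. The `KORE_SYSCALL_DENY_WITH_FLAG(mmap2, 2, PROT_EXEC | PROT_WRITE, EINVAL)` line has to stay ahead of `KORE_SYSCALL_ALLOW(mmap2)`; assuming the array is evaluated top to bottom and the first matching rule returns, swapping them would let every `mmap2` call through regardless of protection flags. A comment above the deny rules, e.g. `/* Deny rules must precede the matching ALLOW entries below. */`, would protect this when further per-architecture variants are added. The `filter_kore` array starts and ends outside this hunk.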
@@ -110,9 +131,15 @@ static struct sock_filter filter_kore[] = {
KORE_SYSCALL_ALLOW(poll),
#endif
KORE_SYSCALL_ALLOW(ppoll),
+#if defined(SYS_send)
+ KORE_SYSCALL_ALLOW(send),
+#endif
KORE_SYSCALL_ALLOW(sendto),
KORE_SYSCALL_ALLOW(accept),
KORE_SYSCALL_ALLOW(sendfile),
+#if defined(SYS_recv)
+ KORE_SYSCALL_ALLOW(recv),
+#endif
KORE_SYSCALL_ALLOW(recvfrom),
KORE_SYSCALL_ALLOW(epoll_ctl),
KORE_SYSCALL_ALLOW(setsockopt),