Skip to content

Commit

Permalink
Add seccomp allows to get through SoftHSM test suite.
Browse files Browse the repository at this point in the history
  • Loading branch information
@fredrikt
fredrikt committed Jan 29, 2013
1 parent 562b10f commit f832b71
Show file tree
Hide file tree
Showing 2 changed files with 34 additions and 3 deletions.
21 changes: 18 additions & 3 deletions gck-rpc-daemon-standalone.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -114,17 +114,32 @@ static int install_syscall_filter(const int sock, const char *tls_psk_keyfile, c
if (path[0] &&
strncmp(path, "tcp://", strlen("tcp://")) != 0 &&
strncmp(path, "tls://", strlen("tls://")) != 0)
/* XXX only permit unlink(path) */
seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(unlink), 0);

/*
* Syscalls to allow spawned threads to initialize a new (stricter) seccomp policy.
* Allow spawned threads to initialize a new seccomp policy (subset of this).
*/
seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(prctl), 0);

/*
* SoftHSM required syscalls
*/
seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(getcwd), 0);
seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(stat), 0);
seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(open), 0);
seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(fcntl), 0);
seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(fstat), 0);
seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(lseek), 0);
seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(access), 0);
seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(fsync), 0);
seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(unlink), 0);
seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(ftruncate), 0);
seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(select), 0);
seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(futex), 0);

#ifdef DEBUG_SECCOMP
/* Dumps the generated BPF rules in sort-of human readable syntax. */
seccomp_export_pfc(2);
seccomp_export_pfc(STDERR_FILENO);

/* Print the name of syscalls stopped by seccomp. Should not be used in production. */
if (install_syscall_reporter())
Expand Down
16 changes: 16 additions & 0 deletions gck-rpc-dispatch.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2695,6 +2695,22 @@ static int _install_dispatch_syscall_filter(int use_tls)
seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(mprotect), 1,
SCMP_A2(SCMP_CMP_EQ, PROT_READ|PROT_WRITE));

/*
* SoftHSM
*/
seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(getcwd), 0);
seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(stat), 0);
seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(open), 0);
seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(fcntl), 0);
seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(fstat), 0);
seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(lseek), 0);
seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(access), 0);
seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(fsync), 0);
seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(unlink), 0);
seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(ftruncate), 0);
seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(select), 0);
seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(futex), 0);

rc = seccomp_load();
if (rc < 0)
goto failure_scmp;
Expand Down

0 comments on commit f832b71

Please sign in to comment.