add seccomp filter for abstract sockets

This commit is contained in:
valoq 2022-11-25 17:46:58 +01:00
parent 8f60d4d155
commit c6f18a5e94
No known key found for this signature in database
GPG Key ID: 19F09A0FB865CBD8
2 changed files with 7 additions and 2 deletions


@ -27,6 +27,7 @@
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>
#include <sys/socket.h>
#define DENY_RULE(call) { if (seccomp_rule_add (ctx, SCMP_ACT_KILL, SCMP_SYS(call), 0) < 0) goto out; }
#define ALLOW_RULE(call) { if (seccomp_rule_add (ctx, SCMP_ACT_ALLOW, SCMP_SYS(call), 0) < 0) goto out; }
@ -54,7 +55,7 @@ int main(int argc, char *argv[])
/* start of syscall filter list */
/* common blacklist with dangerous and rarely used syscalls */
/* common blacklist with privileged syscalls */
DENY_RULE (_sysctl);
DENY_RULE (acct);
@ -108,10 +109,14 @@ int main(int argc, char *argv[])
DENY_RULE (uselib);
DENY_RULE (vmsplice);
/* filter connect arguments to block communication to abstracte sockets */
if (seccomp_rule_add (ctx, SCMP_ACT_KILL, SCMP_SYS(connect), 1,
SCMP_CMP(1, SCMP_CMP_EQ, '\0')) < 0)
goto out;
/* end of syscall filter list */
filter_fd = open("seccomp_filter.bpf", O_CREAT | O_WRONLY, 0644);
if (filter_fd == -1) {
rc = -errno;
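Review bot: The new connect() rule at `SCMP_CMP(1, SCMP_CMP_EQ, '\0')` compares the raw value of the second syscall argument — the `struct sockaddr *` pointer — with 0, so it only kills a connect() with a NULL address; it never looks at `sun_path[0]`, which is what marks an abstract-namespace socket. Seccomp BPF filters see register values only and cannot dereference user memory, so the distinction between abstract and filesystem AF_UNIX sockets is not observable from this rule, and the filter does not provide the protection the commit title claims. The rule should either be dropped, or the comment should state the limitation, e.g. `/* NOTE: seccomp cannot inspect the sockaddr pointed to by connect() arg 1; this rule only rejects a NULL address and does not block abstract sockets */`, and the blocking itself has to come from a mechanism that sees the address contents (the comment also misspells "abstract" as "abstracte"). main() continues outside the hunk, so the `out:` label this rule jumps to is not visible here.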

seccomp_filter.bpf Normal file
