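/**
 * Seccomp BPF export program
 *
 * Copyright (c) 2017 valoq
 */

/*
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of version 2.1 of the GNU Lesser General Public License as
 * published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public License
 * for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program; if not, see <http://www.gnu.org/licenses/>.
 */

/*
 * Builds a libseccomp filter context whose default action is ALLOW and which
 * KILLs a fixed list of privileged syscalls (a blacklist), then exports the
 * resulting BPF program to seccomp_default_filter.bpf in the current directory.
 *
 * compile with: gcc exportFilter.c -lseccomp -o exportFilter.bin
 * generate seccomp_default_filter.bpf with: ./exportFilter.bin
 */

#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#include <seccomp.h>

/* Output path of the exported BPF program, relative to the working directory. */
#define FILTER_PATH "seccomp_default_filter.bpf"

/*
 * Add one rule to ctx and jump to the common cleanup label in main() on
 * failure.  rc receives libseccomp's negative errno so the exit status
 * reflects the actual error.  Wrapped in do/while(0) so each macro use is a
 * single statement and the trailing ';' at the call site is well formed.
 */
#define DENY_RULE(call)                                                    \
    do {                                                                   \
        rc = seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(call), 0);      \
        if (rc < 0) {                                                      \
            fprintf(stderr, "seccomp_rule_add(%s): %s\n", #call,           \
                    strerror(-rc));                                        \
            goto out;                                                      \
        }                                                                  \
    } while (0)

/* Counterpart of DENY_RULE for a whitelist built on seccomp_init(SCMP_ACT_KILL). */
#define ALLOW_RULE(call)                                                   \
    do {                                                                   \
        rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(call), 0);     \
        if (rc < 0) {                                                      \
            fprintf(stderr, "seccomp_rule_add(%s): %s\n", #call,           \
                    strerror(-rc));                                        \
            goto out;                                                      \
        }                                                                  \
    } while (0)

/*
 * Entry point.  Takes no options; argc/argv are unused.
 *
 * Returns 0 on success.  On failure returns 1 (filter context could not be
 * created) or the positive errno value reported by libseccomp / open() /
 * close().
 */
int main(int argc, char *argv[])
{
    int rc = -1;                  /* 0 on success, negative errno (or -1) on failure */
    scmp_filter_ctx ctx = NULL;   /* NULL until seccomp_init() succeeds */
    int filter_fd = -1;           /* -1 while no output file is open */

    (void)argc;
    (void)argv;

    /*
     * Blacklist mode: every syscall is allowed unless a DENY_RULE below
     * matches.  For a whitelist, initialise with seccomp_init(SCMP_ACT_KILL)
     * and list the permitted syscalls with ALLOW_RULE instead.
     *
     * SCMP_ACT_KILL terminates only the calling thread.  Where the target
     * libseccomp/kernel support it, SCMP_ACT_KILL_PROCESS terminates the
     * whole process and is the stricter choice for a sandbox default.
     */
    ctx = seccomp_init(SCMP_ACT_ALLOW);
    if (ctx == NULL) {
        fputs("seccomp_init failed\n", stderr);
        goto out;
    }

    /* start of syscall filter list */

    /* common blacklist with privileged syscalls */
    DENY_RULE(_sysctl);
    DENY_RULE(acct);
    DENY_RULE(add_key);
    DENY_RULE(adjtimex);
    /* DENY_RULE(chroot); required by firefox */
    DENY_RULE(clock_adjtime);
    DENY_RULE(create_module);
    DENY_RULE(delete_module);
    DENY_RULE(fanotify_init);
    DENY_RULE(finit_module);
    DENY_RULE(get_kernel_syms);
    /* DENY_RULE(get_mempolicy); required by firefox */
    DENY_RULE(init_module);
    DENY_RULE(io_cancel);
    DENY_RULE(io_destroy);
    DENY_RULE(io_getevents);
    DENY_RULE(io_setup);
    DENY_RULE(io_submit);
    DENY_RULE(ioperm);
    DENY_RULE(iopl);
    DENY_RULE(ioprio_set);
    DENY_RULE(kcmp);
    DENY_RULE(kexec_file_load);
    DENY_RULE(kexec_load);
    DENY_RULE(keyctl);
    DENY_RULE(lookup_dcookie);
    DENY_RULE(mbind);
    DENY_RULE(nfsservctl);
    DENY_RULE(migrate_pages);
    DENY_RULE(modify_ldt);
    DENY_RULE(mount);
    DENY_RULE(move_pages);
    DENY_RULE(name_to_handle_at);
    DENY_RULE(open_by_handle_at);
    DENY_RULE(perf_event_open);
    DENY_RULE(pivot_root);
    DENY_RULE(process_vm_readv);
    DENY_RULE(process_vm_writev);
    DENY_RULE(ptrace);
    DENY_RULE(reboot);
    DENY_RULE(remap_file_pages);
    DENY_RULE(request_key);
    /* DENY_RULE(set_mempolicy); required by firefox */
    DENY_RULE(swapoff);
    DENY_RULE(swapon);
    DENY_RULE(sysfs);
    DENY_RULE(syslog);
    DENY_RULE(tuxcall);
    DENY_RULE(umount2);
    DENY_RULE(uselib);
    DENY_RULE(vmsplice);
    /* DENY_RULE(quotactl); todo: implement as errno */
    DENY_RULE(unshare);
    DENY_RULE(umount);
    DENY_RULE(open_tree);
    DENY_RULE(move_mount);
    DENY_RULE(fsopen);
    DENY_RULE(fsconfig);
    DENY_RULE(fsmount);
    DENY_RULE(fspick);
    DENY_RULE(mount_setattr);

    /*
     * No argument filter on connect() to block abstract-namespace sockets:
     * the socket address is passed by pointer and seccomp cannot dereference
     * user memory, so a rule comparing the address contents is incomplete
     * and exposed to TOCTOU races.  Address-based restrictions belong in a
     * different layer (e.g. network namespaces).
     */

    /* end of syscall filter list */

    /*
     * O_TRUNC matters: without it a previously exported, longer file would
     * keep stale trailing bytes after the freshly written program, and a
     * loader reading the whole file would get a corrupted filter.
     */
    filter_fd = open(FILTER_PATH, O_CREAT | O_WRONLY | O_TRUNC, 0644);
    if (filter_fd == -1) {
        rc = -errno;
        perror("open " FILTER_PATH);
        goto out;
    }

    rc = seccomp_export_bpf(ctx, filter_fd);
    if (rc < 0) {
        fprintf(stderr, "seccomp_export_bpf: %s\n", strerror(-rc));
        goto out;
    }

    /* close() may report a deferred write error; treat it as a failure. */
    if (close(filter_fd) == -1) {
        rc = -errno;
        perror("close " FILTER_PATH);
    }
    filter_fd = -1;

out:
    if (filter_fd != -1) {
        close(filter_fd);
    }
    seccomp_release(ctx);   /* accepts NULL when seccomp_init() failed */
    return -rc;
}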