
/**
* Seccomp BPF export program
*
* Copyright (c) 2017 valoq <valoq@mailbox.org>
*/
/*
* This program is free software; you can redistribute it and/or modify it
* under the terms of version 2.1 of the GNU Lesser General Public License as
* published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
* for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program; if not, see <http://www.gnu.org/licenses>.
*/
/*
* compile with: gcc exportFilter.c -lseccomp -o exportFilter.bin
* generate seccomp_default_filter.bpf with: ./exportFilter.bin
*/
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#include <seccomp.h>
#define DENY_RULE(call) { if (seccomp_rule_add (ctx, SCMP_ACT_KILL, SCMP_SYS(call), 0) < 0) goto out; }
#define ALLOW_RULE(call) { if (seccomp_rule_add (ctx, SCMP_ACT_ALLOW, SCMP_SYS(call), 0) < 0) goto out; }
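int main(int argc, char *argv[])
{
    /*
     * Build the default syscall filter and export it as a BPF program to
     * "seccomp_default_filter.bpf" in the current working directory.
     *
     * Takes no command-line arguments (argc/argv are unused).
     * Returns 0 on success; otherwise the negated libseccomp/errno error code
     * as a positive, non-zero exit status (the shell truncates it to 8 bits).
     */
    (void)argc;
    (void)argv;

    int rc = -1;
    scmp_filter_ctx ctx = NULL;
    int filter_fd = -1;

    /*
     * Blacklist mode: every syscall is allowed unless a DENY_RULE below matches.
     * A whitelist would instead start from seccomp_init(SCMP_ACT_KILL) and
     * add ALLOW_RULE entries.
     *
     * NOTE: SCMP_ACT_KILL terminates only the calling thread; libseccomp >= 2.4
     * also offers SCMP_ACT_KILL_PROCESS, which ends the whole process. The
     * action is deliberately left unchanged so the exported filter is the same.
     */
    ctx = seccomp_init(SCMP_ACT_ALLOW);
    if (ctx == NULL) {
        fprintf(stderr, "exportFilter: seccomp_init failed\n");
        goto out;
    }

    /* start of syscall filter list */
    /* common blacklist with privileged syscalls */
    DENY_RULE (_sysctl);
    DENY_RULE (acct);
    DENY_RULE (add_key);
    DENY_RULE (adjtimex);
    /* DENY_RULE (chroot); required by firefox */
    DENY_RULE (clock_adjtime);
    DENY_RULE (create_module);
    DENY_RULE (delete_module);
    DENY_RULE (fanotify_init);
    DENY_RULE (finit_module);
    DENY_RULE (get_kernel_syms);
    /* DENY_RULE (get_mempolicy); required by firefox */
    DENY_RULE (init_module);
    DENY_RULE (io_cancel);
    DENY_RULE (io_destroy);
    DENY_RULE (io_getevents);
    DENY_RULE (io_setup);
    DENY_RULE (io_submit);
    DENY_RULE (ioperm);
    DENY_RULE (iopl);
    DENY_RULE (ioprio_set);
    DENY_RULE (kcmp);
    DENY_RULE (kexec_file_load);
    DENY_RULE (kexec_load);
    DENY_RULE (keyctl);
    DENY_RULE (lookup_dcookie);
    DENY_RULE (mbind);
    DENY_RULE (nfsservctl);
    DENY_RULE (migrate_pages);
    DENY_RULE (modify_ldt);
    DENY_RULE (mount);
    DENY_RULE (move_pages);
    DENY_RULE (name_to_handle_at);
    DENY_RULE (open_by_handle_at);
    DENY_RULE (perf_event_open);
    DENY_RULE (pivot_root);
    DENY_RULE (process_vm_readv);
    DENY_RULE (process_vm_writev);
    DENY_RULE (ptrace);
    DENY_RULE (reboot);
    DENY_RULE (remap_file_pages);
    DENY_RULE (request_key);
    /* DENY_RULE (set_mempolicy); required by firefox */
    DENY_RULE (swapoff);
    DENY_RULE (swapon);
    DENY_RULE (sysfs);
    DENY_RULE (syslog);
    DENY_RULE (tuxcall);
    DENY_RULE (umount2);
    DENY_RULE (uselib);
    DENY_RULE (vmsplice);
    /* DENY_RULE (quotactl); todo: implement as errno */
    DENY_RULE (unshare);
    DENY_RULE (umount);
    DENY_RULE (open_tree);
    DENY_RULE (move_mount);
    DENY_RULE (fsopen);
    DENY_RULE (fsconfig);
    DENY_RULE (fsmount);
    DENY_RULE (fspick);
    DENY_RULE (mount_setattr);

    /*
     * Filtering connect() arguments to block abstract-namespace sockets is
     * left disabled: seccomp-BPF only sees the raw argument values, never the
     * memory a pointer argument refers to, so the sockaddr contents cannot be
     * inspected here. Such a rule does not work and is also TOCTOU-prone.
     *
     * if (seccomp_rule_add (ctx, SCMP_ACT_KILL, SCMP_SYS(connect), 1,
     *                       SCMP_CMP(1, SCMP_CMP_EQ, '\0')) < 0)
     *     goto out;
     */
    /* end of syscall filter list */

    /*
     * O_TRUNC is required: without it an existing, longer filter file keeps
     * stale trailing bytes after the freshly written program, producing a
     * corrupt BPF filter on re-export.
     */
    filter_fd = open("seccomp_default_filter.bpf",
                     O_CREAT | O_WRONLY | O_TRUNC, 0644);
    if (filter_fd == -1) {
        rc = -errno;
        perror("exportFilter: open seccomp_default_filter.bpf");
        goto out;
    }

    rc = seccomp_export_bpf(ctx, filter_fd);
    if (rc < 0) {
        /* libseccomp reports failures as negative errno values */
        fprintf(stderr, "exportFilter: seccomp_export_bpf failed: %s\n",
                strerror(-rc));
        goto out;
    }

    /* close() may surface a deferred write error; only a clean close means
     * the filter file is complete. */
    if (close(filter_fd) == -1) {
        rc = -errno;
        filter_fd = -1;
        perror("exportFilter: close");
        goto out;
    }
    filter_fd = -1;

out:
    if (filter_fd != -1) {
        close(filter_fd);
    }
    seccomp_release(ctx);
    if (rc < 0) {
        /* rule-add failures reach here via DENY_RULE's goto with rc == -1 */
        fprintf(stderr, "exportFilter: filter not written, exit status %d\n", -rc);
    }
    return -rc;
}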