
Added seccomp support for non-privileged thread

... ... @@ -39,6 +39,9 @@ clsync_CFLAGS += -DBACKTRACE_SUPPORT
endif
if HAVE_CAPABILITIES
clsync_CFLAGS += -DCAPABILITIES_SUPPORT
if HAVE_SECCOMP
clsync_CFLAGS += -DSECCOMP_SUPPORT
endif
endif
if HAVE_GETMNTENT
clsync_CFLAGS += -DGETMNTENT_SUPPORT
... ...
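Review bot: The new `if HAVE_SECCOMP` block adds only `-DSECCOMP_SUPPORT` to `clsync_CFLAGS`; nothing in this hunk adds `-lseccomp` to the link line, so if the implementation calls libseccomp functions (as the configure check for `seccomp_syscall_resolve_name_arch` suggests) a matching `clsync_LDADD += -lseccomp` inside the same conditional is needed, unless it is added in a part of the commit not shown here. Nesting the block inside `if HAVE_CAPABILITIES` mirrors the guard in configure.ac, which is consistent.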
... ... @@ -112,6 +112,9 @@
# endif
#endif
#ifndef offsetof
# define offsetof(a, b) __builtin_offsetof(a, b)
#endif
#define TOSTR(a) # a
#define XTOSTR(a) TOSTR(a)
... ...
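Review bot: The added `offsetof` fallback expands to `__builtin_offsetof`, which is a GCC/Clang extension, so the `#ifndef` guard only helps on compilers that also provide that builtin. `offsetof` is a standard macro from `<stddef.h>`; an `#include <stddef.h>` at the top of this header is the portable way to get it and makes the guard unnecessary. If the guard is kept, a comment such as `/* fallback for toolchains whose <stddef.h> lacks offsetof; relies on the GCC/Clang builtin */` would record why it exists.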
... ... @@ -322,6 +322,13 @@ esac
AS_IF([test "$HAVE_INOTIFY" != ""], [AC_CHECK_FUNC([inotify_init1], [], [INOTIFY_OLD=1])])
dnl searching for seccomp
AS_IF([test "$HAVE_CAPABILITIES" != ""], [
AC_CHECK_TYPES([scmp_filter_ctx], [
AC_CHECK_DECLS([seccomp_syscall_resolve_name_arch], [HAVE_SECCOMP=1], [], [[#include <seccomp.h>]])
], [], [[#include <seccomp.h>]])
])
AM_CONDITIONAL([HAVE_KQUEUE], [test "x$HAVE_KQUEUE" != "x"])
AM_CONDITIONAL([HAVE_INOTIFY], [test "x$HAVE_INOTIFY" != "x"])
AM_CONDITIONAL([INOTIFY_OLD], [test "x$INOTIFY_OLD" != "x"])
... ... @@ -332,7 +339,8 @@ AM_CONDITIONAL([HAVE_BACKTRACE], [test "x$HAVE_BACKTRACE" != "x"])
AM_CONDITIONAL([HAVE_CAPABILITIES], [test "x$HAVE_CAPABILITIES" != "x"])
AM_CONDITIONAL([HAVE_GETMNTENT], [test "x$HAVE_GETMNTENT" != "x"])
AM_CONDITIONAL([HAVE_PIVOTROOT], [test "x$HAVE_PIVOTROOT" != "x"])
AM_CONDITIONAL([HAVE_UNSHARE], [test "x$HAVE_UNSHARE" != "x"])
AM_CONDITIONAL([HAVE_UNSHARE], [test "x$HAVE_UNSHARE" != "x"])
AM_CONDITIONAL([HAVE_SECCOMP], [test "x$HAVE_SECCOMP" != "x"])
AS_IF([test "$HAVE_KQUEUE" = '' -a "$HAVE_INOTIFY" = '' -a "$HAVE_FANOTIFY" = '' -a "$HAVE_BSM" = '' ], [AC_MSG_FAILURE([kqueue, inotify and bsm are not supported on this system])])
... ...
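Review bot: The seccomp probe in the first hunk only checks that `<seccomp.h>` declares `scmp_filter_ctx` and `seccomp_syscall_resolve_name_arch`; there is no `AC_CHECK_LIB([seccomp], ...)`, so `HAVE_SECCOMP` can be set on a system with the header but no linkable library, and nothing here adds `-lseccomp` to `LIBS`. Adding `AC_CHECK_LIB([seccomp], [seccomp_init], [], [HAVE_SECCOMP=])` after the declaration check would close this, unless the library is handled in a hunk not shown. Separately, the second hunk shows `AM_CONDITIONAL([HAVE_UNSHARE], ...)` on two consecutive lines; that appears to predate this commit and may be a rendering artefact, but if the duplicate is real it is worth dropping while this block is being touched.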
... ... @@ -108,6 +108,7 @@ enum flags_enum {
DETACH_NETWORK = 32|OPTION_LONGOPTONLY,
DETACH_MISCELLANEA = 33|OPTION_LONGOPTONLY,
ADDPERMITTEDHOOKFILES = 34|OPTION_LONGOPTONLY,
SECCOMP_FILTER = 35|OPTION_LONGOPTONLY,
};
typedef enum flags_enum flags_t;
... ...
... ... @@ -87,6 +87,9 @@ static const struct option long_options[] =
{"thread-splitting", optional_argument, NULL, THREADSPLITTING},
{"check-execvp-args", optional_argument, NULL, CHECK_EXECVP_ARGS},
{"add-permitted-hook-files",required_argument, NULL, ADDPERMITTEDHOOKFILES},
# ifdef SECCOMP_SUPPORT
{"seccomp-filter", optional_argument, NULL, SECCOMP_FILTER},
# endif
#endif
#ifdef GETMNTENT_SUPPORT
{"mountpoints", optional_argument, NULL, MOUNTPOINTS},
... ...
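Review bot: The option registered here is `seccomp-filter`, but the man page hunk in this commit explains the "Bad system call" error in terms of `\-\-use\-seccomp`, which is not an option this table defines; that text should read `\-\-seccomp\-filter`. The same man page hunk lists `wait4` twice in the allowed-syscall list. Because the entry is `optional_argument` like its neighbours, the `SECCOMP_FILTER` case in the option parser (outside this hunk) must accept a NULL `optarg`. The `long_options[]` array begins and ends outside the hunk.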
... ... @@ -1246,6 +1246,37 @@ or
Is not set by default.
.RE
.B \-\-seccomp\-filter
.RS
Use
.B seccomp
filter to forbid syscalls that shouldn't be used by clsync.
Forbid all syscalls for non-privileged thread, but
.RS
futex
inotify_init1
alarm
lstat
open
write
close
wait4
unlink
tgkill
clock_gettime
rt_sigreturn
brk
mmap
munmap
wait4
rmdir
exit_group
.RE
Is not set by default.
.RE
.B \-\-chroot
.I chroot\-directory
.RS
... ... @@ -1997,6 +2028,14 @@ your
.RE
.B "Bad system call"
.RS
If \-\-use\-seccomp option is enabled then the error is probably caused
by using of forbidden syscall. It's a
.B clsync
bug or hack attack attempt.
.RE
To get support see
.BR SUPPORT .
... ...