Commit 31886dc8 authored by godog's avatar godog

make syscalls and capabilities configurable

parent 59d00e62
......@@ -47,7 +47,10 @@ int sandbox_config_init(struct sandbox_config *config, uid_t uid, gid_t gid,
return 0;
}
static int capabilities() {
static int capabilities(struct sandbox_config *config) {
if (!config->enable_capabilities) {
return 0;
}
fprintf(stderr, "=> dropping capabilities...");
int drop_caps[] = {
CAP_AUDIT_CONTROL, CAP_AUDIT_READ, CAP_AUDIT_WRITE, CAP_BLOCK_SUSPEND,
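Review bot: The early return added at the top of capabilities() leaves no trace when the drop is disabled, while the enabled path announces itself on stderr, so a run with this hardening turned off looks identical to one where the function was never reached; log the skip before returning, e.g. `fprintf(stderr, "=> capabilities dropping disabled by config\n");` ahead of `return 0;`. The same silent guard is added to syscalls() in the next hunk and would benefit from the same line. The rest of capabilities() lies outside the hunk.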
......@@ -143,7 +146,10 @@ static int mounts(struct sandbox_config *config) {
#define SCMP_FAIL SCMP_ACT_ERRNO(EPERM)
static int syscalls() {
static int syscalls(struct sandbox_config *config) {
if (!config->enable_syscalls) {
return 0;
}
scmp_filter_ctx ctx = NULL;
fprintf(stderr, "=> filtering syscalls...");
if (!(ctx = seccomp_init(SCMP_ACT_ALLOW)) ||
......@@ -382,11 +388,13 @@ static int userns(struct sandbox_config *config) {
static int child(void *arg) {
struct sandbox_config *config = arg;
if (sethostname(config->hostname, strlen(config->hostname)) ||
mounts(config) || userns(config) || capabilities() || syscalls()) {
if (mounts(config) || userns(config) || capabilities(config) || syscalls(config)) {
close(config->fd);
return -1;
}
if (sethostname(config->hostname, strlen(config->hostname))) {
log_println_errno("sethostname failed, ignoring");
}
if (close(config->fd)) {
log_println_errno("close failed");
return -1;
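Review bot: sethostname() now runs after capabilities(config) and syscalls(config), and its failure has been downgraded from fatal to a logged warning, so if the capability drop or the seccomp filter denies the call the child keeps the parent's hostname with only a log line to show it. If that is the intended trade-off it should be stated at the call site, e.g. `/* Best effort: runs after the capability drop and seccomp filter, which may deny sethostname(). */`; otherwise the call belongs back before capabilities()/syscalls() with fatal handling. child() continues outside the hunk.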
......
......@@ -15,8 +15,10 @@ struct sandbox_config {
char *argv0;
char **argv;
char *new_root_dir;
int enable_capabilities;
int enable_cgroups;
int enable_namespaces;
int enable_syscalls;
};
int sandbox_config_init(struct sandbox_config *, uid_t, gid_t, int, char *, char **);
......
......@@ -40,8 +40,10 @@ struct config {
int num_docroots;
int min_uid;
int min_gid;
int enable_capabilities;
int enable_cgroups;
int enable_namespaces;
int enable_syscalls;
};
// Convert string to int, with syntax checking.
......@@ -170,10 +172,14 @@ static int read_config(const char *path, struct config *config) {
r = config_set_min_uid(config, value);
} else if (!strcmp(key, "min_gid")) {
r = config_set_min_gid(config, value);
} else if (!strcmp(key, "enable_capabilities")) {
r = s2b(value, &(config->enable_capabilities));
} else if (!strcmp(key, "enable_cgroups")) {
r = s2b(value, &(config->enable_cgroups));
} else if (!strcmp(key, "enable_namespaces")) {
r = s2b(value, &(config->enable_namespaces));
} else if (!strcmp(key, "enable_syscalls")) {
r = s2b(value, &(config->enable_syscalls));
} else {
log_printf("Syntax error at %s:%d: unknown directive '%s'", path, lineno,
key);
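Review bot: The new `enable_capabilities` and `enable_syscalls` directives have no visible default; if `struct config` is zero-initialised before parsing, as the sibling `enable_*` int flags suggest, a config file that omits either line disables the capability drop or the seccomp filter, so the sandbox fails open on a missing directive rather than a deliberate one. Initialising these two fields to 1 before the parse loop, or documenting that they default to off and must be set explicitly, would make the behaviour intentional. The initialisation of `config` is outside this hunk, so this is inferred from the parsing code alone.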
......@@ -431,20 +437,15 @@ int main(int argc, char **argv) {
real_cmd, (argv + 3)) < 0)
exit(106);
sandbox_config.enable_capabilities = config.enable_capabilities;
sandbox_config.enable_cgroups = config.enable_cgroups;
sandbox_config.enable_namespaces = config.enable_namespaces;
sandbox_config.enable_syscalls = config.enable_syscalls;
if (config.root)
sandbox_config.new_root_dir = config.root;
if (sandbox_start(&sandbox_config) < 0)
exit(107);
// Switch user.
// if (change_user(target_uid, target_gid) < 0)
// exit(105);
// Execute the command (with arguments), in our clean environment.
// execv(real_cmd, (argv + 3));
exit(110);
}