Implement syscall restrictions with seccomp #3

Merged
merged 2 commits into from Nov 19, 2019
@@ -6,7 +6,7 @@ bscdiff compares bsc, issue, fate (it's a SUSE thing) and CVE numbers from a sou
## Usage

```
brejoc@alpha ~> ./bscdiff source.changes target.changes
$ ./bscdiff source.changes target.changes
508: bsc#1098394 -> - Fix file.get_diff regression on 2018.3 (bsc#1098394)
525: bsc#1098394 -> - Fix file.managed binary file utf8 error (bsc#1098394)
4092: bsc#565656565 -> - uploaded to salt 1.12.0 (bsc#565656565, bsc#676767676)
@@ -28,7 +28,7 @@ bscdiff looks for the following patterns:

## Building bscdiff

Since no external dependency was used, you can just do a `go build bscdiff.go`.
Since Go modules are used and everything is vendorized, a simple `go build` should be enough. But you need the devel lib of seccomp: libseccomp-dev on Debian based systemes and libseccomp-devel on openSUSE or Redhat based systems.

## Installation
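Review bot: two typos in the new Building sentence: "systemes" should be "systems" and "Redhat" is normally written "Red Hat". It would also help readers to say that libseccomp-golang is a cgo binding, so `go build` needs a C compiler and must not run with CGO_ENABLED=0, and that the libseccomp header package is only needed for Linux builds: the seccomp code is behind a `linux` build tag, so on other platforms `go build` compiles the empty stub and never touches libseccomp.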

@@ -14,6 +14,12 @@ import (
"sort"
)

func init() {
// The syscall restriciton is only available for Linux right now via
// seccomp.
applySyscallRestrictions()
}

type searchResult struct {
line int
match []string
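Review bot: "restriciton" in the comment should be "restriction". Calling applySyscallRestrictions() from init() means the filter is loaded before main() even starts, so every syscall that main() and the Go runtime make afterwards has to be in the allowlist; if that is the intent, state it in the comment, because a later contributor who adds file writing or process spawning to main() will get EPERM with nothing in main.go pointing at this init().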
2 go.mod
@@ -1,3 +1,5 @@
module github.com/brejoc/bscdiff

go 1.12

require github.com/seccomp/libseccomp-golang v0.9.1
2 go.sum
@@ -0,0 +1,2 @@
github.com/seccomp/libseccomp-golang v0.9.1 h1:NJjM5DNFOs0s3kYE1WUOr6G8V97sdt46rlXTMfXGWBo=
github.com/seccomp/libseccomp-golang v0.9.1/go.mod h1:GbW5+tmTXfcxTToHLXlScSlAvWlF4P2Ca7zGrPiEpWo=
@@ -0,0 +1,38 @@
// +build linux

package main

import (
"fmt"
"syscall"

libseccomp "github.com/seccomp/libseccomp-golang"
)

func applySyscallRestrictions() {
var syscalls = []string{"read", "write", "close", "mmap", "munmap",
"rt_sigaction", "rt_sigprocmask", "clone", "execve", "sigaltstack",
"arch_prctl", "gettid", "futex", "sched_getaffinity", "epoll_ctl",
"openat", "newfstatat", "readlinkat", "pselect6", "epoll_pwait",
"epoll_create1", "exit_group"}
whiteList(syscalls)
}

// Load the seccomp whitelist.
func whiteList(syscalls []string) {

filter, err := libseccomp.NewFilter(
libseccomp.ActErrno.SetReturnCode(int16(syscall.EPERM)))
if err != nil {
fmt.Printf("Error creating filter: %s\n", err)
}
for _, element := range syscalls {
// fmt.Printf("[+] Whitelisting: %s\n", element)
syscallID, err := libseccomp.GetSyscallFromName(element)
if err != nil {
panic(err)
}
filter.AddRule(syscallID, libseccomp.ActAllow)
}
filter.Load()
}
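Review bot: the return values of filter.AddRule and filter.Load are discarded, and after a failed NewFilter the function only prints and then carries on with a nil filter, so a filter that cannot be created or loaded leaves bscdiff running with no restrictions and no message. Fail closed instead: return or exit after the NewFilter error, and check the load, e.g. `if err := filter.Load(); err != nil { log.Fatalf("loading seccomp filter: %v", err) }`. Two further points on the list itself: it is x86_64-specific, and GetSyscallFromName panics for a name that does not exist on the build architecture, so arch_prctl alone makes this panic on arm64; and execve is allowed, which an allowlist normally leaves out unless the program really execs another binary, so either drop it or document how the list was generated (an strace of a run?) so it can be regenerated for other Go versions and architectures.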
@@ -0,0 +1,7 @@
// +build !linux

package main

// We only have seccomp for linux right now.
func appylSyscallRestrictions() {
}
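Review bot: the stub is named appylSyscallRestrictions, but init() in main.go calls applySyscallRestrictions, so the non-Linux build this file exists for fails with an undefined-symbol error; rename the stub to applySyscallRestrictions.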
