Enable seccomp sandbox by default.

nbareil · Sep 11, 2012 · b5df469 · b5df469
2 parents d0334fd + 6a174f3
commit b5df469
Show file tree

Hide file tree

Showing 5 changed files with 88 additions and 8 deletions.
diff --git a/Makefile b/Makefile
diff --git a/Makefile.in b/Makefile.in
@@ -0,0 +1,15 @@
+#! /usr/bin/env make
+
+CC= @CC@
+CFLAGS=@CFLAGS@
+LDLIBS=@LIBS@
+
+prefix := /usr/local
+
+all: net2pcap
+
+net2pcap: net2pcap.o
+
+.PHONY: clean
+clean:
+	rm -f net2pcap.o net2pcap
diff --git a/autogen.sh b/autogen.sh
@@ -0,0 +1,4 @@
+#! /bin/sh
+
+autoreconf --install
+automake --add-missing --copy > /dev/null 2>&1
diff --git a/configure.ac b/configure.ac
@@ -0,0 +1,25 @@
+AC_INIT([net2pcap], [0.2], [nico@chdir.org], [net2pcap], [http://github.com/nbareil/net2pcap/])
+AC_PREREQ([2.59])
+AC_CONFIG_HEADERS([config.h])
+AC_CONFIG_FILES([Makefile])
+AC_ARG_ENABLE([sandbox],
+              [ --disable-sandbox          do not use SECCOMP sandbox],
+              [sandbox=${enableval}], [sandbox=auto])
+
+have_seccomp=no
+
+if test "x${sandbox}" != xno; then
+    AC_SEARCH_LIBS([seccomp_init], [seccomp], [have_seccomp=yes])
+    AC_CHECK_HEADERS([seccomp.h])
+fi
+
+if test "x${sandbox}" = xyes && test "x${have_seccomp}" != xyes; then
+   AC_MSG_ERROR([
+   --------------------------------------------
+   Unable to find libseccomp. Abording.
+   --------------------------------------------
+   ])
+fi
+
+AC_PROG_CC
+AC_OUTPUT
diff --git a/net2pcap.c b/net2pcap.c
@@ -3,7 +3,7 @@
  *              see http://www.secdev.org/projects/net2pcap.html
  *              for more informations
  *
- * Copyright (C) 2003-2011  Philippe Biondi <phil@secdev.org>
+ * Copyright (C) 2003-2012  Philippe Biondi <phil@secdev.org>
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Lesser General Public License
@@ -15,9 +15,10 @@
  * Lesser General Public License for more details.
  */
 
-#define IDENT "net2pcap -- http://www.secdev.org/projects/net2pcap/\n"
+#define IDENT "##PACKAGE_NAME -- ## PACKAGE_URL\n"
 
 #define _FILE_OFFSET_BITS 64
+#include "config.h"
 
 #include <sys/types.h>
 #include <asm/types.h>
@@ -40,10 +41,17 @@
 #include <grp.h>
 #include <signal.h>
 #include <stdlib.h>
+#if HAVE_SECCOMP_H
+#        include <seccomp.h>
+#endif
 #include <syslog.h>
 #include <string.h>
 #include <unistd.h>
 
+#ifndef O_LARGEFILE /* needed for SECCOMP rule */
+#        define O_LARGEFILE    00100000
+#endif
+
 #define MAX(a,b) (a > b ? a : b)
 
 #define DEFAULT_SNAPLEN 65535
@@ -447,7 +455,40 @@ int main(int argc, char *argv[])
         if (uid && (setuid(uid) == -1))
                 PERROR("setuid()");
 
-	LOG(LOG_INFO,"Started.\n");
+#if HAVE_SECCOMP_H
+        if (seccomp_init(SCMP_ACT_KILL) < 0)
+                ERROR("Cannot go into SECCOMPv2");
+
+        seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(open), 1,
+                         SCMP_A1(SCMP_CMP_EQ, O_CREAT|O_WRONLY|O_APPEND|O_LARGEFILE));
+        seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(socketcall), 0);
+        seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(close), 0);
+        seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(write), 0);
+        seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(gettimeofday), 0);
+        seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(read), 0);
+        seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(exit), 0);
+        seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(_llseek), 0);
+        seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(_newselect), 0);
+        seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0);
+        seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(rt_sigreturn), 0);
+        seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(sigreturn), 0);
+
+        if (daemonize) {
+                seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(time), 0);
+                seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(fstat64), 0);
+                seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(mmap2), 0);
+                seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(munmap), 0);
+        }
+
+        if (seccomp_load() < 0)
+                ERROR("Cannot load SECCOMP filters");
+
+        LOG(LOG_INFO,"Started [sandboxed].\n");
+        seccomp_release();
+#else
+        LOG(LOG_INFO,"Started.\n");
+#endif /* HAVE_SECCOMP_H */
+
 
 	while (!term_received) { /* Main loop */
                 off_t filepos;