diff --git a/Makefile b/Makefile
index e84d50b..ab1cf18 100644
--- a/Makefile
+++ b/Makefile
@@ -29,7 +29,7 @@ CFLAGS+=-DPREFIX='"$(PREFIX)"' -fstack-protector-all
 ifneq ("$(OPENSSL_PATH)", "")
 CFLAGS+=-I$(OPENSSL_PATH)/include
-LDFLAGS=-rdynamic -L$(OPENSSL_PATH) -lssl -l$(KORE_CRYPTO)
+LDFLAGS=-rdynamic -L$(OPENSSL_PATH)/lib -lssl -l$(KORE_CRYPTO)
 else
 LDFLAGS=-rdynamic -lssl -l$(KORE_CRYPTO)
 endif
diff --git a/src/connection.c b/src/connection.c
index 1f8d913..b0ed7f0 100644
--- a/src/connection.c
+++ b/src/connection.c
@@ -185,7 +185,8 @@ kore_connection_check_timeout(u_int64_t now)
 if (c->proto == CONN_PROTO_MSG)
 continue;
 #if !defined(KORE_NO_HTTP)
- if (c->state == CONN_STATE_ESTABLISHED) {
+ if (c->state == CONN_STATE_ESTABLISHED &&
+ c->proto == CONN_PROTO_HTTP) {
 if (!http_check_timeout(c, now))
 continue;
 if (!TAILQ_EMPTY(&c->http_requests))
diff --git a/src/keymgr.c b/src/keymgr.c
index 8ee8737..c02a6f0 100644
--- a/src/keymgr.c
+++ b/src/keymgr.c
@@ -71,7 +71,9 @@
 /* The syscalls our keymgr is allowed to perform, only. */
 static struct sock_filter filter_keymgr[] = {
 /* Required to deal with private keys and certs. */
+#if defined(SYS_open)
 KORE_SYSCALL_ALLOW(open),
+#endif
 KORE_SYSCALL_ALLOW(read),
 KORE_SYSCALL_ALLOW(write),
 KORE_SYSCALL_ALLOW(close),
@@ -81,10 +83,14 @@ static struct sock_filter filter_keymgr[] = {
 KORE_SYSCALL_ALLOW(openat),
 
 /* Net related. */
+#if defined(SYS_poll)
 KORE_SYSCALL_ALLOW(poll),
+#endif
 KORE_SYSCALL_ALLOW(sendto),
 KORE_SYSCALL_ALLOW(recvfrom),
+#if defined(SYS_epoll_wait)
 KORE_SYSCALL_ALLOW(epoll_wait),
+#endif
 KORE_SYSCALL_ALLOW(epoll_pwait),
 
 /* Process things. */
@@ -92,7 +98,9 @@ static struct sock_filter filter_keymgr[] = {
 KORE_SYSCALL_ALLOW(kill),
 KORE_SYSCALL_ALLOW(getuid),
 KORE_SYSCALL_ALLOW(getpid),
+#if defined(SYS_arch_prctl)
 KORE_SYSCALL_ALLOW(arch_prctl),
+#endif
 KORE_SYSCALL_ALLOW(exit_group),
 KORE_SYSCALL_ALLOW(sigaltstack),
 KORE_SYSCALL_ALLOW(rt_sigreturn),
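Review bot: The new condition `c->state == CONN_STATE_ESTABLISHED && c->proto == CONN_PROTO_HTTP` quietly drops every established connection that is neither HTTP nor MSG out of the timeout path, and nothing in the hunk says what, if anything, still times those out; if the rest of kore_connection_check_timeout (the function starts and ends outside this hunk) has no other idle check, a peer can hold such a connection open indefinitely. A comment on the added line would make the intent explicit, e.g. `/* Only HTTP connections carry request timeouts; other protocols are not checked here. */`. If other protocols are meant to have an idle timeout of their own, that branch belongs alongside this one rather than being implied by its absence.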
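Review bot: The `#if defined(SYS_open)`, `SYS_poll`, `SYS_epoll_wait` and `SYS_arch_prctl` guards in filter_keymgr carry no comment saying why these four entries are conditional while their neighbours are not; the same applies to the stat/lstat/access/unlink/readlink/poll/epoll_wait guards in the two src/seccomp.c filter_kore hunks. One comment above the first guard would cover all of them: `/* Legacy syscalls missing from some kernel ABIs (e.g. aarch64); allow only where the ABI defines them. */`. The guards only work if the SYS_* macros are visible in keymgr.c at this point; presumably KORE_SYSCALL_ALLOW already expands to SYS_<name> so that is the case, but the header providing them is not part of this diff, so it is worth confirming rather than having every guard evaluate false on a platform that has the syscall.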
diff --git a/src/seccomp.c b/src/seccomp.c index 72e611f..60dfe76 100644 --- a/src/seccomp.c +++ b/src/seccomp.c @@ -19,7 +19,7 @@ #include #include #include -#include +#include #include #include @@ -50,21 +50,33 @@ static struct sock_filter filter_kore[] = { KORE_SYSCALL_DENY(ioctl, EACCES), /* File related. */ +#if defined(SYS_open) KORE_SYSCALL_ALLOW(open), +#endif KORE_SYSCALL_ALLOW(read), +#if defined(SYS_stat) KORE_SYSCALL_ALLOW(stat), +#endif +#if defined(SYS_lstat) KORE_SYSCALL_ALLOW(lstat), +#endif KORE_SYSCALL_ALLOW(fstat), KORE_SYSCALL_ALLOW(write), KORE_SYSCALL_ALLOW(fcntl), KORE_SYSCALL_ALLOW(lseek), KORE_SYSCALL_ALLOW(close), KORE_SYSCALL_ALLOW(openat), +#if defined(SYS_access) KORE_SYSCALL_ALLOW(access), +#endif KORE_SYSCALL_ALLOW(writev), KORE_SYSCALL_ALLOW(getcwd), +#if defined(SYS_unlink) KORE_SYSCALL_ALLOW(unlink), +#endif +#if defined(SYS_readlink) KORE_SYSCALL_ALLOW(readlink), +#endif /* Process related. */ KORE_SYSCALL_ALLOW(exit), @@ -88,14 +100,18 @@ static struct sock_filter filter_kore[] = { KORE_SYSCALL_ALLOW(mprotect), /* Net related. */ +#if defined(SYS_poll) KORE_SYSCALL_ALLOW(poll), +#endif KORE_SYSCALL_ALLOW(sendto), KORE_SYSCALL_ALLOW(accept), KORE_SYSCALL_ALLOW(sendfile), KORE_SYSCALL_ALLOW(recvfrom), KORE_SYSCALL_ALLOW(epoll_ctl), KORE_SYSCALL_ALLOW(setsockopt), +#if defined(SYS_epoll_wait) KORE_SYSCALL_ALLOW(epoll_wait), +#endif KORE_SYSCALL_ALLOW(epoll_pwait), /* Signal related. */ @@ -291,7 +307,7 @@ kore_seccomp_traceme(void) return; if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1) - fatalx("ptrace. %s", errno_s); + fatalx("ptrace: %s", errno_s); if (kill(worker->pid, SIGSTOP) == -1) fatalx("kill: %s", errno_s); } 
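Review bot: The filter_kore hunks guard stat, lstat, access, unlink, readlink, poll and epoll_wait out on architectures that lack them but add none of the calls a libc uses in their place on such platforms (fstatat/newfstatat, faccessat, unlinkat, readlinkat, ppoll); unless those already appear in filter_kore outside these hunks, the first stat() or access() from a worker on such a platform becomes a seccomp violation and a killed worker rather than a tighter allow-list. Worth checking the full table and adding the counterparts under matching `#if defined(SYS_...)` guards in the same style, since epoll_pwait and openat are already present as the counterparts for epoll_wait and open. The include hunk at the top of the file cannot be reviewed from this rendering because the header names have been stripped.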
@@ -406,12 +422,26 @@ kore_seccomp_syscall_flag(const char *name, int action, int arg, int value)
 static void
 seccomp_register_violation(struct kore_worker *kw)
 {
- long sysnr;
+ struct iovec iov;
+ struct user_regs_struct regs;
+ long sysnr;
 
- if ((sysnr = ptrace(PTRACE_PEEKUSER, kw->pid,
- sizeof(long) * ORIG_RAX, NULL)) == -1)
+ iov.iov_base = ®s;
+ iov.iov_len = sizeof(regs);
+
+ if (ptrace(PTRACE_GETREGSET, kw->pid, 1, &iov) == -1)
 fatal("ptrace: %s", errno_s);
 
+#if SECCOMP_AUDIT_ARCH == AUDIT_ARCH_X86_64
+ sysnr = regs.orig_rax;
+#elif SECCOMP_AUDIT_ARCH == AUDIT_ARCH_I386
+ sysnr = regs.orig_ax;
+#elif SECCOMP_AUDIT_ARCH == AUDIT_ARCH_AARCH64
+ sysnr = regs.regs[8];
+#else
+#error "platform not yet supported"
+#endif
+
 kore_log(LOG_INFO, "seccomp violation, worker=%d, syscall=%s",
 kw->id, kore_seccomp_syscall_name(sysnr));
 }
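Review bot: `ptrace(PTRACE_GETREGSET, kw->pid, 1, &iov)` passes the regset type as the bare literal `1`; that value is NT_PRSTATUS, and the named constant from <elf.h> should be used, `if (ptrace(PTRACE_GETREGSET, kw->pid, NT_PRSTATUS, &iov) == -1)`. On success the kernel rewrites iov.iov_len to the number of bytes it actually filled, which can be less than sizeof(regs) if the tracee ever runs under a different ABI than the tracer; the field reads below would then come from a partially filled struct and the logged syscall name would be wrong, so a check such as `if (iov.iov_len != sizeof(regs)) fatal("ptrace: short regset");` right after the call keeps the violation log trustworthy. The line `iov.iov_base = ®s;` is presumably `&regs` mangled by this rendering. sysnr is declared long while the register fields it is assigned from are wider unsigned types; harmless for real syscall numbers, but a brief comment or cast would make the narrowing deliberate.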