properly seccomp keymgr
parent
e7352a3634
commit
68e90507f4
17
src/keymgr.c
17
src/keymgr.c
|
@ -61,15 +61,28 @@ static struct sock_filter filter_keymgr[] = {
|
|||
KORE_SYSCALL_ALLOW(open),
|
||||
KORE_SYSCALL_ALLOW(read),
|
||||
KORE_SYSCALL_ALLOW(close),
|
||||
KORE_SYSCALL_ALLOW(fstat),
|
||||
KORE_SYSCALL_ALLOW(futex),
|
||||
KORE_SYSCALL_ALLOW(openat),
|
||||
|
||||
/* Allow it to read/write messages. */
|
||||
KORE_SYSCALL_ALLOW(write),
|
||||
/* Net related. */
|
||||
KORE_SYSCALL_ALLOW(read),
|
||||
KORE_SYSCALL_ALLOW(write),
|
||||
KORE_SYSCALL_ALLOW(epoll_wait),
|
||||
|
||||
/* Process things. */
|
||||
KORE_SYSCALL_ALLOW(exit),
|
||||
KORE_SYSCALL_ALLOW(kill),
|
||||
KORE_SYSCALL_ALLOW(getpid),
|
||||
KORE_SYSCALL_ALLOW(arch_prctl),
|
||||
KORE_SYSCALL_ALLOW(exit_group),
|
||||
KORE_SYSCALL_ALLOW(sigaltstack),
|
||||
KORE_SYSCALL_ALLOW(rt_sigreturn),
|
||||
KORE_SYSCALL_ALLOW(rt_sigaction),
|
||||
|
||||
/* Other things. */
|
||||
KORE_SYSCALL_ALLOW(munmap),
|
||||
KORE_SYSCALL_ALLOW(getrandom),
|
||||
};
|
||||
#endif
|
||||
|
||||
|
|
|
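Review bot: `KORE_SYSCALL_ALLOW(kill)`, `KORE_SYSCALL_ALLOW(open)` and `KORE_SYSCALL_ALLOW(openat)` sit in `filter_keymgr` with no argument constraints, so the process that holds the private keys may signal any pid and open any path in any mode its uid permits. This page has lost its +/- markers, so it is not possible to tell from here which of these entries the commit adds, but each should be narrowed or at least justified, since keymgr now appears to depend on this list alone. I would add a comment above them, e.g. `/* kill: signalling the parent on fatal errors (confirm); open/openat: key and cert files, read-only. */`, and restrict the arguments if the seccomp macros in this tree allow it. `read` and `write` each appear twice in the listing; if both copies are on the new side, one of each can go. The array starts above the hunk.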
@ -154,6 +154,7 @@ kore_seccomp_enable(void)
|
|||
struct sock_fprog prog;
|
||||
struct kore_runtime_call *rcall;
|
||||
struct filter *filter;
|
||||
int skip_worker_filter;
|
||||
size_t prog_len, pos, jmp_off, i;
|
||||
|
||||
#if defined(KORE_DEBUG)
|
||||
|
@ -174,9 +175,18 @@ kore_seccomp_enable(void)
|
|||
kore_free(rcall);
|
||||
}
|
||||
|
||||
/* Add worker required syscalls. */
|
||||
kore_seccomp_filter("worker", filter_kore,
|
||||
KORE_FILTER_LEN(filter_kore));
|
||||
skip_worker_filter = 0;
|
||||
|
||||
#if !defined(KORE_NO_TLS)
|
||||
if (worker->id == KORE_WORKER_KEYMGR)
|
||||
skip_worker_filter = 1;
|
||||
#endif
|
||||
|
||||
if (skip_worker_filter == 0) {
|
||||
/* Add worker required syscalls. */
|
||||
kore_seccomp_filter("worker", filter_kore,
|
||||
KORE_FILTER_LEN(filter_kore));
|
||||
}
|
||||
|
||||
/*
|
||||
* Construct the entire BPF program by adding all relevant parts
|
||||
|
|
|
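Review bot: The new skip in `kore_seccomp_enable` has no comment explaining why keymgr must not receive `filter_kore`, and it makes the function depend on a keymgr-specific filter having been registered before this point; that registration is not visible in the hunk. If it is missing or runs later, keymgr would reach the BPF construction with only whatever the loop ending at `kore_free(rcall)` added, and anything that loop adds is not covered by the skip. I would put `/* keymgr runs under its own, narrower filter and must not inherit the worker allowlist. */` above the `#if !defined(KORE_NO_TLS)` block and state the ordering requirement there. The function starts and ends outside the hunk.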
@ -310,14 +310,7 @@ kore_worker_privdrop(const char *runas, const char *root)
|
|||
fatalx("cannot drop privileges");
|
||||
}
|
||||
|
||||
#if defined(__linux__) && !defined(KORE_NO_TLS)
|
||||
/* keymgr gets its own privileges. */
|
||||
if (worker->id == KORE_WORKER_KEYMGR)
|
||||
return;
|
||||
#endif
|
||||
|
||||
kore_platform_sandbox();
|
||||
|
||||
}
|
||||
|
||||
void
|
||||
|
|