add seccomp rules and other small cleanups
parent
313133f252
commit
bb37f7e5ec
54
src/acme.c
54
src/acme.c
|
@ -52,7 +52,7 @@
|
|||
#include "seccomp.h"
|
||||
|
||||
/* The syscalls our acme worker is allowed to perform, only. */
|
||||
static struct sock_filter filter_keymgr[] = {
|
||||
static struct sock_filter filter_acme[] = {
|
||||
/* Net related. */
|
||||
KORE_SYSCALL_ALLOW(poll),
|
||||
KORE_SYSCALL_ALLOW(sendto),
|
||||
|
@ -68,6 +68,28 @@ static struct sock_filter filter_keymgr[] = {
|
|||
KORE_SYSCALL_ALLOW(mmap),
|
||||
KORE_SYSCALL_ALLOW(munmap),
|
||||
KORE_SYSCALL_ALLOW(clock_gettime),
|
||||
|
||||
/* Allow sockets and libcurl to call connect. */
|
||||
KORE_SYSCALL_ALLOW(bind),
|
||||
KORE_SYSCALL_ALLOW(ioctl),
|
||||
KORE_SYSCALL_ALLOW(connect),
|
||||
KORE_SYSCALL_ALLOW(getsockopt),
|
||||
KORE_SYSCALL_ALLOW(getsockname),
|
||||
KORE_SYSCALL_ALLOW_ARG(socket, 0, AF_INET),
|
||||
KORE_SYSCALL_ALLOW_ARG(socket, 0, AF_INET6),
|
||||
KORE_SYSCALL_ALLOW_ARG(socket, 0, AF_UNIX),
|
||||
KORE_SYSCALL_ALLOW_ARG(socket, 0, AF_NETLINK),
|
||||
|
||||
/* Threading related. */
|
||||
KORE_SYSCALL_ALLOW(clone),
|
||||
KORE_SYSCALL_ALLOW(set_robust_list),
|
||||
|
||||
/* Other */
|
||||
KORE_SYSCALL_ALLOW(ioctl),
|
||||
KORE_SYSCALL_ALLOW(madvise),
|
||||
KORE_SYSCALL_ALLOW(recvmsg),
|
||||
KORE_SYSCALL_ALLOW(sendmmsg),
|
||||
KORE_SYSCALL_ALLOW(getpeername),
|
||||
};
|
||||
#endif
|
||||
|
||||
|
@ -536,33 +558,35 @@ acme_order_create_submit(struct acme_sign_op *op, struct kore_buf *payload)
|
|||
struct acme_order *order;
|
||||
struct acme_auth *auth;
|
||||
const char *header;
|
||||
const char *domain;
|
||||
struct kore_json_item *item, *array, *final, *status;
|
||||
|
||||
order = NULL;
|
||||
domain = op->udata;
|
||||
acme_request_prepare(&req, HTTP_METHOD_POST, order_url,
|
||||
payload->data, payload->offset);
|
||||
|
||||
if (!acme_request_run(&req)) {
|
||||
acme_request_cleanup(&req);
|
||||
acme_order_retry(op->udata);
|
||||
acme_order_retry(domain);
|
||||
return;
|
||||
}
|
||||
|
||||
if (req.curl.http.status != HTTP_STATUS_CREATED) {
|
||||
kore_log(LOG_NOTICE,
|
||||
"[%s] - request to '%s' failed: status %ld - body '%s'",
|
||||
op->udata, req.curl.url, req.curl.http.status,
|
||||
domain, req.curl.url, req.curl.http.status,
|
||||
kore_curl_response_as_string(&req.curl));
|
||||
acme_request_cleanup(&req);
|
||||
acme_order_retry(op->udata);
|
||||
acme_order_retry(domain);
|
||||
return;
|
||||
}
|
||||
|
||||
if (!kore_curl_http_get_header(&req.curl, "location", &header)) {
|
||||
kore_log(LOG_NOTICE,
|
||||
"[%s] new-order: no order id found", op->udata);
|
||||
"[%s] new-order: no order id found", domain);
|
||||
acme_request_cleanup(&req);
|
||||
acme_order_retry(op->udata);
|
||||
acme_order_retry(domain);
|
||||
return;
|
||||
}
|
||||
|
||||
|
@ -572,38 +596,38 @@ acme_order_create_submit(struct acme_sign_op *op, struct kore_buf *payload)
|
|||
if (!kore_json_parse(&json)) {
|
||||
kore_log(LOG_NOTICE,
|
||||
"[%s] failed to parse order payload from ACME server (%s)",
|
||||
op->udata, kore_json_strerror(&json));
|
||||
domain, kore_json_strerror(&json));
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
array = kore_json_find_array(json.root, "authorizations");
|
||||
if (array == NULL) {
|
||||
kore_log(LOG_NOTICE, "[%s] body has no 'authorizations' array",
|
||||
op->udata);
|
||||
domain);
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
if (TAILQ_EMPTY(&array->data.items)) {
|
||||
kore_log(LOG_NOTICE, "[%s] no authoritization URLs in payload",
|
||||
op->udata);
|
||||
domain);
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
if ((status = kore_json_find_string(json.root, "status")) == NULL) {
|
||||
kore_log(LOG_NOTICE, "[%s] order has no 'status' string",
|
||||
op->udata);
|
||||
domain);
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
if ((final = kore_json_find_string(json.root, "finalize")) == NULL) {
|
||||
kore_log(LOG_NOTICE, "[%s] order has no 'finalize' string",
|
||||
op->udata);
|
||||
domain);
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
if ((stval = acme_status_type(status->data.string)) == -1) {
|
||||
kore_log(LOG_NOTICE, "[%s] order has invalid status",
|
||||
op->udata);
|
||||
domain);
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
|
@ -615,7 +639,7 @@ acme_order_create_submit(struct acme_sign_op *op, struct kore_buf *payload)
|
|||
order->status = stval;
|
||||
order->start = kore_time_ms();
|
||||
order->id = kore_strdup(header);
|
||||
order->domain = kore_strdup(op->udata);
|
||||
order->domain = kore_strdup(domain);
|
||||
order->state = ACME_ORDER_STATE_RUNNING;
|
||||
order->final = kore_strdup(final->data.string);
|
||||
|
||||
|
@ -636,7 +660,7 @@ acme_order_create_submit(struct acme_sign_op *op, struct kore_buf *payload)
|
|||
|
||||
cleanup:
|
||||
if (order == NULL)
|
||||
acme_order_retry(op->udata);
|
||||
acme_order_retry(domain);
|
||||
|
||||
kore_json_cleanup(&json);
|
||||
acme_request_cleanup(&req);
|
||||
|
@ -1299,7 +1323,7 @@ acme_generic_submit(struct acme_sign_op *op, struct kore_buf *payload)
|
|||
}
|
||||
|
||||
kore_log(LOG_INFO, "submitted %zu bytes to %s",
|
||||
payload->offset, op->udata);
|
||||
payload->offset, req.curl.url);
|
||||
|
||||
cleanup:
|
||||
acme_request_cleanup(&req);
|
||||
|
|
|
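Review bot: `KORE_SYSCALL_ALLOW(ioctl)` is listed twice in `filter_acme`, once in the socket group and again under `/* Other */`; the second entry only adds a redundant BPF rule and should be dropped, and since `ioctl` is allowed without any argument check it is worth a comment stating which requests the worker actually needs. `clone` is likewise allowed unconditionally under `/* Threading related. */` while `socket` is already narrowed with `KORE_SYSCALL_ALLOW_ARG`; if the macro can match the flags argument on the target architectures, constraining `clone` to thread creation would keep the sandbox from spawning full processes, otherwise a comment such as `/* unrestricted: libcurl resolver threads need clone */` documents the decision. The group comment `/* Allow sockets and libcurl to call connect. */` also covers `bind`, `getsockopt` and `getsockname`, so a broader wording like `/* Socket setup used by libcurl (connect, bind, options). */` would describe the block better. The remaining hunks in this file only swap `op->udata` for the new `domain` local and adjust a log line, which look correct.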
@ -107,6 +107,12 @@ static struct sock_filter filter_keymgr[] = {
|
|||
#if defined(__NR_getrandom)
|
||||
KORE_SYSCALL_ALLOW(getrandom),
|
||||
#endif
|
||||
|
||||
#if defined(KORE_USE_ACME)
|
||||
KORE_SYSCALL_ALLOW(mkdir),
|
||||
KORE_SYSCALL_ALLOW(umask),
|
||||
KORE_SYSCALL_ALLOW(access),
|
||||
#endif
|
||||
};
|
||||
#endif
|
||||
|
||||
|
|