From bb37f7e5ec360573a4996b7bc372acf21a811808 Mon Sep 17 00:00:00 2001
From: Joris Vink
Date: Mon, 4 Nov 2019 21:27:40 +0100
Subject: [PATCH] add seccomp rules and other small cleanups
---
 src/acme.c | 54 +++++++++++++++++++++++++++++++++++++---------------
 src/keymgr.c | 6 ++++++
 2 files changed, 45 insertions(+), 15 deletions(-)
diff --git a/src/acme.c b/src/acme.c
index 478e4fd..7416535 100644
--- a/src/acme.c
+++ b/src/acme.c
@@ -52,7 +52,7 @@
 #include "seccomp.h"
 /* The syscalls our acme worker is allowed to perform, only. */
-static struct sock_filter filter_keymgr[] = {
+static struct sock_filter filter_acme[] = {
 /* Net related. */
 KORE_SYSCALL_ALLOW(poll),
 KORE_SYSCALL_ALLOW(sendto),
@@ -68,6 +68,28 @@ static struct sock_filter filter_keymgr[] = {
 KORE_SYSCALL_ALLOW(mmap),
 KORE_SYSCALL_ALLOW(munmap),
 KORE_SYSCALL_ALLOW(clock_gettime),
+
+ /* Allow sockets and libcurl to call connect. */
+ KORE_SYSCALL_ALLOW(bind),
+ KORE_SYSCALL_ALLOW(ioctl),
+ KORE_SYSCALL_ALLOW(connect),
+ KORE_SYSCALL_ALLOW(getsockopt),
+ KORE_SYSCALL_ALLOW(getsockname),
+ KORE_SYSCALL_ALLOW_ARG(socket, 0, AF_INET),
+ KORE_SYSCALL_ALLOW_ARG(socket, 0, AF_INET6),
+ KORE_SYSCALL_ALLOW_ARG(socket, 0, AF_UNIX),
+ KORE_SYSCALL_ALLOW_ARG(socket, 0, AF_NETLINK),
+
+ /* Threading related. */
+ KORE_SYSCALL_ALLOW(clone),
+ KORE_SYSCALL_ALLOW(set_robust_list),
+
+ /* Other */
+ KORE_SYSCALL_ALLOW(ioctl),
+ KORE_SYSCALL_ALLOW(madvise),
+ KORE_SYSCALL_ALLOW(recvmsg),
+ KORE_SYSCALL_ALLOW(sendmmsg),
+ KORE_SYSCALL_ALLOW(getpeername),
 };
 #endif
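Review bot: `KORE_SYSCALL_ALLOW(ioctl)` appears twice in the new filter_acme entries, once in the socket group and again under `/* Other */`; the second rule can never match anything the first did not already allow, so it only lengthens the BPF program and should be dropped. The socket rules are narrowed by address family with `KORE_SYSCALL_ALLOW_ARG`, but `ioctl` and `clone` are admitted with no argument constraint, and both expose far more kernel surface than the resolver and threading paths of libcurl need. If `KORE_SYSCALL_ALLOW_ARG` can match the ioctl request number and the clone flags word the way it matches the socket family (a bitmask may need a masked compare rather than equality), narrowing them to the values actually observed under strace would keep this an allowlist in spirit; at minimum each group comment should name the library path that needs the call, e.g. `/* libcurl resolver: non-blocking socket setup via ioctl — confirm request numbers with strace */`.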
@@ -536,33 +558,35 @@ acme_order_create_submit(struct acme_sign_op *op, struct kore_buf *payload)
 struct acme_order *order;
 struct acme_auth *auth;
 const char *header;
+ const char *domain;
 struct kore_json_item *item, *array, *final, *status;
 order = NULL;
+ domain = op->udata;
 acme_request_prepare(&req, HTTP_METHOD_POST, order_url, payload->data, payload->offset);
 if (!acme_request_run(&req)) {
 acme_request_cleanup(&req);
- acme_order_retry(op->udata);
+ acme_order_retry(domain);
 return;
 }
 if (req.curl.http.status != HTTP_STATUS_CREATED) {
 kore_log(LOG_NOTICE, "[%s] - request to '%s' failed: status %ld - body '%s'",
- op->udata, req.curl.url, req.curl.http.status,
+ domain, req.curl.url, req.curl.http.status,
 kore_curl_response_as_string(&req.curl));
 acme_request_cleanup(&req);
- acme_order_retry(op->udata);
+ acme_order_retry(domain);
 return;
 }
 if (!kore_curl_http_get_header(&req.curl, "location", &header)) {
 kore_log(LOG_NOTICE,
- "[%s] new-order: no order id found", op->udata);
+ "[%s] new-order: no order id found", domain);
 acme_request_cleanup(&req);
- acme_order_retry(op->udata);
+ acme_order_retry(domain);
 return;
 }
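Review bot: `domain = op->udata;` is the one place that fixes what `udata` means for this operation (presumably an untyped pointer that is really the domain string), yet nothing near the assignment says so or says who owns that string across the `acme_order_retry(domain)` calls that follow. A one-line comment at the assignment, such as `/* udata is the domain this order is for; the caller keeps ownership — confirm against acme_order_retry */`, would make the alias self-explanatory. The same alias is used by the later hunks of acme_order_create_submit, so the single comment here covers all of them. The function starts before this hunk and continues past it.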
@@ -572,38 +596,38 @@ acme_order_create_submit(struct acme_sign_op *op, struct kore_buf *payload)
 if (!kore_json_parse(&json)) {
 kore_log(LOG_NOTICE, "[%s] failed to parse order payload from ACME server (%s)",
- op->udata, kore_json_strerror(&json));
+ domain, kore_json_strerror(&json));
 goto cleanup;
 }
 array = kore_json_find_array(json.root, "authorizations");
 if (array == NULL) {
 kore_log(LOG_NOTICE, "[%s] body has no 'authorizations' array",
- op->udata);
+ domain);
 goto cleanup;
 }
 if (TAILQ_EMPTY(&array->data.items)) {
 kore_log(LOG_NOTICE, "[%s] no authoritization URLs in payload",
- op->udata);
+ domain);
 goto cleanup;
 }
 if ((status = kore_json_find_string(json.root, "status")) == NULL) {
 kore_log(LOG_NOTICE, "[%s] order has no 'status' string",
- op->udata);
+ domain);
 goto cleanup;
 }
 if ((final = kore_json_find_string(json.root, "finalize")) == NULL) {
 kore_log(LOG_NOTICE, "[%s] order has no 'finalize' string",
- op->udata);
+ domain);
 goto cleanup;
 }
 if ((stval = acme_status_type(status->data.string)) == -1) {
 kore_log(LOG_NOTICE, "[%s] order has invalid status",
- op->udata);
+ domain);
 goto cleanup;
 }
@@ -615,7 +639,7 @@ acme_order_create_submit(struct acme_sign_op *op, struct kore_buf *payload)
 order->status = stval;
 order->start = kore_time_ms();
 order->id = kore_strdup(header);
- order->domain = kore_strdup(op->udata);
+ order->domain = kore_strdup(domain);
 order->state = ACME_ORDER_STATE_RUNNING;
 order->final = kore_strdup(final->data.string);
@@ -636,7 +660,7 @@ acme_order_create_submit(struct acme_sign_op *op, struct kore_buf *payload)
 cleanup:
 if (order == NULL)
- acme_order_retry(op->udata);
+ acme_order_retry(domain);
 kore_json_cleanup(&json);
 acme_request_cleanup(&req);
@@ -1299,7 +1323,7 @@ acme_generic_submit(struct acme_sign_op *op, struct kore_buf *payload)
 }
 kore_log(LOG_INFO, "submitted %zu bytes to %s",
- payload->offset, op->udata);
+ payload->offset, req.curl.url);
 cleanup:
 acme_request_cleanup(&req);
diff --git a/src/keymgr.c b/src/keymgr.c
index 41e6a79..8ee8737 100644
--- a/src/keymgr.c
+++ b/src/keymgr.c
@@ -107,6 +107,12 @@ static struct sock_filter filter_keymgr[] = {
 #if defined(__NR_getrandom)
 KORE_SYSCALL_ALLOW(getrandom),
 #endif
+
+#if defined(KORE_USE_ACME)
+ KORE_SYSCALL_ALLOW(mkdir),
+ KORE_SYSCALL_ALLOW(umask),
+ KORE_SYSCALL_ALLOW(access),
+#endif
 };
 #endif
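Review bot: The new `KORE_USE_ACME` block admits mkdir, umask and access without a comment saying which keymgr operation needs them, unlike the grouped entries in acme.c; something like `/* ACME: directory creation and existence checks for the key/cert store — confirm against the keymgr ACME path */` above `KORE_SYSCALL_ALLOW(mkdir)` would tell the next reader why a signing process is allowed to create directories. Since seccomp cannot inspect the path arguments of mkdir and access, this widening relies entirely on whatever filesystem confinement the keymgr already has, which is worth stating in the same comment so it is not weakened independently later. The filter_keymgr array starts before this hunk.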