seccomp: Restrict socket to domain
mbuesch committed Oct 3, 2024
1 parent 48fa4b6 commit 9ba1c2f
Showing 1 changed file with 18 additions and 3 deletions.
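--- a/letmein-seccomp/src/lib.rs
+++ b/letmein-seccomp/src/lib.rs
@@ -15,7 +15,9 @@ use anyhow::{self as ah, Context as _};
 use seccompiler::BpfProgram;
 
 #[cfg(feature = "compile")]
-use seccompiler::{SeccompAction, SeccompFilter, SeccompRule};
+use seccompiler::{
+SeccompAction, SeccompCmpArgLen, SeccompCmpOp, SeccompCondition, SeccompFilter, SeccompRule,
+};
 #[cfg(feature = "compile")]
 use std::{collections::BTreeMap, env::consts::ARCH};
 
@@ -31,6 +33,18 @@ macro_rules! sys {
 }};
 }
 
+#[cfg(feature = "compile")]
+macro_rules! arg {
+($arg:literal, $value:expr) => {
+SeccompRule::new(vec![SeccompCondition::new(
+$arg,
+SeccompCmpArgLen::Dword,
+SeccompCmpOp::Eq,
+($value) as _,
+)?])?
+};
+}
+
 #[cfg(feature = "de")]
 use seccompiler::sock_filter;
 
@@ -159,12 +173,13 @@ impl Filter {
 }
 Allow::UnixConnect => {
 rules.insert(sys!(SYS_connect), vec![]);
-rules.insert(sys!(SYS_socket), vec![]); //TODO: Restrict to AF_UNIX
+rules.insert(sys!(SYS_socket), vec![arg!(0, libc::AF_UNIX)]);
 rules.insert(sys!(SYS_getsockopt), vec![]);
 }
 Allow::TcpAccept => {
 rules.insert(sys!(SYS_accept4), vec![]);
-rules.insert(sys!(SYS_socket), vec![]); //TODO: Restrict to AF_UNIX
+rules.insert(sys!(SYS_socket), vec![arg!(0, libc::AF_INET)]);
+rules.insert(sys!(SYS_socket), vec![arg!(0, libc::AF_INET6)]);
 rules.insert(sys!(SYS_getsockopt), vec![]);
 }
 Allow::Read => {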
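Review bot: In the `Allow::TcpAccept` arm the two `rules.insert(sys!(SYS_socket), …)` calls use the same key, so if `rules` is the `BTreeMap` imported at the top of the file (its declaration is outside the hunk), the second insert replaces the first and only `AF_INET6` remains allowed; an IPv4 `socket()` call would then fall through to the filter's default action. Both rules belong in one vector, `rules.insert(sys!(SYS_socket), vec![arg!(0, libc::AF_INET), arg!(0, libc::AF_INET6)]);`, since seccompiler treats the rules listed for one syscall as alternatives. The same overwrite presumably happens across arms when `UnixConnect` and `TcpAccept` are requested together (the loop over the allow list is outside the hunk), so extending the entry, e.g. `rules.entry(sys!(SYS_socket)).or_default().push(arg!(0, libc::AF_UNIX));`, would be safer than `insert`. A test that compiles a filter with both allow entries and checks all three domains would catch a regression here.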
