From 9ba1c2f4cd9f9a5f239ba109bd2a34f199eafb8d Mon Sep 17 00:00:00 2001
From: Michael Buesch
Date: Fri, 4 Oct 2024 00:07:04 +0200
Subject: [PATCH] seccomp: Restrict `socket` to domain

---
 letmein-seccomp/src/lib.rs | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)

diff --git a/letmein-seccomp/src/lib.rs b/letmein-seccomp/src/lib.rs
index b754fb3..34564c8 100644
--- a/letmein-seccomp/src/lib.rs
+++ b/letmein-seccomp/src/lib.rs
@@ -15,7 +15,9 @@ use anyhow::{self as ah, Context as _};
 use seccompiler::BpfProgram;
 #[cfg(feature = "compile")]
-use seccompiler::{SeccompAction, SeccompFilter, SeccompRule};
+use seccompiler::{
+    SeccompAction, SeccompCmpArgLen, SeccompCmpOp, SeccompCondition, SeccompFilter, SeccompRule,
+};
 #[cfg(feature = "compile")]
 use std::{collections::BTreeMap, env::consts::ARCH};
 
@@ -31,6 +33,18 @@ macro_rules! sys {
     }};
 }
 
+#[cfg(feature = "compile")]
+macro_rules! arg {
+    ($arg:literal, $value:expr) => {
+        SeccompRule::new(vec![SeccompCondition::new(
+            $arg,
+            SeccompCmpArgLen::Dword,
+            SeccompCmpOp::Eq,
+            ($value) as _,
+        )?])?
+    };
+}
+
 #[cfg(feature = "de")]
 use seccompiler::sock_filter;
 
@@ -159,12 +173,13 @@ impl Filter {
             }
             Allow::UnixConnect => {
                 rules.insert(sys!(SYS_connect), vec![]);
-                rules.insert(sys!(SYS_socket), vec![]); //TODO: Restrict to AF_UNIX
+                rules.insert(sys!(SYS_socket), vec![arg!(0, libc::AF_UNIX)]);
                 rules.insert(sys!(SYS_getsockopt), vec![]);
             }
             Allow::TcpAccept => {
                 rules.insert(sys!(SYS_accept4), vec![]);
-                rules.insert(sys!(SYS_socket), vec![]); //TODO: Restrict to AF_UNIX
+                rules.insert(sys!(SYS_socket), vec![arg!(0, libc::AF_INET)]);
+                rules.insert(sys!(SYS_socket), vec![arg!(0, libc::AF_INET6)]);
                 rules.insert(sys!(SYS_getsockopt), vec![]);
             }
             Allow::Read => {
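Review bot: The new `arg!` macro in the second hunk has no doc comment, and two of its properties are invisible at the call site: the expansion contains `?`, so it only works inside a function whose error type accepts seccompiler's errors, and `$value` is cast with `as _` to the width implied by `SeccompCmpArgLen::Dword`. I would add above it: `/// Build a SeccompRule matching when syscall argument $arg, compared as a 32-bit dword, equals $value. Expands to expressions using ?, so it is only usable where the enclosing fn returns a compatible Result.` A dword compare is right for the `int domain` argument of socket(2), but the comment should warn that pointer- or size-sized arguments need `SeccompCmpArgLen::Qword` rather than this macro.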
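Review bot: In the `Allow::TcpAccept` arm of the last hunk, the two consecutive `rules.insert(sys!(SYS_socket), …)` calls use the same key; if `rules` is the `BTreeMap` imported in the first hunk, the second insert replaces the first, so the AF_INET rule is silently dropped and only AF_INET6 sockets remain allowed, meaning an IPv4 listener would be rejected by the filter's default action at socket(2). Both conditions belong in a single rule vector, which seccompiler evaluates as alternatives (any matching rule permits the call): `rules.insert(sys!(SYS_socket), vec![arg!(0, libc::AF_INET), arg!(0, libc::AF_INET6)]);`. The enclosing method of `impl Filter` starts and ends outside the hunk. A test that builds the `TcpAccept` filter and checks that both domains are permitted would pin this down.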