Главная Обзор Помощь
Регистрация Вход
pajamapants3000
/
linux-seccomp-pledge
ответвлено от rain1/linux-seccomp-pledge
Следить 1
В избранное 0
Ответвить 0
Файлы Обсуждения 0 Запросы на слияние 0 Вики
Ветка: master
Ветки Метки
linux-seccom...
/
pledge.c

pledge.c 15 KB
Постоянная ссылка История Исходник

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531 
  1. #include <seccomp.h>
    2. 

  2. #include <errno.h>
    3. 

  3. #include <string.h>
    4. 

  4. 

  5. #include <sys/ioctl.h>
    6. 

  6. 

  7. 

  8. enum {
    9. 

  9. 	PLEDGE_STDIO        = 1 << 0,
    10. 

  10. 	PLEDGE_RPATH        = 1 << 1,
    11. 

  11. 	PLEDGE_WPATH        = 1 << 2,
    12. 

  12. 	PLEDGE_CPATH        = 1 << 3,
    13. 

  13. 	PLEDGE_DPATH        = 1 << 4,
    14. 

  14. 	PLEDGE_TMPPATH      = 1 << 5,
    15. 

  15. 	PLEDGE_INET         = 1 << 6,
    16. 

  16. 	PLEDGE_FATTR        = 1 << 7,
    17. 

  17. 	PLEDGE_FLOCK        = 1 << 8,
    18. 

  18. 	PLEDGE_UNIX         = 1 << 9,
    19. 

  19. 	PLEDGE_DNS          = 1 << 10,
    20. 

  20. 	PLEDGE_GETPW        = 1 << 11,
    21. 

  21. 	PLEDGE_SENDFD       = 1 << 12,
    22. 

  22. 	PLEDGE_RECVFD       = 1 << 13,
    23. 

  23. 	PLEDGE_IOCTL        = 1 << 14,
    24. 

  24. 	PLEDGE_TTY          = 1 << 15,
    25. 

  25. 	PLEDGE_PROC         = 1 << 16,
    26. 

  26. 	PLEDGE_EXEC         = 1 << 17,
    27. 

  27. 	PLEDGE_PROT_EXEC    = 1 << 18,
    28. 

  28. 	PLEDGE_SETTIME      = 1 << 19,
    29. 

  29. 	PLEDGE_PS           = 1 << 20,
    30. 

  30. 	PLEDGE_VMINFO       = 1 << 21,
    31. 

  31. 	PLEDGE_ID           = 1 << 22,
    32. 

  32. 	PLEDGE_PF           = 1 << 23,
    33. 

  33. 	PLEDGE_AUDIO        = 1 << 24,
    34. 

  34. };
    35. 

  35. 

  36. typedef struct {
    37. 

  37. 	char *name;
    38. 

  38. 	int mask;
    39. 

  39. } promise;
    40. 

  40. 

  41. promise ptable[] = {
    42. 

  42. 	{ .name = "stdio",      .mask = PLEDGE_STDIO },
    43. 

  43. 	{ .name = "rpath",      .mask = PLEDGE_RPATH },
    44. 

  44. 	{ .name = "wpath",      .mask = PLEDGE_WPATH },
    45. 

  45. 	{ .name = "cpath",      .mask = PLEDGE_CPATH },
    46. 

  46. 	{ .name = "dpath",      .mask = PLEDGE_DPATH },
    47. 

  47. 	{ .name = "tmppath",    .mask = PLEDGE_TMPPATH },
    48. 

  48. 	{ .name = "inet",       .mask = PLEDGE_INET },
    49. 

  49. 	{ .name = "fattr",      .mask = PLEDGE_FATTR },
    50. 

  50. 	{ .name = "flock",      .mask = PLEDGE_FLOCK },
    51. 

  51. 	{ .name = "unix",       .mask = PLEDGE_UNIX },
    52. 

  52. 	{ .name = "dns",        .mask = PLEDGE_DNS },
    53. 

  53. 	{ .name = "getpw",      .mask = PLEDGE_GETPW },
    54. 

  54. 	{ .name = "sendfd",     .mask = PLEDGE_SENDFD },
    55. 

  55. 	{ .name = "recvfd",     .mask = PLEDGE_RECVFD },
    56. 

  56. 	{ .name = "ioctl",      .mask = PLEDGE_IOCTL },
    57. 

  57. 	{ .name = "tty",        .mask = PLEDGE_TTY },
    58. 

  58. 	{ .name = "proc",       .mask = PLEDGE_PROC },
    59. 

  59. 	{ .name = "exec",       .mask = PLEDGE_EXEC },
    60. 

  60. 	{ .name = "prot_exec",  .mask = PLEDGE_PROT_EXEC },
    61. 

  61. 	{ .name = "settime",    .mask = PLEDGE_SETTIME },
    62. 

  62. 	{ .name = "ps",         .mask = PLEDGE_PS },
    63. 

  63. 	{ .name = "vminfo",     .mask = PLEDGE_VMINFO },
    64. 

  64. 	{ .name = "id",         .mask = PLEDGE_ID },
    65. 

  65. 	{ .name = "pf",         .mask = PLEDGE_PF },
    66. 

  66. 	{ .name = "audio",      .mask = PLEDGE_AUDIO },
    67. 

  67. };
    68. 

  68. 

  69. int
    70. 

  70. pledge(const char *promises, const char *paths[])
    71. 

  71. {
    72. 

  72. 	int i, n, f;
    73. 

  73. 	int flags = 0;
    74. 

  74. 

  75.         int rc = -1;
    76. 

  76.         scmp_filter_ctx ctx;
    77. 

  77. 

  78.         ctx = seccomp_init(SCMP_ACT_TRAP);
    79. 

  79.         if (!ctx) {
    80. 

  80. 		errno = EACCES;
    81. 

  81. 		goto out;
    82. 

  82. 	}
    83. 

  83. 

  84. 	while (*promises) {
    85. 

  85. 		// skip spaces
    86. 

  86. 		while (*promises && *promises == ' ') promises++;
    87. 

  87. 

  88. 		// look for a token
    89. 

  89. 		f = 0;
    90. 

  90. 		for (i = 0; i < sizeof(ptable)/sizeof(*ptable); i++) {
    91. 

  91. 			n = strlen(ptable[i].name);
    92. 

  92. 			if (!strncmp(promises, ptable[i].name, n)) {
    93. 

  93. 				// this can be removed once every promise has been implemented
    94. 

  94. 				if (!ptable[i].mask) {
    95. 

  95. 					errno = ENOSYS;
    96. 

  96. 					goto out;
    97. 

  97. 				}
    98. 

  98. 				flags |= ptable[i].mask;
    99. 

  99. 				promises += n;
    100. 

  100. 				f = 1;
    101. 

  101. 				break;
    102. 

  102. 			}
    103. 

  103. 		}
    104. 

  104. 

  105. 		// what we saw was not any valid token
    106. 

  106. 		if (!f) {
    107. 

  107. 			errno = EINVAL;
    108. 

  108. 			goto out;
    109. 

  109. 		}
    110. 

  110. 

  111. 		// ensure the token is terminated by a space or end of string
    112. 

  112. 		if (*promises && *promises != ' ') {
    113. 

  113. 			errno = EINVAL;
    114. 

  114. 			goto out;
    115. 

  115. 		}
    116. 

  116. 	}
    117. 

  117. 

  118. #define RULE(syscall) \
    119. 

  119.         rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(syscall), 0); \
    120. 

  120.         if (rc < 0) goto out
    121. 

  121. 

  122. 	// everyone is allowed to exit
    123. 

  123. 	RULE(exit_group);
    124. 

  124. 

  125. 	if (flags & PLEDGE_STDIO) {
    126. 

  126.         RULE(clock_getres);
    127. 

  127.         RULE(clock_gettime);
    128. 

  128.         RULE(close);
    129. 

  129. /*        RULE(closefrom);  */
    130. 

  130.         RULE(dup);
    131. 

  131.         RULE(dup2);
    132. 

  132.         RULE(dup3);
    133. 

  133.         RULE(fchdir);
    134. 

  134.         RULE(fcntl);
    135. 

  135.         RULE(fstat);
    136. 

  136.         RULE(fsync);
    137. 

  137.         RULE(ftruncate);
    138. 

  138.         RULE(getdents);
    139. 

  139. /*        RULE(getdtablecount);     */
    140. 

  140.         RULE(getegid);
    141. 

  141. /*        RULE(getentropy);         */
    142. 

  142.         RULE(geteuid);
    143. 

  143.         RULE(getgid);
    144. 

  144.         RULE(getgroups);
    145. 

  145.         RULE(getitimer);
    146. 

  146. /*        RULE(getlogin);           */
    147. 

  147.         RULE(getpgid);
    148. 

  148.         RULE(getpgrp);
    149. 

  149.         RULE(getpid);
    150. 

  150.         RULE(getppid);
    151. 

  151.         RULE(getresgid);
    152. 

  152.         RULE(getresuid);
    153. 

  153.         RULE(getrlimit);
    154. 

  154.         RULE(getsid);
    155. 

  155. /*        RULE(getthrid);           */
    156. 

  156.         RULE(gettimeofday);
    157. 

  157.         RULE(getuid);
    158. 

  158.         RULE(getuid);
    159. 

  159. /*        RULE(issetugid);          */
    160. 

  160. /*        RULE(kevent);             */
    161. 

  161. /*        RULE(kqueue);             */
    162. 

  162.         RULE(lseek);
    163. 

  163.         RULE(madvise);
    164. 

  164. /*        RULE(minherit);           */
    165. 

  165.         RULE(mmap);
    166. 

  166.         RULE(mprotect);
    167. 

  167. /*        RULE(mquery);             */
    168. 

  168.         RULE(munmap);
    169. 

  169.         RULE(nanosleep);
    170. 

  170.         RULE(pipe);
    171. 

  171.         RULE(pipe2);
    172. 

  172.         RULE(poll);
    173. 

  173. /*        RULE(pread);              */
    174. 

  174.         RULE(preadv);
    175. 

  175. /*        RULE(pwrite);             */
    176. 

  176.         RULE(pwritev);
    177. 

  177.         RULE(read);
    178. 

  178.         RULE(readv);
    179. 

  179.         RULE(recvfrom);
    180. 

  180.         RULE(recvmsg);
    181. 

  181.         RULE(select);
    182. 

  182.         RULE(sendmsg);
    183. 

  183. /*        RULE(sendsyslog);         */
    184. 

  184.     /* sendto: only if dest sockaddr is NULL */
    185. 

  185.         RULE(sendto);
    186. 

  186.         RULE(setitimer);
    187. 

  187.         RULE(shutdown);
    188. 

  188.         RULE(sigaction);
    189. 

  189.         RULE(sigprocmask);
    190. 

  190.         RULE(sigreturn);
    191. 

  191.         RULE(socketpair);
    192. 

  192.         RULE(umask);
    193. 

  193.         RULE(wait4);
    194. 

  194.         RULE(write);
    195. 

  195.         RULE(writev);
    196. 

  196. 	}
    197. 

  197. 	if (flags & PLEDGE_RPATH) {
    198. 

  198.     /* Allowed if the only cause read-only effects on file system */
    199. 

  199.         RULE(chdir);
    200. 

  200.         RULE(getcwd);
    201. 

  201.         RULE(openat);
    202. 

  202. /*        RULE(fstatat);            */
    203. 

  203.         RULE(faccessat);
    204. 

  204.         RULE(readlinkat);
    205. 

  205.         RULE(lstat);
    206. 

  206.         RULE(chmod);
    207. 

  207.         RULE(fchmod);
    208. 

  208.         RULE(fchmodat);
    209. 

  209. /*        RULE(chflags);            */
    210. 

  210. /*        RULE(chflagsat);          */
    211. 

  211.         RULE(chown);
    212. 

  212.         RULE(fchown);
    213. 

  213.         RULE(fchownat);
    214. 

  214.         RULE(fstat);
    215. 

  215. /*        RULE(getfsstat);          */
    216. 

  216.     }
    217. 

  217. 	if (flags & PLEDGE_WPATH) {
    218. 

  218.     /* system calls may have write effects on file system */
    219. 

  219.         RULE(getcwd);
    220. 

  220.         RULE(openat);
    221. 

  221. /*        RULE(fstatat);            */
    222. 

  222.         RULE(faccessat);
    223. 

  223.         RULE(readlinkat);
    224. 

  224.         RULE(lstat);
    225. 

  225.         RULE(chmod);
    226. 

  226.         RULE(fchmod);
    227. 

  227.         RULE(fchmodat);
    228. 

  228. /*        RULE(chflags);            */
    229. 

  229. /*        RULE(chflagsat);          */
    230. 

  230.         RULE(chown);
    231. 

  231.         RULE(fchown);
    232. 

  232.         RULE(fchownat);
    233. 

  233.         RULE(fstat);
    234. 

  234.     }
    235. 

  235. 	if (flags & PLEDGE_CPATH) {
    236. 

  236.     /* system calls may create new files or directories on file system */
    237. 

  237.         RULE(rename);
    238. 

  238.         RULE(rmdir);
    239. 

  239.         RULE(renameat);
    240. 

  240.         RULE(link);
    241. 

  241.         RULE(linkat);
    242. 

  242.         RULE(symlink);
    243. 

  243.         RULE(unlink);
    244. 

  244.         RULE(unlinkat);
    245. 

  245.         RULE(mkdir);
    246. 

  246.         RULE(mkdirat);
    247. 

  247.     }
    248. 

  248. 	if (flags & PLEDGE_DPATH) {
    249. 

  249.     /* may create special files */
    250. 

  250. /*        RULE(mkfifo);             */
    251. 

  251.         RULE(mknod);
    252. 

  252. 

  253.     }
    254. 

  254. 	if (flags & PLEDGE_TMPPATH) {
    255. 

  255.     /* system calls permitted to read, write, and create in /tmp directory */
    256. 

  256.         RULE(lstat);
    257. 

  257.         RULE(chmod);
    258. 

  258. /*        RULE(chflags);            */
    259. 

  259.         RULE(chown);
    260. 

  260.         RULE(unlink);
    261. 

  261.         RULE(fstat);
    262. 

  262. 

  263.     }
    264. 

  264. 	if (flags & PLEDGE_INET) {
    265. 

  265.     /* system calls may operate in AF_INET and AF_INET6 domains */
    266. 

  266.         RULE(socket);
    267. 

  267.         RULE(listen);
    268. 

  268.         RULE(bind);
    269. 

  269.         RULE(connect);
    270. 

  270.         RULE(accept4);
    271. 

  271.         RULE(accept);
    272. 

  272.         RULE(getpeername);
    273. 

  273.         RULE(getsockname);
    274. 

  274.     /* setsockopt: substantially reduced in functionality */
    275. 

  275.         RULE(setsockopt);
    276. 

  276.         RULE(getsockopt);
    277. 

  277. 

  278.     }
    279. 

  279. 	if (flags & PLEDGE_FATTR) {
    280. 

  280.     /* system calls may make explicit changes in struct stat of a file */
    281. 

  281.         RULE(socket);
    282. 

  282.         RULE(listen);
    283. 

  283.         RULE(bind);
    284. 

  284.         RULE(connect);
    285. 

  285.         RULE(accept4);
    286. 

  286.         RULE(accept);
    287. 

  287.         RULE(getpeername);
    288. 

  288.         RULE(getsockname);
    289. 

  289.         RULE(setsockopt);
    290. 

  290.         RULE(getsockopt);
    291. 

  291. 

  292.     }
    293. 

  293. 	if (flags & PLEDGE_FLOCK) {
    294. 

  294.     /* no distinction btw shared/exclusive locks; required for lock/unlock */
    295. 

  295.         RULE(fcntl);
    296. 

  296.         RULE(flock);
    297. 

  297. /*        RULE(lockf);              */
    298. 

  298.         RULE(open);
    299. 

  299. 

  300.     }
    301. 

  301. 	if (flags & PLEDGE_UNIX) {
    302. 

  302.     /* system calls may operate in AF_UNIX domain */
    303. 

  303.         RULE(socket);
    304. 

  304.         RULE(listen);
    305. 

  305.         RULE(bind);
    306. 

  306.         RULE(connect);
    307. 

  307.         RULE(accept4);
    308. 

  308.         RULE(accept);
    309. 

  309.         RULE(getpeername);
    310. 

  310.         RULE(getsockname);
    311. 

  311.         RULE(setsockopt);
    312. 

  312.         RULE(getsockopt);
    313. 

  313. 

  314.     }
    315. 

  315. 	if (flags & PLEDGE_DNS) {
    316. 

  316.     /* subsequent to successful open of /etc/resolv.conf; allow DNS xaction */
    317. 

  317.         RULE(sendto);
    318. 

  318.         RULE(recvfrom);
    319. 

  319.         RULE(socket);
    320. 

  320.         RULE(connect);
    321. 

  321. 

  322.     }
    323. 

  323. 	if (flags & PLEDGE_GETPW) {
    324. 

  324.         /* ro opening of files in /etc */
    325. 

  325. /*        RULE(getpwnam);           */
    326. 

  326. /*        RULE(getgrnam);           */
    327. 

  327. /*        RULE(getgrouplist);       */
    328. 

  328. /*        RULE(initgroups);     */
    329. 

  329. 

  330.     }
    331. 

  331. 	if (flags & PLEDGE_SENDFD) {
    332. 

  332.     /* directory FDs not permitted */
    333. 

  333.         RULE(sendmsg);
    334. 

  334. 

  335.     }
    336. 

  336. 	if (flags & PLEDGE_RECVFD) {
    337. 

  337.     /* directory FDs not permitted */
    338. 

  338.         RULE(recvmsg);
    339. 

  339. 

  340.     }
    341. 

  341. 	if (flags & PLEDGE_IOCTL) {
    342. 

  342.     /* allows subset of ioctl:
    343. 

  343.      * FIOCLEX
    344. 

  344.      * FIONCLEX
    345. 

  345.      * FIOASYNC
    346. 

  346.      * FIOGETOWN
    347. 

  347.      * FIOSETOWN
    348. 

  348.      * TIOCGETA succeed on tty device, otherwise fail with EPERM
    349. 

  349.      * TIOCGPGRP and TIOCGWINSZ allowed on tty device
    350. 

  350.      * Rather than test for tty device, just let ioctl fail on ENOTTY
    351. 

  351.      * A few other operations are allowed, but not listed here (?)
    352. 

  352.      */
    353. 

  353.         rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(ioctl), 1,
    354. 

  354.                 SCMP_A1(SCMP_CMP_EQ, FIOCLEX));
    355. 

  355.         rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(ioctl), 1,
    356. 

  356.                 SCMP_A1(SCMP_CMP_EQ, FIONCLEX));
    357. 

  357.         rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(ioctl), 1,
    358. 

  358.                 SCMP_A1(SCMP_CMP_EQ, FIOASYNC));
    359. 

  359. /*        rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(ioctl), 1,
    360. 

  360.                 SCMP_A1(SCMP_CMP_EQ, FIOGETOWN));   */
    361. 

  361. /*        rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(ioctl), 1,
    362. 

  362.                 SCMP_A1(SCMP_CMP_EQ, FIOSETOWN));   */
    363. 

  363. /*        rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(ioctl), 2,
    364. 

  364.                 SCMP_A1(SCMP_CMP_EQ, TIOCGETA));    */
    365. 

  365.         rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(ioctl), 2,
    366. 

  366.                 SCMP_A1(SCMP_CMP_EQ, TIOCGPGRP));
    367. 

  367. 

  368.     }
    369. 

  369. 	if (flags & PLEDGE_TTY) {
    370. 

  370.     /* allows subset of ioctl:
    371. 

  371.      * TIOCSPGRP
    372. 

  372.      * TIOCGETA
    373. 

  373.      * TIOCGPGRP
    374. 

  374.      * TIOCGWINSZ
    375. 

  375.      * TIOCSWINSZ
    376. 

  376.      * TIOCSBRK
    377. 

  377.      * TIOCCDTR
    378. 

  378.      * TIOCSETA
    379. 

  379.      * TIOCSETAW
    380. 

  380.      * TIOCSETAF
    381. 

  381.      */
    382. 

  382.      rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(ioctl), 1,
    383. 

  383.         SCMP_A1(SCMP_CMP_EQ, TIOCSPGRP));
    384. 

  384. /*     rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(ioctl), 1,
    385. 

  385.         SCMP_A1(SCMP_CMP_EQ, TIOCGETA));    */
    386. 

  386.      rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(ioctl), 1,
    387. 

  387.         SCMP_A1(SCMP_CMP_EQ, TIOCGPGRP));
    388. 

  388.      rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(ioctl), 1,
    389. 

  389.         SCMP_A1(SCMP_CMP_EQ, TIOCGWINSZ));
    390. 

  390.      rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(ioctl), 1,
    391. 

  391.         SCMP_A1(SCMP_CMP_EQ, TIOCSWINSZ));
    392. 

  392.      rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(ioctl), 1,
    393. 

  393.         SCMP_A1(SCMP_CMP_EQ, TIOCSBRK));
    394. 

  394. /*     rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(ioctl), 1,
    395. 

  395.         SCMP_A1(SCMP_CMP_EQ, TIOCCDTR));    */
    396. 

  396. /*     rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(ioctl), 1,
    397. 

  397.         SCMP_A1(SCMP_CMP_EQ, TIOCSETA));    */
    398. 

  398. /*     rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(ioctl), 1,
    399. 

  399.         SCMP_A1(SCMP_CMP_EQ, TIOCSETAW));   */
    400. 

  400. /*     rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(ioctl), 1,
    401. 

  401.         SCMP_A1(SCMP_CMP_EQ, TIOCSETAF));   */
    402. 

  402.     /* Also, allow r/w operations on /dev/tty */
    403. 

  403.     }
    404. 

  404. 	if (flags & PLEDGE_TTY & PLEDGE_RPATH) {
    405. 

  405. /*        RULE(revoke);                 */
    406. 

  406.     }
    407. 

  407. 	if (flags & PLEDGE_PROC) {
    408. 

  408.         RULE(fork);
    409. 

  409.         RULE(vfork);
    410. 

  410.         RULE(kill);
    411. 

  411.         RULE(getpriority);
    412. 

  412.         RULE(setpriority);
    413. 

  413.         RULE(setrlimit);
    414. 

  414.         RULE(setpgid);
    415. 

  415.         RULE(setsid);
    416. 

  416. 

  417.     }
    418. 

  418. 	if (flags & PLEDGE_EXEC) {
    419. 

  419.         RULE(execve);
    420. 

  420. 

  421.     }
    422. 

  422. 	if (flags & PLEDGE_PROT_EXEC) {
    423. 

  423.     /* Allows use of PROT_EXEC with the following system calls */
    424. 

  424.         RULE(mmap);
    425. 

  425.         RULE(mprotect);
    426. 

  426. 

  427.     }
    428. 

  428. 	if (flags & PLEDGE_SETTIME) {
    429. 

  429.     /* Allows setting of system time via the following system calls */
    430. 

  430.         RULE(settimeofday);
    431. 

  431. /*        RULE(adjtime);                */
    432. 

  432. /*        RULE(and adjfreq);            */
    433. 

  433. 

  434.     }
    435. 

  435. 	if (flags & PLEDGE_PS) {
    436. 

  436.     /* Allows sufficient sysctl access for inspection of procs, as in ps */
    437. 

  437. /*        RULE(sysctl);                 */
    438. 

  438. 

  439.     }
    440. 

  440. 	if (flags & PLEDGE_VMINFO) {
    441. 

  441.     /* Allows sufficient sysctl access for inspection of virtual mem,
    442. 

  442.      * as in top, vmstat */
    443. 

  443. /*        RULE(sysctl);                 */
    444. 

  444. 

  445.     }
    446. 

  446. 	if (flags & PLEDGE_ID) {
    447. 

  447.         RULE(setuid);
    448. 

  448. /*        RULE(seteuid);                */
    449. 

  449.         RULE(setreuid);
    450. 

  450.         RULE(setresuid);
    451. 

  451.         RULE(setgid);
    452. 

  452. /*        RULE(setegid);                */
    453. 

  453.         RULE(setregid);
    454. 

  454.         RULE(setresgid);
    455. 

  455.         RULE(setgroups);
    456. 

  456. /*        RULE(setlogin);               */
    457. 

  457.         RULE(setrlimit);
    458. 

  458.         RULE(getpriority);
    459. 

  459.         RULE(setpriority);
    460. 

  460. 

  461.     }
    462. 

  462. 	if (flags & PLEDGE_PF) {
    463. 

  463.     /* Allows the following subset of ioctl operations on the pf(4) device:
    464. 

  464.      * DIOCADDRULE
    465. 

  465.      * DIOCGETSTATUS
    466. 

  466.      * DIOCNATLOOK
    467. 

  467.      * DIOCRADDTABLES
    468. 

  468.      * DIOCRCLRADDRS
    469. 

  469.      * DIOCRCLRTABLES
    470. 

  470.      * DIOCRCLRTSTATS
    471. 

  471.      * DIOCRGETTSTATS
    472. 

  472.      * DIOCRSETADDRS
    473. 

  473.      * DIOCXBEGIN
    474. 

  474.      * DIOCXCOMMIT
    475. 

  475.      */
    476. 

  476. /*     rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(ioctl), 1,
    477. 

  477.         SCMP_A1(SCMP_CMP_EQ, DIOCADDRULE));     */
    478. 

  478. /*     rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(ioctl), 1,
    479. 

  479.         SCMP_A1(SCMP_CMP_EQ, DIOCGETSTATUS));   */
    480. 

  480. /*     rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(ioctl), 1,
    481. 

  481.         SCMP_A1(SCMP_CMP_EQ, DIOCNATLOOK));     */
    482. 

  482. /*     rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(ioctl), 1,
    483. 

  483.         SCMP_A1(SCMP_CMP_EQ, DIOCRADDTABLES));  */
    484. 

  484. /*     rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(ioctl), 1,
    485. 

  485.         SCMP_A1(SCMP_CMP_EQ, DIOCRCLRADDRS));   */
    486. 

  486. /*     rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(ioctl), 1,
    487. 

  487.         SCMP_A1(SCMP_CMP_EQ, DIOCRCLRTABLES));  */
    488. 

  488. /*     rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(ioctl), 1,
    489. 

  489.         SCMP_A1(SCMP_CMP_EQ, DIOCRCLRTSTATS));  */
    490. 

  490. /*     rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(ioctl), 1,
    491. 

  491.         SCMP_A1(SCMP_CMP_EQ, DIOCRGETTSTATS));  */
    492. 

  492. /*     rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(ioctl), 1,
    493. 

  493.         SCMP_A1(SCMP_CMP_EQ, DIOCRSETADDRS));   */
    494. 

  494. /*     rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(ioctl), 1,
    495. 

  495.         SCMP_A1(SCMP_CMP_EQ, DIOCXBEGIN));  */
    496. 

  496. 

  497.     }
    498. 

  498. 	if (flags & PLEDGE_AUDIO) {
    499. 

  499.     /* Allows the following subset of ioctl operations on the audio(4) device:
    500. 

  500.      * AUDIO_GETPOS
    501. 

  501.      * AUDIO_SETINFO
    502. 

  502.      * AUDIO_GETINFO
    503. 

  503.      * AUDIO_GETENC
    504. 

  504.      * AUDIO_SETFD
    505. 

  505.      * AUDIO_GETPROPS
    506. 

  506.      */
    507. 

  507. /*     rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(ioctl), 1,
    508. 

  508.         SCMP_A1(SCMP_CMP_EQ, AUDIO_GETPOS));    */
    509. 

  509. /*     rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(ioctl), 1,
    510. 

  510.         SCMP_A1(SCMP_CMP_EQ, AUDIO_SETINFO));   */
    511. 

  511. /*     rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(ioctl), 1,
    512. 

  512.         SCMP_A1(SCMP_CMP_EQ, AUDIO_GETINFO));   */
    513. 

  513. /*     rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(ioctl), 1,
    514. 

  514.         SCMP_A1(SCMP_CMP_EQ, AUDIO_GETENC));    */
    515. 

  515. /*     rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(ioctl), 1,
    516. 

  516.         SCMP_A1(SCMP_CMP_EQ, AUDIO_SETFD));     */
    517. 

  517. /*     rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(ioctl), 1,
    518. 

  518.         SCMP_A1(SCMP_CMP_EQ, AUDIO_GETPROPS));  */
    519. 

  519. 

  520.     }
    521. 

  521. 

  522.         rc = seccomp_load(ctx);
    523. 

  523.         if (rc < 0) goto out;
    524. 

  524. 

  525. 	rc = 0;
    526. 

  526. 

  527. out:
    528. 

  528.         seccomp_release(ctx);
    529. 

  529.         return rc;
    530. 

  530. }
    531. 

  531.