3 #if defined(__FreeBSD__)
5 #include <sys/capsicum.h>
11 if (cap_enter() == -1)
15 #elif defined(__linux__)
17 #include <sys/prctl.h>
18 #include <sys/syscall.h>
19 #include <sys/syscall.h>
20 #include <sys/types.h>
22 #include <linux/audit.h>
23 #include <linux/filter.h>
24 #include <linux/seccomp.h>
32 /* thanks chromium' src/seccomp.c */
34 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_I386
35 #elif defined(__x86_64__)
36 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_X86_64
37 #elif defined(__arm__)
38 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARM
39 #elif defined(__aarch64__)
40 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_AARCH64
41 #elif defined(__mips__)
42 # if defined(__mips64)
43 # if defined(__MIPSEB__)
44 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPS64
46 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPSEL64
49 # if defined(__MIPSEB__)
50 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPS
52 # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPSEL
56 # error "Platform does not support seccomp filter yet"
59 /* uncomment to enable debugging. ONLY FOR DEVELOPMENT */
60 /* #define SC_DEBUG */
63 # define SC_FAIL SECCOMP_RET_TRAP
65 # define SC_FAIL SECCOMP_RET_KILL
68 /* make the filter more readable */
69 #define SC_ALLOW(nr) \
70 BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_##nr, 0, 1), \
71 BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)
79 sandbox_seccomp_violation(int signum, siginfo_t *info, void *ctx)
84 fprintf(stderr, "%s: unexpected system call (arch:0x%x,syscall:%d @ %p)\n",
85 __func__, info->si_arch, info->si_syscall, info->si_call_addr);
90 sandbox_seccomp_catch_sigsys(void)
95 memset(&act, 0, sizeof(act));
97 sigaddset(&mask, SIGSYS);
99 act.sa_sigaction = &sandbox_seccomp_violation;
100 act.sa_flags = SA_SIGINFO;
101 if (sigaction(SIGSYS, &act, NULL) == -1) {
102 fprintf(stderr, "%s: sigaction(SIGSYS): %s\n",
103 __func__, strerror(errno));
106 if (sigprocmask(SIG_UNBLOCK, &mask, NULL) == -1) {
107 fprintf(stderr, "%s: sigprocmask(SIGSYS): %s\n",
108 __func__, strerror(errno));
112 #endif /* SC_DEBUG */
117 struct sock_filter filter[] = {
118 /* load the *current* architecture */
119 BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
120 (offsetof(struct seccomp_data, arch))),
121 /* ensure it's the same that we've been compiled on */
122 BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
123 SECCOMP_AUDIT_ARCH, 1, 0),
124 /* if not, kill the program */
125 BPF_STMT(BPF_RET | BPF_K, SC_FAIL),
127 /* load the syscall number */
128 BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
129 (offsetof(struct seccomp_data, nr))),
131 /* allow logging on stdout */
136 /* these are used to serve the files. note how we
137 * allow openat but not open. */
151 /* we need recvmsg to receive fd */
158 SC_ALLOW(exit_group),
160 /* allow ioctl but only on fd 1, glibc doing stuff? */
161 BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_ioctl, 0, 3),
162 BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
163 (offsetof(struct seccomp_data, args[0]))),
164 BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 1, 0, 1),
165 BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
167 /* disallow enything else */
168 BPF_STMT(BPF_RET | BPF_K, SC_FAIL),
171 struct sock_fprog prog = {
172 .len = (unsigned short) (sizeof(filter) / sizeof(filter[0])),
177 sandbox_seccomp_catch_sigsys();
180 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1) {
181 fprintf(stderr, "%s: prctl(PR_SET_NO_NEW_PRIVS): %s\n",
182 __func__, strerror(errno));
186 if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == -1) {
187 fprintf(stderr, "%s: prctl(PR_SET_SECCOMP): %s\n",
188 __func__, strerror(errno));
193 #elif defined(__OpenBSD__)
203 for (h = hosts; h->domain != NULL; ++h) {
204 if (unveil(h->dir, "rx") == -1)
205 err(1, "unveil %s for domain %s", h->dir, h->domain);
208 if (pledge("stdio recvfd rpath inet", NULL) == -1)
217 LOGN(NULL, "%s", "no sandbox method known for this OS");