|
Packit Service |
10c312 |
#!/usr/bin/env python
|
|
Packit Service |
10c312 |
|
|
Packit Service |
10c312 |
#
|
|
Packit Service |
10c312 |
# Seccomp Library test program
|
|
Packit Service |
10c312 |
#
|
|
Packit Service |
10c312 |
# Copyright (c) 2018 Oracle and/or its affiliates. All rights reserved.
|
|
Packit Service |
10c312 |
# Author: Tom Hromatka <tom.hromatka@oracle.com>
|
|
Packit Service |
10c312 |
#
|
|
Packit Service |
10c312 |
|
|
Packit Service |
10c312 |
#
|
|
Packit Service |
10c312 |
# This library is free software; you can redistribute it and/or modify it
|
|
Packit Service |
10c312 |
# under the terms of version 2.1 of the GNU Lesser General Public License as
|
|
Packit Service |
10c312 |
# published by the Free Software Foundation.
|
|
Packit Service |
10c312 |
#
|
|
Packit Service |
10c312 |
# This library is distributed in the hope that it will be useful, but WITHOUT
|
|
Packit Service |
10c312 |
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
|
Packit Service |
10c312 |
# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
|
|
Packit Service |
10c312 |
# for more details.
|
|
Packit Service |
10c312 |
#
|
|
Packit Service |
10c312 |
# You should have received a copy of the GNU Lesser General Public License
|
|
Packit Service |
10c312 |
# along with this library; if not, see <http://www.gnu.org/licenses>.
|
|
Packit Service |
10c312 |
#
|
|
Packit Service |
10c312 |
|
|
Packit Service |
10c312 |
import argparse
|
|
Packit Service |
10c312 |
import sys
|
|
Packit Service |
10c312 |
|
|
Packit Service |
10c312 |
import util
|
|
Packit Service |
10c312 |
|
|
Packit Service |
10c312 |
from seccomp import *
|
|
Packit Service |
10c312 |
|
|
Packit Service |
10c312 |
denylist = [
|
|
Packit Service |
10c312 |
"times",
|
|
Packit Service |
10c312 |
"ptrace",
|
|
Packit Service |
10c312 |
"getuid",
|
|
Packit Service |
10c312 |
"syslog",
|
|
Packit Service |
10c312 |
"getgid",
|
|
Packit Service |
10c312 |
"setuid",
|
|
Packit Service |
10c312 |
"setgid",
|
|
Packit Service |
10c312 |
"geteuid",
|
|
Packit Service |
10c312 |
"getegid",
|
|
Packit Service |
10c312 |
"setpgid",
|
|
Packit Service |
10c312 |
"getppid",
|
|
Packit Service |
10c312 |
"getpgrp",
|
|
Packit Service |
10c312 |
"setsid",
|
|
Packit Service |
10c312 |
"setreuid",
|
|
Packit Service |
10c312 |
"setregid",
|
|
Packit Service |
10c312 |
"getgroups",
|
|
Packit Service |
10c312 |
"setgroups",
|
|
Packit Service |
10c312 |
"setresuid",
|
|
Packit Service |
10c312 |
"getresuid",
|
|
Packit Service |
10c312 |
"setresgid",
|
|
Packit Service |
10c312 |
"getresgid",
|
|
Packit Service |
10c312 |
"getpgid",
|
|
Packit Service |
10c312 |
"setfsuid",
|
|
Packit Service |
10c312 |
"setfsgid",
|
|
Packit Service |
10c312 |
]
|
|
Packit Service |
10c312 |
|
|
Packit Service |
10c312 |
def test():
|
|
Packit Service |
10c312 |
action = util.parse_action(sys.argv[1])
|
|
Packit Service |
10c312 |
if not action == ALLOW:
|
|
Packit Service |
10c312 |
quit(1)
|
|
Packit Service |
10c312 |
util.install_trap()
|
|
Packit Service |
10c312 |
f = SyscallFilter(TRAP)
|
|
Packit Service |
10c312 |
f.set_attr(Attr.CTL_TSYNC, 1)
|
|
Packit Service |
10c312 |
# NOTE: additional syscalls required for python
|
|
Packit Service |
10c312 |
f.add_rule(ALLOW, "stat")
|
|
Packit Service |
10c312 |
f.add_rule(ALLOW, "fstat")
|
|
Packit Service |
10c312 |
f.add_rule(ALLOW, "open")
|
|
Packit Service |
10c312 |
f.add_rule(ALLOW, "openat")
|
|
Packit Service |
10c312 |
f.add_rule(ALLOW, "mmap")
|
|
Packit Service |
10c312 |
f.add_rule(ALLOW, "munmap")
|
|
Packit Service |
10c312 |
f.add_rule(ALLOW, "read")
|
|
Packit Service |
10c312 |
f.add_rule(ALLOW, "write")
|
|
Packit Service |
10c312 |
f.add_rule(ALLOW, "close")
|
|
Packit Service |
10c312 |
f.add_rule(ALLOW, "rt_sigaction")
|
|
Packit Service |
10c312 |
f.add_rule(ALLOW, "rt_sigreturn")
|
|
Packit Service |
10c312 |
f.add_rule(ALLOW, "sigreturn")
|
|
Packit Service |
10c312 |
f.add_rule(ALLOW, "sigaltstack")
|
|
Packit Service |
10c312 |
f.add_rule(ALLOW, "brk")
|
|
Packit Service |
10c312 |
f.add_rule(ALLOW, "exit_group")
|
|
Packit Service |
10c312 |
|
|
Packit Service |
10c312 |
for syscall in denylist:
|
|
Packit Service |
10c312 |
f.add_rule(KILL, syscall)
|
|
Packit Service |
10c312 |
|
|
Packit Service |
10c312 |
f.load()
|
|
Packit Service |
10c312 |
try:
|
|
Packit Service |
10c312 |
util.write_file("/dev/null")
|
|
Packit Service |
10c312 |
except OSError as ex:
|
|
Packit Service |
10c312 |
quit(ex.errno)
|
|
Packit Service |
10c312 |
quit(160)
|
|
Packit Service |
10c312 |
|
|
Packit Service |
10c312 |
test()
|
|
Packit Service |
10c312 |
|
|
Packit Service |
10c312 |
# kate: syntax python;
|
|
Packit Service |
10c312 |
# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
|