#define _GNU_SOURCE
#include <errno.h>
#include <seccomp.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/fcntl.h>
#include <sys/ioctl.h>
#include <sys/queue.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <sys/wait.h>
#include <systemd/sd-daemon.h>
#include <unistd.h>
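/*
 * Install a seccomp filter that routes socket(2) and bind(2) to user-space
 * notification, then fork and exec the target program.
 *
 * Note that seccomp_load() runs in the calling process *before* fork(), so
 * the filter (and the no-new-privs bit libseccomp sets with it) applies to
 * the supervisor as well as to the child; the supervisor must therefore not
 * call socket()/bind() itself while it is the only reader of the
 * notification fd. The listener fd is expected to be close-on-exec so the
 * child does not inherit it — NOTE(review): confirm against the kernel in use.
 *
 * @param pathname  program to exec (searched via PATH, see execvpe)
 * @param argv      argument vector for the program
 * @param envp      environment for the program
 * @param pid       out: child pid on success; untouched if we fail before fork
 * @return the seccomp notification fd (>= 0) in the parent, -1 on failure.
 *         In the child this never returns: it execs, or _exit()s with 127.
 */
int confine(const char *pathname, char *const argv[], char *const envp[],
            int *pid) {
    scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_ALLOW);
    if (ctx == NULL)
        return -1;
    if (seccomp_rule_add(ctx, SCMP_ACT_NOTIFY, SCMP_SYS(socket), 0) < 0)
        goto fail;
    if (seccomp_rule_add(ctx, SCMP_ACT_NOTIFY, SCMP_SYS(bind), 0) < 0)
        goto fail;
    if (seccomp_load(ctx) < 0)
        goto fail;

    *pid = fork();
    if (*pid == 0) {
        execvpe(pathname, argv, envp);
        /* exec failed: leave immediately with _exit() so the child does not
         * return into the supervisor's main() and flush inherited stdio
         * buffers a second time. */
        _exit(127);
    }
    if (*pid == -1)
        goto fail;

    /* The ctx is intentionally not released on success: it owns the
     * notification fd for the lifetime of the supervisor. */
    return seccomp_notify_fd(ctx);

fail:
    seccomp_release(ctx);
    return -1;
}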
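/*
 * SIGCHLD handler: reap the confined child and terminate the supervisor
 * with a matching status (the child's exit code, or 128 + signal number).
 *
 * Only async-signal-safe calls are used (waitpid, _exit), and errno is
 * preserved so an interrupted call in the main loop sees its own error.
 * A SIGCHLD that does not report a terminated child (a stop notification,
 * or a spurious signal) is ignored, so the notification fd stays open and
 * the child keeps being served.
 */
static void sighandler(int sig) {
    (void)sig;
    int saved_errno = errno;
    int status = 0;
    pid_t reaped = waitpid(-1, &status, WNOHANG);
    if (reaped <= 0) {
        errno = saved_errno;
        return;
    }
    if (WIFEXITED(status))
        _exit(WEXITSTATUS(status));
    if (WIFSIGNALED(status))
        _exit(128 + WTERMSIG(status));
    _exit(0);
}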
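/*
 * Report a fatal supervisor error, stop the confined child (if any) and exit.
 */
static void fail(int pid, const char *what) {
    fprintf(stderr, "bandaid: %s failed\n", what);
    if (pid > 0)
        kill(pid, SIGTERM);
    exit(1);
}

/*
 * Answer a trapped socket(2). If a systemd-passed listening socket of the
 * requested family and base type exists, install a duplicate of it into the
 * child via SECCOMP_IOCTL_NOTIF_ADDFD and return that fd number as the
 * syscall result; otherwise let the real socket(2) run.
 *
 * Only the first matching listen fd is used, so exactly one fd is injected
 * per trapped call. The syscall arguments are passed by value in the
 * notification, so nothing is read from the child's memory here.
 *
 * @param notifd    seccomp notification fd
 * @param req       the received notification
 * @param resp      response to fill in (pre-zeroed by the caller)
 * @param num_fds   number of fds passed by systemd, starting at SD_LISTEN_FDS_START
 * @param injected  set of child-side fd numbers that have been injected
 */
static void handle_socket(int notifd, const struct seccomp_notif *req,
                          struct seccomp_notif_resp *resp, int num_fds,
                          fd_set *injected) {
    int family = (int)req->data.args[0];
    int type = (int)req->data.args[1];
    /* sd_is_socket() matches on the base type; the flag bits only matter for
     * the close-on-exec state of the new fd. */
    int base_type = type & ~SOCK_NONBLOCK & ~SOCK_CLOEXEC;

    for (int fd = SD_LISTEN_FDS_START; fd < SD_LISTEN_FDS_START + num_fds;
         fd++) {
        /* sd_is_socket() returns a negative errno on error, which must not
         * be treated as a match. */
        if (sd_is_socket(fd, family, base_type, -1) <= 0)
            continue;

        struct seccomp_notif_addfd addfd = {
            .id = req->id,
            .srcfd = fd,
            .newfd = 0,
            .flags = 0,
            .newfd_flags = (type & SOCK_CLOEXEC) ? O_CLOEXEC : 0,
        };
        int newfd = ioctl(notifd, SECCOMP_IOCTL_NOTIF_ADDFD, &addfd);
        if (newfd < 0) {
            /* The kernel validates req->id here, so failure usually means the
             * child is gone or the request is stale; report it to the child
             * instead of faking a successful socket(). */
            resp->error = -errno;
            return;
        }
        resp->val = newfd;
        /* newfd is an fd number in the child's table and is only bounded by
         * the child's limits; fd_set can only track values below FD_SETSIZE. */
        if (newfd < FD_SETSIZE) {
            FD_SET(newfd, injected);
        } else {
            fprintf(stderr,
                    "bandaid: injected fd %d exceeds FD_SETSIZE; bind() on it "
                    "will not be intercepted\n",
                    newfd);
        }
        return;
    }
    resp->flags = SECCOMP_USER_NOTIF_FLAG_CONTINUE;
}

/*
 * Answer a trapped bind(2). A bind on an fd injected by handle_socket() is
 * answered with success without running (the socket is already bound on
 * the systemd side); anything else runs normally.
 *
 * The fd number comes from the child and is untrusted: it is range-checked
 * before it is used as an index into the set. If the child closes an
 * injected fd and the number is later reused for a fresh socket, a bind on
 * it will still be answered with a no-op success — NOTE(review): close(2) is
 * not tracked, confirm this is acceptable for the intended workloads.
 */
static void handle_bind(const struct seccomp_notif *req,
                        struct seccomp_notif_resp *resp, fd_set *injected) {
    unsigned long long fd = req->data.args[0];
    if (fd >= FD_SETSIZE || !FD_ISSET((int)fd, injected))
        resp->flags = SECCOMP_USER_NOTIF_FLAG_CONTINUE;
}

/*
 * bandaid COMMAND [ARGS...]
 *
 * Run COMMAND under a seccomp user-notification supervisor so that listening
 * sockets passed by systemd (sd_listen_fds) are handed to the child as the
 * result of its own socket(2) calls, and the matching bind(2) calls are
 * answered with success without executing. With no passed fds the command
 * is exec'd directly and unconfined.
 *
 * Exit status: 2 on usage error, 1 on a supervisor failure (the child is
 * sent SIGTERM), otherwise whatever the SIGCHLD handler derives from the
 * child's termination.
 */
int main(int argc, char **argv, char **envp) {
    if (argc < 2) {
        fprintf(stderr, "usage: bandaid COMMAND [ARGS...]\n");
        exit(2);
    }

    /* SA_NOCLDSTOP: only a terminated child should end the supervisor; a
     * stopped child must not take the notification fd down with us.
     * SA_RESTART: do not let the signal abort the blocking receive. */
    struct sigaction sa = {
        .sa_handler = sighandler,
        .sa_flags = SA_NOCLDSTOP | SA_RESTART,
    };
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGCHLD, &sa, NULL) != 0) {
        perror("bandaid: sigaction");
        exit(1);
    }

    int num_fds = sd_listen_fds(1);
    if (num_fds < 0) {
        /* sd_listen_fds() reports errors as a negative errno value. */
        fprintf(stderr, "bandaid: sd_listen_fds: %s\n", strerror(-num_fds));
        exit(1);
    }
    if (num_fds == 0) {
        /* Nothing to hand over: run the command unconfined. */
        execvpe(argv[1], argv + 1, envp);
        perror("bandaid: execvpe");
        exit(127);
    }

    int pid = -1;
    int notifd = confine(argv[1], argv + 1, envp, &pid);
    if (notifd == -1) {
        fprintf(stderr, "bandaid: could not confine %s\n", argv[1]);
        exit(1);
    }

    /* Child-side fd numbers that were injected by handle_socket(). */
    fd_set injected;
    FD_ZERO(&injected);

    for (;;) {
        struct seccomp_notif *req;
        struct seccomp_notif_resp *resp;
        if (seccomp_notify_alloc(&req, &resp) != 0)
            fail(pid, "seccomp_notify_alloc");

        /* libseccomp returns a negative errno; retry if a signal interrupted
         * the receive rather than tearing the child down. */
        int rc;
        do {
            rc = seccomp_notify_receive(notifd, req);
        } while (rc == -EINTR);
        if (rc != 0)
            fail(pid, "seccomp_notify_receive");

        resp->id = req->id;
        resp->val = 0;
        resp->error = 0;
        resp->flags = 0;

        if (req->data.nr == __NR_socket)
            handle_socket(notifd, req, resp, num_fds, &injected);
        else if (req->data.nr == __NR_bind)
            handle_bind(req, resp, &injected);

        if (seccomp_notify_respond(notifd, resp) != 0)
            fail(pid, "seccomp_notify_respond");
        seccomp_notify_free(req, resp);
    }
}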