updated seccomp rules.

Nikos Mavrogiannopoulos
2014-01-21 21:59:38 +01:00
parent f9a1dd94ae
commit 28a2026363
3 changed files with 26 additions and 3 deletions

NEWS

@@ -9,6 +9,8 @@
- Added configuration option cisco-client-compat which if enabled
it allows a client to authenticate by sending its credentials in
different TLS sessions. A cookie is used to associate the sessions.
- Updated seccomp rules to allow the system calls used by the
worker process.
* Version 0.2.4 (released 2014-01-08)

README

@@ -16,6 +16,7 @@ libgnutls-dev / gnutls-devel
Optional dependencies that enable specific functionality:
* TCP wrappers: libwrap0-dev / tcp_wrappers-devel
* PAM: libpam0g-dev / pam-devel
* seccomp: libsecomp-dev / libseccomp-devel
* occtl: libdbus-1-dev / dbus-devel
libreadline-dev / readline-devel
libnl-route-3-dev / libnl3-devel
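Review bot: the seccomp line lists the Debian package as `libsecomp-dev`, but the package is named `libseccomp-dev` (double c, matching the `libseccomp-devel` name on the same line); fix the spelling so the install instructions can be copied as-is.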
@@ -40,6 +41,10 @@ $ ./configure && make
When cross compiling it may be useful to add the --enable-local-libopts
option to configure.
To prevent ocserv's worker process from executing non authorized system
calls you may compile ocserv with the --enable-seccomp option. That is
currently experimental and not enabled by default.
To build from the git repository use:
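Review bot: "non authorized system calls" should read "unauthorized system calls" (or at least "non-authorized"), and "That is currently experimental" leaves it unclear what "that" refers to; suggest "To prevent ocserv's worker process from executing unauthorized system calls you may compile ocserv with the --enable-seccomp option. Seccomp support is currently experimental and not enabled by default."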

@@ -46,30 +46,46 @@ int disable_system_calls(struct worker_st *ws)
goto fail; \
}
/* we use quite some system calls here, and in the end
* we don't even know whether a newer libc will change the
* underlying calls to something else. seccomp seems to be useful
* in very restricted designs.
*/
ADD_SYSCALL(time, 0);
ADD_SYSCALL(gettimeofday, 0);
ADD_SYSCALL(nanosleep, 0);
ADD_SYSCALL(getrusage, 0);
ADD_SYSCALL(alarm, 0);
ADD_SYSCALL(brk, 0);
ADD_SYSCALL(recvmsg, 0);
ADD_SYSCALL(sendmsg, 0);
ADD_SYSCALL(read, 0);
ADD_SYSCALL(write, 0);
ADD_SYSCALL(writev, 0);
ADD_SYSCALL(send, 0);
ADD_SYSCALL(recv, 0);
/* it seems we need to add sendto and recvfrom
* since send() and recv() aren't real system
* calls.
* since send() and recv() aren't called by libc.
*/
ADD_SYSCALL(sendto, 0);
ADD_SYSCALL(recvfrom, 0);
ADD_SYSCALL(select, 0);
ADD_SYSCALL(alarm, 0);
ADD_SYSCALL(pselect6, 0);
ADD_SYSCALL(close, 0);
ADD_SYSCALL(exit, 0);
ADD_SYSCALL(exit_group, 0);
ADD_SYSCALL(socket, 0);
ADD_SYSCALL(connect, 0);
ADD_SYSCALL(getsockopt, 0);
ADD_SYSCALL(setsockopt, 0);
/* this we need to get the MTU from
* the TUN device */
ADD_SYSCALL(ioctl, 1, SCMP_A1(SCMP_CMP_EQ, (int)SIOCGIFDSTADDR));
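Review bot: the comment above the ioctl rule says it is needed "to get the MTU from the TUN device", but the argument filter admits SIOCGIFDSTADDR, which returns the interface's point-to-point destination address, not its MTU (that request is SIOCGIFMTU); either the comment or the constant is wrong, and since this is the one rule that actually constrains an argument, the mismatch should be resolved before merge. Separately, `ADD_SYSCALL(alarm, 0);` appears twice in this hunk (once after getrusage and again after select); if both lines survive the change, the second seccomp_rule_add() for the same syscall can fail, and because ADD_SYSCALL does `goto fail` on error that would abort installing the whole filter, so keep a single alarm entry.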