From 28a20263635f177c01ba227fdf007983ca1a5310 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Tue, 21 Jan 2014 21:59:38 +0100
Subject: [PATCH] updated seccomp rules.
---
 NEWS | 2 ++
 README | 5 +++++
 src/worker-privs.c | 22 +++++++++++++++++++---
 3 files changed, 26 insertions(+), 3 deletions(-)
diff --git a/NEWS b/NEWS
index 1e4307f4..dc859218 100644
--- a/NEWS
+++ b/NEWS
@@ -9,6 +9,8 @@
 - Added configuration option cisco-client-compat which if enabled it allows a client to authenticate by sending its credentials in different TLS sessions. A cookie is used to associate the sessions.
+- Updated seccomp rules to allow the system calls used by the
+ worker process.
 * Version 0.2.4 (released 2014-01-08)
diff --git a/README b/README
index 41908c86..cfb4a95a 100644
--- a/README
+++ b/README
@@ -16,6 +16,7 @@ libgnutls-dev / gnutls-devel
 Optional dependencies that enable specific functionality:
 * TCP wrappers: libwrap0-dev / tcp_wrappers-devel
 * PAM: libpam0g-dev / pam-devel
+* seccomp: libsecomp-dev / libseccomp-devel
 * occtl: libdbus-1-dev / dbus-devel libreadline-dev / readline-devel libnl-route-3-dev / libnl3-devel
@@ -40,6 +41,10 @@ $ ./configure && make
 When cross compiling it may be useful to add the --enable-local-libopts option to configure.
+To prevent ocserv's worker process from executing non authorized system
+calls you may compile ocserv with the --enable-seccomp option. That is
+currently experimental and not enabled by default.
+
 To build from the git repository use:
diff --git a/src/worker-privs.c b/src/worker-privs.c
index 8dade258..42234e9f 100644
--- a/src/worker-privs.c
+++ b/src/worker-privs.c
@@ -46,30 +46,46 @@ int disable_system_calls(struct worker_st *ws)
 goto fail; \
 }
+ /* we use quite some system calls here, and in the end
+ * we don't even know whether a newer libc will change the
+ * underlying calls to something else. seccomp seems to be useful
+ * in very restricted designs.
+ */
 ADD_SYSCALL(time, 0);
 ADD_SYSCALL(gettimeofday, 0);
+ ADD_SYSCALL(nanosleep, 0);
+ ADD_SYSCALL(getrusage, 0);
+ ADD_SYSCALL(alarm, 0);
+ ADD_SYSCALL(brk, 0);
 ADD_SYSCALL(recvmsg, 0);
 ADD_SYSCALL(sendmsg, 0);
+ ADD_SYSCALL(read, 0);
+ ADD_SYSCALL(write, 0);
 ADD_SYSCALL(writev, 0);
+ ADD_SYSCALL(send, 0);
 ADD_SYSCALL(recv, 0);
 /* it seems we need to add sendto and recvfrom
- * since send() and recv() aren't real system
- * calls.
+ * since send() and recv() aren't called by libc.
 */
 ADD_SYSCALL(sendto, 0);
 ADD_SYSCALL(recvfrom, 0);
+ ADD_SYSCALL(select, 0);
- ADD_SYSCALL(alarm, 0);
+ ADD_SYSCALL(pselect6, 0);
 ADD_SYSCALL(close, 0);
 ADD_SYSCALL(exit, 0);
 ADD_SYSCALL(exit_group, 0);
 ADD_SYSCALL(socket, 0);
 ADD_SYSCALL(connect, 0);
+ ADD_SYSCALL(getsockopt, 0);
+ ADD_SYSCALL(setsockopt, 0);
+ /* this we need to get the MTU from
 * the TUN device */
 ADD_SYSCALL(ioctl, 1, SCMP_A1(SCMP_CMP_EQ, (int)SIOCGIFDSTADDR));