diff --git a/src/child.c b/src/child.c
index f378ecd..86e999c 100644
--- a/src/child.c
+++ b/src/child.c
@@ -153,6 +153,16 @@ void child_process(FILE *log_fp, struct config *_config) {
 CHILD_ERROR_EXIT(LOAD_SECCOMP_FAILED);
 }
 }
+ else if (strcmp("golang", _config->seccomp_rule_name) == 0) {
+ if (golang_seccomp_rules(_config) != SUCCESS ) {
+ CHILD_ERROR_EXIT(LOAD_SECCOMP_FAILED);
+ }
+ }
+ else if (strcmp("node", _config->seccomp_rule_name) == 0) {
+ if (node_seccomp_rules(_config) != SUCCESS ) {
+ CHILD_ERROR_EXIT(LOAD_SECCOMP_FAILED);
+ }
+ }
 // other rules
 else {
 // rule does not exist
diff --git a/src/rules/golang.c b/src/rules/golang.c
new file mode 100644
index 0000000..551f1b2
--- /dev/null
+++ b/src/rules/golang.c
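Review bot: Both new branches test the rule loader's result with `!= SUCCESS`, but `golang_seccomp_rules` and `node_seccomp_rules` (in the golang.c and node.c hunks) return a literal `0` on success; this only works if `SUCCESS` is defined as 0, which the diff does not show, so either the loaders should `return SUCCESS;` or the comparison should be against the value they actually return. The stray space in `!= SUCCESS )` also departs from the surrounding style. The `strcmp` dispatch chain grows by one near-identical arm per language; a `static const struct { const char *name; int (*load)(struct config *); } rule_sets[]` table looked up in a loop would make future additions a one-line change. `child_process` starts and ends outside this hunk.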
@@ -0,0 +1,51 @@
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include "../runner.h"
+
+
+int golang_seccomp_rules(struct config *_config) {
+ int syscalls_blacklist[] = {SCMP_SYS(socket),
+ SCMP_SYS(fork), SCMP_SYS(vfork),
+ SCMP_SYS(kill),
+#ifdef __NR_execveat
+ SCMP_SYS(execveat)
+#endif
+ };
+ int syscalls_blacklist_length = sizeof(syscalls_blacklist) / sizeof(int);
+ scmp_filter_ctx ctx = NULL;
+ // load seccomp rules
+ ctx = seccomp_init(SCMP_ACT_ALLOW);
+ if (!ctx) {
+ return LOAD_SECCOMP_FAILED;
+ }
+ for (int i = 0; i < syscalls_blacklist_length; i++) {
+ if (seccomp_rule_add(ctx, SCMP_ACT_KILL, syscalls_blacklist[i], 0) != 0) {
+ return LOAD_SECCOMP_FAILED;
+ }
+ }
+ // do not allow "w" and "rw" using open
+ if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(open), 1, SCMP_CMP(1, SCMP_CMP_MASKED_EQ, O_WRONLY, O_WRONLY)) != 0) {
+ return LOAD_SECCOMP_FAILED;
+ }
+ if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(open), 1, SCMP_CMP(1, SCMP_CMP_MASKED_EQ, O_RDWR, O_RDWR)) != 0) {
+ return LOAD_SECCOMP_FAILED;
+ }
+ // do not allow "w" and "rw" using openat
+ if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(openat), 1, SCMP_CMP(2, SCMP_CMP_MASKED_EQ, O_WRONLY, O_WRONLY)) != 0) {
+ return LOAD_SECCOMP_FAILED;
+ }
+ if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(openat), 1, SCMP_CMP(2, SCMP_CMP_MASKED_EQ, O_RDWR, O_RDWR)) != 0) {
+ return LOAD_SECCOMP_FAILED;
+ }
+
+ if (seccomp_load(ctx) != 0) {
+ return LOAD_SECCOMP_FAILED;
+ }
+ seccomp_release(ctx);
+ return 0;
+}
diff --git a/src/rules/node.c b/src/rules/node.c
new file mode 100644
index 0000000..79d8482
--- /dev/null
+++ b/src/rules/node.c
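Review bot: Every failure path after `seccomp_init` returns without `seccomp_release(ctx)`, so the filter context leaks whenever `seccomp_rule_add` or `seccomp_load` fails; the same pattern is in the node.c hunk. In the child the caller exits right after, so the leak is short-lived, but a single `out:` label that releases the context and returns a status keeps the function correct on its own and removes six copies of `return LOAD_SECCOMP_FAILED;`. `_config` is accepted but never read, and `execve` is absent from the denylist while `execveat` is present under `#ifdef __NR_execveat`; if the parameter is kept for interface symmetry with the other rule sets and the `execve` omission is deliberate because the runtime needs it, a comment on the array stating both would stop the asymmetry from reading as an oversight (e.g. `// execve intentionally allowed: <reason>`).
```c
int golang_seccomp_rules(struct config *_config) {
    // … unchanged: syscalls_blacklist array and syscalls_blacklist_length …
    int rc = LOAD_SECCOMP_FAILED;
    scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_ALLOW);
    if (!ctx) {
        return LOAD_SECCOMP_FAILED;
    }
    for (int i = 0; i < syscalls_blacklist_length; i++) {
        if (seccomp_rule_add(ctx, SCMP_ACT_KILL, syscalls_blacklist[i], 0) != 0) {
            goto out;
        }
    }
    // … unchanged: the four open/openat O_WRONLY and O_RDWR rules, each failure now `goto out;` …
    if (seccomp_load(ctx) != 0) {
        goto out;
    }
    rc = 0;
out:
    seccomp_release(ctx);   // released on every path, including rule_add/load failure
    return rc;
}
```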
@@ -0,0 +1,36 @@
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include "../runner.h"
+
+
+int node_seccomp_rules(struct config *_config) {
+ int syscalls_blacklist[] = {SCMP_SYS(socket),
+ SCMP_SYS(fork), SCMP_SYS(vfork),
+ SCMP_SYS(kill),
+#ifdef __NR_execveat
+ SCMP_SYS(execveat)
+#endif
+ };
+ int syscalls_blacklist_length = sizeof(syscalls_blacklist) / sizeof(int);
+ scmp_filter_ctx ctx = NULL;
+ // load seccomp rules
+ ctx = seccomp_init(SCMP_ACT_ALLOW);
+ if (!ctx) {
+ return LOAD_SECCOMP_FAILED;
+ }
+ for (int i = 0; i < syscalls_blacklist_length; i++) {
+ if (seccomp_rule_add(ctx, SCMP_ACT_KILL, syscalls_blacklist[i], 0) != 0) {
+ return LOAD_SECCOMP_FAILED;
+ }
+ }
+ if (seccomp_load(ctx) != 0) {
+ return LOAD_SECCOMP_FAILED;
+ }
+ seccomp_release(ctx);
+ return 0;
+}
diff --git a/src/rules/seccomp_rules.h b/src/rules/seccomp_rules.h
index 8a318ed..0fb1c96 100644
--- a/src/rules/seccomp_rules.h
+++ b/src/rules/seccomp_rules.h
@@ -7,5 +7,7 @@ int _c_cpp_seccomp_rules(struct config *_config, bool allow_write_file);
 int c_cpp_seccomp_rules(struct config *_config);
 int general_seccomp_rules(struct config *_config);
 int c_cpp_file_io_seccomp_rules(struct config *_config);
+int golang_seccomp_rules(struct config *_config);
+int node_seccomp_rules(struct config *_config);
 #endif //JUDGER_SECCOMP_RULES_H
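Review bot: node.c is a copy of golang.c with the four `open`/`openat` write rules removed, so the syscall denylist now lives in two places that must be kept in sync. The header hunk already shows the project's own pattern for this, `_c_cpp_seccomp_rules(struct config *_config, bool allow_write_file)` behind thin wrappers; a shared loader with a `bool restrict_file_write` flag and two one-line wrappers would give the same two rule sets from one list. It also shares the leak raised on golang.c, where every failure after `seccomp_init` returns without `seccomp_release(ctx)`. If leaving file writes unrestricted for node is intentional, say so at the top of the function, e.g. `// no open()/openat() write restriction for node: <reason>`, since the contrast with golang.c otherwise looks accidental.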