Home Explore Help
Sign In
mbuesch
/
letmein
Watch 1
Star 0
Fork 0

2 Commits daaf10f4ae ... e4dac193e2

Author SHA1 Message Date
  Michael Buesch e4dac193e2 Split the daemon into network and firewall part 2 months ago
  Michael Buesch daaf10f4ae Split the daemon into network and firewall part 2 months ago
1 changed files with 59 additions and 51 deletions
Split View Show Diff Stats
  1. 59 51
      letmein-seccomp/src/lib.rs

+ 59 - 51
letmein-seccomp/src/lib.rs
View File 

@@ -12,7 +12,9 @@
 
 std::compile_error!("letmeind server and letmein-seccomp do not support non-Linux platforms.");
 
 
 use anyhow::{self as ah, Context as _};
 
-use seccompiler::{apply_filter_all_threads, BpfProgram, SeccompAction, SeccompFilter};
 
+use seccompiler::{
 
+    apply_filter_all_threads, BpfProgram, SeccompAction, SeccompFilter, SeccompRule,
 
+};
 
 use std::{collections::BTreeMap, env::consts::ARCH};
 
 
 #[derive(Clone, Debug)]
 
@@ -40,90 +42,96 @@ pub fn seccomp_compile(allow: &[Allow], deny_action: Action) -> ah::Result<Filte
 
     seccomp_compile_for_arch(allow, deny_action, ARCH)
 
 }
 
 
+macro_rules! sys {
 
+    ($ident:ident) => {
 
+        libc::$ident as i64
 
+    };
 
+}
 
+
 
 pub fn seccomp_compile_for_arch(
 
     allow: &[Allow],
 
     deny_action: Action,
 
     arch: &str,
 
 ) -> ah::Result<Filter> {
 
-    let mut rules: BTreeMap<_, _> = [
 
-        (libc::SYS_brk, vec![]),
 
-        (libc::SYS_close, vec![]),
 
-        (libc::SYS_close_range, vec![]),
 
-        (libc::SYS_exit, vec![]),
 
-        (libc::SYS_exit_group, vec![]),
 
-        (libc::SYS_getpid, vec![]),
 
-        (libc::SYS_getrandom, vec![]),
 
-        (libc::SYS_gettid, vec![]),
 
-        (libc::SYS_madvise, vec![]),
 
-        (libc::SYS_munmap, vec![]),
 
-        (libc::SYS_sched_getaffinity, vec![]),
 
-        (libc::SYS_sigaltstack, vec![]),
 
-        (libc::SYS_nanosleep, vec![]),
 
-        (libc::SYS_clock_nanosleep, vec![]),
 
+    let mut rules: BTreeMap<i64, Vec<SeccompRule>> = [
 
+        (sys!(SYS_brk), vec![]),
 
+        (sys!(SYS_close), vec![]),
 
+        (sys!(SYS_close_range), vec![]),
 
+        (sys!(SYS_exit), vec![]),
 
+        (sys!(SYS_exit_group), vec![]),
 
+        (sys!(SYS_getpid), vec![]),
 
+        (sys!(SYS_getrandom), vec![]),
 
+        (sys!(SYS_gettid), vec![]),
 
+        (sys!(SYS_madvise), vec![]),
 
+        (sys!(SYS_munmap), vec![]),
 
+        (sys!(SYS_sched_getaffinity), vec![]),
 
+        (sys!(SYS_sigaltstack), vec![]),
 
+        (sys!(SYS_nanosleep), vec![]),
 
+        (sys!(SYS_clock_nanosleep), vec![]),
 
     ]
 
     .into();
 
 
     let add_read_write_rules = |rules: &mut BTreeMap<_, _>| {
 
-        rules.insert(libc::SYS_epoll_create1, vec![]);
 
-        rules.insert(libc::SYS_epoll_ctl, vec![]);
 
-        rules.insert(libc::SYS_epoll_pwait2, vec![]);
 
-        rules.insert(libc::SYS_epoll_wait, vec![]);
 
-        rules.insert(libc::SYS_lseek, vec![]);
 
-        rules.insert(libc::SYS_ppoll, vec![]);
 
-        rules.insert(libc::SYS_pselect6, vec![]);
 
+        rules.insert(sys!(SYS_epoll_create1), vec![]);
 
+        rules.insert(sys!(SYS_epoll_ctl), vec![]);
 
+        rules.insert(sys!(SYS_epoll_pwait2), vec![]);
 
+        rules.insert(sys!(SYS_epoll_wait), vec![]);
 
+        rules.insert(sys!(SYS_lseek), vec![]);
 
+        rules.insert(sys!(SYS_ppoll), vec![]);
 
+        rules.insert(sys!(SYS_pselect6), vec![]);
 
     };
 
 
     for allow in allow {
 
         match *allow {
 
             Allow::Mmap => {
 
                 #[cfg(has_SYS_mmap)]
 
-                rules.insert(libc::SYS_mmap, vec![]);
 
+                rules.insert(sys!(SYS_mmap), vec![]);
 
                 #[cfg(has_SYS_mmap2)]
 
-                rules.insert(libc::SYS_mmap2, vec![]);
 
-                rules.insert(libc::SYS_mremap, vec![]);
 
-                rules.insert(libc::SYS_munmap, vec![]);
 
+                rules.insert(sys!(SYS_mmap2), vec![]);
 
+                rules.insert(sys!(SYS_mremap), vec![]);
 
+                rules.insert(sys!(SYS_munmap), vec![]);
 
             }
 
             Allow::Mprotect => {
 
-                rules.insert(libc::SYS_mprotect, vec![]);
 
+                rules.insert(sys!(SYS_mprotect), vec![]);
 
             }
 
             Allow::UnixConnect => {
 
-                rules.insert(libc::SYS_connect, vec![]);
 
-                rules.insert(libc::SYS_socket, vec![]); //TODO: Restrict to AF_UNIX
 
-                rules.insert(libc::SYS_getsockopt, vec![]);
 
+                rules.insert(sys!(SYS_connect), vec![]);
 
+                rules.insert(sys!(SYS_socket), vec![]); //TODO: Restrict to AF_UNIX
 
+                rules.insert(sys!(SYS_getsockopt), vec![]);
 
             }
 
             Allow::TcpAccept => {
 
-                rules.insert(libc::SYS_accept4, vec![]);
 
-                rules.insert(libc::SYS_socket, vec![]); //TODO: Restrict to AF_UNIX
 
-                rules.insert(libc::SYS_getsockopt, vec![]);
 
+                rules.insert(sys!(SYS_accept4), vec![]);
 
+                rules.insert(sys!(SYS_socket), vec![]); //TODO: Restrict to AF_UNIX
 
+                rules.insert(sys!(SYS_getsockopt), vec![]);
 
             }
 
             Allow::Read => {
 
-                rules.insert(libc::SYS_pread64, vec![]);
 
-                rules.insert(libc::SYS_preadv2, vec![]);
 
-                rules.insert(libc::SYS_read, vec![]);
 
-                rules.insert(libc::SYS_readv, vec![]);
 
+                rules.insert(sys!(SYS_pread64), vec![]);
 
+                rules.insert(sys!(SYS_preadv2), vec![]);
 
+                rules.insert(sys!(SYS_read), vec![]);
 
+                rules.insert(sys!(SYS_readv), vec![]);
 
                 add_read_write_rules(&mut rules);
 
             }
 
             Allow::Write => {
 
-                rules.insert(libc::SYS_fdatasync, vec![]);
 
-                rules.insert(libc::SYS_fsync, vec![]);
 
-                rules.insert(libc::SYS_pwrite64, vec![]);
 
-                rules.insert(libc::SYS_pwritev2, vec![]);
 
-                rules.insert(libc::SYS_write, vec![]);
 
-                rules.insert(libc::SYS_writev, vec![]);
 
+                rules.insert(sys!(SYS_fdatasync), vec![]);
 
+                rules.insert(sys!(SYS_fsync), vec![]);
 
+                rules.insert(sys!(SYS_pwrite64), vec![]);
 
+                rules.insert(sys!(SYS_pwritev2), vec![]);
 
+                rules.insert(sys!(SYS_write), vec![]);
 
+                rules.insert(sys!(SYS_writev), vec![]);
 
                 add_read_write_rules(&mut rules);
 
             }
 
             Allow::Recv => {
 
-                rules.insert(libc::SYS_recvfrom, vec![]);
 
-                rules.insert(libc::SYS_recvmsg, vec![]);
 
-                rules.insert(libc::SYS_recvmmsg, vec![]);
 
+                rules.insert(sys!(SYS_recvfrom), vec![]);
 
+                rules.insert(sys!(SYS_recvmsg), vec![]);
 
+                rules.insert(sys!(SYS_recvmmsg), vec![]);
 
             }
 
             Allow::Send => {
 
-                rules.insert(libc::SYS_sendto, vec![]);
 
-                rules.insert(libc::SYS_sendmsg, vec![]);
 
-                rules.insert(libc::SYS_sendmmsg, vec![]);
 
+                rules.insert(sys!(SYS_sendto), vec![]);
 
+                rules.insert(sys!(SYS_sendmsg), vec![]);
 
+                rules.insert(sys!(SYS_sendmmsg), vec![]);
 
             }
 
             Allow::SignalReturn => {
 
-                rules.insert(libc::SYS_rt_sigreturn, vec![]);
 
+                rules.insert(sys!(SYS_rt_sigreturn), vec![]);
 
             }
 
         }
 
     }