Add first seccomp implementation

This commit is contained in:
Grégory Soutadé 2016-02-04 20:39:50 +01:00
parent 1b72bc86f2
commit feb89ff6b3
2 changed files with 30 additions and 1 deletions


@ -11,6 +11,11 @@ else
CFLAGS += -O2
endif
ifneq ($(DISABLE_SECCOMP),)
CFLAGS += -DUSE_SECCOMP=1
LDFLAGS += -lseccomp
endif
all: $(BIN_DIR) ip_data.c $(TARGET)
$(BIN_DIR):
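Review bot: The condition on the new `ifneq ($(DISABLE_SECCOMP),)` line is inverted: with DISABLE_SECCOMP unset (the default build) the block is skipped and USE_SECCOMP is never defined, while setting `DISABLE_SECCOMP=1` is what actually turns seccomp on. The test should be `ifeq ($(DISABLE_SECCOMP),)` so the sandbox is compiled in unless the user explicitly opts out. A short comment above it, `# seccomp syscall filtering is on by default; build with DISABLE_SECCOMP=1 to opt out`, would document the switch. The link recipe is outside this hunk, so I cannot tell whether `-lseccomp` appended to LDFLAGS lands after the object files on the link line; if LDFLAGS is expanded before the objects, put the library in LDLIBS instead.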


@ -12,6 +12,10 @@
#include <stdlib.h>
#include <string.h>
#ifdef USE_SECCOMP
#include <seccomp.h>
#endif
#include "ip_to_geo.h"
#include "protocol.h"
@ -383,10 +387,25 @@ int daemonize(struct gengetopt_args_info* params)
syslog(LOG_INFO, "ip_togeod started\n");
signal(SIGINT, sigint);
signal(SIGINT, sigint);
signal(SIGUSR1, sigint);
signal(SIGUSR2, sigint);
#ifdef USE_SECCOMP
scmp_filter_ctx seccomp_ctx = seccomp_init(SCMP_ACT_KILL);
if (seccomp_ctx == NULL)
{
syslog(LOG_ERR, "unable to initialize seccomp\n");
return -5;
}
seccomp_rule_add(seccomp_ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 0);
seccomp_rule_add(seccomp_ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 0);
seccomp_rule_add(seccomp_ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0);
seccomp_rule_add(seccomp_ctx, SCMP_ACT_ALLOW, SCMP_SYS(accept), 0);
#endif
while (!s_stop)
{
sockaddr_len = sizeof(sockaddr);
@ -413,6 +432,11 @@ int daemonize(struct gengetopt_args_info* params)
closelog();
#ifdef USE_SECCOMP
if (seccomp_ctx)
seccomp_release(seccomp_ctx);
#endif
return 0;
}
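Review bot: The filter built on L38-L47 is never installed: seccomp_init() and seccomp_rule_add() only populate an in-memory context, and no seccomp_load(seccomp_ctx) call appears between the last rule and the `while (!s_stop)` loop, so as far as this hunk shows the process still runs with no syscall restriction at all. The four seccomp_rule_add() return values are also discarded; each returns a negative errno, and under SCMP_ACT_KILL a silently missing rule means the daemon is killed the first time it uses that syscall. Once the filter is actually loaded the allow list looks too narrow: the handlers installed by the signal() calls on L33-L36 need rt_sigreturn to return, process exit needs exit_group, and anything the loop body does beyond read/write/close/accept (a syslog() call goes through socket/connect/sendto, and the accepted connection presumably uses recv/send) would be killed, so every such path needs a rule and a test run under the filter. seccomp_release() in the last hunk only frees the library context and does not remove a loaded filter, which is the right thing to do here. The sketch below installs the filter, checks every return code and adds the two baseline rules; the body of daemonize() continues outside the hunk.
```c
#ifdef USE_SECCOMP
	scmp_filter_ctx seccomp_ctx = seccomp_init(SCMP_ACT_KILL);
	if (seccomp_ctx == NULL)
	{
		syslog(LOG_ERR, "unable to initialize seccomp\n");
		return -5;
	}
	/* rt_sigreturn lets the SIGINT/SIGUSR handlers above return; exit_group
	 * lets the process exit after the loop. Add whatever the loop body calls. */
	int seccomp_rc = 0;
	seccomp_rc |= seccomp_rule_add(seccomp_ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 0);
	seccomp_rc |= seccomp_rule_add(seccomp_ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 0);
	seccomp_rc |= seccomp_rule_add(seccomp_ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0);
	seccomp_rc |= seccomp_rule_add(seccomp_ctx, SCMP_ACT_ALLOW, SCMP_SYS(accept), 0);
	seccomp_rc |= seccomp_rule_add(seccomp_ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigreturn), 0);
	seccomp_rc |= seccomp_rule_add(seccomp_ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0);
	/* seccomp_load() is what actually hands the filter to the kernel */
	if (seccomp_rc != 0 || seccomp_load(seccomp_ctx) != 0)
	{
		syslog(LOG_ERR, "unable to install seccomp filter\n");
		seccomp_release(seccomp_ctx);
		return -5;
	}
#endif
	/* … unchanged: accept loop … */
```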