<< path: root/public/blog.git/html/src/search/sec_seccomp.jai blob: c53f27b6614f5213e04c24e6aeefb506124838d3 [raw] [clear marker]

// Installs the process-wide seccomp filter: an allow-list built from
// SECCOMP_ALLOWED_SYSCALLS plus EXIT/EXIT_GROUP; every other syscall gets the
// default action selected by SECCOMP_ARMED.
//
// Build-time switches (constants evaluated with #if):
//   SECCOMP_ENABLED - when false nothing is installed; the process exits with
//                     status 99 unless is_dev_machine() returns true.
//   SECCOMP_ARMED   - true:  default action .KILL_PROCESS (violations kill the process).
//                     false: default action .LOG (presumably the binding's name for
//                            libseccomp's SCMP_ACT_LOG: violations are logged but the
//                            syscall still executes, i.e. no enforcement) - confirm
//                            against the binding.
//
// Exits the process with status 1 if the filter context cannot be created, any
// rule cannot be added, or the filter cannot be loaded into the kernel. In the
// enabled case it returns normally only after the filter is in force.
sec_seccomp_init :: () {
    #if !SECCOMP_ENABLED {
        log_error("SECCOMP IS DISABLED!");
        // Running without the filter is only tolerated on a dev machine.
        if !is_dev_machine() then exit(99);
        return;
    }

    // Route every log call in this procedure through the "Seccomp"-prefixed logger.
    new_context := context;
    new_context.logger = my_logger;

    push_context,defer_pop new_context;


    // One allow rule per syscall name; "%" is replaced by the enum member name
    // (e.g. "READ" becomes ".READ"). No argument constraints are passed, so
    // (assuming the binding mirrors libseccomp) each rule allows the syscall
    // regardless of its arguments.
    SECCOMP_TEMPLATE :: "had_error |= seccomp_rule_add(ctx, .ALLOW, .%);";

    #if SECCOMP_ARMED {
        ctx := seccomp_init(.KILL_PROCESS);
    } else {
        ctx := seccomp_init(.LOG);
    }
    // NOTE(review): the defer is registered before the null check; this relies
    // on exit(1) below not running deferred statements - confirm, otherwise
    // seccomp_release would be invoked on a null ctx.
    defer seccomp_release(ctx);
    if !ctx { log_error("Init failed"); exit(1); }

    // Every seccomp_rule_add result is OR-ed in and checked once after all rules.
    had_error := false;

    // Compile-time expansion: build one SECCOMP_TEMPLATE line per entry of
    // SECCOMP_ALLOWED_SYSCALLS and splice the generated source in here.
    #insert -> string {
        buf: String_Builder;
        for SECCOMP_ALLOWED_SYSCALLS {
            template := tprint(SECCOMP_TEMPLATE, it);
            append(*buf, template);
        }
        s := builder_to_string(*buf);
        return s;
    }

    // Always allowed so the process can terminate. EXIT_GROUP is also listed in
    // SECCOMP_ALLOWED_SYSCALLS, so it is added twice; should the binding ever
    // reject duplicate rules this would surface through had_error below.
    had_error |= seccomp_rule_add(ctx, .ALLOW, .EXIT);
    had_error |= seccomp_rule_add(ctx, .ALLOW, .EXIT_GROUP);

    if had_error {
        log_error("Could not add rules.");
        exit(1);
    }

    // Hands the filter to the kernel; from here on the allow-list applies to
    // this process.
    if seccomp_load(ctx) < 0 {
        log_error("Could not load context into kernel");
        exit(1);
    }

    #if SECCOMP_ARMED then log("is armed."); else log("is in log mode! NOT ARMED!");
}
53
54
// Everything below this directive is private to this file; only the
// procedure(s) above it are visible to the rest of the program.
#scope_file
56
57
// Syscalls the process may make once the filter is loaded. Copied by hand
// from dev/syscalls.py, so the two lists must be kept in sync manually.
// Each name is spliced into SECCOMP_TEMPLATE inside sec_seccomp_init at
// compile time, so every entry must be a member of the binding's syscall
// enum. EXIT_GROUP is additionally added explicitly in sec_seccomp_init.
// Order is preserved from the original list; it determines the order in
// which the rules are added.
SECCOMP_ALLOWED_SYSCALLS :: string.[
    "READ",       "FSTAT",      "CLOSE",      "MADVISE",
    "RT_SIGRETURN", "WRITE",    "FUTEX",      "EPOLL_WAIT",
    "RECVFROM",   "ACCEPT",     "SENDTO",     "MMAP",
    "MUNMAP",     "EPOLL_CTL",  "EXIT_GROUP", "FCNTL",
    "OPENAT",     "LSEEK",
];
79
80
// File-private logger installed on the context inside sec_seccomp_init:
// base_logger with its prefix argument pre-bound, so every message it emits
// is tagged "Seccomp".
my_logger :: #bake_arguments base_logger(prefix = "Seccomp");
82
83