improve sandbox

This commit is contained in:
guochao 2023-11-01 21:56:16 +08:00
parent 3305f70f77
commit 5ba657dfc7


@ -1,13 +1,12 @@
use nix::{ use nix::{
libc::{c_long, EPERM, ORIG_RAX}, libc::{c_long, EPERM, ORIG_RAX},
sys::signal::Signal,
unistd::{getpid, getppid}, unistd::{getpid, getppid},
}; };
use std::io::Write;
use std::{ use std::{
ffi::{c_void, CString}, ffi::{c_void, CString},
mem::size_of, mem::size_of,
}; };
use std::io::Write;
use clap::*; use clap::*;
@ -29,7 +28,6 @@ fn main() -> anyhow::Result<()> {
log::trace!("args parsed: {args:?}"); log::trace!("args parsed: {args:?}");
#[cfg(feature = "tracing-mode")] #[cfg(feature = "tracing-mode")]
let tracing = args.log_failed_to != None; let tracing = args.log_failed_to != None;
@ -56,7 +54,12 @@ fn main() -> anyhow::Result<()> {
log::trace!("waiting for child to be ready..."); log::trace!("waiting for child to be ready...");
waitpid(child, None)?; waitpid(child, None)?;
let mut output = match std::fs::OpenOptions::new().append(true).write(true).create(true).open(log_fail_to) { let mut output = match std::fs::OpenOptions::new()
.append(true)
.write(true)
.create(true)
.open(log_fail_to)
{
Ok(file) => file, Ok(file) => file,
Err(err) => { Err(err) => {
nix::sys::ptrace::kill(child)?; nix::sys::ptrace::kill(child)?;
@ -74,20 +77,24 @@ fn main() -> anyhow::Result<()> {
log::info!("child {pid} exited with return code {ret}"); log::info!("child {pid} exited with return code {ret}");
break; break;
} }
WaitStatus::PtraceEvent(pid, sig,_) => { WaitStatus::PtraceEvent(pid, sig, _) => {
let syscall_nr = nix::sys::ptrace::read_user( let syscall_nr = nix::sys::ptrace::read_user(
pid, pid,
(size_of::<c_long>() * ORIG_RAX as usize) as *mut c_void, (size_of::<c_long>() * ORIG_RAX as usize) as *mut c_void,
)? as i32; )? as i32;
let syscall = ScmpSyscall::from(syscall_nr); let syscall = ScmpSyscall::from(syscall_nr);
let syscall_name = syscall.get_name().unwrap_or(format!("syscall({syscall_nr})")); let syscall_name = syscall
.get_name()
.unwrap_or(format!("syscall({syscall_nr})"));
log::info!("parent: child {pid} received signal {sig:?} syscall: {syscall_name}({syscall_nr})"); log::info!("parent: child {pid} received signal {sig:?} syscall: {syscall_name}({syscall_nr})");
writeln!(output, "{} {}", pid.as_raw(), syscall_name); if let Err(err) = writeln!(output, "{} {}", pid.as_raw(), syscall_name) {
log::warn!("failed to write to output file: {err}")
}
} }
_ => {}, _ => {}
} }
nix::sys::ptrace::cont(child, None); nix::sys::ptrace::cont(child, None)?;
} }
return Ok(()); return Ok(());
} }
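Review bot: The new `?` on `nix::sys::ptrace::cont(child, None)?;` returns from `main` without stopping the tracee, while the earlier error path in this function (the log-file open failure) explicitly calls `nix::sys::ptrace::kill(child)?` before bailing out; a failed resume therefore leaves the sandboxed child stopped or detached with no tracer watching its syscalls. Making the two paths consistent is a three-line change: `if let Err(err) = nix::sys::ptrace::cont(child, None) { nix::sys::ptrace::kill(child)?; return Err(err.into()); }`. Separately, the `PtraceEvent(pid, sig, _)` arm reads ORIG_RAX from `pid` but always resumes `child`; if the tracer ever sets fork/clone tracing options so that events arrive for a different pid, this resumes the wrong process — worth a comment stating that only the direct child is expected here, or resuming `pid` instead. The enclosing `fn main` starts and ends outside this hunk.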
@ -126,7 +133,10 @@ fn main() -> anyhow::Result<()> {
log::trace!("create filter context..."); log::trace!("create filter context...");
let mut filter = ScmpFilterContext::new_filter(default_action)?; let mut filter = ScmpFilterContext::new_filter(default_action)?;
filter.add_rule(ScmpAction::Allow, ScmpSyscall::from(nix::libc::SYS_execve as i32))?; filter.add_rule(
ScmpAction::Allow,
ScmpSyscall::from(nix::libc::SYS_execve as i32),
)?;
x2t_sandbox_rulegen::generate! { x2t_sandbox_rulegen::generate! {
log::trace!("accepting {}({})", syscall_name, syscall_nr); log::trace!("accepting {}({})", syscall_name, syscall_nr);