Add seccomp system call filter
This adds back the seccomp filter, but focusing on potentially hazardous
system calls rather than filtering network access.

The filter itself is almost identical to Docker's seccomp filter, with
the exception of focusing only on the system calls allowed without
privileges, while Docker allows additional system calls with appropriate
capabilities present.

Closes #48.
cd-work committed Oct 6, 2023
1 parent 77db8aa commit 8f5a7df
Showing 5 changed files with 468 additions and 0 deletions.
6 changes: 6 additions & 0 deletions Cargo.toml
Expand Up @@ -49,7 +49,13 @@ name = "consistent_id_mappings"
path = "tests/consistent_id_mappings.rs"
harness = false

[[test]]
name = "seccomp"
path = "tests/seccomp.rs"
harness = false

[target.'cfg(target_os = "linux")'.dependencies]
seccompiler = "0.3.0"
libc = "0.2.132"

[dev-dependencies]
23 changes: 23 additions & 0 deletions src/error.rs
Expand Up @@ -7,12 +7,19 @@ use std::fmt::{self, Display, Formatter};
use std::io::Error as IoError;
use std::result::Result as StdResult;

#[cfg(target_os = "linux")]
use seccompiler::{BackendError, Error as SeccompError};

/// Birdcage result type.
pub type Result<T> = StdResult<T, Error>;

/// Sandboxing error.
#[derive(Debug)]
pub enum Error {
/// Seccomp errors.
#[cfg(target_os = "linux")]
Seccomp(SeccompError),

/// Invalid sandbox exception path.
#[cfg(target_os = "macos")]
InvalidPath(InvalidPathError),
Expand All @@ -29,6 +36,8 @@ impl StdError for Error {}
impl Display for Error {
fn fmt(&self, f: &mut Formatter<'_>) -> fmt::Result {
match self {
#[cfg(target_os = "linux")]
Self::Seccomp(error) => write!(f, "seccomp error: {error}"),
#[cfg(target_os = "macos")]
Self::InvalidPath(error) => write!(f, "invalid path: {error:?}"),
Self::Io(error) => write!(f, "input/output error: {error}"),
Expand All @@ -39,6 +48,20 @@ impl Display for Error {
}
}

#[cfg(target_os = "linux")]
impl From<SeccompError> for Error {
fn from(error: SeccompError) -> Self {
Self::Seccomp(error)
}
}

#[cfg(target_os = "linux")]
impl From<BackendError> for Error {
fn from(error: BackendError) -> Self {
Self::Seccomp(SeccompError::Backend(error))
}
}

#[cfg(target_os = "macos")]
impl From<InvalidPathError> for Error {
fn from(error: InvalidPathError) -> Self {
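Review bot: The doc comment on the new `Seccomp` variant in the first hunk, `/// Seccomp errors.`, says less than the two `From` impls further down establish: the variant receives a `seccompiler::Error` directly and also a `BackendError` that `From<BackendError>` wraps into `SeccompError::Backend`, so a reader of the enum cannot tell from the variant alone which stage of seccomp setup failed. Suggest `/// Error while building or installing the seccomp filter; wraps seccompiler's error types, with `BackendError` folded into `SeccompError::Backend`.` The `Display` arm forwards the inner error with `{error}`, so the user-visible message is whatever seccompiler reports; that is reasonable, but worth a one-line note on the arm if the project elsewhere prefers its own wording over a dependency's. The `Error` enum and the `impl Display` both start outside their hunks.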
5 changes: 5 additions & 0 deletions src/linux/mod.rs
Expand Up @@ -6,9 +6,11 @@ use std::path::PathBuf;

use crate::error::Result;
use crate::linux::namespaces::MountFlags;
use crate::linux::seccomp::SyscallFilter;
use crate::{Exception, Sandbox};

mod namespaces;
mod seccomp;

/// Linux sandboxing.
#[derive(Default)]
Expand Down Expand Up @@ -68,6 +70,9 @@ impl Sandbox for LinuxSandbox {
// Setup namespaces.
namespaces::create_namespaces(self.allow_networking, self.bind_mounts)?;

// Setup seccomp filters.
SyscallFilter::apply()?;

// Block suid/sgid.
//
// This is also blocked by our bind mount's MS_NOSUID flag, so we're just
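Review bot: `SyscallFilter::apply()?` runs after `create_namespaces` but before the suid/sgid step that follows it, so every system call the rest of this method performs from that point on must be on the allowlist in `src/linux/seccomp.rs` (not part of this view); a missing entry would surface as the filter failing or killing the process during sandbox setup rather than when the sandboxed workload runs. The comment `// Setup seccomp filters.` should record that ordering dependency, e.g. `// Install the seccomp filter. Every syscall made below this point must be permitted by the filter.` Installing a seccomp filter without CAP_SYS_ADMIN also requires the `no_new_privs` bit to already be set, which matters here because the commit message scopes the filter to unprivileged use; whether `SyscallFilter::apply` sets it itself is not visible, and if it does not, and the suid/sgid step below is that prctl, the two steps need to swap order. The enclosing `Sandbox` impl method starts and ends outside the hunk.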