config: support seccomp filters
authorRobert Swiecki <robert@swiecki.net>
Fri, 26 May 2017 23:35:00 +0000 (01:35 +0200)
committerRobert Swiecki <robert@swiecki.net>
Fri, 26 May 2017 23:35:00 +0000 (01:35 +0200)
config.c
config.example
config.pb-c.c
config.pb-c.h
config.proto

index f7069fa842b79231a0b87fa05877a235d1d52ea9..1bc5aa1da04cc410fbc6d6b312db9341d851f085 100644 (file)
--- a/config.c
+++ b/config.c
@@ -199,6 +199,19 @@ static bool configParseInternal(struct nsjconf_t *nsjconf, Nsjail__NsJailConfig
                TAILQ_INSERT_TAIL(&nsjconf->mountpts, p, pointers);
        }
 
+       nsjconf->mount_proc = njc->mount_proc;
+
+       if (njc->seccomp_policy_file) {
+               if ((nsjconf->kafel_file = fopen(njc->seccomp_policy_file, "rb")) == NULL) {
+                       PLOG_W("Couldn't open file with seccomp policy '%s'",
+                              njc->seccomp_policy_file);
+                       return false;
+               }
+       }
+       if (njc->seccomp_string) {
+               nsjconf->kafel_string = utilStrDup(njc->seccomp_string);
+       }
+
        return true;
 }
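Review bot: Nothing in the added block rejects a config that sets both `seccomp_policy_file` and `seccomp_string`. Both `nsjconf->kafel_file` and `nsjconf->kafel_string` are then populated, and which policy actually gets compiled is decided outside this hunk, so an operator may believe a different filter is in force than the one applied. I would fail closed before the `fopen()`, e.g. `if (njc->seccomp_policy_file && njc->seccomp_string) { LOG_W("seccomp_policy_file and seccomp_string are mutually exclusive"); return false; }`. The assignment to `kafel_file` also overwrites any handle already stored there without closing it (relevant if a command-line option can set it first), and the result of `utilStrDup()` is used unchecked unless that helper aborts on allocation failure. configParseInternal starts above the hunk.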
 
index 1ab09dab70fbc8a9499b249968d2661e9bf844fd..4667015000ef10bf7a124f0215157f49efd65349 100644 (file)
@@ -77,3 +77,11 @@ mount {
        is_ro: false
        is_bind: true
 }
+
+seccomp_string: "
+       POLICY example {
+               ERRNO(1337) { geteuid },
+               KILL { syslog }
+       }
+       USE example DEFAULT ALLOW
+"
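Review bot: The sample policy ends in `USE example DEFAULT ALLOW`, a denylist that lets every syscall through except the two it names, and sample configs tend to be copied verbatim into real deployments. A comment line above `seccomp_string:` would make the intent clear, for example `# Demonstration only: DEFAULT ALLOW is a denylist; for untrusted code prefer an allow-list policy ending in DEFAULT KILL`. A second short comment could say that `ERRNO(1337)` is an arbitrary value chosen to make the filter's effect easy to observe.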
index e45d6a34ee2131545a2018130a21f05bbd72ad8e..99ea60158049e30994925a0e5c7fc981d6aa4ebb 100644 (file)
@@ -351,7 +351,8 @@ static const protobuf_c_boolean nsjail__ns_jail_config__clone_newpid__default_va
 static const protobuf_c_boolean nsjail__ns_jail_config__clone_newipc__default_value = 1;
 static const protobuf_c_boolean nsjail__ns_jail_config__clone_newuts__default_value = 1;
 static const protobuf_c_boolean nsjail__ns_jail_config__clone_newcgroup__default_value = 0;
-static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[40] = {
+static const protobuf_c_boolean nsjail__ns_jail_config__mount_proc__default_value = 1;
+static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[43] = {
        {
         "mode",
         1,
@@ -832,6 +833,42 @@ static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[
         0,                     /* flags */
         0, NULL, NULL          /* reserved1,reserved2, etc */
         },
+       {
+        "mount_proc",
+        43,
+        PROTOBUF_C_LABEL_REQUIRED,
+        PROTOBUF_C_TYPE_BOOL,
+        0,                     /* quantifier_offset */
+        offsetof(Nsjail__NsJailConfig, mount_proc),
+        NULL,
+        &nsjail__ns_jail_config__mount_proc__default_value,
+        0,                     /* flags */
+        0, NULL, NULL          /* reserved1,reserved2, etc */
+        },
+       {
+        "seccomp_policy_file",
+        44,
+        PROTOBUF_C_LABEL_OPTIONAL,
+        PROTOBUF_C_TYPE_STRING,
+        0,                     /* quantifier_offset */
+        offsetof(Nsjail__NsJailConfig, seccomp_policy_file),
+        NULL,
+        NULL,
+        0,                     /* flags */
+        0, NULL, NULL          /* reserved1,reserved2, etc */
+        },
+       {
+        "seccomp_string",
+        45,
+        PROTOBUF_C_LABEL_OPTIONAL,
+        PROTOBUF_C_TYPE_STRING,
+        0,                     /* quantifier_offset */
+        offsetof(Nsjail__NsJailConfig, seccomp_string),
+        NULL,
+        NULL,
+        0,                     /* flags */
+        0, NULL, NULL          /* reserved1,reserved2, etc */
+        },
 };
 
 static const unsigned nsjail__ns_jail_config__field_indices_by_name[] = {
@@ -856,6 +893,7 @@ static const unsigned nsjail__ns_jail_config__field_indices_by_name[] = {
        7,                      /* field[7] = max_conns_per_ip */
        0,                      /* field[0] = mode */
        39,                     /* field[39] = mount */
+       40,                     /* field[40] = mount_proc */
        15,                     /* field[15] = pass_fd */
        25,                     /* field[25] = persona_addr_compat_layout */
        28,                     /* field[28] = persona_addr_limit_3gb */
@@ -871,6 +909,8 @@ static const unsigned nsjail__ns_jail_config__field_indices_by_name[] = {
        22,                     /* field[22] = rlimit_nofile */
        23,                     /* field[23] = rlimit_nproc */
        24,                     /* field[24] = rlimit_stack */
+       41,                     /* field[41] = seccomp_policy_file */
+       42,                     /* field[42] = seccomp_string */
        13,                     /* field[13] = silent */
        14,                     /* field[14] = skip_setsid */
        8,                      /* field[8] = time_limit */
@@ -880,7 +920,7 @@ static const unsigned nsjail__ns_jail_config__field_indices_by_name[] = {
 static const ProtobufCIntRange nsjail__ns_jail_config__number_ranges[2 + 1] = {
        {1, 0},
        {6, 3},
-       {0, 40}
+       {0, 43}
 };
 
 const ProtobufCMessageDescriptor nsjail__ns_jail_config__descriptor = {
@@ -890,7 +930,7 @@ const ProtobufCMessageDescriptor nsjail__ns_jail_config__descriptor = {
        "Nsjail__NsJailConfig",
        "nsjail",
        sizeof(Nsjail__NsJailConfig),
-       40,
+       43,
        nsjail__ns_jail_config__field_descriptors,
        nsjail__ns_jail_config__field_indices_by_name,
        2, nsjail__ns_jail_config__number_ranges,
index f1ec50c4c3abe9ed353c46f838a90a6eeeb815ca..e4298b2ca3701ab4ecc743ef305b9d13953a7773 100644 (file)
@@ -112,13 +112,16 @@ struct _Nsjail__NsJailConfig {
        Nsjail__IdMap **gidmap;
        size_t n_mount;
        Nsjail__MountPt **mount;
+       protobuf_c_boolean mount_proc;
+       char *seccomp_policy_file;
+       char *seccomp_string;
 };
 extern char nsjail__ns_jail_config__hostname__default_value[];
 extern char nsjail__ns_jail_config__cwd__default_value[];
 extern char nsjail__ns_jail_config__bindhost__default_value[];
 #define NSJAIL__NS_JAIL_CONFIG__INIT \
  { PROTOBUF_C_MESSAGE_INIT (&nsjail__ns_jail_config__descriptor) \
-    , NSJAIL__MODE__ONCE, NULL, 0, nsjail__ns_jail_config__hostname__default_value, nsjail__ns_jail_config__cwd__default_value, 0u, nsjail__ns_jail_config__bindhost__default_value, 0u, 600u, 0, NULL, 0,0, 0, 0, 0, 0,NULL, 0, 0, 512ull, 0ull, 600ull, 1ull, 32ull, 0,0, 0,0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 1, 1, 0, 0,NULL, 0,NULL, 0,NULL }
+    , NSJAIL__MODE__ONCE, NULL, 0, nsjail__ns_jail_config__hostname__default_value, nsjail__ns_jail_config__cwd__default_value, 0u, nsjail__ns_jail_config__bindhost__default_value, 0u, 600u, 0, NULL, 0,0, 0, 0, 0, 0,NULL, 0, 0, 512ull, 0ull, 600ull, 1ull, 32ull, 0,0, 0,0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 1, 1, 0, 0,NULL, 0,NULL, 0,NULL, 1, NULL, NULL }
 
 /* Nsjail__IdMap methods */
 void nsjail__id_map__init(Nsjail__IdMap * message);
index 9372699f9c32889948ba28b27ecfc1edd265aa25..5d0e21bf471a6a11755dcf48555822728c7cbe0c 100644 (file)
@@ -82,4 +82,7 @@ message NsJailConfig {
        repeated IdMap gidmap = 41;
 
        repeated MountPt mount = 42;
+       required bool mount_proc = 43 [default = true];
+       optional string seccomp_policy_file = 44;
+       optional string seccomp_string = 45;
 }
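Review bot: `mount_proc` is declared `required` and also given `[default = true]`, which work against each other in proto2: a required field has to be present in every message, so the default is never what a reader gets from an omitted field. Configs written before this commit may be rejected by the parser; the config.example hunk in this same commit does not add `mount_proc`. I would declare it `optional bool mount_proc = 43 [default = true];` so that omitting the field yields the default. The generated config.pb-c.c would then need regenerating so the descriptor no longer carries `PROTOBUF_C_LABEL_REQUIRED`.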