<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta content="width=device-width, initial-scale=1" name="viewport">
<link href="/theme/css/normalize.css" rel="stylesheet">
<link href="/theme/css/skeleton.css" rel="stylesheet">
<link href="/theme/css/statocles-default.css" rel="stylesheet">
<link href="//maxcdn.bootstrapcdn.com/font-awesome/4.3.0/css/font-awesome.min.css" rel="stylesheet">
<title>Seccomp and Us - Perlbot.pl pastebin</title>
<meta content="Statocles 0.086" name="generator">
</head>
<body>
<header>
<nav class="navbar">
<div class="container">
<a class="brand" href="/">Perlbot.pl pastebin</a>
<ul>
<li>
<a href="/blog">Blog</a>
</li>
</ul>
</div>
</nav>
</header>
<div class="main container">
<div class="row">
<div class="nine columns">
<main>
<header>
<h1>Seccomp and Us</h1>
<aside>
<time datetime="2018-03-16">
Posted on 2018-03-16
</time>
</aside>
<p class="tags">Tags:
<a href="/blog/tag/perlbot/" rel="tag">perlbot</a>
<a href="/blog/tag/seccomp/" rel="tag">seccomp</a>
<a href="/blog/tag/plugins/" rel="tag">plugins</a>
</p>
</header>
<section id="section-1">
<p>Back in October I wrote an article about how I was redesigning the seccomp system inside App::EvalServerAdvanced. A few months ago I finally finished that work and have now got it ready to document here. I ended up writing most of it as part of the module's own documentation, which you can read at <a href="https://metacpan.org/pod/App::EvalServerAdvanced::Seccomp">https://metacpan.org/pod/App::EvalServerAdvanced::Seccomp</a> so that it will always be up to date. What I didn't document there are the plugins that enable more advanced behavior, since their API hasn't been fully fleshed out yet, though I don't expect them to change much in the future.</p>
<h2>Plugin Types</h2>
<h1>Constant Plugins</h1>
<p>These are pretty well defined and not likely to change. Two are provided by default, ::Seccomp::Plugin::Constant::POSIX and ::Seccomp::Plugin::Constant::LinuxClone. POSIX provides most of the constants from POSIX, along with some specific to the clone(2) syscall.</p>
<pre><code>constants:
  plugins:
    - 'POSIX'
    - 'LinuxClone'
  values:
    TCGETS: 0x5401
    FIOCLEX: 0x5451
    FIONBIO: 0x5421
    TIOCGPTN: 0x80045430
</code></pre>
<p>The YAML above pulls in the two plugins; here is how the constants they provide are then used in rules:</p>
<pre><code>file_readonly:
  include:
    - file_open
  permute:
    open_modes:
      - 'O_NONBLOCK'
      - 'O_EXCL'
      - 'O_RDONLY'
      - 'O_NOFOLLOW'
      - 'O_CLOEXEC'

lang_ruby:
  include:
    - default
  rules:
    - syscall: clone
      tests:
        - [0, '==', 'CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID']
    - syscall: sigaltstack
</code></pre>
<p>So the rules you write no longer need strange magic numbers like 0x80045430 in them, and you no longer have to worry as much about portability between architectures.</p>
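<p>To make concrete what the rule engine has to end up with, here is an added example in Python (not code from App::EvalServerAdvanced, which is written in Perl) that models the two mechanisms used in the YAML above: a constants table filled by plugins, and profiles that <code>include</code> other profiles. It flattens the include chain, detects include cycles, and resolves every <code>tests</code> value such as <code>'CLONE_VM|CLONE_FS|...'</code> to the integer a seccomp argument comparison needs. The profile layout as Python dicts, the <code>default</code> profile with its <code>ioctl</code> rule, and the clone flag values (Linux uapi values) are constructed assumptions for this example; <code>permute</code> and the <code>file_open</code> profile are not modelled.</p>

```python
"""Resolve symbolic seccomp rule profiles into numeric test values.

Added example, not part of App::EvalServerAdvanced. It shows what a
constants plugin plus profile `include` resolution must produce before
rules can be compiled: plain integers per syscall argument.
"""
import re

# What a plugin like ::Constant::LinuxClone would provide. These are the
# standard Linux clone(2) flag values (assumed here; a real plugin would
# supply the values for the architecture it is running on).
LINUX_CLONE = {
    "CLONE_VM": 0x100, "CLONE_FS": 0x200, "CLONE_FILES": 0x400,
    "CLONE_SIGHAND": 0x800, "CLONE_THREAD": 0x10000, "CLONE_SYSVSEM": 0x40000,
    "CLONE_SETTLS": 0x80000, "CLONE_PARENT_SETTID": 0x100000,
    "CLONE_CHILD_CLEARTID": 0x200000,
}
# Values copied from the post's `values:` section.
LOCAL_VALUES = {"TCGETS": 0x5401, "FIOCLEX": 0x5451,
                "FIONBIO": 0x5421, "TIOCGPTN": 0x80045430}

CONSTANTS = {**LINUX_CLONE, **LOCAL_VALUES}

_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def resolve_expr(expr, constants=CONSTANTS):
    """Turn 'CLONE_VM|CLONE_FS', '0x5401' or a bare int into an int.

    Only '|' of names and integer literals is supported. An unknown
    name raises KeyError rather than silently becoming 0, which would
    otherwise turn an intended restriction into a rule that never matches.
    """
    if isinstance(expr, int):
        return expr
    value = 0
    for term in expr.split("|"):
        term = term.strip()
        if _NAME.match(term):
            if term not in constants:
                raise KeyError(f"unknown constant {term!r}")
            value |= constants[term]
        else:
            value |= int(term, 0)  # accepts 0x..., 0o..., decimal
    return value


def resolve_profile(name, profiles, constants=CONSTANTS, _seen=None):
    """Flatten `include` chains (depth first, included rules first) and
    resolve every test value. Returns a list of
    (syscall, [(arg_index, op, int_value), ...]).
    """
    _seen = _seen or ()
    if name in _seen:
        raise ValueError("include cycle: " + " -> ".join(_seen + (name,)))
    profile = profiles[name]  # KeyError if an include names a missing profile
    rules = []
    for parent in profile.get("include", []):
        rules.extend(resolve_profile(parent, profiles, constants, _seen + (name,)))
    for rule in profile.get("rules", []):
        tests = [(idx, op, resolve_expr(val, constants))
                 for idx, op, val in rule.get("tests", [])]
        rules.append((rule["syscall"], tests))
    return rules


# Constructed profiles mirroring the post's `lang_ruby` example; the
# `default` profile and its ioctl rule are assumptions for this example.
PROFILES = {
    "default": {
        "rules": [{"syscall": "ioctl", "tests": [[1, "==", "TIOCGPTN"]]}],
    },
    "lang_ruby": {
        "include": ["default"],
        "rules": [
            {"syscall": "clone",
             "tests": [[0, "==", "CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|"
                                  "CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|"
                                  "CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID"]]},
            {"syscall": "sigaltstack"},
        ],
    },
}

if __name__ == "__main__":
    for syscall, tests in resolve_profile("lang_ruby", PROFILES):
        print(syscall, [(i, op, hex(v)) for i, op, v in tests])
```

The clone mask resolves to 0x3d0f00, the flag combination a threading runtime uses to create a thread, which is exactly the kind of value you would not want to hand-maintain as a literal per architecture.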
<h1>Rule generating plugins</h1>
<p>These are useful if you need to generate a rule at runtime, either because you need to look up some information that will change, or because you otherwise need to know what is being generated. The API for these plugins is very likely to change, to add more information the plugins can use to make rules: things like the code and files being passed in, and other information about the whole setup.</p>
<p>See <a href="https://github.com/perlbot/App-EvalServerAdvanced/blob/master/lib/App/EvalServerAdvanced/Seccomp/Plugin/ExecWrapper.pm">ExecWrapper.pm</a> in the repository for an existing rule-generating plugin.</p>
</section>
<ul class="pager">
<li class="prev">
<a class="button button-primary" href="/blog/2017/10/23/seccomp-and-you/index.html" rel="prev">
← Older
</a>
</li>
<li class="next">
<button disabled>
Newer →
</button>
</li>
</ul>
<h1>Comments</h1>
<section id="isso-thread"></section>
<noscript>Please enable JavaScript to view the comments. I promise it's not doing weird third party crap.</noscript>
<script data-isso="//isso.perlbot.pl/" data-isso-require-author="true" src="//isso.perlbot.pl/js/embed.min.js"></script>
</main>
</div>
<div class="three columns sidebar">
<nav id="tags">
<h1>Tags</h1>
<ul class="list-inline">
<li><a href="/blog/tag/evalserver/">evalserver</a></li>
<li><a href="/blog/tag/perlbot/">perlbot</a></li>
<li><a href="/blog/tag/plugins/">plugins</a></li>
<li><a href="/blog/tag/seccomp/">seccomp</a></li>
</ul>
</nav>
</div>
</div>
</div>
<footer>
<div class="container tagline">
<a href="http://preaction.me/statocles">Made with Statocles</a><br>
<a href="http://www.perl.org">Powered by Perl</a>
</div>
</footer>
</body>
</html>