<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom">
<id>https://perlbot.pl/blog/tag/plugins/</id>
<title>Perlbot.pl pastebin</title>
<updated>2018-03-16T00:00:00Z</updated>
<link href="https://perlbot.pl/blog/tag/plugins.atom" rel="self" />
<link href="https://perlbot.pl/blog/tag/plugins/" rel="alternate" />
<generator version="0.086">Statocles</generator>

<entry>
<id>https://perlbot.pl/blog/2018/03/16/seccomp-and-us/</id>
<title>Seccomp and Us</title>
<link href="https://perlbot.pl/blog/2018/03/16/seccomp-and-us/" rel="alternate" />
<content type="html"><![CDATA[
<p>Back in October I wrote an article about how I was redesigning the seccomp system inside App::EvalServerAdvanced. A few months ago I finally finished that work and have gotten it ready to document here. I ended up writing most of it as part of the module/project documentation, and you can view it at <a href="https://metacpan.org/pod/App::EvalServerAdvanced::Seccomp">https://metacpan.org/pod/App::EvalServerAdvanced::Seccomp</a> so that it'll always be up to date.
What I didn't document there were the plugins that enable more advanced behavior, since their API hasn't fully been fleshed out, but I don't see them changing much in the future.</p>

<h2>Plugin Types</h2>

<h1>Constant Plugins</h1>

<p>These ones are pretty well defined and not likely to actually change. There are two provided by default, ::Seccomp::Plugin::Constant::POSIX and ::Seccomp::Plugin::Constant::LinuxClone.
POSIX provides most of the constants from POSIX, and LinuxClone provides some that are specific to the clone(2) syscall.</p>

<pre><code>constants:
  plugins:
    - 'POSIX'
    - 'LinuxClone'
  values:
    TCGETS: 0x5401
    FIOCLEX: 0x5451
    FIONBIO: 0x5421
    TIOCGPTN: 0x80045430
</code></pre>

<p>The YAML above pulls in the two plugins (and defines a few constants by hand under <code>values</code>); here's how you use the constants they provide in your rules:</p>

<pre><code>file_readonly:
  include:
    - file_open
  permute:
    open_modes:
      - 'O_NONBLOCK'
      - 'O_EXCL'
      - 'O_RDONLY'
      - 'O_NOFOLLOW'
      - 'O_CLOEXEC'

lang_ruby:
  include:
    - default
  rules:
    - syscall: clone
      tests:
        - [0, '==', 'CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID']
    - syscall: sigaltstack
</code></pre>

<p>So now the rules you write don't need strange magic numbers in them, like 0x80045430, and you don't have to worry so much about portability among architectures, because each name resolves to the right value for the host the filter is built on.</p>

<h1>Rule generating plugins</h1>

<p>These are useful if you need to generate a rule at runtime, either because you need to look up some information that will change
or because you otherwise need to know about what's being generated. The API for these plugins is very likely going to change, to add in
more information that the plugins can use to make rules, such as the code and files being passed in and other information
about the whole setup.</p>

<p><a href="https://github.com/perlbot/App-EvalServerAdvanced/blob/master/lib/App/EvalServerAdvanced/Seccomp/Plugin/ExecWrapper.pm">https://github.com/perlbot/App-EvalServerAdvanced/blob/master/lib/App/EvalServerAdvanced/Seccomp/Plugin/ExecWrapper.pm</a></p>

<p>Tags:
<a href="https://perlbot.pl/blog/tag/perlbot/">perlbot</a>
<a href="https://perlbot.pl/blog/tag/seccomp/">seccomp</a>
<a href="https://perlbot.pl/blog/tag/plugins/">plugins</a>
</p>
]]></content>
<updated>2018-03-16T00:00:00Z</updated>
<category term="perlbot" />
<category term="seccomp" />
<category term="plugins" />
</entry>
</feed>