- Subject: Allow only the ioctls we use (Shankara Pailoor)
- Origin: FILE5_37-29-gfa46ca9d <https://github.com/file/file/commit/FILE5_37-29-gfa46ca9d>
- Upstream-Author: Christos Zoulas <christos@zoulas.com>
- Date: Fri Jun 21 16:44:23 2019 +0000
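--- a/src/seccomp.c
+++ b/src/seccomp.c
@@ -33,6 +33,7 @@
 #if HAVE_LIBSECCOMP
 #include <seccomp.h> /* libseccomp */
 #include <sys/prctl.h> /* prctl */
+#include <sys/ioctl.h>
 #include <sys/socket.h>
 #include <fcntl.h>
 #include <stdlib.h>
@@ -49,8 +50,14 @@
 goto out; \
 while (/*CONSTCOND*/0)
 
-static scmp_filter_ctx ctx;
+#define ALLOW_IOCTL_RULE(param) \
+ do \
+ if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(ioctl), 1, \
+ SCMP_CMP(1, SCMP_CMP_EQ, param)) == -1) \
+ goto out; \
+ while (/*CONSTCOND*/0)
 
+static scmp_filter_ctx ctx;
 
 int
 enable_sandbox_basic(void)
@@ -171,7 +178,14 @@
 #ifdef __NR_getdents64
 ALLOW_RULE(getdents64);
 #endif
- ALLOW_RULE(ioctl);
+#ifdef FIONREAD
+ // called in src/compress.c under sread
+ ALLOW_IOCTL_RULE(FIONREAD);
+#endif
+#ifdef TIOCGWINSZ
+ // musl libc may call ioctl TIOCGWINSZ when calling stdout
+ ALLOW_IOCTL_RULE(TIOCGWINSZ);
+#endif
 ALLOW_RULE(lseek);
 ALLOW_RULE(_llseek);
 ALLOW_RULE(lstat);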
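Review bot: The new ioctl allowlist in enable_sandbox_basic covers only FIONREAD and TIOCGWINSZ, so any other request the C library issues on the program's behalf now falls through to the filter's default action, which is set outside this hunk. The TIOCGWINSZ comment documents the musl case only; it is worth confirming on glibc with stdout attached to a terminal whether stdio's tty probe issues TCGETS, and if it does adding `#ifdef TCGETS` / `ALLOW_IOCTL_RULE(TCGETS);` / `#endif` with a comment naming the caller. A sandbox that kills the tool in ordinary interactive use tends to get switched off by users, which defeats the hardening. Separately, `SCMP_CMP(1, SCMP_CMP_EQ, param)` compares the full 64-bit argument register; a short comment on ALLOW_IOCTL_RULE saying the request constants are expected to be small positive values (so sign extension by an `int`-typed libc prototype cannot break the match) would help the next maintainer who adds a request. The body of enable_sandbox_basic starts and ends outside the hunk.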