mooa

Lua + libev + sandboxing

commit 4f889169ade576de6fc1b7d25036bdec881fdb97
parent cff8d71d56b256c5770d0f6c56f4abad3953fb24
Author: Sean Lynch <seanl@literati.org>
Date:   Tue, 23 Feb 2016 21:43:00 -0800

Complete syscall whitelist

Diffstat:
MMakefile | 2+-
Mmooa.c | 18+++++++++++++++++-
Mtask.c | 2++
3 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/Makefile b/Makefile
@@ -1,7 +1,7 @@
 CC = clang
 CFLAGS += -std=c99 -g -O0 \
 -fPIE -fstack-protector-strong \
- -DVERSION=\"$(shell git describe)\"
+ -DVERSION=\"$(shell git describe --tags)\"
 LINT=splint
 LUA_CFLAGS=$(pkg-config --cflags lua)
 LIBS=$(shell pkg-config --libs lua) -lev -ludns
diff --git a/mooa.c b/mooa.c
@@ -99,7 +99,7 @@ static int get_syscall_nr(const char *name) {
 static void install_seccomp_filter(const char *syscalls[]) {
- scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_TRACE(1));
+ scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_TRAP);
 if (!ctx) {
 errx(EXIT_FAILURE, "Failed to init seccomp");
 }
@@ -160,12 +160,28 @@ int main(void) {
 lua_State *L;
 const char *whitelist[] = {
 "brk",
+ "close",
+ "connect",
+ "epoll_create1",
+ "epoll_ctl",
 "epoll_wait",
+ "eventfd2",
+ "exit",
+ "exit_group",
+ "fcntl",
 "fstat",
+ "getegid",
+ "geteuid",
+ "getgid",
 "gettid",
+ "getuid",
 "mmap",
+ "read",
+ "recvfrom",
 "rt_sigaction",
 "rt_sigprocmask",
+ "sendto",
+ "socket",
 "tgkill",
 "write",
 NULL
diff --git a/task.c b/task.c
@@ -159,11 +159,13 @@ static void mooa_task_step(mooa_task_t *task) {
 static void mooa_task_timer_cb(struct ev_loop *loop, ev_timer *timer, int revents) {
+#pragma unused(loop, revents)
 mooa_task_schedule((mooa_task_t *)timer->data, 0);
 }
 static void mooa_task_io_cb(struct ev_loop *loop, ev_io *io, int revents) {
+#pragma unused(revents)
 ev_io_stop(loop, io);
 mooa_task_schedule((mooa_task_t *)io->data, 0);
 }
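Review bot: `LUA_CFLAGS=$(pkg-config --cflags lua)`, two lines below the changed `-DVERSION` line, is a Make variable reference rather than a shell substitution, so it expands to nothing and the Lua include path is never handed to the compiler; it should read `LUA_CFLAGS=$(shell pkg-config --cflags lua)`, matching the `LIBS` line beneath it. Separately, `-fPIE` in CFLAGS only produces an ASLR-randomised executable if the link step also passes `-pie`; LDFLAGS is outside this hunk, so that may already be handled, but it is worth confirming since this binary is meant to be a sandbox boundary. The visible `LIBS` line also lists no `-lseccomp` although mooa.c calls `seccomp_init`, so unless it is appended further down the Makefile the link will fail.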
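Review bot: Switching the default action to `SCMP_ACT_TRAP` means a disallowed syscall raises SIGSYS instead of ending the process, and since `rt_sigaction` remains on the whitelist added later in this commit, code that has gained control inside the sandbox can install a SIGSYS handler and keep running after every blocked call. For a sandbox whose purpose is containment rather than debugging, `seccomp_init(SCMP_ACT_KILL)` (or `SCMP_ACT_KILL_PROCESS` where the installed libseccomp provides it) is the safer default; if TRAP is wanted for a diagnostic build, gate it behind a compile-time flag and mark the line with `/* TRAP: SIGSYS is catchable; use SCMP_ACT_KILL for production sandboxing */`. Whether a SIGSYS handler is installed elsewhere in mooa.c is not visible from this hunk. install_seccomp_filter continues past the end of the hunk.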
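Review bot: The new `socket`, `connect`, `sendto` and `recvfrom` entries carry no argument constraints, so the sandboxed Lua state may open any socket family and type the kernel permits (AF_UNIX, AF_NETLINK, raw sockets if privileged) and connect anywhere, which is far broader than a DNS or HTTP client needs; because install_seccomp_filter only accepts a name list, consider a second table of argument-filtered rules so `socket` can be limited with `seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket), 1, SCMP_A0(SCMP_CMP_EQ, AF_INET))` and the same for AF_INET6. `mmap` is allowed but `munmap`, `mremap` and `mprotect` are not; glibc's allocator normally releases large blocks with munmap and grows them with mremap, so the first free of such a block, plausibly during Lua garbage collection, would trap without any sandbox violation having occurred. `fcntl` and `mmap` are likewise unconstrained, so F_SETFL/F_DUPFD and PROT_EXEC mappings are all permitted. I cannot tell from this hunk which syscalls the program really exercises, so the missing-syscall point should be confirmed under strace before this list is treated as complete.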
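Review bot: `#pragma unused(loop, revents)` and `#pragma unused(revents)` are a clang extension; GCC ignores the pragma with a warning and any -Wunused-parameter diagnostic stays, so the file is only warning-clean because the Makefile pins `CC = clang`. The portable form is `(void)loop; (void)revents;` as the first statement of mooa_task_timer_cb and `(void)revents;` in mooa_task_io_cb, which both compilers accept without comment. Both callbacks are complete within the hunk.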