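--- a/paxinc.h
+++ b/paxinc.h
@@ -22,6 +22,12 @@
 # define VCSID "<unknown>"
 #endif
 
+#ifdef EBUG
+# define USE_DEBUG 1
+#else
+# define USE_DEBUG 1
+#endif
+
 /* ELF love */
 #include "elf.h"
 #include "paxelf.h"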
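Review bot: Both branches of the new `#ifdef EBUG` block define USE_DEBUG as 1, so the conditional is dead and the SIGSYS diagnostic handler gated by `if (USE_DEBUG) pax_seccomp_signal_init();` in the second security.c hunk is installed in every build, not just debug ones. If the intent is debug-only, the else branch should read `# define USE_DEBUG 0`; if the intent is to always install it, the `#ifdef` should go. Either way a one-line comment above the block stating what the macro gates would help, e.g. `/* Non-zero installs the SIGSYS handler that reports seccomp violations (security.c). */`.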
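--- a/porting.h
+++ b/porting.h
@@ -30,6 +30,7 @@
 #include <pwd.h>
 #include <regex.h>
 #include <sched.h>
+#include <signal.h>
 #include <stdbool.h>
 #include <stdio.h>
 #include <stdlib.h>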
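--- a/security.c
+++ b/security.c
@@ -41,6 +41,26 @@ static int pax_seccomp_rules_add(scmp_filter_ctx ctx, int syscalls[], size_t num
 }
 #define pax_seccomp_rules_add(ctx, syscalls) pax_seccomp_rules_add(ctx, syscalls, ARRAY_SIZE(syscalls))
 
+static void pax_seccomp_sigal(int signo, siginfo_t *info, void *context)
+{
+uint32_t arch;
+warn("seccomp violated: syscall %i", info->si_syscall);
+fflush(stderr);
+arch = seccomp_arch_native();
+warn(" syscall = %s", seccomp_syscall_resolve_num_arch(arch, info->si_syscall));
+kill(getpid(), SIGSYS);
+_exit(1);
+}
+
+static void pax_seccomp_signal_init(void)
+{
+struct sigaction act;
+sigemptyset(&act.sa_mask);
+act.sa_sigaction = pax_seccomp_sigal,
+act.sa_flags = SA_SIGINFO | SA_RESETHAND;
+sigaction(SIGSYS, &act, NULL);
+}
+
 static void pax_seccomp_init(bool allow_forking)
 {
 /* Order determines priority (first == lowest prio). */
@@ -147,6 +167,9 @@ static void pax_seccomp_init(bool allow_forking)
 /* We already called prctl. */
 seccomp_attr_set(ctx, SCMP_FLTATR_CTL_NNP, 0);
 
+if (USE_DEBUG)
+pax_seccomp_signal_init();
+
 #ifndef __SANITIZE_ADDRESS__
 /* ASAN does some weird stuff. */
 if (seccomp_load(ctx) < 0)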
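Review bot: In the first hunk, pax_seccomp_signal_init declares `struct sigaction act;` and fills in only sa_mask, sa_sigaction and sa_flags, so the remaining members are handed to sigaction() indeterminate; use `struct sigaction act = {0};` (or memset) before sigemptyset, and the comma in the following line `act.sa_sigaction = pax_seccomp_sigal,` is presumably meant to be a semicolon — it compiles as a comma expression but reads as a typo. In pax_seccomp_sigal, `kill(getpid(), SIGSYS);` is immediately followed by `_exit(1);`; as far as I can tell, on Linux SIGSYS is added to the signal mask while its own handler runs, so the re-raised signal stays pending and the process exits with status 1 before the SIG_DFL action that SA_RESETHAND arranged can fire, which makes one of the two calls redundant and deserves a comment stating which outcome (exit code 1 or the default SIGSYS termination) is wanted. The handler also calls warn() and seccomp_syscall_resolve_num_arch(), neither of which is async-signal-safe, and the string the latter allocates is never freed; that is tolerable on a diagnostic path that terminates, but worth noting with `/* Not async-signal-safe; acceptable only because we exit right after. */`. The return value of sigaction() goes unchecked as well.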