|
Line
Link Here
|
| 0 |
-- a/paxinc.h |
0 |
++ b/paxinc.h |
|
Lines 22-27
Link Here
|
| 22 |
# define VCSID "<unknown>" |
22 |
# define VCSID "<unknown>" |
| 23 |
#endif |
23 |
#endif |
| 24 |
|
24 |
|
|
|
25 |
#ifdef EBUG |
| 26 |
# define USE_DEBUG 1 |
| 27 |
#else |
| 28 |
# define USE_DEBUG 1 |
| 29 |
#endif |
| 30 |
|
| 25 |
/* ELF love */ |
31 |
/* ELF love */ |
| 26 |
#include "elf.h" |
32 |
#include "elf.h" |
| 27 |
#include "paxelf.h" |
33 |
#include "paxelf.h" |
| 28 |
-- a/porting.h |
34 |
++ b/porting.h |
|
Lines 30-35
Link Here
|
| 30 |
#include <pwd.h> |
30 |
#include <pwd.h> |
| 31 |
#include <regex.h> |
31 |
#include <regex.h> |
| 32 |
#include <sched.h> |
32 |
#include <sched.h> |
|
|
33 |
#include <signal.h> |
| 33 |
#include <stdbool.h> |
34 |
#include <stdbool.h> |
| 34 |
#include <stdio.h> |
35 |
#include <stdio.h> |
| 35 |
#include <stdlib.h> |
36 |
#include <stdlib.h> |
| 36 |
-- a/security.c |
37 |
++ b/security.c |
|
Lines 41-46
static int pax_seccomp_rules_add(scmp_filter_ctx ctx, int syscalls[], size_t num
Link Here
|
| 41 |
} |
41 |
} |
| 42 |
#define pax_seccomp_rules_add(ctx, syscalls) pax_seccomp_rules_add(ctx, syscalls, ARRAY_SIZE(syscalls)) |
42 |
#define pax_seccomp_rules_add(ctx, syscalls) pax_seccomp_rules_add(ctx, syscalls, ARRAY_SIZE(syscalls)) |
| 43 |
|
43 |
|
|
|
44 |
static void pax_seccomp_sigal(int signo, siginfo_t *info, void *context) |
| 45 |
{ |
| 46 |
uint32_t arch; |
| 47 |
warn("seccomp violated: syscall %i", info->si_syscall); |
| 48 |
fflush(stderr); |
| 49 |
arch = seccomp_arch_native(); |
| 50 |
warn(" syscall = %s", seccomp_syscall_resolve_num_arch(arch, info->si_syscall)); |
| 51 |
kill(getpid(), SIGSYS); |
| 52 |
_exit(1); |
| 53 |
} |
| 54 |
|
| 55 |
static void pax_seccomp_signal_init(void) |
| 56 |
{ |
| 57 |
struct sigaction act; |
| 58 |
sigemptyset(&act.sa_mask); |
| 59 |
act.sa_sigaction = pax_seccomp_sigal, |
| 60 |
act.sa_flags = SA_SIGINFO | SA_RESETHAND; |
| 61 |
sigaction(SIGSYS, &act, NULL); |
| 62 |
} |
| 63 |
|
| 44 |
static void pax_seccomp_init(bool allow_forking) |
64 |
static void pax_seccomp_init(bool allow_forking) |
| 45 |
{ |
65 |
{ |
| 46 |
/* Order determines priority (first == lowest prio). */ |
66 |
/* Order determines priority (first == lowest prio). */ |
|
Lines 147-152
static void pax_seccomp_init(bool allow_forking)
Link Here
|
| 147 |
/* We already called prctl. */ |
167 |
/* We already called prctl. */ |
| 148 |
seccomp_attr_set(ctx, SCMP_FLTATR_CTL_NNP, 0); |
168 |
seccomp_attr_set(ctx, SCMP_FLTATR_CTL_NNP, 0); |
| 149 |
|
169 |
|
|
|
170 |
if (USE_DEBUG) |
| 171 |
pax_seccomp_signal_init(); |
| 172 |
|
| 150 |
#ifndef __SANITIZE_ADDRESS__ |
173 |
#ifndef __SANITIZE_ADDRESS__ |
| 151 |
/* ASAN does some weird stuff. */ |
174 |
/* ASAN does some weird stuff. */ |
| 152 |
if (seccomp_load(ctx) < 0) |
175 |
if (seccomp_load(ctx) < 0) |
