main: make the set of system calls allowed in sandbox tunable

Signed-off-by: Masatake YAMATO <yamato@redhat.com>

Author: masatake

main/interactive_p.h

@@ -31,7 +31,12 @@ bool jsonErrorPrinter (const errorSelection selection, const char *const format,
 #endif
 
 void interactiveOneshot (cookedArgs *args, void *user);
-int installSyscallFilter (void);
+
+enum syscallSet {
+	syscall_coreset    = 1 << 0,
+};
+
+int installSyscallFilter (unsigned int set);
 
 #endif  /* CTAGS_MAIN_INTERACTIVE_H */
 

main/main.c

@@ -391,9 +391,9 @@ static void batchMakeTags (cookedArgs *args, void *user CTAGS_ATTR_UNUSED)
 #undef timeStamp
 }
 
-static void prepareSandbox (void)
+static void prepareSandbox (unsigned int set)
 {
-	if (installSyscallFilter ()) {
+	if (installSyscallFilter (set)) {
 		error (FATAL, "install_syscall_filter failed");
 		/* The explicit exit call is needed because
 		   "error (FATAL,..." just prints a message in
@@ -408,7 +408,7 @@ void interactiveLoop (cookedArgs *args CTAGS_ATTR_UNUSED, void *user)
 	struct interactiveModeArgs *iargs = user;
 
 	if (iargs->sandbox)
-		prepareSandbox ();
+		prepareSandbox (syscall_coreset);
 
 	char buffer[1024];
 	json_t *request;
@@ -521,7 +521,7 @@ extern void interactiveOneshot (cookedArgs *args CTAGS_ATTR_UNUSED, void *user)
 	Assert (iargs->fname);
 
 	if (iargs->sandbox)
-		prepareSandbox ();
+		prepareSandbox (syscall_coreset);
 
 	oneshotCommon (iargs->fname, iargs->limit, iargs->sandbox);
 }

main/seccomp.c

@@ -17,15 +17,8 @@
 #include <seccomp.h>
 
 
-int installSyscallFilter (void)
+static void installSyscallCoresetFilter(scmp_filter_ctx ctx)
 {
-	// Use SCMP_ACT_TRAP to get a core dump.
-	scmp_filter_ctx ctx = seccomp_init (SCMP_ACT_KILL);
-	if (ctx == NULL)
-	{
-		return 1;
-	}
-
 	// Memory allocation.
 	seccomp_rule_add (ctx, SCMP_ACT_ALLOW, SCMP_SYS (mmap), 0);
 	seccomp_rule_add (ctx, SCMP_ACT_ALLOW, SCMP_SYS (munmap), 0);
@@ -61,7 +54,23 @@ int installSyscallFilter (void)
 	// libxml2 uses pthread_once, which in turn uses a futex
 	seccomp_rule_add (ctx, SCMP_ACT_ALLOW, SCMP_SYS (futex), 0);
 
-	verbose ("Entering sandbox\n");
+	verbose ("coreset ");
+}
+
+int installSyscallFilter (unsigned int set)
+{
+	// Use SCMP_ACT_TRAP to get a core dump.
+	scmp_filter_ctx ctx = seccomp_init (SCMP_ACT_KILL);
+	if (ctx == NULL)
+	{
+		return 1;
+	}
+
+	verbose ("Entering sandbox (");
+	if (set & syscall_coreset)
+		installSyscallCoresetFilter (ctx);
+	verbose (")\n");
+
 	int err = seccomp_load (ctx);
 	if (err < 0)
 	{
@@ -81,7 +90,7 @@ int installSyscallFilter (void)
  */
 
 #else
-int installSyscallFilter (void)
+int installSyscallFilter (unsigned int set)
 {
 	AssertNotReached ();
 	return -1;