@sysid/sandbox-runtime-improved 0.0.43-sysid.6 → 0.0.49-sysid.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (36) hide show
  1. package/README.md +24 -34
  2. package/dist/sandbox/generate-seccomp-filter.d.ts +0 -51
  3. package/dist/sandbox/generate-seccomp-filter.d.ts.map +1 -1
  4. package/dist/sandbox/generate-seccomp-filter.js +0 -106
  5. package/dist/sandbox/generate-seccomp-filter.js.map +1 -1
  6. package/dist/sandbox/linux-sandbox-utils.d.ts +21 -19
  7. package/dist/sandbox/linux-sandbox-utils.d.ts.map +1 -1
  8. package/dist/sandbox/linux-sandbox-utils.js +190 -118
  9. package/dist/sandbox/linux-sandbox-utils.js.map +1 -1
  10. package/dist/sandbox/macos-sandbox-utils.d.ts +1 -1
  11. package/dist/sandbox/macos-sandbox-utils.d.ts.map +1 -1
  12. package/dist/sandbox/macos-sandbox-utils.js +50 -20
  13. package/dist/sandbox/macos-sandbox-utils.js.map +1 -1
  14. package/dist/sandbox/sandbox-config.d.ts +16 -12
  15. package/dist/sandbox/sandbox-config.d.ts.map +1 -1
  16. package/dist/sandbox/sandbox-config.js +17 -10
  17. package/dist/sandbox/sandbox-config.js.map +1 -1
  18. package/dist/sandbox/sandbox-manager.d.ts +1 -1
  19. package/dist/sandbox/sandbox-manager.d.ts.map +1 -1
  20. package/dist/sandbox/sandbox-manager.js +9 -11
  21. package/dist/sandbox/sandbox-manager.js.map +1 -1
  22. package/dist/vendor/seccomp/build.ts +91 -0
  23. package/dist/vendor/seccomp-src/apply-seccomp.c +232 -50
  24. package/dist/vendor/seccomp-src/seccomp-unix-block.c +50 -3
  25. package/package.json +3 -8
  26. package/vendor/seccomp/build.ts +91 -0
  27. package/vendor/seccomp-src/apply-seccomp.c +232 -50
  28. package/vendor/seccomp-src/seccomp-unix-block.c +50 -3
  29. package/dist/vendor/seccomp/arm64/apply-seccomp +0 -0
  30. package/dist/vendor/seccomp/arm64/unix-block.bpf +0 -0
  31. package/dist/vendor/seccomp/x64/apply-seccomp +0 -0
  32. package/dist/vendor/seccomp/x64/unix-block.bpf +0 -0
  33. package/vendor/seccomp/arm64/apply-seccomp +0 -0
  34. package/vendor/seccomp/arm64/unix-block.bpf +0 -0
  35. package/vendor/seccomp/x64/apply-seccomp +0 -0
  36. package/vendor/seccomp/x64/unix-block.bpf +0 -0
@@ -0,0 +1,91 @@
1
+ import { spawnSync } from 'node:child_process'
2
+ import { mkdirSync, readFileSync, rmSync, writeFileSync } from 'node:fs'
3
+ import { dirname, join } from 'node:path'
4
+ import { fileURLToPath } from 'node:url'
5
+
6
+ if (process.platform !== 'linux') {
7
+ console.error('seccomp build: Linux only')
8
+ process.exit(1)
9
+ }
10
+
11
+ const HERE = dirname(fileURLToPath(import.meta.url))
12
+ const SRC = join(HERE, '..', 'seccomp-src')
13
+
14
+ const nodeArchToDir: Record<string, string> = { x64: 'x64', arm64: 'arm64' }
15
+ const arch = nodeArchToDir[process.arch]
16
+ if (!arch) {
17
+ console.error('seccomp build: unsupported arch ' + process.arch)
18
+ process.exit(1)
19
+ }
20
+ const OUT = join(HERE, arch)
21
+
22
+ function run(argv: string[]): void {
23
+ const [cmd, ...args] = argv
24
+ const r = spawnSync(cmd, args, { stdio: 'inherit' })
25
+ if (r.status !== 0) {
26
+ console.error(argv.join(' ') + ' exited ' + (r.status ?? r.signal))
27
+ process.exit(1)
28
+ }
29
+ }
30
+
31
+ function toCArray(bytes: Buffer): string {
32
+ const hex = Array.from(bytes, b => '0x' + b.toString(16).padStart(2, '0'))
33
+ const lines: string[] = []
34
+ for (let i = 0; i < hex.length; i += 8) {
35
+ lines.push(' ' + hex.slice(i, i + 8).join(', ') + ',')
36
+ }
37
+ return lines.join('\n')
38
+ }
39
+
40
+ mkdirSync(OUT, { recursive: true })
41
+
42
+ const cflags = ['-static', '-O2', '-Wall', '-Wextra']
43
+
44
+ const gen = join(OUT, 'seccomp-unix-block')
45
+ run([
46
+ 'gcc',
47
+ ...cflags,
48
+ '-o',
49
+ gen,
50
+ join(SRC, 'seccomp-unix-block.c'),
51
+ '-lseccomp',
52
+ ])
53
+
54
+ const bpf: Record<string, Buffer> = {}
55
+ for (const target of ['x86_64', 'aarch64']) {
56
+ const tmp = join(OUT, target + '.bpf')
57
+ run([gen, tmp, target])
58
+ bpf[target] = readFileSync(tmp)
59
+ rmSync(tmp)
60
+ }
61
+ rmSync(gen)
62
+
63
+ const header = join(OUT, 'unix-block-bpf.h')
64
+ writeFileSync(
65
+ header,
66
+ '#if defined(__x86_64__)\n' +
67
+ 'static const unsigned char unix_block_bpf[] = {\n' +
68
+ toCArray(bpf.x86_64) +
69
+ '\n};\n' +
70
+ '#elif defined(__aarch64__)\n' +
71
+ 'static const unsigned char unix_block_bpf[] = {\n' +
72
+ toCArray(bpf.aarch64) +
73
+ '\n};\n' +
74
+ '#else\n' +
75
+ '#error "unsupported architecture for unix-block BPF filter"\n' +
76
+ '#endif\n',
77
+ )
78
+
79
+ run([
80
+ 'gcc',
81
+ ...cflags,
82
+ '-I',
83
+ OUT,
84
+ '-o',
85
+ join(OUT, 'apply-seccomp'),
86
+ join(SRC, 'apply-seccomp.c'),
87
+ ])
88
+ run(['strip', join(OUT, 'apply-seccomp')])
89
+ rmSync(header)
90
+
91
+ console.log('built ' + join(OUT, 'apply-seccomp'))
@@ -1,98 +1,280 @@
1
1
  /*
2
- * apply-seccomp.c - Apply seccomp BPF filter and exec command
2
+ * apply-seccomp.c - Apply seccomp BPF filter in an isolated PID namespace
3
3
  *
4
- * Usage: apply-seccomp <filter.bpf> <command> [args...]
4
+ * Usage: apply-seccomp <command> [args...]
5
5
  *
6
- * This program reads a pre-compiled BPF filter from a file, applies it
7
- * using prctl(PR_SET_SECCOMP), and then execs the specified command.
6
+ * This program applies a baked-in seccomp BPF filter, isolates the
7
+ * target command in a nested user+PID+mount namespace so it cannot see or
8
+ * ptrace any process that lacks the filter, applies the filter with
9
+ * prctl(PR_SET_SECCOMP), and execs the command.
8
10
  *
9
- * The BPF filter must be in the format expected by SECCOMP_MODE_FILTER:
10
- * - struct sock_fprog { unsigned short len; struct sock_filter *filter; }
11
- * - Each filter instruction is 8 bytes (BPF instruction format)
11
+ * Process layout inside the outer bwrap sandbox:
12
+ *
13
+ * bwrap init (PID 1) <- outer PID ns, no seccomp
14
+ * \_ bash / socat ... <- outer PID ns, no seccomp
15
+ * \_ apply-seccomp [outer] <- outer PID ns, waits for inner init
16
+ * ================================================= PID ns boundary
17
+ * \_ apply-seccomp [inner init] <- inner PID 1, PR_SET_DUMPABLE=0
18
+ * \_ user command <- inner PID 2, seccomp applied
19
+ *
20
+ * From the user command's point of view /proc contains only its own process
21
+ * tree. The bwrap init, bash wrapper, and socat helpers are not addressable,
22
+ * so they cannot be ptraced or patched via /proc/N/mem even on systems with
23
+ * kernel.yama.ptrace_scope=0. The inner init (PID 1) sets PR_SET_DUMPABLE=0
24
+ * so it cannot be ptraced either.
25
+ *
26
+ * Any failure to set up the nested namespaces aborts with a non-zero exit
27
+ * status; we never fall back to running the command without isolation.
12
28
  *
13
29
  * Compile: gcc -static -O2 -o apply-seccomp apply-seccomp.c
14
30
  */
15
31
 
32
+ #define _GNU_SOURCE
16
33
  #include <stdio.h>
17
34
  #include <stdlib.h>
35
+ #include <stdarg.h>
18
36
  #include <string.h>
19
37
  #include <unistd.h>
20
38
  #include <fcntl.h>
39
+ #include <errno.h>
40
+ #include <sched.h>
41
+ #include <signal.h>
21
42
  #include <sys/prctl.h>
43
+ #include <sys/wait.h>
44
+ #include <sys/mount.h>
22
45
  #include <linux/seccomp.h>
23
46
  #include <linux/filter.h>
24
- #include <errno.h>
47
+
48
+ #include "unix-block-bpf.h"
25
49
 
26
50
  #ifndef PR_SET_NO_NEW_PRIVS
27
51
  #define PR_SET_NO_NEW_PRIVS 38
28
52
  #endif
29
53
 
54
+ #ifndef PR_CAP_AMBIENT
55
+ #define PR_CAP_AMBIENT 47
56
+ #define PR_CAP_AMBIENT_CLEAR_ALL 4
57
+ #endif
58
+
30
59
  #ifndef SECCOMP_MODE_FILTER
31
60
  #define SECCOMP_MODE_FILTER 2
32
61
  #endif
33
62
 
34
- #define MAX_FILTER_SIZE 4096 // Maximum BPF filter size in bytes
63
+ static void die(const char *msg) {
64
+ perror(msg);
65
+ _exit(1);
66
+ }
35
67
 
36
- int main(int argc, char *argv[], char *envp[]) {
37
- if (argc < 3) {
38
- fprintf(stderr, "Usage: %s <filter.bpf> <command> [args...]\n", argv[0]);
39
- return 1;
68
+ static int write_file(const char *path, const char *fmt, ...) {
69
+ char buf[256];
70
+ va_list ap;
71
+ va_start(ap, fmt);
72
+ int len = vsnprintf(buf, sizeof(buf), fmt, ap);
73
+ va_end(ap);
74
+ if (len < 0 || (size_t)len >= sizeof(buf)) {
75
+ errno = EOVERFLOW;
76
+ return -1;
40
77
  }
41
78
 
42
- const char *filter_path = argv[1];
43
- char **command_argv = &argv[2];
44
-
45
- // Open and read BPF filter file
46
- int fd = open(filter_path, O_RDONLY);
79
+ int fd = open(path, O_WRONLY);
47
80
  if (fd < 0) {
48
- perror("Failed to open BPF filter file");
49
- return 1;
81
+ return -1;
50
82
  }
51
-
52
- // Read filter into memory
53
- unsigned char filter_bytes[MAX_FILTER_SIZE];
54
- ssize_t filter_size = read(fd, filter_bytes, MAX_FILTER_SIZE);
83
+ ssize_t r = write(fd, buf, (size_t)len);
84
+ int saved = errno;
55
85
  close(fd);
86
+ if (r != len) {
87
+ errno = (r < 0) ? saved : EIO;
88
+ return -1;
89
+ }
90
+ return 0;
91
+ }
56
92
 
57
- if (filter_size < 0) {
58
- perror("Failed to read BPF filter");
59
- return 1;
93
+ /* PID the current process forwards signals to. Used by both the outer stub
94
+ * (forwards to inner init) and the inner init (forwards to the worker).
95
+ * PID 1 ignores signals it has no handler for, so the inner init MUST install
96
+ * these or SIGTERM from the outside is silently dropped. */
97
+ static volatile pid_t forward_target = -1;
98
+
99
+ static void forward_signal(int sig) {
100
+ if (forward_target > 0) {
101
+ kill(forward_target, sig);
60
102
  }
61
- if (filter_size == 0) {
62
- fprintf(stderr, "BPF filter file is empty\n");
63
- return 1;
103
+ }
104
+
105
+ static void install_forwarders(pid_t target) {
106
+ forward_target = target;
107
+ struct sigaction sa = { .sa_handler = forward_signal };
108
+ sigemptyset(&sa.sa_mask);
109
+ sigaction(SIGTERM, &sa, NULL);
110
+ sigaction(SIGINT, &sa, NULL);
111
+ sigaction(SIGHUP, &sa, NULL);
112
+ sigaction(SIGQUIT, &sa, NULL);
113
+ sigaction(SIGUSR1, &sa, NULL);
114
+ sigaction(SIGUSR2, &sa, NULL);
115
+ }
116
+
117
+ /*
118
+ * Wait for `main_child`, reaping any other children that exit first.
119
+ * Returns as soon as `main_child` terminates — the caller then _exit()s,
120
+ * which as PID 1 tears down the namespace and SIGKILLs any stragglers.
121
+ * Returns an exit(3)-style status: exit code, or 128+signal.
122
+ */
123
+ static int reap_until(pid_t main_child) {
124
+ int status = 0;
125
+ for (;;) {
126
+ pid_t r = waitpid(-1, &status, 0);
127
+ if (r < 0) {
128
+ if (errno == EINTR) {
129
+ continue;
130
+ }
131
+ return 1; /* ECHILD without seeing main_child — shouldn't happen. */
132
+ }
133
+ if (r == main_child) {
134
+ if (WIFEXITED(status)) {
135
+ return WEXITSTATUS(status);
136
+ }
137
+ if (WIFSIGNALED(status)) {
138
+ return 128 + WTERMSIG(status);
139
+ }
140
+ return 1;
141
+ }
142
+ /* Reaped an orphan that died before main_child; keep waiting. */
64
143
  }
65
- if (filter_size % 8 != 0) {
66
- fprintf(stderr, "Invalid BPF filter size: %zd (must be multiple of 8)\n", filter_size);
144
+ }
145
+
146
+ int main(int argc, char *argv[]) {
147
+ if (argc < 2) {
148
+ fprintf(stderr, "Usage: %s <command> [args...]\n", argv[0]);
67
149
  return 1;
68
150
  }
69
151
 
70
- // Convert bytes to sock_filter instructions
71
- unsigned short filter_len = filter_size / 8;
72
- struct sock_filter *filter = (struct sock_filter *)filter_bytes;
152
+ char **command_argv = &argv[1];
73
153
 
74
- // Set up sock_fprog structure
154
+ _Static_assert(sizeof(unix_block_bpf) % sizeof(struct sock_filter) == 0,
155
+ "BPF filter size must be a multiple of sock_filter");
75
156
  struct sock_fprog prog = {
76
- .len = filter_len,
77
- .filter = filter,
157
+ .len = (unsigned short)(sizeof(unix_block_bpf) / sizeof(struct sock_filter)),
158
+ .filter = (struct sock_filter *)unix_block_bpf,
78
159
  };
79
160
 
80
- // Set NO_NEW_PRIVS to allow seccomp without CAP_SYS_ADMIN
81
- if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) {
82
- perror("prctl(PR_SET_NO_NEW_PRIVS) failed");
83
- return 1;
161
+ /* ---- New PID + mount namespaces. Children (not us) enter the PID ns. ----
162
+ *
163
+ * Two paths to get CAP_SYS_ADMIN for the unshare:
164
+ * (a) The caller (bwrap) kept CAP_SYS_ADMIN in this user namespace via
165
+ * --cap-add. Just unshare directly.
166
+ * (b) We don't have the cap. Create a nested user namespace to get it,
167
+ * map uid/gid, then unshare. This also works when apply-seccomp is
168
+ * run standalone outside bwrap.
169
+ *
170
+ * Path (a) is tried first. If the caller didn't give us the cap, the
171
+ * kernel returns EPERM and we fall through to (b). Path (b) can itself
172
+ * fail on hosts where unprivileged user namespaces are gated by an LSM
173
+ * (Ubuntu 24.04's AppArmor restriction, for example) — the unshare
174
+ * succeeds but the new namespace grants no capabilities, so the setgroups
175
+ * write fails. In that case we abort: the caller must supply CAP_SYS_ADMIN.
176
+ */
177
+ if (unshare(CLONE_NEWPID | CLONE_NEWNS) < 0) {
178
+ if (errno != EPERM) {
179
+ die("apply-seccomp: unshare(CLONE_NEWPID|CLONE_NEWNS)");
180
+ }
181
+
182
+ uid_t uid = geteuid();
183
+ gid_t gid = getegid();
184
+
185
+ if (unshare(CLONE_NEWUSER) < 0) {
186
+ die("apply-seccomp: unshare(CLONE_NEWUSER)");
187
+ }
188
+ if (write_file("/proc/self/setgroups", "deny") < 0) {
189
+ die("apply-seccomp: write /proc/self/setgroups "
190
+ "(nested userns is capability-restricted; "
191
+ "caller must provide CAP_SYS_ADMIN)");
192
+ }
193
+ if (write_file("/proc/self/uid_map", "%u %u 1\n", uid, uid) < 0) {
194
+ die("apply-seccomp: write /proc/self/uid_map");
195
+ }
196
+ if (write_file("/proc/self/gid_map", "%u %u 1\n", gid, gid) < 0) {
197
+ die("apply-seccomp: write /proc/self/gid_map");
198
+ }
199
+ if (unshare(CLONE_NEWPID | CLONE_NEWNS) < 0) {
200
+ die("apply-seccomp: unshare(CLONE_NEWPID|CLONE_NEWNS) after userns");
201
+ }
84
202
  }
85
203
 
86
- // Apply seccomp filter
87
- if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0) {
88
- perror("prctl(PR_SET_SECCOMP) failed");
89
- return 1;
204
+ pid_t child = fork();
205
+ if (child < 0) {
206
+ die("apply-seccomp: fork");
90
207
  }
91
208
 
92
- // Exec the command with seccomp filter active
93
- execvp(command_argv[0], command_argv);
209
+ if (child > 0) {
210
+ /* Outer stub: still in bwrap's PID namespace. Forward signals and
211
+ * wait so the caller sees the real exit status. */
212
+ install_forwarders(child);
213
+
214
+ int status;
215
+ for (;;) {
216
+ pid_t r = waitpid(child, &status, 0);
217
+ if (r < 0 && errno == EINTR) continue;
218
+ if (r < 0) die("apply-seccomp: waitpid");
219
+ break;
220
+ }
221
+ if (WIFSIGNALED(status)) return 128 + WTERMSIG(status);
222
+ return WIFEXITED(status) ? WEXITSTATUS(status) : 1;
223
+ }
224
+
225
+ /* ================================================================
226
+ * Inner init — PID 1 in the nested PID namespace.
227
+ * ================================================================ */
228
+
229
+ /* Block ptrace and /proc/1/mem writes against this process. */
230
+ if (prctl(PR_SET_DUMPABLE, 0) < 0) {
231
+ die("apply-seccomp: prctl(PR_SET_DUMPABLE)");
232
+ }
233
+
234
+ /* Don't let our /proc mount propagate anywhere. */
235
+ if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) < 0) {
236
+ die("apply-seccomp: mount(MS_PRIVATE)");
237
+ }
238
+ /* EPERM here means a masked /proc is underneath (unprivileged Docker)
239
+ * and the kernel domination check refused the overmount. The nested
240
+ * userns above is the isolation boundary; this remount only hides
241
+ * outer PIDs from `ls /proc`. enableWeakerNestedSandbox targets
242
+ * exactly this environment. */
243
+ if (mount("proc", "/proc", "proc", MS_NOSUID | MS_NODEV | MS_NOEXEC, NULL) < 0
244
+ && errno != EPERM) {
245
+ die("apply-seccomp: mount(/proc)");
246
+ }
247
+
248
+ /* bwrap --cap-add places CAP_SYS_ADMIN in the ambient set so it survives
249
+ * exec. Clear it now that the mount is done; combined with
250
+ * PR_SET_NO_NEW_PRIVS, the worker's execve drops to zero capabilities. */
251
+ if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0) < 0) {
252
+ die("apply-seccomp: prctl(PR_CAP_AMBIENT_CLEAR_ALL)");
253
+ }
254
+
255
+ /* Fork the real workload so PID 1 can stay as a non-dumpable reaper. */
256
+ pid_t worker = fork();
257
+ if (worker < 0) {
258
+ die("apply-seccomp: fork(worker)");
259
+ }
94
260
 
95
- // If we get here, exec failed
96
- perror("execvp failed");
261
+ if (worker > 0) {
262
+ /* Inner init: reap everything, exit with the worker's status.
263
+ * When PID 1 exits the kernel tears down the whole namespace.
264
+ * PID 1 drops signals without handlers, so install forwarders. */
265
+ install_forwarders(worker);
266
+ _exit(reap_until(worker));
267
+ }
268
+
269
+ /* ---- Worker (inner PID 2): apply seccomp and exec. ---- */
270
+ if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {
271
+ die("apply-seccomp: prctl(PR_SET_NO_NEW_PRIVS)");
272
+ }
273
+ if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) < 0) {
274
+ die("apply-seccomp: prctl(PR_SET_SECCOMP)");
275
+ }
276
+
277
+ execvp(command_argv[0], command_argv);
278
+ die("apply-seccomp: execvp");
97
279
  return 1;
98
280
  }
@@ -27,7 +27,11 @@
27
27
  * gcc -o seccomp-unix-block seccomp-unix-block.c -lseccomp
28
28
  *
29
29
  * Usage:
30
- * ./seccomp-unix-block <output-file>
30
+ * ./seccomp-unix-block <output-file> [arch]
31
+ *
32
+ * If arch is given (x86_64 or aarch64), the filter is generated for that
33
+ * architecture instead of the native one. Lets a single-arch builder emit
34
+ * filters for both x64 and arm64.
31
35
  *
32
36
  * Dependencies:
33
37
  * - libseccomp (libseccomp-dev package on Debian/Ubuntu)
@@ -48,12 +52,13 @@ int main(int argc, char *argv[]) {
48
52
  scmp_filter_ctx ctx;
49
53
  int rc;
50
54
 
51
- if (argc != 2) {
52
- fprintf(stderr, "Usage: %s <output-file>\n", argv[0]);
55
+ if (argc < 2 || argc > 3) {
56
+ fprintf(stderr, "Usage: %s <output-file> [x86_64|aarch64]\n", argv[0]);
53
57
  return 1;
54
58
  }
55
59
 
56
60
  const char *output_file = argv[1];
61
+ const char *arch_name = (argc == 3) ? argv[2] : NULL;
57
62
 
58
63
  /* Create seccomp context with default action ALLOW */
59
64
  ctx = seccomp_init(SCMP_ACT_ALLOW);
@@ -62,6 +67,28 @@ int main(int argc, char *argv[]) {
62
67
  return 1;
63
68
  }
64
69
 
70
+ if (arch_name != NULL) {
71
+ uint32_t target;
72
+ if (strcmp(arch_name, "x86_64") == 0) {
73
+ target = SCMP_ARCH_X86_64;
74
+ } else if (strcmp(arch_name, "aarch64") == 0) {
75
+ target = SCMP_ARCH_AARCH64;
76
+ } else {
77
+ fprintf(stderr, "Error: Unsupported arch '%s'\n", arch_name);
78
+ seccomp_release(ctx);
79
+ return 1;
80
+ }
81
+ if (target != seccomp_arch_native()) {
82
+ rc = seccomp_arch_remove(ctx, SCMP_ARCH_NATIVE);
83
+ if (rc == 0) rc = seccomp_arch_add(ctx, target);
84
+ if (rc < 0) {
85
+ fprintf(stderr, "Error: Failed to set target arch: %s\n", strerror(-rc));
86
+ seccomp_release(ctx);
87
+ return 1;
88
+ }
89
+ }
90
+ }
91
+
65
92
  /* Add rule to block socket(AF_UNIX, ...) */
66
93
  /* socket() syscall signature: int socket(int domain, int type, int protocol) */
67
94
  /* arg0 = domain (AF_UNIX = 1) */
@@ -77,6 +104,26 @@ int main(int argc, char *argv[]) {
77
104
  return 1;
78
105
  }
79
106
 
107
+ /* Block io_uring entirely. IORING_OP_SOCKET (Linux 5.19+) creates sockets
108
+ * in kernel context without going through the socket() syscall, bypassing
109
+ * the rule above. seccomp cannot inspect io_uring SQEs (they live in a
110
+ * shared-memory ring), so the only safe option is to deny ring creation
111
+ * and use. Blocking all three syscalls also covers the case of an
112
+ * inherited ring fd. */
113
+ int io_uring_calls[] = {
114
+ SCMP_SYS(io_uring_setup),
115
+ SCMP_SYS(io_uring_enter),
116
+ SCMP_SYS(io_uring_register),
117
+ };
118
+ for (size_t i = 0; i < sizeof(io_uring_calls) / sizeof(io_uring_calls[0]); i++) {
119
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), io_uring_calls[i], 0);
120
+ if (rc < 0) {
121
+ fprintf(stderr, "Error: Failed to add io_uring rule: %s\n", strerror(-rc));
122
+ seccomp_release(ctx);
123
+ return 1;
124
+ }
125
+ }
126
+
80
127
  /* Export the filter to a file */
81
128
  int fd = open(output_file, O_CREAT | O_WRONLY | O_TRUNC, 0600);
82
129
  if (fd < 0) {
Binary file
Binary file
Binary file
Binary file