Untitled

a guest
Feb 20th, 2019
## scmp-confine-w
Small wrapper to make applying seccomp filters easier.

### How to use?

1. Get scmp-confine from github.com/foxcpp/secutils.
```
$ go get github.com/foxcpp/secutils/scmp-confine
$ go install github.com/foxcpp/secutils/scmp-confine
# cp $GOBIN/scmp-confine /usr/local/bin/scmp-confine
```

2. Save the script below somewhere.
```
# curl '...' -o /usr/local/bin/scmp-confine-w
# chmod +x /usr/local/bin/scmp-confine-w
```

3. Save a comma-separated whitelist of system calls to `/etc/scmp-confine/APPLICATION`, where APPLICATION is the path to the program with forward slashes replaced by dots and the leading slash removed (`/usr/bin/mpv` becomes `usr.bin.mpv`).
```
$ cat /etc/scmp-confine/usr.bin.firefox
futex,poll,recvmsg,epoll_wait,write,read,readv,sendmsg,getpid,mprotect,fdatasync,madvise,recvfrom,munmap,close,writev,gettid,fsync,open,openat,fstat,mmap,sched_yield,fcntl,socketpair,stat,dup,rt_sigreturn,ftruncate,unlink,link,wait4,statfs,lseek,sendto,access,pwrite64,pread64,getpeername,socket,connect,sendmmsg,setsockopt,ioctl,getrusage,clone,lstat,getsockname,epoll_ctl,bind,getdents,shmdt,rename,set_robust_list,fadvise64,prctl,mkdir,setpriority,fstatfs,getsockopt,getpriority,rt_sigaction,getrandom,shmget,seccomp,tgkill,readlink,getuid,sched_getaffinity,geteuid,pipe,shmat,uname,execve,dup2,rmdir,prlimit64,symlink,readahead,umask,shmctl,getgid,sysinfo,getegid,sigaltstack,getresuid,pipe2,getresgid,rt_sigprocmask,epoll_create1,inotify_add_watch,eventfd2,brk,shutdown,arch_prctl,set_tid_address,clock_getres,fallocate,inotify_init1,memfd_create,getcwd,unshare,setresuid,setresgid,setgid,setuid,exit,exit_group,select,ppoll,inotify_rm_watch,chmod,shmctl,nanosleep,sched_get_priority_min,sched_get_priority_max,inotify_init,gettimeofday,msync,fchmod,fork,splice,utime,clock_gettime,sched_setscheduler,restart_syscall,getdents64,kill,semget,semctl,semop,mlock,quotactl
```

4. Symlink scmp-confine-w to the application name in /usr/local/bin.
```
# ln -s /usr/local/bin/scmp-confine-w /usr/local/bin/firefox
```

5. Make sure /usr/local/bin is in `$PATH`.

6. Verify that launching the application starts it under the seccomp filter:
```
# firefox
[scmp-confine] Shields up! 133 syscalls allowed.
...
```
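As an added pre-install check (example code written for this page, not part of foxcpp/secutils), a small Python linter for the profile layout described in step 3: it derives the `/etc/scmp-confine/` file name from a program path, parses the comma-separated whitelist, and reports duplicates, malformed entries and syscalls worth a second look before the symlink goes live. The watchlist of syscalls to review and the sample profile are this example's own assumptions; the firefox list above, for instance, names shmctl twice, which is why its 133 entries are 132 distinct syscalls.

```python
import re
from collections import Counter

# Accepted syscall names: lowercase letters, digits and underscores (pread64, rt_sigaction).
SYSCALL_NAME = re.compile(r"^[a-z0-9_]+$")
# Entries that widen what a confined process can do and deserve a second look.
# This watchlist is chosen by this example; scmp-confine has no such notion.
REVIEW = {"execve", "execveat", "ptrace", "unshare", "setuid", "setresuid",
          "mount", "seccomp", "kill", "tgkill"}

def profile_name(program_path):
    """Map an absolute program path to its /etc/scmp-confine/ file name:
    drop the leading slash, replace the remaining slashes with dots."""
    if not program_path.startswith("/"):
        raise ValueError("program path must be absolute: %r" % program_path)
    # The mapping is not reversible ("/usr/bin/a.b" and "/usr/bin.a/b" collide),
    # so do not rely on the profile name alone to identify the program.
    return program_path.lstrip("/").replace("/", ".")

def parse_whitelist(text):
    """Split a comma-separated whitelist, tolerating whitespace and newlines.
    Returns (entries in file order, entries rejected as malformed)."""
    entries, invalid = [], []
    for raw in text.split(","):
        name = raw.strip()
        if not name:
            continue  # trailing comma or blank line
        if not SYSCALL_NAME.match(name):
            invalid.append(name)
            continue
        entries.append(name)
    return entries, invalid

def lint_profile(program_path, text):
    """Summarise a profile the way a pre-install check would."""
    entries, invalid = parse_whitelist(text)
    counts = Counter(entries)
    return {
        "profile": profile_name(program_path),
        "allowed": len(entries),  # entry count including repeats, as in the startup message
        "unique": len(counts),
        "duplicates": sorted(n for n, c in counts.items() if c > 1),
        "invalid": invalid,
        "review": sorted(set(entries) & REVIEW),
    }

# Constructed sample (not the page's firefox list): a duplicate and a malformed entry.
SAMPLE = "read,write, futex,\nmmap,shmctl,execve,shmctl,open at,exit_group,"
if __name__ == "__main__":
    print(lint_profile("/usr/bin/mpv", SAMPLE))
```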