sandbox-seccomp-filter.c (294328) | sandbox-seccomp-filter.c (294336) |
1/* 2 * Copyright (c) 2012 Will Drewry <wad@dataspill.org> 3 * 4 * Permission to use, copy, modify, and distribute this software for any 5 * purpose with or without fee is hereby granted, provided that the above 6 * copyright notice and this permission notice appear in all copies. 7 * 8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES --- 29 unchanged lines hidden (view full) --- 38#include "includes.h" 39 40#ifdef SANDBOX_SECCOMP_FILTER 41 42#include <sys/types.h> 43#include <sys/resource.h> 44#include <sys/prctl.h> 45 | 1/* 2 * Copyright (c) 2012 Will Drewry <wad@dataspill.org> 3 * 4 * Permission to use, copy, modify, and distribute this software for any 5 * purpose with or without fee is hereby granted, provided that the above 6 * copyright notice and this permission notice appear in all copies. 7 * 8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES --- 29 unchanged lines hidden (view full) --- 38#include "includes.h" 39 40#ifdef SANDBOX_SECCOMP_FILTER 41 42#include <sys/types.h> 43#include <sys/resource.h> 44#include <sys/prctl.h> 45 |
46#include <linux/net.h> |
|
46#include <linux/audit.h> 47#include <linux/filter.h> 48#include <linux/seccomp.h> 49#include <elf.h> 50 51#include <asm/unistd.h> 52 53#include <errno.h> --- 20 unchanged lines hidden (view full) --- 74 75/* Simple helpers to avoid manual errors (but larger BPF programs). */ 76#define SC_DENY(_nr, _errno) \ 77 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \ 78 BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO|(_errno)) 79#define SC_ALLOW(_nr) \ 80 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \ 81 BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) | 47#include <linux/audit.h> 48#include <linux/filter.h> 49#include <linux/seccomp.h> 50#include <elf.h> 51 52#include <asm/unistd.h> 53 54#include <errno.h> --- 20 unchanged lines hidden (view full) --- 75 76/* Simple helpers to avoid manual errors (but larger BPF programs). */ 77#define SC_DENY(_nr, _errno) \ 78 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \ 79 BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO|(_errno)) 80#define SC_ALLOW(_nr) \ 81 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \ 82 BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) |
83#define SC_ALLOW_ARG(_nr, _arg_nr, _arg_val) \ 84 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 4), \ 85 /* load first syscall argument */ \ 86 BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \ 87 offsetof(struct seccomp_data, args[(_arg_nr)])), \ 88 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (_arg_val), 0, 1), \ 89 BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW), \ 90 /* reload syscall number; all rules expect it in accumulator */ \ 91 BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \ 92 offsetof(struct seccomp_data, nr)) |
|
82 83/* Syscall filtering set for preauth. */ 84static const struct sock_filter preauth_insns[] = { 85 /* Ensure the syscall arch convention is as expected. */ 86 BPF_STMT(BPF_LD+BPF_W+BPF_ABS, 87 offsetof(struct seccomp_data, arch)), 88 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SECCOMP_AUDIT_ARCH, 1, 0), 89 BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL), 90 /* Load the syscall number for checking. */ 91 BPF_STMT(BPF_LD+BPF_W+BPF_ABS, 92 offsetof(struct seccomp_data, nr)), | 93 94/* Syscall filtering set for preauth. */ 95static const struct sock_filter preauth_insns[] = { 96 /* Ensure the syscall arch convention is as expected. */ 97 BPF_STMT(BPF_LD+BPF_W+BPF_ABS, 98 offsetof(struct seccomp_data, arch)), 99 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SECCOMP_AUDIT_ARCH, 1, 0), 100 BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL), 101 /* Load the syscall number for checking. */ 102 BPF_STMT(BPF_LD+BPF_W+BPF_ABS, 103 offsetof(struct seccomp_data, nr)), |
104 105 /* Syscalls to non-fatally deny */ 106#ifdef __NR_fstat 107 SC_DENY(fstat, EACCES), 108#endif 109#ifdef __NR_fstat64 110 SC_DENY(fstat64, EACCES), 111#endif 112#ifdef __NR_open |
|
93 SC_DENY(open, EACCES), | 113 SC_DENY(open, EACCES), |
114#endif 115#ifdef __NR_openat 116 SC_DENY(openat, EACCES), 117#endif 118#ifdef __NR_newfstatat 119 SC_DENY(newfstatat, EACCES), 120#endif 121#ifdef __NR_stat |
|
94 SC_DENY(stat, EACCES), | 122 SC_DENY(stat, EACCES), |
95 SC_ALLOW(getpid), 96 SC_ALLOW(gettimeofday), | 123#endif 124#ifdef __NR_stat64 125 SC_DENY(stat64, EACCES), 126#endif 127 128 /* Syscalls to permit */ 129#ifdef __NR_brk 130 SC_ALLOW(brk), 131#endif 132#ifdef __NR_clock_gettime |
97 SC_ALLOW(clock_gettime), | 133 SC_ALLOW(clock_gettime), |
98#ifdef __NR_time /* not defined on EABI ARM */ 99 SC_ALLOW(time), | |
100#endif | 134#endif |
101 SC_ALLOW(read), 102 SC_ALLOW(write), | 135#ifdef __NR_close |
103 SC_ALLOW(close), | 136 SC_ALLOW(close), |
104#ifdef __NR_shutdown /* not defined on archs that go via socketcall(2) */ 105 SC_ALLOW(shutdown), | |
106#endif | 137#endif |
107 SC_ALLOW(brk), 108 SC_ALLOW(poll), 109#ifdef __NR__newselect 110 SC_ALLOW(_newselect), 111#else 112 SC_ALLOW(select), | 138#ifdef __NR_exit 139 SC_ALLOW(exit), |
113#endif | 140#endif |
141#ifdef __NR_exit_group 142 SC_ALLOW(exit_group), 143#endif 144#ifdef __NR_getpgid 145 SC_ALLOW(getpgid), 146#endif 147#ifdef __NR_getpid 148 SC_ALLOW(getpid), 149#endif 150#ifdef __NR_gettimeofday 151 SC_ALLOW(gettimeofday), 152#endif 153#ifdef __NR_madvise |
|
114 SC_ALLOW(madvise), | 154 SC_ALLOW(madvise), |
115#ifdef __NR_mmap2 /* EABI ARM only has mmap2() */ 116 SC_ALLOW(mmap2), | |
117#endif 118#ifdef __NR_mmap 119 SC_ALLOW(mmap), 120#endif | 155#endif 156#ifdef __NR_mmap 157 SC_ALLOW(mmap), 158#endif |
121#ifdef __dietlibc__ | 159#ifdef __NR_mmap2 160 SC_ALLOW(mmap2), 161#endif 162#ifdef __NR_mremap |
122 SC_ALLOW(mremap), | 163 SC_ALLOW(mremap), |
123 SC_ALLOW(exit), | |
124#endif | 164#endif |
165#ifdef __NR_munmap |
|
125 SC_ALLOW(munmap), | 166 SC_ALLOW(munmap), |
126 SC_ALLOW(exit_group), | 167#endif 168#ifdef __NR__newselect 169 SC_ALLOW(_newselect), 170#endif 171#ifdef __NR_poll 172 SC_ALLOW(poll), 173#endif 174#ifdef __NR_pselect6 175 SC_ALLOW(pselect6), 176#endif 177#ifdef __NR_read 178 SC_ALLOW(read), 179#endif |
127#ifdef __NR_rt_sigprocmask 128 SC_ALLOW(rt_sigprocmask), | 180#ifdef __NR_rt_sigprocmask 181 SC_ALLOW(rt_sigprocmask), |
129#else | 182#endif 183#ifdef __NR_select 184 SC_ALLOW(select), 185#endif 186#ifdef __NR_shutdown 187 SC_ALLOW(shutdown), 188#endif 189#ifdef __NR_sigprocmask |
130 SC_ALLOW(sigprocmask), 131#endif | 190 SC_ALLOW(sigprocmask), 191#endif |
192#ifdef __NR_time 193 SC_ALLOW(time), 194#endif 195#ifdef __NR_write 196 SC_ALLOW(write), 197#endif 198#ifdef __NR_socketcall 199 SC_ALLOW_ARG(socketcall, 0, SYS_SHUTDOWN), 200#endif 201 202 /* Default deny */ |
|
132 BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL), 133}; 134 135static const struct sock_fprog preauth_program = { 136 .len = (unsigned short)(sizeof(preauth_insns)/sizeof(preauth_insns[0])), 137 .filter = (struct sock_filter *)preauth_insns, 138}; 139 --- 108 unchanged lines hidden --- | 203 BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL), 204}; 205 206static const struct sock_fprog preauth_program = { 207 .len = (unsigned short)(sizeof(preauth_insns)/sizeof(preauth_insns[0])), 208 .filter = (struct sock_filter *)preauth_insns, 209}; 210 --- 108 unchanged lines hidden --- |
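Review bot: The new `SC_ALLOW_ARG` macro (new lines 83-92) compares only one 32-bit half of the 64-bit `seccomp_data.args[]` slot, because `BPF_LD+BPF_W+BPF_ABS` at `offsetof(struct seccomp_data, args[(_arg_nr)])` reads the low word on little-endian targets but the high word on big-endian ones, so on a big-endian 32-bit architecture the `SC_ALLOW_ARG(socketcall, 0, SYS_SHUTDOWN)` rule at new line 199 can never match and the call falls through to the default `SECCOMP_FILTER_FAIL` (fail-closed, but it would kill the preauth process on its first shutdown(2)). I would select the word offset by endianness using `__BYTE_ORDER` from `<endian.h>` and compare both halves, as sketched below, so the match is exact on every target rather than depending on the high half being ignored. The macro comment `/* load first syscall argument */` is also stale now that the index is a parameter; `/* load syscall argument _arg_nr (low 32 bits) */` describes what the instruction does. Only this macro is shown in full; the `preauth_insns[]` array and the rest of the `SANDBOX_SECCOMP_FILTER` block continue outside the visible section.
```c
/* seccomp_data.args[] are 64-bit; a BPF_W load reads one 32-bit half. */
#if __BYTE_ORDER == __LITTLE_ENDIAN
# define ARG_LO_OFFSET	0
# define ARG_HI_OFFSET	sizeof(uint32_t)
#else
# define ARG_LO_OFFSET	sizeof(uint32_t)
# define ARG_HI_OFFSET	0
#endif

#define SC_ALLOW_ARG(_nr, _arg_nr, _arg_val) \
	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 6), \
	/* load low 32 bits of syscall argument _arg_nr */ \
	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
	    offsetof(struct seccomp_data, args[(_arg_nr)]) + ARG_LO_OFFSET), \
	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ((_arg_val) & 0xFFFFFFFF), 0, 3), \
	/* load high 32 bits; must match too (zero for small values) */ \
	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
	    offsetof(struct seccomp_data, args[(_arg_nr)]) + ARG_HI_OFFSET), \
	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, \
	    ((uint32_t)((uint64_t)(_arg_val) >> 32)), 0, 1), \
	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW), \
	/* reload syscall number; all rules expect it in accumulator */ \
	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
	    offsetof(struct seccomp_data, nr))
/* … unchanged: SC_DENY / SC_ALLOW macros and preauth_insns[] … */
```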