sandbox-seccomp-filter.c (294328) sandbox-seccomp-filter.c (294336)
1/*
2 * Copyright (c) 2012 Will Drewry <wad@dataspill.org>
3 *
4 * Permission to use, copy, modify, and distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
7 *
8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES

--- 29 unchanged lines hidden (view full) ---

38#include "includes.h"
39
40#ifdef SANDBOX_SECCOMP_FILTER
41
42#include <sys/types.h>
43#include <sys/resource.h>
44#include <sys/prctl.h>
45
1/*
2 * Copyright (c) 2012 Will Drewry <wad@dataspill.org>
3 *
4 * Permission to use, copy, modify, and distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
7 *
8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES

--- 29 unchanged lines hidden (view full) ---

38#include "includes.h"
39
40#ifdef SANDBOX_SECCOMP_FILTER
41
42#include <sys/types.h>
43#include <sys/resource.h>
44#include <sys/prctl.h>
45
46#include <linux/net.h>
46#include <linux/audit.h>
47#include <linux/filter.h>
48#include <linux/seccomp.h>
49#include <elf.h>
50
51#include <asm/unistd.h>
52
53#include <errno.h>

--- 20 unchanged lines hidden (view full) ---

74
75/* Simple helpers to avoid manual errors (but larger BPF programs). */
76#define SC_DENY(_nr, _errno) \
77 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \
78 BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO|(_errno))
79#define SC_ALLOW(_nr) \
80 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \
81 BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
47#include <linux/audit.h>
48#include <linux/filter.h>
49#include <linux/seccomp.h>
50#include <elf.h>
51
52#include <asm/unistd.h>
53
54#include <errno.h>

--- 20 unchanged lines hidden (view full) ---

75
76/* Simple helpers to avoid manual errors (but larger BPF programs). */
77#define SC_DENY(_nr, _errno) \
78 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \
79 BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO|(_errno))
80#define SC_ALLOW(_nr) \
81 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \
82 BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
83#define SC_ALLOW_ARG(_nr, _arg_nr, _arg_val) \
84 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 4), \
85 /* load first syscall argument */ \
86 BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
87 offsetof(struct seccomp_data, args[(_arg_nr)])), \
88 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (_arg_val), 0, 1), \
89 BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW), \
90 /* reload syscall number; all rules expect it in accumulator */ \
91 BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
92 offsetof(struct seccomp_data, nr))
82
83/* Syscall filtering set for preauth. */
84static const struct sock_filter preauth_insns[] = {
85 /* Ensure the syscall arch convention is as expected. */
86 BPF_STMT(BPF_LD+BPF_W+BPF_ABS,
87 offsetof(struct seccomp_data, arch)),
88 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SECCOMP_AUDIT_ARCH, 1, 0),
89 BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL),
90 /* Load the syscall number for checking. */
91 BPF_STMT(BPF_LD+BPF_W+BPF_ABS,
92 offsetof(struct seccomp_data, nr)),
93
94/* Syscall filtering set for preauth. */
95static const struct sock_filter preauth_insns[] = {
96 /* Ensure the syscall arch convention is as expected. */
97 BPF_STMT(BPF_LD+BPF_W+BPF_ABS,
98 offsetof(struct seccomp_data, arch)),
99 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SECCOMP_AUDIT_ARCH, 1, 0),
100 BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL),
101 /* Load the syscall number for checking. */
102 BPF_STMT(BPF_LD+BPF_W+BPF_ABS,
103 offsetof(struct seccomp_data, nr)),
104
105 /* Syscalls to non-fatally deny */
106#ifdef __NR_fstat
107 SC_DENY(fstat, EACCES),
108#endif
109#ifdef __NR_fstat64
110 SC_DENY(fstat64, EACCES),
111#endif
112#ifdef __NR_open
93 SC_DENY(open, EACCES),
113 SC_DENY(open, EACCES),
114#endif
115#ifdef __NR_openat
116 SC_DENY(openat, EACCES),
117#endif
118#ifdef __NR_newfstatat
119 SC_DENY(newfstatat, EACCES),
120#endif
121#ifdef __NR_stat
94 SC_DENY(stat, EACCES),
122 SC_DENY(stat, EACCES),
95 SC_ALLOW(getpid),
96 SC_ALLOW(gettimeofday),
123#endif
124#ifdef __NR_stat64
125 SC_DENY(stat64, EACCES),
126#endif
127
128 /* Syscalls to permit */
129#ifdef __NR_brk
130 SC_ALLOW(brk),
131#endif
132#ifdef __NR_clock_gettime
97 SC_ALLOW(clock_gettime),
133 SC_ALLOW(clock_gettime),
98#ifdef __NR_time /* not defined on EABI ARM */
99 SC_ALLOW(time),
100#endif
134#endif
101 SC_ALLOW(read),
102 SC_ALLOW(write),
135#ifdef __NR_close
103 SC_ALLOW(close),
136 SC_ALLOW(close),
104#ifdef __NR_shutdown /* not defined on archs that go via socketcall(2) */
105 SC_ALLOW(shutdown),
106#endif
137#endif
107 SC_ALLOW(brk),
108 SC_ALLOW(poll),
109#ifdef __NR__newselect
110 SC_ALLOW(_newselect),
111#else
112 SC_ALLOW(select),
138#ifdef __NR_exit
139 SC_ALLOW(exit),
113#endif
140#endif
141#ifdef __NR_exit_group
142 SC_ALLOW(exit_group),
143#endif
144#ifdef __NR_getpgid
145 SC_ALLOW(getpgid),
146#endif
147#ifdef __NR_getpid
148 SC_ALLOW(getpid),
149#endif
150#ifdef __NR_gettimeofday
151 SC_ALLOW(gettimeofday),
152#endif
153#ifdef __NR_madvise
114 SC_ALLOW(madvise),
154 SC_ALLOW(madvise),
115#ifdef __NR_mmap2 /* EABI ARM only has mmap2() */
116 SC_ALLOW(mmap2),
117#endif
118#ifdef __NR_mmap
119 SC_ALLOW(mmap),
120#endif
155#endif
156#ifdef __NR_mmap
157 SC_ALLOW(mmap),
158#endif
121#ifdef __dietlibc__
159#ifdef __NR_mmap2
160 SC_ALLOW(mmap2),
161#endif
162#ifdef __NR_mremap
122 SC_ALLOW(mremap),
163 SC_ALLOW(mremap),
123 SC_ALLOW(exit),
124#endif
164#endif
165#ifdef __NR_munmap
125 SC_ALLOW(munmap),
166 SC_ALLOW(munmap),
126 SC_ALLOW(exit_group),
167#endif
168#ifdef __NR__newselect
169 SC_ALLOW(_newselect),
170#endif
171#ifdef __NR_poll
172 SC_ALLOW(poll),
173#endif
174#ifdef __NR_pselect6
175 SC_ALLOW(pselect6),
176#endif
177#ifdef __NR_read
178 SC_ALLOW(read),
179#endif
127#ifdef __NR_rt_sigprocmask
128 SC_ALLOW(rt_sigprocmask),
180#ifdef __NR_rt_sigprocmask
181 SC_ALLOW(rt_sigprocmask),
129#else
182#endif
183#ifdef __NR_select
184 SC_ALLOW(select),
185#endif
186#ifdef __NR_shutdown
187 SC_ALLOW(shutdown),
188#endif
189#ifdef __NR_sigprocmask
130 SC_ALLOW(sigprocmask),
131#endif
190 SC_ALLOW(sigprocmask),
191#endif
192#ifdef __NR_time
193 SC_ALLOW(time),
194#endif
195#ifdef __NR_write
196 SC_ALLOW(write),
197#endif
198#ifdef __NR_socketcall
199 SC_ALLOW_ARG(socketcall, 0, SYS_SHUTDOWN),
200#endif
201
202 /* Default deny */
132 BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL),
133};
134
135static const struct sock_fprog preauth_program = {
136 .len = (unsigned short)(sizeof(preauth_insns)/sizeof(preauth_insns[0])),
137 .filter = (struct sock_filter *)preauth_insns,
138};
139

--- 108 unchanged lines hidden ---
203 BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL),
204};
205
206static const struct sock_fprog preauth_program = {
207 .len = (unsigned short)(sizeof(preauth_insns)/sizeof(preauth_insns[0])),
208 .filter = (struct sock_filter *)preauth_insns,
209};
210

--- 108 unchanged lines hidden ---
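Review bot: The new `SC_ALLOW_ARG` macro compares only one 32-bit word of the 64-bit `seccomp_data.args[]` slot (`BPF_LD+BPF_W+BPF_ABS` at `offsetof(struct seccomp_data, args[(_arg_nr)])`), and on big-endian targets the word at that offset is the high half of the argument, so the `SYS_SHUTDOWN` match for `socketcall` would presumably never hit there and the call would fall through to the trailing `SECCOMP_FILTER_FAIL`. A more robust form loads the low word via an endianness-selected offset, e.g. `offsetof(struct seccomp_data, args[(_arg_nr)]) + ARG_LO_OFFSET` with `ARG_LO_OFFSET` defined as `0` or `sizeof(uint32_t)` depending on `__BYTE_ORDER`, and optionally also requires the high word to be zero before allowing. The comment `/* load first syscall argument */` is also stale now that the macro takes `_arg_nr`; `/* load the low 32 bits of syscall argument _arg_nr */` would describe what the instruction does.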