/**
|
|
Packit |
56e23f |
* Seccomp System Interfaces
|
|
Packit |
56e23f |
*
|
|
Packit |
56e23f |
* Copyright (c) 2014 Red Hat <pmoore@redhat.com>
|
|
Packit |
56e23f |
* Author: Paul Moore <paul@paul-moore.com>
|
|
Packit |
56e23f |
*/
|
|
Packit |
56e23f |
|
|
Packit |
56e23f |
/*
|
|
Packit |
56e23f |
* This library is free software; you can redistribute it and/or modify it
|
|
Packit |
56e23f |
* under the terms of version 2.1 of the GNU Lesser General Public License as
|
|
Packit |
56e23f |
* published by the Free Software Foundation.
|
|
Packit |
56e23f |
*
|
|
Packit |
56e23f |
* This library is distributed in the hope that it will be useful, but WITHOUT
|
|
Packit |
56e23f |
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
|
Packit |
56e23f |
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
|
|
Packit |
56e23f |
* for more details.
|
|
Packit |
56e23f |
*
|
|
Packit |
56e23f |
* You should have received a copy of the GNU Lesser General Public License
|
|
Packit |
56e23f |
* along with this library; if not, see <http://www.gnu.org/licenses>.
|
|
Packit |
56e23f |
*/
|
|
Packit |
56e23f |
|
|
Packit |
56e23f |
#include <stdlib.h>
|
|
Packit |
56e23f |
#include <errno.h>
|
|
Packit |
56e23f |
#include <sys/prctl.h>
|
|
Packit |
56e23f |
|
|
Packit |
56e23f |
#define _GNU_SOURCE
|
|
Packit |
56e23f |
#include <unistd.h>
|
|
Packit |
56e23f |
|
|
Packit Service |
10c312 |
#include "system.h"
|
|
Packit Service |
10c312 |
|
|
Packit |
56e23f |
#include <seccomp.h>
|
|
Packit |
56e23f |
|
|
Packit |
56e23f |
#include "arch.h"
|
|
Packit |
56e23f |
#include "db.h"
|
|
Packit |
56e23f |
#include "gen_bpf.h"
|
|
Packit Service |
10c312 |
#include "helper.h"
|
|
Packit |
56e23f |
|
|
Packit Service |
10c312 |
/* NOTE: the seccomp syscall allowlist is currently disabled for testing
|
|
Packit |
56e23f |
* purposes, but unless we can verify all of the supported ABIs before
|
|
Packit Service |
10c312 |
* our next release we may have to enable the allowlist */
|
|
Packit Service |
10c312 |
#define SYSCALL_ALLOWLIST_ENABLE 0
|
/* task global state
 *
 * Every "sup_*" member is a tri-state cache: -1 means "not yet probed", 0
 * means "probed/forced: unsupported" and 1 means "probed/forced: supported".
 * The probes live in the sys_chk_*() functions below, the overrides in the
 * sys_set_*() functions, and sys_reset_state() puts everything back to -1. */
struct task_state {
	/* seccomp(2) syscall number, resolved at runtime (-1: unknown) */
	int nr_seccomp;

	/* userspace notification fd handed back by a NEW_LISTENER load
	 * (-1: none held); owned by this state and closed on reset */
	int notify_fd;

	/* runtime support flags (tri-state, see above) */
	int sup_syscall;
	int sup_flag_tsync;
	int sup_flag_log;
	int sup_action_log;
	int sup_kill_process;
	int sup_flag_spec_allow;
	int sup_flag_new_listener;
	int sup_user_notif;
	int sup_flag_tsync_esrch;
};

/* the single, process-wide instance; everything starts out "unknown" */
static struct task_state state = {
	.nr_seccomp		= -1,
	.notify_fd		= -1,
	.sup_syscall		= -1,
	.sup_flag_tsync		= -1,
	.sup_flag_tsync_esrch	= -1,
	.sup_flag_log		= -1,
	.sup_flag_spec_allow	= -1,
	.sup_flag_new_listener	= -1,
	.sup_action_log		= -1,
	.sup_kill_process	= -1,
	.sup_user_notif		= -1,
};
|
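/**
 * Reset the task state
 *
 * This function fully resets the library's global "system task state": the
 * cached seccomp(2) syscall number is forgotten, every cached "is X
 * supported?" answer goes back to -1 ("not yet probed"), and the userspace
 * notification fd obtained from a SECCOMP_FILTER_FLAG_NEW_LISTENER load, if
 * one is held, is closed.  Errors from close() are not reported.
 *
 */
void sys_reset_state(void)
{
	state.nr_seccomp = -1;

	/* fd 0 is a perfectly valid descriptor (it is what the kernel hands
	 * back when stdin has been closed), so the test must be >= 0; using
	 * > 0 would leak such a listener */
	if (state.notify_fd >= 0)
		close(state.notify_fd);
	state.notify_fd = -1;

	state.sup_syscall = -1;
	state.sup_flag_tsync = -1;
	state.sup_flag_log = -1;
	state.sup_action_log = -1;
	state.sup_kill_process = -1;
	state.sup_flag_spec_allow = -1;
	state.sup_flag_new_listener = -1;
	state.sup_user_notif = -1;
	state.sup_flag_tsync_esrch = -1;
}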
|
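/**
 * Check to see if the seccomp() syscall is supported
 *
 * This function attempts to see if the system supports the seccomp() syscall
 * and caches the answer, together with the resolved syscall number, in the
 * task state so that later callers never probe again.  Return one if the
 * syscall is supported, zero otherwise.
 *
 * The probe is an intentionally invalid seccomp(SECCOMP_SET_MODE_STRICT, 1)
 * call: a kernel that implements seccomp() rejects it with EINVAL, one that
 * does not fails with ENOSYS.  Unfortunately, there are a few reasons why this
 * check may fail, including a previously loaded seccomp filter: a filter that
 * returns some other errno for seccomp(2) makes us report "unsupported", one
 * that returns EINVAL makes us report "supported", and one that kills on
 * seccomp(2) will presumably terminate the task at the probe.  Callers that
 * already know the answer can pre-seed it with sys_set_seccomp_syscall().
 *
 * If support was forced on via sys_set_seccomp_syscall() before this function
 * ever ran, the syscall number is still unresolved (-1) and every later
 * seccomp(2) call in this file would be issued as syscall(-1, ...).  In that
 * case we resolve the number here but honour the caller's decision and skip
 * the live probe.  Should the native ABI have no seccomp() number at all the
 * forced setting cannot be used and we fall back to "unsupported".
 *
 */
int sys_chk_seccomp_syscall(void)
{
	int nr_seccomp;
	bool probe = true;

	/* NOTE: it is reasonably safe to assume that we should be able to call
	 *       seccomp() when the caller first starts, but we can't rely on
	 *       it later so we need to cache our findings for use later */
	if (state.sup_syscall == 0)
		return 0;
	if (state.sup_syscall > 0) {
		if (state.nr_seccomp >= 0)
			return 1;
		/* forced on without a resolved syscall number: resolve it
		 * below, but do not second-guess the caller with a probe */
		probe = false;
	}

#if SYSCALL_ALLOWLIST_ENABLE
	/* architecture allowlist */
	switch (arch_def_native->token) {
	case SCMP_ARCH_X86_64:
	case SCMP_ARCH_ARM:
	case SCMP_ARCH_AARCH64:
	case SCMP_ARCH_PPC64:
	case SCMP_ARCH_PPC64LE:
	case SCMP_ARCH_S390:
	case SCMP_ARCH_S390X:
	case SCMP_ARCH_RISCV64:
		break;
	default:
		goto unsupported;
	}
#endif

	nr_seccomp = arch_syscall_resolve_name(arch_def_native, "seccomp");
	if (nr_seccomp < 0)
		goto unsupported;

	if (probe) {
		/* this is an invalid call because the second argument is
		 * non-zero, but depending on the errno value of ENOSYS or
		 * EINVAL we can guess if the seccomp() syscall is supported
		 * or not */
		if (syscall(nr_seccomp, SECCOMP_SET_MODE_STRICT, 1, NULL) < 0 &&
		    errno == EINVAL)
			goto supported;
		goto unsupported;
	}

supported:
	state.nr_seccomp = nr_seccomp;
	state.sup_syscall = 1;
	return 1;

unsupported:
	state.sup_syscall = 0;
	return 0;
}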
|
/**
 * Force the seccomp() syscall support setting
 * @param enable the intended support state
 *
 * This function overrides the current seccomp() syscall support setting; this
 * is very much a "use at your own risk" function.  It only touches the cached
 * support flag: the seccomp(2) syscall number itself is resolved by
 * sys_chk_seccomp_syscall(), so forcing support on here does not by itself
 * populate state.nr_seccomp.
 *
 */
void sys_set_seccomp_syscall(bool enable)
{
	if (enable)
		state.sup_syscall = 1;
	else
		state.sup_syscall = 0;
}
|
/**
 * Ask the running kernel whether it knows a seccomp action
 * @param action the seccomp action
 *
 * Issues SECCOMP_GET_ACTION_AVAIL for the action.  Returns one if the
 * seccomp() syscall is available and the kernel accepts the query, zero in
 * every other case (no seccomp(2), or the kernel rejected the action).
 *
 */
static int _sys_chk_action_kernel(uint32_t action)
{
	if (sys_chk_seccomp_syscall() != 1)
		return 0;
	if (syscall(state.nr_seccomp, SECCOMP_GET_ACTION_AVAIL, 0, &action) != 0)
		return 0;
	return 1;
}

/**
 * Check to see if a seccomp action is supported
 * @param action the seccomp action
 *
 * This function checks to see if a seccomp action is supported by the system.
 * Return one if the action is supported, zero otherwise.
 *
 * SCMP_ACT_KILL_THREAD, SCMP_ACT_TRAP, SCMP_ACT_TRACE(x), SCMP_ACT_ALLOW and
 * SCMP_ACT_ERRNO(x) with x below MAX_ERRNO are treated as always available
 * and are never checked against the kernel.  SCMP_ACT_KILL_PROCESS,
 * SCMP_ACT_LOG and SCMP_ACT_NOTIFY are queried from the running kernel the
 * first time they are asked about and the answer is cached in the task state
 * (sys_set_seccomp_action() can override it).  Anything else is reported as
 * unsupported.
 *
 */
int sys_chk_seccomp_action(uint32_t action)
{
	uint32_t data = action & 0x0000ffff;

	switch (action) {
	case SCMP_ACT_KILL_PROCESS:
		if (state.sup_kill_process < 0)
			state.sup_kill_process = _sys_chk_action_kernel(action);
		return state.sup_kill_process;
	case SCMP_ACT_LOG:
		if (state.sup_action_log < 0)
			state.sup_action_log = _sys_chk_action_kernel(action);
		return state.sup_action_log;
	case SCMP_ACT_NOTIFY:
		if (state.sup_user_notif < 0) {
			/* user notification is detected through the
			 * SECCOMP_GET_NOTIF_SIZES operation rather than
			 * through SECCOMP_GET_ACTION_AVAIL */
			struct seccomp_notif_sizes sizes;
			int rc = 0;

			if (sys_chk_seccomp_syscall() == 1)
				rc = syscall(state.nr_seccomp,
					     SECCOMP_GET_NOTIF_SIZES, 0, &sizes);
			else
				rc = -1;
			state.sup_user_notif = (rc == 0) ? 1 : 0;
		}
		return state.sup_user_notif;
	case SCMP_ACT_KILL_THREAD:
	case SCMP_ACT_TRAP:
	case SCMP_ACT_ALLOW:
		return 1;
	default:
		break;
	}

	/* the parameterized actions carry their value in the low 16 bits */
	if (action == SCMP_ACT_ERRNO(data) && data < MAX_ERRNO)
		return 1;
	if (action == SCMP_ACT_TRACE(data))
		return 1;

	return 0;
}
|
/**
 * Force a seccomp action support setting
 * @param action the seccomp action
 * @param enable the intended support state
 *
 * This function overrides the current seccomp action support setting; this
 * is very much a "use at your own risk" function.  Only the three actions
 * whose support is cached in the task state (SCMP_ACT_LOG,
 * SCMP_ACT_KILL_PROCESS and SCMP_ACT_NOTIFY) can be overridden; any other
 * action is silently ignored since there is no cached state for it.
 */
void sys_set_seccomp_action(uint32_t action, bool enable)
{
	int sup = enable ? 1 : 0;

	if (action == SCMP_ACT_LOG)
		state.sup_action_log = sup;
	else if (action == SCMP_ACT_KILL_PROCESS)
		state.sup_kill_process = sup;
	else if (action == SCMP_ACT_NOTIFY)
		state.sup_user_notif = sup;
}
|
/**
 * Check to see if a seccomp() flag is supported by the kernel
 * @param flag the seccomp() flag
 *
 * This function checks to see if a seccomp() flag is supported by the kernel.
 * Return one if the flag is supported, zero otherwise.
 *
 * The probe is a SECCOMP_SET_MODE_FILTER call with the flag set and a NULL
 * filter pointer, so nothing is ever installed; a kernel that understands
 * the flag fails the call with EFAULT, any other outcome is taken to mean
 * the flag is unknown.  Like sys_chk_seccomp_syscall(), this is a live
 * syscall and is subject to whatever filter is already loaded on the task.
 *
 */
static int _sys_chk_flag_kernel(int flag)
{
	int rc;

	if (sys_chk_seccomp_syscall() != 1)
		return 0;

	/* this is an invalid seccomp(2) call because the last argument
	 * is NULL, but depending on the errno value of EFAULT we can
	 * guess if the filter flag is supported or not */
	rc = syscall(state.nr_seccomp, SECCOMP_SET_MODE_FILTER, flag, NULL);
	if (rc == -1 && errno == EFAULT)
		return 1;

	return 0;
}
|
/**
 * Check to see if a seccomp() flag is supported
 * @param flag the seccomp() flag
 *
 * This function checks to see if a seccomp() flag is supported by the system.
 * Return one if the flag is supported, zero if unsupported, and -EOPNOTSUPP
 * for a flag this library does not know how to test.  The first answer for
 * each known flag comes from _sys_chk_flag_kernel() and is cached in the task
 * state; sys_set_seccomp_flag() can override the cached value.
 *
 */
int sys_chk_seccomp_flag(int flag)
{
	int *cache;

	/* pick the cache slot that belongs to this flag */
	switch (flag) {
	case SECCOMP_FILTER_FLAG_TSYNC:
		cache = &state.sup_flag_tsync;
		break;
	case SECCOMP_FILTER_FLAG_LOG:
		cache = &state.sup_flag_log;
		break;
	case SECCOMP_FILTER_FLAG_SPEC_ALLOW:
		cache = &state.sup_flag_spec_allow;
		break;
	case SECCOMP_FILTER_FLAG_NEW_LISTENER:
		cache = &state.sup_flag_new_listener;
		break;
	case SECCOMP_FILTER_FLAG_TSYNC_ESRCH:
		cache = &state.sup_flag_tsync_esrch;
		break;
	default:
		return -EOPNOTSUPP;
	}

	/* -1 means nobody has asked yet */
	if (*cache < 0)
		*cache = _sys_chk_flag_kernel(flag);

	return *cache;
}
|
/**
 * Force a seccomp() syscall flag support setting
 * @param flag the seccomp() flag
 * @param enable the intended support state
 *
 * This function overrides the current seccomp() syscall support setting for a
 * given flag; this is very much a "use at your own risk" function.  Only the
 * flags tracked in the task state (TSYNC, LOG, SPEC_ALLOW, NEW_LISTENER and
 * TSYNC_ESRCH) can be set; any other flag is silently ignored.
 *
 */
void sys_set_seccomp_flag(int flag, bool enable)
{
	int *cache = NULL;

	switch (flag) {
	case SECCOMP_FILTER_FLAG_TSYNC:
		cache = &state.sup_flag_tsync;
		break;
	case SECCOMP_FILTER_FLAG_LOG:
		cache = &state.sup_flag_log;
		break;
	case SECCOMP_FILTER_FLAG_SPEC_ALLOW:
		cache = &state.sup_flag_spec_allow;
		break;
	case SECCOMP_FILTER_FLAG_NEW_LISTENER:
		cache = &state.sup_flag_new_listener;
		break;
	case SECCOMP_FILTER_FLAG_TSYNC_ESRCH:
		cache = &state.sup_flag_tsync_esrch;
		break;
	default:
		/* nothing cached for this flag, nothing to override */
		return;
	}

	*cache = enable ? 1 : 0;
}
|
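/**
 * Loads the filter into the kernel
 * @param col the filter collection
 * @param rawrc pass the raw return code if true
 *
 * This function loads the given seccomp filter context into the kernel. If
 * the filter was loaded correctly, the kernel will be enforcing the filter
 * when this function returns. Returns zero on success, negative values on
 * error.
 *
 * The steps are: generate the BPF program from @col; if the collection asks
 * for it, set PR_SET_NO_NEW_PRIVS (note that, per prctl(2), this cannot be
 * cleared again for the lifetime of the process, and per seccomp(2) a filter
 * load without it requires CAP_SYS_ADMIN); then install the program with
 * seccomp(2) when that syscall is available, or with the legacy
 * prctl(PR_SET_SECCOMP) otherwise.
 *
 * Flag handling: TSYNC and NEW_LISTENER are only ever combined when the
 * TSYNC_ESRCH flag is known to be supported; without it the combination is
 * treated as an internal error (-EFAULT raw) since db.c is expected to reject
 * it earlier.  A listener is only requested while no notification fd is held.
 *
 * Return value details:
 *  - a thread-sync (TSYNC) failure is always reported as -ESRCH, regardless
 *    of @rawrc, on both the TSYNC and the TSYNC|TSYNC_ESRCH paths;
 *  - any other failure is reported as -errno of the failing call when @rawrc
 *    is true and as -ECANCELED otherwise;
 *  - the fd returned for SECCOMP_FILTER_FLAG_NEW_LISTENER is kept in the task
 *    state (see sys_notify_fd()) and zero is returned to the caller.
 *
 */
int sys_filter_load(struct db_filter_col *col, bool rawrc)
{
	int rc;
	int err = 0;
	bool tsync_notify;
	bool listener_req;
	struct bpf_program *prgm = NULL;

	rc = gen_bpf_generate(col, &prgm);
	if (rc < 0)
		return rc;

	/* attempt to set NO_NEW_PRIVS */
	if (col->attr.nnp_enable) {
		rc = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
		if (rc < 0) {
			err = errno;
			goto filter_load_out;
		}
	}

	tsync_notify = state.sup_flag_tsync_esrch > 0 && state.notify_fd == -1;
	listener_req = state.sup_user_notif > 0 && \
		       col->notify_used && state.notify_fd == -1;

	/* load the filter into the kernel */
	if (sys_chk_seccomp_syscall() == 1) {
		int flgs = 0;
		if (tsync_notify) {
			if (col->attr.tsync_enable)
				flgs |= SECCOMP_FILTER_FLAG_TSYNC | \
					SECCOMP_FILTER_FLAG_TSYNC_ESRCH;
			if (listener_req)
				flgs |= SECCOMP_FILTER_FLAG_NEW_LISTENER;
		} else if (col->attr.tsync_enable) {
			if (listener_req) {
				/* NOTE: we _should_ catch this in db.c */
				err = EFAULT;
				rc = -EFAULT;
				goto filter_load_out;
			}
			flgs |= SECCOMP_FILTER_FLAG_TSYNC;
		} else if (listener_req)
			flgs |= SECCOMP_FILTER_FLAG_NEW_LISTENER;
		if (col->attr.log_enable)
			flgs |= SECCOMP_FILTER_FLAG_LOG;
		if (col->attr.spec_allow)
			flgs |= SECCOMP_FILTER_FLAG_SPEC_ALLOW;
		rc = syscall(state.nr_seccomp,
			     SECCOMP_SET_MODE_FILTER, flgs, prgm);
		/* capture errno immediately; the cleanup below (free via
		 * gen_bpf_release()) may clobber it before we report it */
		if (rc < 0)
			err = errno;
		if (tsync_notify && rc > 0) {
			/* return 0 on NEW_LISTENER success, but save the fd */
			state.notify_fd = rc;
			rc = 0;
		} else if (tsync_notify && rc < 0 && err == ESRCH &&
			   col->attr.tsync_enable) {
			/* with TSYNC_ESRCH the kernel reports a thread sync
			 * failure as -1/ESRCH instead of returning the
			 * offending thread id; normalize it to -ESRCH so the
			 * caller sees the same value as on the legacy TSYNC
			 * path below, whether or not @rawrc is set */
			rc = -ESRCH;
		} else if (rc > 0 && col->attr.tsync_enable) {
			/* always return -ESRCH if we fail to sync threads */
			errno = ESRCH;
			err = ESRCH;
			rc = -ESRCH;
		} else if (rc > 0 && state.sup_user_notif > 0) {
			/* return 0 on NEW_LISTENER success, but save the fd */
			state.notify_fd = rc;
			rc = 0;
		}
	} else {
		rc = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, prgm);
		if (rc < 0)
			err = errno;
	}

filter_load_out:
	/* cleanup and return */
	gen_bpf_release(prgm);
	if (rc == -ESRCH)
		return -ESRCH;
	if (rc < 0)
		return (rawrc ? -err : -ECANCELED);
	return rc;
}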
|
/**
 * Return the userspace notification fd
 *
 * This function returns the userspace notification fd from
 * SECCOMP_FILTER_FLAG_NEW_LISTENER. If the notification fd has not yet been
 * set, or an error has occurred, -1 is returned.
 *
 * The descriptor remains owned by the library's task state: it is closed by
 * sys_reset_state(), so callers must not close it themselves.
 *
 */
int sys_notify_fd(void)
{
	int fd = state.notify_fd;

	return fd;
}
|
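/**
 * Allocate a pair of notification request/response structures
 * @param req the request location
 * @param resp the response location
 *
 * This function allocates a pair of request/response structure by computing
 * the correct sizes based on the currently running kernel. It returns zero on
 * success, and negative values on failure: -EOPNOTSUPP if seccomp() support
 * has not been established, -ECANCELED if the kernel refuses the size query,
 * -EFAULT if the kernel reports a zero size, -ENOMEM if an allocation fails.
 * Either pointer may be NULL to skip that allocation.  On failure nothing is
 * left allocated and *req (when given) is NULL, so the caller can free both
 * unconditionally.
 *
 */
int sys_notify_alloc(struct seccomp_notif **req,
		     struct seccomp_notif_resp **resp)
{
	int rc;
	static struct seccomp_notif_sizes sizes = { 0, 0, 0 };

	/* NOTE: this only consults the cached answer; an unprobed state (-1)
	 *       is reported as unsupported rather than triggering the
	 *       sys_chk_seccomp_syscall() probe */
	if (state.sup_syscall <= 0)
		return -EOPNOTSUPP;

	/* the sizes are a property of the running kernel, query them once;
	 * use the runtime resolved syscall number like every other seccomp(2)
	 * call in this file, not the build-time __NR_seccomp constant */
	if (sizes.seccomp_notif == 0 && sizes.seccomp_notif_resp == 0) {
		rc = syscall(state.nr_seccomp,
			     SECCOMP_GET_NOTIF_SIZES, 0, &sizes);
		if (rc < 0)
			return -ECANCELED;
	}
	if (sizes.seccomp_notif == 0 || sizes.seccomp_notif_resp == 0)
		return -EFAULT;

	if (req) {
		*req = zmalloc(sizes.seccomp_notif);
		if (!*req)
			return -ENOMEM;
	}

	if (resp) {
		*resp = zmalloc(sizes.seccomp_notif_resp);
		if (!*resp) {
			/* don't hand the caller a dangling request pointer */
			if (req) {
				free(*req);
				*req = NULL;
			}
			return -ENOMEM;
		}
	}

	return 0;
}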
|
/**
 * Receive a notification from a seccomp notification fd
 * @param fd the notification fd
 * @param req the request buffer to save into
 *
 * Blocks waiting for a notification on this fd. This function is thread safe
 * (synchronization is performed in the kernel). Returns zero on success,
 * negative values on error: -EOPNOTSUPP if user notification support has not
 * been established in the task state, -ECANCELED for any ioctl() failure
 * (the underlying errno is not propagated to the caller).
 *
 * The kernel fills @req in place, so it should be sized for the running
 * kernel via sys_notify_alloc().
 *
 */
int sys_notify_receive(int fd, struct seccomp_notif *req)
{
	int rc;

	if (state.sup_user_notif <= 0)
		return -EOPNOTSUPP;

	rc = ioctl(fd, SECCOMP_IOCTL_NOTIF_RECV, req);
	return (rc < 0) ? -ECANCELED : 0;
}
|
/**
 * Send a notification response to a seccomp notification fd
 * @param fd the notification fd
 * @param resp the response buffer to use
 *
 * Sends a notification response on this fd. This function is thread safe
 * (synchronization is performed in the kernel). Returns zero on success,
 * negative values on error: -EOPNOTSUPP if user notification support has not
 * been established in the task state, -ECANCELED for any ioctl() failure
 * (the underlying errno is not propagated to the caller).
 *
 */
int sys_notify_respond(int fd, struct seccomp_notif_resp *resp)
{
	int rc;

	if (state.sup_user_notif <= 0)
		return -EOPNOTSUPP;

	rc = ioctl(fd, SECCOMP_IOCTL_NOTIF_SEND, resp);
	return (rc < 0) ? -ECANCELED : 0;
}
|
/**
 * Check if a notification id is still valid
 * @param fd the notification fd
 * @param id the id to test
 *
 * Checks to see if a notification id is still valid. Returns 0 on success, and
 * negative values on failure: -EOPNOTSUPP if user notification support has
 * not been established in the task state, -ENOENT if the kernel no longer
 * recognizes the id (or the ioctl() fails for any other reason; errno is not
 * propagated).
 *
 * NOTE(review): per seccomp(2) a supervisor is expected to re-check the id
 * before acting on a request it has already received, since the target may
 * have died in the meantime; confirm callers of this function do so.
 *
 */
int sys_notify_id_valid(int fd, uint64_t id)
{
	uint64_t cookie = id;

	if (state.sup_user_notif <= 0)
		return -EOPNOTSUPP;

	if (ioctl(fd, SECCOMP_IOCTL_NOTIF_ID_VALID, &cookie) < 0)
		return -ENOENT;

	return 0;
}