aarch64 support for seccomp-bpf sandbox

Also resort and tidy syscall list. Based on patches by Jakub Jelen bz#2361; ok dtucker@
author: Damien Miller <djm@mindrot.org> 2015-06-17 10:50:51 +1000
committer: Damien Miller <djm@mindrot.org> 2015-06-17 10:50:51 +1000
commit: 99f33d7304893bd9fa04d227cb6e870171cded19 (patch)
tree: 1ff160ec8de1743af2ccb3260400dcf8a5c161fb /sandbox-seccomp-filter.c
parent: 4ef702e1244633c1025ec7cfe044b9ab267097bf (diff)
1 files changed, 85 insertions, 20 deletions
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index b6f6258f2..badfee2ec 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -43,6 +43,7 @@
 #include <sys/resource.h>
 #include <sys/prctl.h>
+#include <linux/net.h>
 #include <linux/audit.h>
 #include <linux/filter.h>
 #include <linux/seccomp.h>
@@ -79,6 +80,16 @@
 #define SC_ALLOW(_nr) \
        BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \
        BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
+#define SC_ALLOW_ARG(_nr, _arg_nr, _arg_val) \
+        BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 3), \
+        /* load first syscall argument */ \
+        BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
+            offsetof(struct seccomp_data, args[(_arg_nr)])), \
+        BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (_arg_val), 0, 1), \
+        BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW), \
+        /* reload syscall number; all rules expect it in accumulator */ \
+        BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
+                offsetof(struct seccomp_data, nr))
 /* Syscall filtering set for preauth. */
 static const struct sock_filter preauth_insns[] = {
@@ -90,45 +101,99 @@ static const struct sock_filter preauth_insns[] = {
        /* Load the syscall number for checking. */
        BPF_STMT(BPF_LD+BPF_W+BPF_ABS,
                offsetof(struct seccomp_data, nr)),
+        /* Syscalls to non-fatally deny */
+#ifdef __NR_fstat
+        SC_DENY(fstat, EACCES),
+#endif
+#ifdef __NR_fstat64
+        SC_DENY(fstat64, EACCES),
+#endif
+#ifdef __NR_open
        SC_DENY(open, EACCES),
+#endif
+#ifdef __NR_openat
+        SC_DENY(openat, EACCES),
+#endif
+#ifdef __NR_newfstatat
+        SC_DENY(newfstatat, EACCES),
+#endif
+#ifdef __NR_stat
        SC_DENY(stat, EACCES),
-        SC_ALLOW(getpid),
+#endif
-        SC_ALLOW(gettimeofday),
+#ifdef __NR_stat64
+        SC_DENY(stat64, EACCES),
+#endif
+        /* Syscalls to permit */
+#ifdef __NR_brk
+        SC_ALLOW(brk),
+#endif
+#ifdef __NR_clock_gettime
        SC_ALLOW(clock_gettime),
-#ifdef __NR_time /* not defined on EABI ARM */
-        SC_ALLOW(time),
 #endif
-        SC_ALLOW(read),
+#ifdef __NR_close
-        SC_ALLOW(write),
        SC_ALLOW(close),
-#ifdef __NR_shutdown /* not defined on archs that go via socketcall(2) */
-        SC_ALLOW(shutdown),
 #endif
-        SC_ALLOW(brk),
+#ifdef __NR_exit
-        SC_ALLOW(poll),
+        SC_ALLOW(exit),
-#ifdef __NR__newselect
+#endif
-        SC_ALLOW(_newselect),
+#ifdef __NR_exit_group
-#else
+        SC_ALLOW(exit_group),
-        SC_ALLOW(select),
+#endif
+#ifdef __NR_getpid
+        SC_ALLOW(getpid),
 #endif
+#ifdef __NR_gettimeofday
+        SC_ALLOW(gettimeofday),
+#endif
+#ifdef __NR_madvise
        SC_ALLOW(madvise),
-#ifdef __NR_mmap2 /* EABI ARM only has mmap2() */
-        SC_ALLOW(mmap2),
 #endif
 #ifdef __NR_mmap
        SC_ALLOW(mmap),
 #endif
-#ifdef __dietlibc__
+#ifdef __NR_mmap2
+        SC_ALLOW(mmap2),
+#endif
+#ifdef __NR_mremap
        SC_ALLOW(mremap),
-        SC_ALLOW(exit),
 #endif
+#ifdef __NR_munmap
        SC_ALLOW(munmap),
-        SC_ALLOW(exit_group),
+#endif
+#ifdef __NR__newselect
+        SC_ALLOW(_newselect),
+#endif
+#ifdef __NR_poll
+        SC_ALLOW(poll),
+#endif
+#ifdef __NR_read
+        SC_ALLOW(read),
+#endif
 #ifdef __NR_rt_sigprocmask
        SC_ALLOW(rt_sigprocmask),
-#else
+#endif
+#ifdef __NR_select
+        SC_ALLOW(select),
+#endif
+#ifdef __NR_shutdown
+        SC_ALLOW(shutdown),
+#endif
+#ifdef __NR_sigprocmask
        SC_ALLOW(sigprocmask),
 #endif
+#ifdef __NR_time
+        SC_ALLOW(time),
+#endif
+#ifdef __NR_write
+        SC_ALLOW(write),
+#endif
+#ifdef __NR_socketcall
+        SC_ALLOW_ARG(socketcall, 0, SYS_SHUTDOWN),
+#endif
+        /* Default deny */
        BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL),
 };
author	Damien Miller <djm@mindrot.org>	2015-06-17 10:50:51 +1000
committer	Damien Miller <djm@mindrot.org>	2015-06-17 10:50:51 +1000
commit	99f33d7304893bd9fa04d227cb6e870171cded19 (patch)
tree	1ff160ec8de1743af2ccb3260400dcf8a5c161fb /sandbox-seccomp-filter.c
parent	4ef702e1244633c1025ec7cfe044b9ab267097bf (diff)

diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c index b6f6258f2..badfee2ec 100644 --- a/sandbox-seccomp-filter.c +++ b/sandbox-seccomp-filter.c
@@ -43,6 +43,7 @@
43	#include <sys/resource.h>	43	#include <sys/resource.h>
44	#include <sys/prctl.h>	44	#include <sys/prctl.h>
45		45
		46	#include <linux/net.h>
46	#include <linux/audit.h>	47	#include <linux/audit.h>
47	#include <linux/filter.h>	48	#include <linux/filter.h>
48	#include <linux/seccomp.h>	49	#include <linux/seccomp.h>
@@ -79,6 +80,16 @@
79	#define SC_ALLOW(_nr) \	80	#define SC_ALLOW(_nr) \
80	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \	81	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \
81	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)	82	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
		83	#define SC_ALLOW_ARG(_nr, _arg_nr, _arg_val) \
		84	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 3), \
		85	/* load first syscall argument */ \
		86	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
		87	offsetof(struct seccomp_data, args[(_arg_nr)])), \
		88	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (_arg_val), 0, 1), \
		89	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW), \
		90	/* reload syscall number; all rules expect it in accumulator */ \
		91	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
		92	offsetof(struct seccomp_data, nr))
82		93
83	/* Syscall filtering set for preauth. */	94	/* Syscall filtering set for preauth. */
84	static const struct sock_filter preauth_insns[] = {	95	static const struct sock_filter preauth_insns[] = {
@@ -90,45 +101,99 @@ static const struct sock_filter preauth_insns[] = {
90	/* Load the syscall number for checking. */	101	/* Load the syscall number for checking. */
91	BPF_STMT(BPF_LD+BPF_W+BPF_ABS,	102	BPF_STMT(BPF_LD+BPF_W+BPF_ABS,
92	offsetof(struct seccomp_data, nr)),	103	offsetof(struct seccomp_data, nr)),
		104
		105	/* Syscalls to non-fatally deny */
		106	#ifdef __NR_fstat
		107	SC_DENY(fstat, EACCES),
		108	#endif
		109	#ifdef __NR_fstat64
		110	SC_DENY(fstat64, EACCES),
		111	#endif
		112	#ifdef __NR_open
93	SC_DENY(open, EACCES),	113	SC_DENY(open, EACCES),
		114	#endif
		115	#ifdef __NR_openat
		116	SC_DENY(openat, EACCES),
		117	#endif
		118	#ifdef __NR_newfstatat
		119	SC_DENY(newfstatat, EACCES),
		120	#endif
		121	#ifdef __NR_stat
94	SC_DENY(stat, EACCES),	122	SC_DENY(stat, EACCES),
95	SC_ALLOW(getpid),	123	#endif
96	SC_ALLOW(gettimeofday),	124	#ifdef __NR_stat64
		125	SC_DENY(stat64, EACCES),
		126	#endif
		127
		128	/* Syscalls to permit */
		129	#ifdef __NR_brk
		130	SC_ALLOW(brk),
		131	#endif
		132	#ifdef __NR_clock_gettime
97	SC_ALLOW(clock_gettime),	133	SC_ALLOW(clock_gettime),
98	#ifdef __NR_time /* not defined on EABI ARM */
99	SC_ALLOW(time),
100	#endif	134	#endif
101	SC_ALLOW(read),	135	#ifdef __NR_close
102	SC_ALLOW(write),
103	SC_ALLOW(close),	136	SC_ALLOW(close),
104	#ifdef __NR_shutdown /* not defined on archs that go via socketcall(2) */
105	SC_ALLOW(shutdown),
106	#endif	137	#endif
107	SC_ALLOW(brk),	138	#ifdef __NR_exit
108	SC_ALLOW(poll),	139	SC_ALLOW(exit),
109	#ifdef __NR__newselect	140	#endif
110	SC_ALLOW(_newselect),	141	#ifdef __NR_exit_group
111	#else	142	SC_ALLOW(exit_group),
112	SC_ALLOW(select),	143	#endif
		144	#ifdef __NR_getpid
		145	SC_ALLOW(getpid),
113	#endif	146	#endif
		147	#ifdef __NR_gettimeofday
		148	SC_ALLOW(gettimeofday),
		149	#endif
		150	#ifdef __NR_madvise
114	SC_ALLOW(madvise),	151	SC_ALLOW(madvise),
115	#ifdef __NR_mmap2 /* EABI ARM only has mmap2() */
116	SC_ALLOW(mmap2),
117	#endif	152	#endif
118	#ifdef __NR_mmap	153	#ifdef __NR_mmap
119	SC_ALLOW(mmap),	154	SC_ALLOW(mmap),
120	#endif	155	#endif
121	#ifdef __dietlibc__	156	#ifdef __NR_mmap2
		157	SC_ALLOW(mmap2),
		158	#endif
		159	#ifdef __NR_mremap
122	SC_ALLOW(mremap),	160	SC_ALLOW(mremap),
123	SC_ALLOW(exit),
124	#endif	161	#endif
		162	#ifdef __NR_munmap
125	SC_ALLOW(munmap),	163	SC_ALLOW(munmap),
126	SC_ALLOW(exit_group),	164	#endif
		165	#ifdef __NR__newselect
		166	SC_ALLOW(_newselect),
		167	#endif
		168	#ifdef __NR_poll
		169	SC_ALLOW(poll),
		170	#endif
		171	#ifdef __NR_read
		172	SC_ALLOW(read),
		173	#endif
127	#ifdef __NR_rt_sigprocmask	174	#ifdef __NR_rt_sigprocmask
128	SC_ALLOW(rt_sigprocmask),	175	SC_ALLOW(rt_sigprocmask),
129	#else	176	#endif
		177	#ifdef __NR_select
		178	SC_ALLOW(select),
		179	#endif
		180	#ifdef __NR_shutdown
		181	SC_ALLOW(shutdown),
		182	#endif
		183	#ifdef __NR_sigprocmask
130	SC_ALLOW(sigprocmask),	184	SC_ALLOW(sigprocmask),
131	#endif	185	#endif
		186	#ifdef __NR_time
		187	SC_ALLOW(time),
		188	#endif
		189	#ifdef __NR_write
		190	SC_ALLOW(write),
		191	#endif
		192	#ifdef __NR_socketcall
		193	SC_ALLOW_ARG(socketcall, 0, SYS_SHUTDOWN),
		194	#endif
		195
		196	/* Default deny */
132	BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL),	197	BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL),
133	};	198	};
134		199