diff options
| author | Colin Watson <cjwatson@debian.org> | 2017-04-02 01:26:17 +0100 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2017-04-02 01:54:08 +0100 |
| commit | 20adc7e0fc13ff9c7d270db250aac1fa140e3851 (patch) | |
| tree | 5d9f06b0ff195db88093037d9102f0cdcf3884c6 /sandbox-seccomp-filter.c | |
| parent | af27669f905133925224acc753067dea710881dd (diff) | |
| parent | ec338656a3d6b21bb87f3b6367b232d297f601e5 (diff) | |
New upstream release (7.5p1)
Diffstat (limited to 'sandbox-seccomp-filter.c')
| -rw-r--r-- | sandbox-seccomp-filter.c | 119 |
1 files changed, 70 insertions, 49 deletions
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c index 62c578d3c..3a1aedce7 100644 --- a/sandbox-seccomp-filter.c +++ b/sandbox-seccomp-filter.c | |||
| @@ -73,19 +73,35 @@ | |||
| 73 | # define SECCOMP_FILTER_FAIL SECCOMP_RET_TRAP | 73 | # define SECCOMP_FILTER_FAIL SECCOMP_RET_TRAP |
| 74 | #endif /* SANDBOX_SECCOMP_FILTER_DEBUG */ | 74 | #endif /* SANDBOX_SECCOMP_FILTER_DEBUG */ |
| 75 | 75 | ||
| 76 | #if __BYTE_ORDER == __LITTLE_ENDIAN | ||
| 77 | # define ARG_LO_OFFSET 0 | ||
| 78 | # define ARG_HI_OFFSET sizeof(uint32_t) | ||
| 79 | #elif __BYTE_ORDER == __BIG_ENDIAN | ||
| 80 | # define ARG_LO_OFFSET sizeof(uint32_t) | ||
| 81 | # define ARG_HI_OFFSET 0 | ||
| 82 | #else | ||
| 83 | #error "Unknown endianness" | ||
| 84 | #endif | ||
| 85 | |||
| 76 | /* Simple helpers to avoid manual errors (but larger BPF programs). */ | 86 | /* Simple helpers to avoid manual errors (but larger BPF programs). */ |
| 77 | #define SC_DENY(_nr, _errno) \ | 87 | #define SC_DENY(_nr, _errno) \ |
| 78 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \ | 88 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (_nr), 0, 1), \ |
| 79 | BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO|(_errno)) | 89 | BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO|(_errno)) |
| 80 | #define SC_ALLOW(_nr) \ | 90 | #define SC_ALLOW(_nr) \ |
| 81 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \ | 91 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (_nr), 0, 1), \ |
| 82 | BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) | 92 | BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) |
| 83 | #define SC_ALLOW_ARG(_nr, _arg_nr, _arg_val) \ | 93 | #define SC_ALLOW_ARG(_nr, _arg_nr, _arg_val) \ |
| 84 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 4), \ | 94 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (_nr), 0, 6), \ |
| 85 | /* load first syscall argument */ \ | 95 | /* load and test first syscall argument, low word */ \ |
| 86 | BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \ | 96 | BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \ |
| 87 | offsetof(struct seccomp_data, args[(_arg_nr)])), \ | 97 | offsetof(struct seccomp_data, args[(_arg_nr)]) + ARG_LO_OFFSET), \ |
| 88 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (_arg_val), 0, 1), \ | 98 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, \ |
| 99 | ((_arg_val) & 0xFFFFFFFF), 0, 3), \ | ||
| 100 | /* load and test first syscall argument, high word */ \ | ||
| 101 | BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \ | ||
| 102 | offsetof(struct seccomp_data, args[(_arg_nr)]) + ARG_HI_OFFSET), \ | ||
| 103 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, \ | ||
| 104 | (((uint32_t)((uint64_t)(_arg_val) >> 32)) & 0xFFFFFFFF), 0, 1), \ | ||
| 89 | BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW), \ | 105 | BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW), \ |
| 90 | /* reload syscall number; all rules expect it in accumulator */ \ | 106 | /* reload syscall number; all rules expect it in accumulator */ \ |
| 91 | BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \ | 107 | BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \ |
| @@ -104,117 +120,122 @@ static const struct sock_filter preauth_insns[] = { | |||
| 104 | 120 | ||
| 105 | /* Syscalls to non-fatally deny */ | 121 | /* Syscalls to non-fatally deny */ |
| 106 | #ifdef __NR_lstat | 122 | #ifdef __NR_lstat |
| 107 | SC_DENY(lstat, EACCES), | 123 | SC_DENY(__NR_lstat, EACCES), |
| 108 | #endif | 124 | #endif |
| 109 | #ifdef __NR_lstat64 | 125 | #ifdef __NR_lstat64 |
| 110 | SC_DENY(lstat64, EACCES), | 126 | SC_DENY(__NR_lstat64, EACCES), |
| 111 | #endif | 127 | #endif |
| 112 | #ifdef __NR_fstat | 128 | #ifdef __NR_fstat |
| 113 | SC_DENY(fstat, EACCES), | 129 | SC_DENY(__NR_fstat, EACCES), |
| 114 | #endif | 130 | #endif |
| 115 | #ifdef __NR_fstat64 | 131 | #ifdef __NR_fstat64 |
| 116 | SC_DENY(fstat64, EACCES), | 132 | SC_DENY(__NR_fstat64, EACCES), |
| 117 | #endif | 133 | #endif |
| 118 | #ifdef __NR_open | 134 | #ifdef __NR_open |
| 119 | SC_DENY(open, EACCES), | 135 | SC_DENY(__NR_open, EACCES), |
| 120 | #endif | 136 | #endif |
| 121 | #ifdef __NR_openat | 137 | #ifdef __NR_openat |
| 122 | SC_DENY(openat, EACCES), | 138 | SC_DENY(__NR_openat, EACCES), |
| 123 | #endif | 139 | #endif |
| 124 | #ifdef __NR_newfstatat | 140 | #ifdef __NR_newfstatat |
| 125 | SC_DENY(newfstatat, EACCES), | 141 | SC_DENY(__NR_newfstatat, EACCES), |
| 126 | #endif | 142 | #endif |
| 127 | #ifdef __NR_stat | 143 | #ifdef __NR_stat |
| 128 | SC_DENY(stat, EACCES), | 144 | SC_DENY(__NR_stat, EACCES), |
| 129 | #endif | 145 | #endif |
| 130 | #ifdef __NR_stat64 | 146 | #ifdef __NR_stat64 |
| 131 | SC_DENY(stat64, EACCES), | 147 | SC_DENY(__NR_stat64, EACCES), |
| 132 | #endif | 148 | #endif |
| 133 | 149 | ||
| 134 | /* Syscalls to permit */ | 150 | /* Syscalls to permit */ |
| 135 | #ifdef __NR_brk | 151 | #ifdef __NR_brk |
| 136 | SC_ALLOW(brk), | 152 | SC_ALLOW(__NR_brk), |
| 137 | #endif | 153 | #endif |
| 138 | #ifdef __NR_clock_gettime | 154 | #ifdef __NR_clock_gettime |
| 139 | SC_ALLOW(clock_gettime), | 155 | SC_ALLOW(__NR_clock_gettime), |
| 140 | # if defined(__x86_64__) && defined(__ILP32__) | ||
| 141 | /* On Linux x32, the clock_gettime VDSO currently falls back to the | ||
| 142 | * x86-64 syscall (see https://bugs.debian.org/849923), so allow | ||
| 143 | * that too. | ||
| 144 | */ | ||
| 145 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, | ||
| 146 | __NR_clock_gettime & ~__X32_SYSCALL_BIT, 0, 1), | ||
| 147 | BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW), | ||
| 148 | # endif | ||
| 149 | #endif | 156 | #endif |
| 150 | #ifdef __NR_close | 157 | #ifdef __NR_close |
| 151 | SC_ALLOW(close), | 158 | SC_ALLOW(__NR_close), |
| 152 | #endif | 159 | #endif |
| 153 | #ifdef __NR_exit | 160 | #ifdef __NR_exit |
| 154 | SC_ALLOW(exit), | 161 | SC_ALLOW(__NR_exit), |
| 155 | #endif | 162 | #endif |
| 156 | #ifdef __NR_exit_group | 163 | #ifdef __NR_exit_group |
| 157 | SC_ALLOW(exit_group), | 164 | SC_ALLOW(__NR_exit_group), |
| 158 | #endif | 165 | #endif |
| 159 | #ifdef __NR_getpgid | 166 | #ifdef __NR_getpgid |
| 160 | SC_ALLOW(getpgid), | 167 | SC_ALLOW(__NR_getpgid), |
| 161 | #endif | 168 | #endif |
| 162 | #ifdef __NR_getpid | 169 | #ifdef __NR_getpid |
| 163 | SC_ALLOW(getpid), | 170 | SC_ALLOW(__NR_getpid), |
| 164 | #endif | 171 | #endif |
| 165 | #ifdef __NR_getrandom | 172 | #ifdef __NR_getrandom |
| 166 | SC_ALLOW(getrandom), | 173 | SC_ALLOW(__NR_getrandom), |
| 167 | #endif | 174 | #endif |
| 168 | #ifdef __NR_gettimeofday | 175 | #ifdef __NR_gettimeofday |
| 169 | SC_ALLOW(gettimeofday), | 176 | SC_ALLOW(__NR_gettimeofday), |
| 170 | #endif | 177 | #endif |
| 171 | #ifdef __NR_madvise | 178 | #ifdef __NR_madvise |
| 172 | SC_ALLOW(madvise), | 179 | SC_ALLOW(__NR_madvise), |
| 173 | #endif | 180 | #endif |
| 174 | #ifdef __NR_mmap | 181 | #ifdef __NR_mmap |
| 175 | SC_ALLOW(mmap), | 182 | SC_ALLOW(__NR_mmap), |
| 176 | #endif | 183 | #endif |
| 177 | #ifdef __NR_mmap2 | 184 | #ifdef __NR_mmap2 |
| 178 | SC_ALLOW(mmap2), | 185 | SC_ALLOW(__NR_mmap2), |
| 179 | #endif | 186 | #endif |
| 180 | #ifdef __NR_mremap | 187 | #ifdef __NR_mremap |
| 181 | SC_ALLOW(mremap), | 188 | SC_ALLOW(__NR_mremap), |
| 182 | #endif | 189 | #endif |
| 183 | #ifdef __NR_munmap | 190 | #ifdef __NR_munmap |
| 184 | SC_ALLOW(munmap), | 191 | SC_ALLOW(__NR_munmap), |
| 185 | #endif | 192 | #endif |
| 186 | #ifdef __NR__newselect | 193 | #ifdef __NR__newselect |
| 187 | SC_ALLOW(_newselect), | 194 | SC_ALLOW(__NR__newselect), |
| 188 | #endif | 195 | #endif |
| 189 | #ifdef __NR_poll | 196 | #ifdef __NR_poll |
| 190 | SC_ALLOW(poll), | 197 | SC_ALLOW(__NR_poll), |
| 191 | #endif | 198 | #endif |
| 192 | #ifdef __NR_pselect6 | 199 | #ifdef __NR_pselect6 |
| 193 | SC_ALLOW(pselect6), | 200 | SC_ALLOW(__NR_pselect6), |
| 194 | #endif | 201 | #endif |
| 195 | #ifdef __NR_read | 202 | #ifdef __NR_read |
| 196 | SC_ALLOW(read), | 203 | SC_ALLOW(__NR_read), |
| 197 | #endif | 204 | #endif |
| 198 | #ifdef __NR_rt_sigprocmask | 205 | #ifdef __NR_rt_sigprocmask |
| 199 | SC_ALLOW(rt_sigprocmask), | 206 | SC_ALLOW(__NR_rt_sigprocmask), |
| 200 | #endif | 207 | #endif |
| 201 | #ifdef __NR_select | 208 | #ifdef __NR_select |
| 202 | SC_ALLOW(select), | 209 | SC_ALLOW(__NR_select), |
| 203 | #endif | 210 | #endif |
| 204 | #ifdef __NR_shutdown | 211 | #ifdef __NR_shutdown |
| 205 | SC_ALLOW(shutdown), | 212 | SC_ALLOW(__NR_shutdown), |
| 206 | #endif | 213 | #endif |
| 207 | #ifdef __NR_sigprocmask | 214 | #ifdef __NR_sigprocmask |
| 208 | SC_ALLOW(sigprocmask), | 215 | SC_ALLOW(__NR_sigprocmask), |
| 209 | #endif | 216 | #endif |
| 210 | #ifdef __NR_time | 217 | #ifdef __NR_time |
| 211 | SC_ALLOW(time), | 218 | SC_ALLOW(__NR_time), |
| 212 | #endif | 219 | #endif |
| 213 | #ifdef __NR_write | 220 | #ifdef __NR_write |
| 214 | SC_ALLOW(write), | 221 | SC_ALLOW(__NR_write), |
| 215 | #endif | 222 | #endif |
| 216 | #ifdef __NR_socketcall | 223 | #ifdef __NR_socketcall |
| 217 | SC_ALLOW_ARG(socketcall, 0, SYS_SHUTDOWN), | 224 | SC_ALLOW_ARG(__NR_socketcall, 0, SYS_SHUTDOWN), |
| 225 | #endif | ||
| 226 | #if defined(__NR_ioctl) && defined(__s390__) | ||
| 227 | /* Allow ioctls for ICA crypto card on s390 */ | ||
| 228 | SC_ALLOW_ARG(__NR_ioctl, 1, Z90STAT_STATUS_MASK), | ||
| 229 | SC_ALLOW_ARG(__NR_ioctl, 1, ICARSAMODEXPO), | ||
| 230 | SC_ALLOW_ARG(__NR_ioctl, 1, ICARSACRT), | ||
| 231 | #endif | ||
| 232 | #if defined(__x86_64__) && defined(__ILP32__) && defined(__X32_SYSCALL_BIT) | ||
| 233 | /* | ||
| 234 | * On Linux x32, the clock_gettime VDSO falls back to the | ||
| 235 | * x86-64 syscall under some circumstances, e.g. | ||
| 236 | * https://bugs.debian.org/849923 | ||
| 237 | */ | ||
| 238 | SC_ALLOW(__NR_clock_gettime & ~__X32_SYSCALL_BIT); | ||
| 218 | #endif | 239 | #endif |
| 219 | 240 | ||
| 220 | /* Default deny */ | 241 | /* Default deny */ |