summaryrefslogtreecommitdiff
path: root/sandbox-seccomp-filter.c
diff options
context:
space:
mode:
authorColin Watson <cjwatson@debian.org>2017-03-29 01:35:00 +0100
committerColin Watson <cjwatson@debian.org>2017-03-29 01:35:00 +0100
commit6fabaf6fd9b07cc8bc6a17c9c4a5b76849cfc874 (patch)
treeb4377d09196e24e2c6f2c2128f66f92cf7891105 /sandbox-seccomp-filter.c
parent971a7653746a6972b907dfe0ce139c06e4a6f482 (diff)
parentd38f05dbdd291212bc95ea80648b72b7177e9f4e (diff)
Import openssh_7.5p1.orig.tar.gz
Diffstat (limited to 'sandbox-seccomp-filter.c')
-rw-r--r--sandbox-seccomp-filter.c110
1 files changed, 70 insertions, 40 deletions
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index 2e1ed2c52..3a1aedce7 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -73,19 +73,35 @@
73# define SECCOMP_FILTER_FAIL SECCOMP_RET_TRAP 73# define SECCOMP_FILTER_FAIL SECCOMP_RET_TRAP
74#endif /* SANDBOX_SECCOMP_FILTER_DEBUG */ 74#endif /* SANDBOX_SECCOMP_FILTER_DEBUG */
75 75
76#if __BYTE_ORDER == __LITTLE_ENDIAN
77# define ARG_LO_OFFSET 0
78# define ARG_HI_OFFSET sizeof(uint32_t)
79#elif __BYTE_ORDER == __BIG_ENDIAN
80# define ARG_LO_OFFSET sizeof(uint32_t)
81# define ARG_HI_OFFSET 0
82#else
83#error "Unknown endianness"
84#endif
85
76/* Simple helpers to avoid manual errors (but larger BPF programs). */ 86/* Simple helpers to avoid manual errors (but larger BPF programs). */
77#define SC_DENY(_nr, _errno) \ 87#define SC_DENY(_nr, _errno) \
78 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \ 88 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (_nr), 0, 1), \
79 BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO|(_errno)) 89 BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO|(_errno))
80#define SC_ALLOW(_nr) \ 90#define SC_ALLOW(_nr) \
81 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \ 91 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (_nr), 0, 1), \
82 BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) 92 BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
83#define SC_ALLOW_ARG(_nr, _arg_nr, _arg_val) \ 93#define SC_ALLOW_ARG(_nr, _arg_nr, _arg_val) \
84 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 4), \ 94 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (_nr), 0, 6), \
85 /* load first syscall argument */ \ 95 /* load and test first syscall argument, low word */ \
86 BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \ 96 BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
87 offsetof(struct seccomp_data, args[(_arg_nr)])), \ 97 offsetof(struct seccomp_data, args[(_arg_nr)]) + ARG_LO_OFFSET), \
88 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (_arg_val), 0, 1), \ 98 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, \
99 ((_arg_val) & 0xFFFFFFFF), 0, 3), \
100 /* load and test first syscall argument, high word */ \
101 BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
102 offsetof(struct seccomp_data, args[(_arg_nr)]) + ARG_HI_OFFSET), \
103 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, \
104 (((uint32_t)((uint64_t)(_arg_val) >> 32)) & 0xFFFFFFFF), 0, 1), \
89 BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW), \ 105 BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW), \
90 /* reload syscall number; all rules expect it in accumulator */ \ 106 /* reload syscall number; all rules expect it in accumulator */ \
91 BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \ 107 BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
@@ -104,108 +120,122 @@ static const struct sock_filter preauth_insns[] = {
104 120
105 /* Syscalls to non-fatally deny */ 121 /* Syscalls to non-fatally deny */
106#ifdef __NR_lstat 122#ifdef __NR_lstat
107 SC_DENY(lstat, EACCES), 123 SC_DENY(__NR_lstat, EACCES),
108#endif 124#endif
109#ifdef __NR_lstat64 125#ifdef __NR_lstat64
110 SC_DENY(lstat64, EACCES), 126 SC_DENY(__NR_lstat64, EACCES),
111#endif 127#endif
112#ifdef __NR_fstat 128#ifdef __NR_fstat
113 SC_DENY(fstat, EACCES), 129 SC_DENY(__NR_fstat, EACCES),
114#endif 130#endif
115#ifdef __NR_fstat64 131#ifdef __NR_fstat64
116 SC_DENY(fstat64, EACCES), 132 SC_DENY(__NR_fstat64, EACCES),
117#endif 133#endif
118#ifdef __NR_open 134#ifdef __NR_open
119 SC_DENY(open, EACCES), 135 SC_DENY(__NR_open, EACCES),
120#endif 136#endif
121#ifdef __NR_openat 137#ifdef __NR_openat
122 SC_DENY(openat, EACCES), 138 SC_DENY(__NR_openat, EACCES),
123#endif 139#endif
124#ifdef __NR_newfstatat 140#ifdef __NR_newfstatat
125 SC_DENY(newfstatat, EACCES), 141 SC_DENY(__NR_newfstatat, EACCES),
126#endif 142#endif
127#ifdef __NR_stat 143#ifdef __NR_stat
128 SC_DENY(stat, EACCES), 144 SC_DENY(__NR_stat, EACCES),
129#endif 145#endif
130#ifdef __NR_stat64 146#ifdef __NR_stat64
131 SC_DENY(stat64, EACCES), 147 SC_DENY(__NR_stat64, EACCES),
132#endif 148#endif
133 149
134 /* Syscalls to permit */ 150 /* Syscalls to permit */
135#ifdef __NR_brk 151#ifdef __NR_brk
136 SC_ALLOW(brk), 152 SC_ALLOW(__NR_brk),
137#endif 153#endif
138#ifdef __NR_clock_gettime 154#ifdef __NR_clock_gettime
139 SC_ALLOW(clock_gettime), 155 SC_ALLOW(__NR_clock_gettime),
140#endif 156#endif
141#ifdef __NR_close 157#ifdef __NR_close
142 SC_ALLOW(close), 158 SC_ALLOW(__NR_close),
143#endif 159#endif
144#ifdef __NR_exit 160#ifdef __NR_exit
145 SC_ALLOW(exit), 161 SC_ALLOW(__NR_exit),
146#endif 162#endif
147#ifdef __NR_exit_group 163#ifdef __NR_exit_group
148 SC_ALLOW(exit_group), 164 SC_ALLOW(__NR_exit_group),
149#endif 165#endif
150#ifdef __NR_getpgid 166#ifdef __NR_getpgid
151 SC_ALLOW(getpgid), 167 SC_ALLOW(__NR_getpgid),
152#endif 168#endif
153#ifdef __NR_getpid 169#ifdef __NR_getpid
154 SC_ALLOW(getpid), 170 SC_ALLOW(__NR_getpid),
155#endif 171#endif
156#ifdef __NR_getrandom 172#ifdef __NR_getrandom
157 SC_ALLOW(getrandom), 173 SC_ALLOW(__NR_getrandom),
158#endif 174#endif
159#ifdef __NR_gettimeofday 175#ifdef __NR_gettimeofday
160 SC_ALLOW(gettimeofday), 176 SC_ALLOW(__NR_gettimeofday),
161#endif 177#endif
162#ifdef __NR_madvise 178#ifdef __NR_madvise
163 SC_ALLOW(madvise), 179 SC_ALLOW(__NR_madvise),
164#endif 180#endif
165#ifdef __NR_mmap 181#ifdef __NR_mmap
166 SC_ALLOW(mmap), 182 SC_ALLOW(__NR_mmap),
167#endif 183#endif
168#ifdef __NR_mmap2 184#ifdef __NR_mmap2
169 SC_ALLOW(mmap2), 185 SC_ALLOW(__NR_mmap2),
170#endif 186#endif
171#ifdef __NR_mremap 187#ifdef __NR_mremap
172 SC_ALLOW(mremap), 188 SC_ALLOW(__NR_mremap),
173#endif 189#endif
174#ifdef __NR_munmap 190#ifdef __NR_munmap
175 SC_ALLOW(munmap), 191 SC_ALLOW(__NR_munmap),
176#endif 192#endif
177#ifdef __NR__newselect 193#ifdef __NR__newselect
178 SC_ALLOW(_newselect), 194 SC_ALLOW(__NR__newselect),
179#endif 195#endif
180#ifdef __NR_poll 196#ifdef __NR_poll
181 SC_ALLOW(poll), 197 SC_ALLOW(__NR_poll),
182#endif 198#endif
183#ifdef __NR_pselect6 199#ifdef __NR_pselect6
184 SC_ALLOW(pselect6), 200 SC_ALLOW(__NR_pselect6),
185#endif 201#endif
186#ifdef __NR_read 202#ifdef __NR_read
187 SC_ALLOW(read), 203 SC_ALLOW(__NR_read),
188#endif 204#endif
189#ifdef __NR_rt_sigprocmask 205#ifdef __NR_rt_sigprocmask
190 SC_ALLOW(rt_sigprocmask), 206 SC_ALLOW(__NR_rt_sigprocmask),
191#endif 207#endif
192#ifdef __NR_select 208#ifdef __NR_select
193 SC_ALLOW(select), 209 SC_ALLOW(__NR_select),
194#endif 210#endif
195#ifdef __NR_shutdown 211#ifdef __NR_shutdown
196 SC_ALLOW(shutdown), 212 SC_ALLOW(__NR_shutdown),
197#endif 213#endif
198#ifdef __NR_sigprocmask 214#ifdef __NR_sigprocmask
199 SC_ALLOW(sigprocmask), 215 SC_ALLOW(__NR_sigprocmask),
200#endif 216#endif
201#ifdef __NR_time 217#ifdef __NR_time
202 SC_ALLOW(time), 218 SC_ALLOW(__NR_time),
203#endif 219#endif
204#ifdef __NR_write 220#ifdef __NR_write
205 SC_ALLOW(write), 221 SC_ALLOW(__NR_write),
206#endif 222#endif
207#ifdef __NR_socketcall 223#ifdef __NR_socketcall
208 SC_ALLOW_ARG(socketcall, 0, SYS_SHUTDOWN), 224 SC_ALLOW_ARG(__NR_socketcall, 0, SYS_SHUTDOWN),
225#endif
226#if defined(__NR_ioctl) && defined(__s390__)
227 /* Allow ioctls for ICA crypto card on s390 */
228 SC_ALLOW_ARG(__NR_ioctl, 1, Z90STAT_STATUS_MASK),
229 SC_ALLOW_ARG(__NR_ioctl, 1, ICARSAMODEXPO),
230 SC_ALLOW_ARG(__NR_ioctl, 1, ICARSACRT),
231#endif
232#if defined(__x86_64__) && defined(__ILP32__) && defined(__X32_SYSCALL_BIT)
233 /*
234 * On Linux x32, the clock_gettime VDSO falls back to the
235 * x86-64 syscall under some circumstances, e.g.
236 * https://bugs.debian.org/849923
237 */
238 SC_ALLOW(__NR_clock_gettime & ~__X32_SYSCALL_BIT);
209#endif 239#endif
210 240
211 /* Default deny */ 241 /* Default deny */
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-01 03:11:56 +0000