author | Damien Miller <djm@mindrot.org> | 2015-06-17 10:50:51 +1000 |
committer | Damien Miller <djm@mindrot.org> | 2015-06-17 10:50:51 +1000 |
commit | 99f33d7304893bd9fa04d227cb6e870171cded19 (patch) | |
tree | 1ff160ec8de1743af2ccb3260400dcf8a5c161fb /sandbox-seccomp-filter.c | |
parent | 4ef702e1244633c1025ec7cfe044b9ab267097bf (diff) |
aarch64 support for seccomp-bpf sandbox
Also resort and tidy syscall list. Based on patches by Jakub Jelen
bz#2361; ok dtucker@
Diffstat (limited to 'sandbox-seccomp-filter.c')
-rw-r--r-- | sandbox-seccomp-filter.c | 105 |
1 files changed, 85 insertions, 20 deletions
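diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index b6f6258f2..badfee2ec 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -43,6 +43,7 @@
 #include <sys/resource.h>
 #include <sys/prctl.h>
 
+#include <linux/net.h>
 #include <linux/audit.h>
 #include <linux/filter.h>
 #include <linux/seccomp.h>
@@ -79,6 +80,16 @@
 #define SC_ALLOW(_nr) \
 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \
 BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
+#define SC_ALLOW_ARG(_nr, _arg_nr, _arg_val) \
+BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 3), \
+/* load first syscall argument */ \
+BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
+offsetof(struct seccomp_data, args[(_arg_nr)])), \
+BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (_arg_val), 0, 1), \
+BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW), \
+/* reload syscall number; all rules expect it in accumulator */ \
+BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
+offsetof(struct seccomp_data, nr))
 
 /* Syscall filtering set for preauth. */
 static const struct sock_filter preauth_insns[] = {
@@ -90,45 +101,99 @@ static const struct sock_filter preauth_insns[] = {
 /* Load the syscall number for checking. */
 BPF_STMT(BPF_LD+BPF_W+BPF_ABS,
 offsetof(struct seccomp_data, nr)),
+
+/* Syscalls to non-fatally deny */
+#ifdef __NR_fstat
+SC_DENY(fstat, EACCES),
+#endif
+#ifdef __NR_fstat64
+SC_DENY(fstat64, EACCES),
+#endif
+#ifdef __NR_open
 SC_DENY(open, EACCES),
+#endif
+#ifdef __NR_openat
+SC_DENY(openat, EACCES),
+#endif
+#ifdef __NR_newfstatat
+SC_DENY(newfstatat, EACCES),
+#endif
+#ifdef __NR_stat
 SC_DENY(stat, EACCES),
-SC_ALLOW(getpid),
-SC_ALLOW(gettimeofday),
+#endif
+#ifdef __NR_stat64
+SC_DENY(stat64, EACCES),
+#endif
+
+/* Syscalls to permit */
+#ifdef __NR_brk
+SC_ALLOW(brk),
+#endif
+#ifdef __NR_clock_gettime
 SC_ALLOW(clock_gettime),
-#ifdef __NR_time /* not defined on EABI ARM */
-SC_ALLOW(time),
 #endif
-SC_ALLOW(read),
-SC_ALLOW(write),
+#ifdef __NR_close
 SC_ALLOW(close),
-#ifdef __NR_shutdown /* not defined on archs that go via socketcall(2) */
-SC_ALLOW(shutdown),
 #endif
-SC_ALLOW(brk),
-SC_ALLOW(poll),
-#ifdef __NR__newselect
-SC_ALLOW(_newselect),
-#else
-SC_ALLOW(select),
+#ifdef __NR_exit
+SC_ALLOW(exit),
+#endif
+#ifdef __NR_exit_group
+SC_ALLOW(exit_group),
+#endif
+#ifdef __NR_getpid
+SC_ALLOW(getpid),
 #endif
+#ifdef __NR_gettimeofday
+SC_ALLOW(gettimeofday),
+#endif
+#ifdef __NR_madvise
 SC_ALLOW(madvise),
-#ifdef __NR_mmap2 /* EABI ARM only has mmap2() */
-SC_ALLOW(mmap2),
 #endif
 #ifdef __NR_mmap
 SC_ALLOW(mmap),
 #endif
-#ifdef __dietlibc__
+#ifdef __NR_mmap2
+SC_ALLOW(mmap2),
+#endif
+#ifdef __NR_mremap
 SC_ALLOW(mremap),
-SC_ALLOW(exit),
 #endif
+#ifdef __NR_munmap
 SC_ALLOW(munmap),
-SC_ALLOW(exit_group),
+#endif
+#ifdef __NR__newselect
+SC_ALLOW(_newselect),
+#endif
+#ifdef __NR_poll
+SC_ALLOW(poll),
+#endif
+#ifdef __NR_read
+SC_ALLOW(read),
+#endif
 #ifdef __NR_rt_sigprocmask
 SC_ALLOW(rt_sigprocmask),
-#else
+#endif
+#ifdef __NR_select
+SC_ALLOW(select),
+#endif
+#ifdef __NR_shutdown
+SC_ALLOW(shutdown),
+#endif
+#ifdef __NR_sigprocmask
 SC_ALLOW(sigprocmask),
 #endif
+#ifdef __NR_time
+SC_ALLOW(time),
+#endif
+#ifdef __NR_write
+SC_ALLOW(write),
+#endif
+#ifdef __NR_socketcall
+SC_ALLOW_ARG(socketcall, 0, SYS_SHUTDOWN),
+#endif
+
+/* Default deny */
 BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL),
 };
 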