From 9e96b41682aed793fadbea5ccd472f862179fb02 Mon Sep 17 00:00:00 2001
From: Damien Miller <djm@mindrot.org>
Date: Tue, 14 Mar 2017 12:24:47 +1100
Subject: Fix weakness in seccomp-bpf sandbox arg inspection

Syscall arguments are passed via an array of 64-bit values in struct
seccomp_data, but we were only inspecting the bottom 32 bits and not
even those correctly for BE systems.

Fortunately, the only case argument inspection was used was in the
socketcall filtering so using this for sandbox escape seems
impossible.

ok dtucker
---
 sandbox-seccomp-filter.c | 24 ++++++++++++++++++++----
 1 file changed, 20 insertions(+), 4 deletions(-)

(limited to 'sandbox-seccomp-filter.c')

diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index 2e1ed2c52..af5525abb 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -73,6 +73,16 @@
 # define SECCOMP_FILTER_FAIL SECCOMP_RET_TRAP
 #endif /* SANDBOX_SECCOMP_FILTER_DEBUG */
 
+#if __BYTE_ORDER == __LITTLE_ENDIAN
+# define ARG_LO_OFFSET  0
+# define ARG_HI_OFFSET  sizeof(uint32_t)
+#elif __BYTE_ORDER == __BIG_ENDIAN
+# define ARG_LO_OFFSET  sizeof(uint32_t)
+# define ARG_HI_OFFSET  0
+#else
+#error "Unknown endianness"
+#endif
+
 /* Simple helpers to avoid manual errors (but larger BPF programs). */
 #define SC_DENY(_nr, _errno) \
 	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \
@@ -81,11 +91,17 @@
 	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \
 	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
 #define SC_ALLOW_ARG(_nr, _arg_nr, _arg_val) \
-	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 4), \
-	/* load first syscall argument */ \
+	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 6), \
+	/* load and test first syscall argument, low word */ \
+	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
+	    offsetof(struct seccomp_data, args[(_arg_nr)]) + ARG_LO_OFFSET), \
+	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, \
+	    ((_arg_val) & 0xFFFFFFFF), 0, 3), \
+	/* load and test first syscall argument, high word */ \
 	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
-	    offsetof(struct seccomp_data, args[(_arg_nr)])), \
-	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (_arg_val), 0, 1), \
+	    offsetof(struct seccomp_data, args[(_arg_nr)]) + ARG_HI_OFFSET), \
+	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, \
+	    (((uint32_t)((uint64_t)(_arg_val) >> 32)) & 0xFFFFFFFF), 0, 1), \
 	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW), \
 	/* reload syscall number; all rules expect it in accumulator */ \
 	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
-- 
cgit v1.2.3


From 5f1596e11d55539678c41f68aed358628d33d86f Mon Sep 17 00:00:00 2001
From: Damien Miller <djm@mindrot.org>
Date: Tue, 14 Mar 2017 13:15:18 +1100
Subject: support ioctls for ICA crypto card on Linux/s390

Based on patch from Eduardo Barretto; ok dtucker@
---
 sandbox-seccomp-filter.c | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'sandbox-seccomp-filter.c')

diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index af5525abb..6ceee33fe 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -223,6 +223,12 @@ static const struct sock_filter preauth_insns[] = {
 #ifdef __NR_socketcall
 	SC_ALLOW_ARG(socketcall, 0, SYS_SHUTDOWN),
 #endif
+#if defined(__NR_ioctl) && defined(__s390__)
+	/* Allow ioctls for ICA crypto card on s390 */
+	SC_ALLOW_ARG(ioctl, 1, Z90STAT_STATUS_MASK),
+	SC_ALLOW_ARG(ioctl, 1, ICARSAMODEXPO),
+	SC_ALLOW_ARG(ioctl, 1, ICARSACRT),
+#endif /* defined(__NR_ioctl) && defined(__s390__) */
 
 	/* Default deny */
 	BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL),
-- 
cgit v1.2.3


From e3ea335abeab731c68f2b2141bee85a4b0bf680f Mon Sep 17 00:00:00 2001
From: Damien Miller <djm@mindrot.org>
Date: Tue, 14 Mar 2017 17:48:43 +1100
Subject: Remove macro trickery; no binary change

This stops the SC_ALLOW(), SC_ALLOW_ARG() and SC_DENY() macros
prepending __NR_ to the syscall number parameter and just makes
them explicit in the macro invocations.

No binary change in stripped object file before/after.
---
 sandbox-seccomp-filter.c | 80 ++++++++++++++++++++++++------------------------
 1 file changed, 40 insertions(+), 40 deletions(-)

(limited to 'sandbox-seccomp-filter.c')

diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index 6ceee33fe..14006b99a 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -85,13 +85,13 @@
 
 /* Simple helpers to avoid manual errors (but larger BPF programs). */
 #define SC_DENY(_nr, _errno) \
-	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \
+	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (_nr), 0, 1), \
 	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO|(_errno))
 #define SC_ALLOW(_nr) \
-	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \
+	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (_nr), 0, 1), \
 	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
 #define SC_ALLOW_ARG(_nr, _arg_nr, _arg_val) \
-	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 6), \
+	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (_nr), 0, 6), \
 	/* load and test first syscall argument, low word */ \
 	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
 	    offsetof(struct seccomp_data, args[(_arg_nr)]) + ARG_LO_OFFSET), \
@@ -120,114 +120,114 @@ static const struct sock_filter preauth_insns[] = {
 
 	/* Syscalls to non-fatally deny */
 #ifdef __NR_lstat
-	SC_DENY(lstat, EACCES),
+	SC_DENY(__NR_lstat, EACCES),
 #endif
 #ifdef __NR_lstat64
-	SC_DENY(lstat64, EACCES),
+	SC_DENY(__NR_lstat64, EACCES),
 #endif
 #ifdef __NR_fstat
-	SC_DENY(fstat, EACCES),
+	SC_DENY(__NR_fstat, EACCES),
 #endif
 #ifdef __NR_fstat64
-	SC_DENY(fstat64, EACCES),
+	SC_DENY(__NR_fstat64, EACCES),
 #endif
 #ifdef __NR_open
-	SC_DENY(open, EACCES),
+	SC_DENY(__NR_open, EACCES),
 #endif
 #ifdef __NR_openat
-	SC_DENY(openat, EACCES),
+	SC_DENY(__NR_openat, EACCES),
 #endif
 #ifdef __NR_newfstatat
-	SC_DENY(newfstatat, EACCES),
+	SC_DENY(__NR_newfstatat, EACCES),
 #endif
 #ifdef __NR_stat
-	SC_DENY(stat, EACCES),
+	SC_DENY(__NR_stat, EACCES),
 #endif
 #ifdef __NR_stat64
-	SC_DENY(stat64, EACCES),
+	SC_DENY(__NR_stat64, EACCES),
 #endif
 
 	/* Syscalls to permit */
 #ifdef __NR_brk
-	SC_ALLOW(brk),
+	SC_ALLOW(__NR_brk),
 #endif
 #ifdef __NR_clock_gettime
-	SC_ALLOW(clock_gettime),
+	SC_ALLOW(__NR_clock_gettime),
 #endif
 #ifdef __NR_close
-	SC_ALLOW(close),
+	SC_ALLOW(__NR_close),
 #endif
 #ifdef __NR_exit
-	SC_ALLOW(exit),
+	SC_ALLOW(__NR_exit),
 #endif
 #ifdef __NR_exit_group
-	SC_ALLOW(exit_group),
+	SC_ALLOW(__NR_exit_group),
 #endif
 #ifdef __NR_getpgid
-	SC_ALLOW(getpgid),
+	SC_ALLOW(__NR_getpgid),
 #endif
 #ifdef __NR_getpid
-	SC_ALLOW(getpid),
+	SC_ALLOW(__NR_getpid),
 #endif
 #ifdef __NR_getrandom
-	SC_ALLOW(getrandom),
+	SC_ALLOW(__NR_getrandom),
 #endif
 #ifdef __NR_gettimeofday
-	SC_ALLOW(gettimeofday),
+	SC_ALLOW(__NR_gettimeofday),
 #endif
 #ifdef __NR_madvise
-	SC_ALLOW(madvise),
+	SC_ALLOW(__NR_madvise),
 #endif
 #ifdef __NR_mmap
-	SC_ALLOW(mmap),
+	SC_ALLOW(__NR_mmap),
 #endif
 #ifdef __NR_mmap2
-	SC_ALLOW(mmap2),
+	SC_ALLOW(__NR_mmap2),
 #endif
 #ifdef __NR_mremap
-	SC_ALLOW(mremap),
+	SC_ALLOW(__NR_mremap),
 #endif
 #ifdef __NR_munmap
-	SC_ALLOW(munmap),
+	SC_ALLOW(__NR_munmap),
 #endif
 #ifdef __NR__newselect
-	SC_ALLOW(_newselect),
+	SC_ALLOW(__NR__newselect),
 #endif
 #ifdef __NR_poll
-	SC_ALLOW(poll),
+	SC_ALLOW(__NR_poll),
 #endif
 #ifdef __NR_pselect6
-	SC_ALLOW(pselect6),
+	SC_ALLOW(__NR_pselect6),
 #endif
 #ifdef __NR_read
-	SC_ALLOW(read),
+	SC_ALLOW(__NR_read),
 #endif
 #ifdef __NR_rt_sigprocmask
-	SC_ALLOW(rt_sigprocmask),
+	SC_ALLOW(__NR_rt_sigprocmask),
 #endif
 #ifdef __NR_select
-	SC_ALLOW(select),
+	SC_ALLOW(__NR_select),
 #endif
 #ifdef __NR_shutdown
-	SC_ALLOW(shutdown),
+	SC_ALLOW(__NR_shutdown),
 #endif
 #ifdef __NR_sigprocmask
-	SC_ALLOW(sigprocmask),
+	SC_ALLOW(__NR_sigprocmask),
 #endif
 #ifdef __NR_time
-	SC_ALLOW(time),
+	SC_ALLOW(__NR_time),
 #endif
 #ifdef __NR_write
-	SC_ALLOW(write),
+	SC_ALLOW(__NR_write),
 #endif
 #ifdef __NR_socketcall
-	SC_ALLOW_ARG(socketcall, 0, SYS_SHUTDOWN),
+	SC_ALLOW_ARG(__NR_socketcall, 0, SYS_SHUTDOWN),
 #endif
 #if defined(__NR_ioctl) && defined(__s390__)
 	/* Allow ioctls for ICA crypto card on s390 */
-	SC_ALLOW_ARG(ioctl, 1, Z90STAT_STATUS_MASK),
-	SC_ALLOW_ARG(ioctl, 1, ICARSAMODEXPO),
-	SC_ALLOW_ARG(ioctl, 1, ICARSACRT),
+	SC_ALLOW_ARG(__NR_ioctl, 1, Z90STAT_STATUS_MASK),
+	SC_ALLOW_ARG(__NR_ioctl, 1, ICARSAMODEXPO),
+	SC_ALLOW_ARG(__NR_ioctl, 1, ICARSACRT),
 #endif /* defined(__NR_ioctl) && defined(__s390__) */
 
 	/* Default deny */
-- 
cgit v1.2.3


From f86586b03fe6cd8f595289bde200a94bc2c191af Mon Sep 17 00:00:00 2001
From: Damien Miller <djm@mindrot.org>
Date: Tue, 14 Mar 2017 18:26:29 +1100
Subject: Make seccomp-bpf sandbox work on Linux/X32

Allow clock_gettime syscall with X32 bit masked off. Apparently
this is required for at least some kernel versions. bz#2142
Patch mostly by Colin Watson. ok dtucker@
---
 sandbox-seccomp-filter.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

(limited to 'sandbox-seccomp-filter.c')

diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index 14006b99a..3a1aedce7 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -228,7 +228,15 @@ static const struct sock_filter preauth_insns[] = {
 	SC_ALLOW_ARG(__NR_ioctl, 1, Z90STAT_STATUS_MASK),
 	SC_ALLOW_ARG(__NR_ioctl, 1, ICARSAMODEXPO),
 	SC_ALLOW_ARG(__NR_ioctl, 1, ICARSACRT),
-#endif /* defined(__NR_ioctl) && defined(__s390__) */
+#endif
+#if defined(__x86_64__) && defined(__ILP32__) && defined(__X32_SYSCALL_BIT)
+	/*
+	 * On Linux x32, the clock_gettime VDSO falls back to the
+	 * x86-64 syscall under some circumstances, e.g.
+	 * https://bugs.debian.org/849923
+	 */
+	SC_ALLOW(__NR_clock_gettime & ~__X32_SYSCALL_BIT);
+#endif
 
 	/* Default deny */
 	BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL),
-- 
cgit v1.2.3