seccomp.c 6.2 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253
  1. /*
  2. * Redistribution and use in source and binary forms, with or without
  3. * modification, are permitted provided that the following conditions
  4. * are met:
  5. * 1. Redistributions of source code must retain the above copyright
  6. * notice immediately at the beginning of the file, without modification,
  7. * this list of conditions, and the following disclaimer.
  8. * 2. Redistributions in binary form must reproduce the above copyright
  9. * notice, this list of conditions and the following disclaimer in the
  10. * documentation and/or other materials provided with the distribution.
  11. *
  12. * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
  13. * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  14. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  15. * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR
  16. * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  17. * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  18. * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  19. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  20. * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  21. * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  22. * SUCH DAMAGE.
  23. */
  24. /*
  25. * libseccomp hooks.
  26. */
  27. #include "file.h"
  28. #ifndef lint
  29. FILE_RCSID("@(#)$File: seccomp.c,v 1.7 2018/09/09 20:33:28 christos Exp $")
  30. #endif /* lint */
  31. #if HAVE_LIBSECCOMP
  32. #include <seccomp.h> /* libseccomp */
  33. #include <sys/prctl.h> /* prctl */
  34. #include <sys/socket.h>
  35. #include <fcntl.h>
  36. #include <stdlib.h>
  37. #include <errno.h>
  38. #define DENY_RULE(call) \
  39. do \
  40. if (seccomp_rule_add (ctx, SCMP_ACT_KILL, SCMP_SYS(call), 0) == -1) \
  41. goto out; \
  42. while (/*CONSTCOND*/0)
  43. #define ALLOW_RULE(call) \
  44. do \
  45. if (seccomp_rule_add (ctx, SCMP_ACT_ALLOW, SCMP_SYS(call), 0) == -1) \
  46. goto out; \
  47. while (/*CONSTCOND*/0)
  48. static scmp_filter_ctx ctx;
  49. int
  50. enable_sandbox_basic(void)
  51. {
  52. if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
  53. return -1;
  54. if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) == -1)
  55. return -1;
  56. // initialize the filter
  57. ctx = seccomp_init(SCMP_ACT_ALLOW);
  58. if (ctx == NULL)
  59. return 1;
  60. DENY_RULE(_sysctl);
  61. DENY_RULE(acct);
  62. DENY_RULE(add_key);
  63. DENY_RULE(adjtimex);
  64. DENY_RULE(chroot);
  65. DENY_RULE(clock_adjtime);
  66. DENY_RULE(create_module);
  67. DENY_RULE(delete_module);
  68. DENY_RULE(fanotify_init);
  69. DENY_RULE(finit_module);
  70. DENY_RULE(get_kernel_syms);
  71. DENY_RULE(get_mempolicy);
  72. DENY_RULE(init_module);
  73. DENY_RULE(io_cancel);
  74. DENY_RULE(io_destroy);
  75. DENY_RULE(io_getevents);
  76. DENY_RULE(io_setup);
  77. DENY_RULE(io_submit);
  78. DENY_RULE(ioperm);
  79. DENY_RULE(iopl);
  80. DENY_RULE(ioprio_set);
  81. DENY_RULE(kcmp);
  82. #ifdef __NR_kexec_file_load
  83. DENY_RULE(kexec_file_load);
  84. #endif
  85. DENY_RULE(kexec_load);
  86. DENY_RULE(keyctl);
  87. DENY_RULE(lookup_dcookie);
  88. DENY_RULE(mbind);
  89. DENY_RULE(nfsservctl);
  90. DENY_RULE(migrate_pages);
  91. DENY_RULE(modify_ldt);
  92. DENY_RULE(mount);
  93. DENY_RULE(move_pages);
  94. DENY_RULE(name_to_handle_at);
  95. DENY_RULE(open_by_handle_at);
  96. DENY_RULE(perf_event_open);
  97. DENY_RULE(pivot_root);
  98. DENY_RULE(process_vm_readv);
  99. DENY_RULE(process_vm_writev);
  100. DENY_RULE(ptrace);
  101. DENY_RULE(reboot);
  102. DENY_RULE(remap_file_pages);
  103. DENY_RULE(request_key);
  104. DENY_RULE(set_mempolicy);
  105. DENY_RULE(swapoff);
  106. DENY_RULE(swapon);
  107. DENY_RULE(sysfs);
  108. DENY_RULE(syslog);
  109. DENY_RULE(tuxcall);
  110. DENY_RULE(umount2);
  111. DENY_RULE(uselib);
  112. DENY_RULE(vmsplice);
  113. // blocking dangerous syscalls that file should not need
  114. DENY_RULE (execve);
  115. DENY_RULE (socket);
  116. // ...
  117. // applying filter...
  118. if (seccomp_load (ctx) == -1)
  119. goto out;
  120. // free ctx after the filter has been loaded into the kernel
  121. seccomp_release(ctx);
  122. return 0;
  123. out:
  124. seccomp_release(ctx);
  125. return -1;
  126. }
  127. int
  128. enable_sandbox_full(void)
  129. {
  130. // prevent child processes from getting more priv e.g. via setuid,
  131. // capabilities, ...
  132. if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
  133. return -1;
  134. if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) == -1)
  135. return -1;
  136. // initialize the filter
  137. ctx = seccomp_init(SCMP_ACT_KILL);
  138. if (ctx == NULL)
  139. return -1;
  140. ALLOW_RULE(access);
  141. ALLOW_RULE(brk);
  142. ALLOW_RULE(close);
  143. ALLOW_RULE(dup2);
  144. ALLOW_RULE(exit);
  145. ALLOW_RULE(exit_group);
  146. ALLOW_RULE(fcntl);
  147. ALLOW_RULE(fcntl64);
  148. ALLOW_RULE(fstat);
  149. ALLOW_RULE(fstat64);
  150. ALLOW_RULE(getdents);
  151. #ifdef __NR_getdents64
  152. ALLOW_RULE(getdents64);
  153. #endif
  154. ALLOW_RULE(ioctl);
  155. ALLOW_RULE(lseek);
  156. ALLOW_RULE(_llseek);
  157. ALLOW_RULE(lstat);
  158. ALLOW_RULE(lstat64);
  159. ALLOW_RULE(mmap);
  160. ALLOW_RULE(mmap2);
  161. ALLOW_RULE(mprotect);
  162. ALLOW_RULE(mremap);
  163. ALLOW_RULE(munmap);
  164. #ifdef __NR_newfstatat
  165. ALLOW_RULE(newfstatat);
  166. #endif
  167. ALLOW_RULE(open);
  168. ALLOW_RULE(openat);
  169. ALLOW_RULE(pread64);
  170. ALLOW_RULE(read);
  171. ALLOW_RULE(readlink);
  172. ALLOW_RULE(rt_sigaction);
  173. ALLOW_RULE(rt_sigprocmask);
  174. ALLOW_RULE(rt_sigreturn);
  175. ALLOW_RULE(select);
  176. ALLOW_RULE(stat);
  177. ALLOW_RULE(stat64);
  178. ALLOW_RULE(sysinfo);
  179. ALLOW_RULE(unlink);
  180. ALLOW_RULE(write);
  181. #if 0
  182. // needed by valgrind
  183. ALLOW_RULE(gettid);
  184. ALLOW_RULE(getpid);
  185. ALLOW_RULE(rt_sigtimedwait);
  186. #endif
  187. #if 0
  188. /* special restrictions for socket, only allow AF_UNIX/AF_LOCAL */
  189. if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket), 1,
  190. SCMP_CMP(0, SCMP_CMP_EQ, AF_UNIX)) == -1)
  191. goto out;
  192. if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket), 1,
  193. SCMP_CMP(0, SCMP_CMP_EQ, AF_LOCAL)) == -1)
  194. goto out;
  195. /* special restrictions for open, prevent opening files for writing */
  196. if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 1,
  197. SCMP_CMP(1, SCMP_CMP_MASKED_EQ, O_WRONLY | O_RDWR, 0)) == -1)
  198. goto out;
  199. if (seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EACCES), SCMP_SYS(open), 1,
  200. SCMP_CMP(1, SCMP_CMP_MASKED_EQ, O_WRONLY, O_WRONLY)) == -1)
  201. goto out;
  202. if (seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EACCES), SCMP_SYS(open), 1,
  203. SCMP_CMP(1, SCMP_CMP_MASKED_EQ, O_RDWR, O_RDWR)) == -1)
  204. goto out;
  205. /* allow stderr */
  206. if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1,
  207. SCMP_CMP(0, SCMP_CMP_EQ, 2)) == -1)
  208. goto out;
  209. #endif
  210. // applying filter...
  211. if (seccomp_load(ctx) == -1)
  212. goto out;
  213. // free ctx after the filter has been loaded into the kernel
  214. seccomp_release(ctx);
  215. return 0;
  216. out:
  217. // something went wrong
  218. seccomp_release(ctx);
  219. return -1;
  220. }
  221. #endif