seccomp.c 7.2 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290
  1. /*
  2. * Redistribution and use in source and binary forms, with or without
  3. * modification, are permitted provided that the following conditions
  4. * are met:
  5. * 1. Redistributions of source code must retain the above copyright
  6. * notice immediately at the beginning of the file, without modification,
  7. * this list of conditions, and the following disclaimer.
  8. * 2. Redistributions in binary form must reproduce the above copyright
  9. * notice, this list of conditions and the following disclaimer in the
  10. * documentation and/or other materials provided with the distribution.
  11. *
  12. * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
  13. * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  14. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  15. * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR
  16. * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  17. * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  18. * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  19. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  20. * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  21. * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  22. * SUCH DAMAGE.
  23. */
  24. /*
  25. * libseccomp hooks.
  26. */
  27. #include "file.h"
  28. #ifndef lint
  29. FILE_RCSID("@(#)$File: seccomp.c,v 1.25 2022/12/26 18:57:29 christos Exp $")
  30. #endif /* lint */
  31. #if HAVE_LIBSECCOMP
  32. #include <seccomp.h> /* libseccomp */
  33. #include <sys/prctl.h> /* prctl */
  34. #include <sys/ioctl.h>
  35. #include <sys/socket.h>
  36. #include <termios.h>
  37. #include <fcntl.h>
  38. #include <stdlib.h>
  39. #include <errno.h>
  40. #define DENY_RULE(call) \
  41. do \
  42. if (seccomp_rule_add (ctx, SCMP_ACT_KILL, SCMP_SYS(call), 0) == -1) \
  43. goto out; \
  44. while (/*CONSTCOND*/0)
  45. #define ALLOW_RULE(call) \
  46. do \
  47. if (seccomp_rule_add (ctx, SCMP_ACT_ALLOW, SCMP_SYS(call), 0) == -1) \
  48. goto out; \
  49. while (/*CONSTCOND*/0)
  50. #define ALLOW_IOCTL_RULE(param) \
  51. do \
  52. if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(ioctl), 1, \
  53. SCMP_CMP(1, SCMP_CMP_EQ, (scmp_datum_t)param, \
  54. (scmp_datum_t)0)) == -1) \
  55. goto out; \
  56. while (/*CONSTCOND*/0)
  57. static scmp_filter_ctx ctx;
  58. int
  59. enable_sandbox_basic(void)
  60. {
  61. if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
  62. return -1;
  63. if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) == -1)
  64. return -1;
  65. // initialize the filter
  66. ctx = seccomp_init(SCMP_ACT_ALLOW);
  67. if (ctx == NULL)
  68. return 1;
  69. DENY_RULE(_sysctl);
  70. DENY_RULE(acct);
  71. DENY_RULE(add_key);
  72. DENY_RULE(adjtimex);
  73. DENY_RULE(chroot);
  74. DENY_RULE(clock_adjtime);
  75. DENY_RULE(create_module);
  76. DENY_RULE(delete_module);
  77. DENY_RULE(fanotify_init);
  78. DENY_RULE(finit_module);
  79. DENY_RULE(get_kernel_syms);
  80. DENY_RULE(get_mempolicy);
  81. DENY_RULE(init_module);
  82. DENY_RULE(io_cancel);
  83. DENY_RULE(io_destroy);
  84. DENY_RULE(io_getevents);
  85. DENY_RULE(io_setup);
  86. DENY_RULE(io_submit);
  87. DENY_RULE(ioperm);
  88. DENY_RULE(iopl);
  89. DENY_RULE(ioprio_set);
  90. DENY_RULE(kcmp);
  91. #ifdef __NR_kexec_file_load
  92. DENY_RULE(kexec_file_load);
  93. #endif
  94. DENY_RULE(kexec_load);
  95. DENY_RULE(keyctl);
  96. DENY_RULE(lookup_dcookie);
  97. DENY_RULE(mbind);
  98. DENY_RULE(nfsservctl);
  99. DENY_RULE(migrate_pages);
  100. DENY_RULE(modify_ldt);
  101. DENY_RULE(mount);
  102. DENY_RULE(move_pages);
  103. DENY_RULE(name_to_handle_at);
  104. DENY_RULE(open_by_handle_at);
  105. DENY_RULE(perf_event_open);
  106. DENY_RULE(pivot_root);
  107. DENY_RULE(process_vm_readv);
  108. DENY_RULE(process_vm_writev);
  109. DENY_RULE(ptrace);
  110. DENY_RULE(reboot);
  111. DENY_RULE(remap_file_pages);
  112. DENY_RULE(request_key);
  113. DENY_RULE(set_mempolicy);
  114. DENY_RULE(swapoff);
  115. DENY_RULE(swapon);
  116. DENY_RULE(sysfs);
  117. DENY_RULE(syslog);
  118. DENY_RULE(tuxcall);
  119. DENY_RULE(umount2);
  120. DENY_RULE(uselib);
  121. DENY_RULE(vmsplice);
  122. // blocking dangerous syscalls that file should not need
  123. DENY_RULE (execve);
  124. DENY_RULE (socket);
  125. // ...
  126. // applying filter...
  127. if (seccomp_load (ctx) == -1)
  128. goto out;
  129. // free ctx after the filter has been loaded into the kernel
  130. seccomp_release(ctx);
  131. return 0;
  132. out:
  133. seccomp_release(ctx);
  134. return -1;
  135. }
  136. int
  137. enable_sandbox_full(void)
  138. {
  139. // prevent child processes from getting more priv e.g. via setuid,
  140. // capabilities, ...
  141. if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
  142. return -1;
  143. if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) == -1)
  144. return -1;
  145. // initialize the filter
  146. ctx = seccomp_init(SCMP_ACT_KILL);
  147. if (ctx == NULL)
  148. return -1;
  149. ALLOW_RULE(access);
  150. ALLOW_RULE(brk);
  151. ALLOW_RULE(close);
  152. ALLOW_RULE(dup2);
  153. ALLOW_RULE(exit);
  154. ALLOW_RULE(exit_group);
  155. #ifdef __NR_faccessat
  156. ALLOW_RULE(faccessat);
  157. #endif
  158. ALLOW_RULE(fcntl);
  159. ALLOW_RULE(fcntl64);
  160. #ifdef __NR_fstat
  161. ALLOW_RULE(fstat);
  162. #endif
  163. ALLOW_RULE(fstat64);
  164. #ifdef __NR_fstatat64
  165. ALLOW_RULE(fstatat64);
  166. #endif
  167. ALLOW_RULE(futex);
  168. ALLOW_RULE(getdents);
  169. #ifdef __NR_getdents64
  170. ALLOW_RULE(getdents64);
  171. #endif
  172. #ifdef FIONREAD
  173. // called in src/compress.c under sread
  174. ALLOW_IOCTL_RULE(FIONREAD);
  175. #endif
  176. #ifdef TIOCGWINSZ
  177. // musl libc may call ioctl TIOCGWINSZ on stdout
  178. ALLOW_IOCTL_RULE(TIOCGWINSZ);
  179. #endif
  180. #ifdef TCGETS
  181. // glibc may call ioctl TCGETS on stdout on physical terminal
  182. ALLOW_IOCTL_RULE(TCGETS);
  183. #endif
  184. ALLOW_RULE(lseek);
  185. ALLOW_RULE(_llseek);
  186. ALLOW_RULE(lstat);
  187. ALLOW_RULE(lstat64);
  188. ALLOW_RULE(madvise);
  189. ALLOW_RULE(mmap);
  190. ALLOW_RULE(mmap2);
  191. ALLOW_RULE(mprotect);
  192. ALLOW_RULE(mremap);
  193. ALLOW_RULE(munmap);
  194. #ifdef __NR_newfstatat
  195. ALLOW_RULE(newfstatat);
  196. #endif
  197. ALLOW_RULE(open);
  198. ALLOW_RULE(openat);
  199. ALLOW_RULE(pread64);
  200. ALLOW_RULE(read);
  201. ALLOW_RULE(readlink);
  202. #ifdef __NR_readlinkat
  203. ALLOW_RULE(readlinkat);
  204. #endif
  205. ALLOW_RULE(rt_sigaction);
  206. ALLOW_RULE(rt_sigprocmask);
  207. ALLOW_RULE(rt_sigreturn);
  208. ALLOW_RULE(select);
  209. ALLOW_RULE(stat);
  210. ALLOW_RULE(statx);
  211. ALLOW_RULE(stat64);
  212. ALLOW_RULE(sysinfo);
  213. ALLOW_RULE(umask); // Used in file_pipe2file()
  214. ALLOW_RULE(getpid); // Used by glibc in file_pipe2file()
  215. ALLOW_RULE(unlink);
  216. ALLOW_RULE(utimes);
  217. ALLOW_RULE(write);
  218. ALLOW_RULE(writev);
  219. #if 0
  220. // needed by valgrind
  221. ALLOW_RULE(gettid);
  222. ALLOW_RULE(rt_sigtimedwait);
  223. #endif
  224. #if 0
  225. /* special restrictions for socket, only allow AF_UNIX/AF_LOCAL */
  226. if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket), 1,
  227. SCMP_CMP(0, SCMP_CMP_EQ, AF_UNIX)) == -1)
  228. goto out;
  229. if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket), 1,
  230. SCMP_CMP(0, SCMP_CMP_EQ, AF_LOCAL)) == -1)
  231. goto out;
  232. /* special restrictions for open, prevent opening files for writing */
  233. if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 1,
  234. SCMP_CMP(1, SCMP_CMP_MASKED_EQ, O_WRONLY | O_RDWR, 0)) == -1)
  235. goto out;
  236. if (seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EACCES), SCMP_SYS(open), 1,
  237. SCMP_CMP(1, SCMP_CMP_MASKED_EQ, O_WRONLY, O_WRONLY)) == -1)
  238. goto out;
  239. if (seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EACCES), SCMP_SYS(open), 1,
  240. SCMP_CMP(1, SCMP_CMP_MASKED_EQ, O_RDWR, O_RDWR)) == -1)
  241. goto out;
  242. /* allow stderr */
  243. if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1,
  244. SCMP_CMP(0, SCMP_CMP_EQ, 2)) == -1)
  245. goto out;
  246. #endif
  247. // applying filter...
  248. if (seccomp_load(ctx) == -1)
  249. goto out;
  250. // free ctx after the filter has been loaded into the kernel
  251. seccomp_release(ctx);
  252. return 0;
  253. out:
  254. // something went wrong
  255. seccomp_release(ctx);
  256. return -1;
  257. }
  258. #endif