]>
Commit | Line | Data |
---|---|---|
cc73685d | 1 | /* SPDX-License-Identifier: LGPL-2.1+ */ |
8f2c3a70 | 2 | |
d38dd64a CB |
3 | #ifndef _GNU_SOURCE |
4 | #define _GNU_SOURCE 1 | |
5 | #endif | |
567b2049 | 6 | #include <errno.h> |
ccf8d128 | 7 | #include <seccomp.h> |
8f2c3a70 SH |
8 | #include <stdio.h> |
9 | #include <stdlib.h> | |
e4353a7f | 10 | #include <sys/epoll.h> |
6166fa6d | 11 | #include <sys/mount.h> |
567b2049 | 12 | #include <sys/utsname.h> |
f2363e38 | 13 | |
12ae2a33 CB |
14 | #include "lxc.h" |
15 | ||
e35b7bf8 | 16 | #include "af_unix.h" |
c3e3c21a | 17 | #include "commands.h" |
769872f9 | 18 | #include "config.h" |
8f2c3a70 | 19 | #include "log.h" |
567b2049 | 20 | #include "lxcseccomp.h" |
c3e3c21a | 21 | #include "mainloop.h" |
cdb2a47f | 22 | #include "memory_utils.h" |
eacebcc3 | 23 | #include "utils.h" |
8f2c3a70 | 24 | |
0b5c590d CB |
25 | #ifdef __MIPSEL__ |
26 | #define MIPS_ARCH_O32 lxc_seccomp_arch_mipsel | |
27 | #define MIPS_ARCH_N64 lxc_seccomp_arch_mipsel64 | |
28 | #else | |
29 | #define MIPS_ARCH_O32 lxc_seccomp_arch_mips | |
30 | #define MIPS_ARCH_N64 lxc_seccomp_arch_mips64 | |
31 | #endif | |
32 | ||
4a094eec WB |
33 | #ifndef SECCOMP_GET_NOTIF_SIZES |
34 | #define SECCOMP_GET_NOTIF_SIZES 3 | |
35 | #endif | |
36 | ||
ac2cecc4 | 37 | lxc_log_define(seccomp, lxc); |
8f2c3a70 | 38 | |
4a094eec WB |
39 | #if HAVE_DECL_SECCOMP_NOTIFY_FD |
40 | static inline int __seccomp(unsigned int operation, unsigned int flags, | |
41 | void *args) | |
42 | { | |
4a094eec | 43 | return syscall(__NR_seccomp, operation, flags, args); |
4a094eec WB |
44 | } |
45 | #endif | |
46 | ||
9dbd8ff3 | 47 | static int parse_config_v1(FILE *f, char *line, size_t *line_bufsz, struct lxc_conf *conf) |
50798138 | 48 | { |
ccf8d128 | 49 | int ret = 0; |
50798138 | 50 | |
9dbd8ff3 | 51 | while (getline(&line, line_bufsz, f) != -1) { |
50798138 | 52 | int nr; |
ccf8d128 | 53 | |
50798138 | 54 | ret = sscanf(line, "%d", &nr); |
97a9b258 WB |
55 | if (ret != 1) { |
56 | ret = -1; | |
57 | break; | |
58 | } | |
ccf8d128 | 59 | |
50798138 | 60 | #if HAVE_SCMP_FILTER_CTX |
c3e3c21a | 61 | ret = seccomp_rule_add(conf->seccomp.seccomp_ctx, SCMP_ACT_ALLOW, nr, 0); |
ccf8d128 CB |
62 | #else |
63 | ret = seccomp_rule_add(SCMP_ACT_ALLOW, nr, 0); | |
50798138 | 64 | #endif |
50798138 | 65 | if (ret < 0) { |
3ee26d19 | 66 | ERROR("Failed loading allow rule for %d", nr); |
ccf8d128 | 67 | break; |
50798138 SH |
68 | } |
69 | } | |
ccf8d128 CB |
70 | free(line); |
71 | ||
72 | return ret; | |
50798138 SH |
73 | } |
74 | ||
2b0ae718 | 75 | #if HAVE_DECL_SECCOMP_SYSCALL_RESOLVE_NAME_ARCH |
1ab6b4a1 CB |
76 | static const char *get_action_name(uint32_t action) |
77 | { | |
78 | /* The upper 16 bits indicate the type of the seccomp action. */ | |
79 | switch (action & 0xffff0000) { | |
80 | case SCMP_ACT_KILL: | |
81 | return "kill"; | |
82 | case SCMP_ACT_ALLOW: | |
83 | return "allow"; | |
84 | case SCMP_ACT_TRAP: | |
85 | return "trap"; | |
86 | case SCMP_ACT_ERRNO(0): | |
87 | return "errno"; | |
d7d2d2d9 | 88 | #if HAVE_DECL_SECCOMP_NOTIFY_FD |
02ca9d75 | 89 | case SCMP_ACT_NOTIFY: |
cdb2a47f CB |
90 | return "notify"; |
91 | #endif | |
1ab6b4a1 CB |
92 | } |
93 | ||
94 | return "invalid action"; | |
95 | } | |
96 | ||
14551c8c | 97 | static int32_t get_v2_default_action(char *line) |
50798138 | 98 | { |
14551c8c | 99 | int32_t ret_action = -1; |
50798138 | 100 | |
f06c6207 CB |
101 | while (*line == ' ') |
102 | line++; | |
30448a13 | 103 | |
78522aa9 | 104 | /* After 'allowlist' or 'denylist' comes default behavior. */ |
becc8d20 | 105 | if (strnequal(line, "kill", 4)) { |
50798138 | 106 | ret_action = SCMP_ACT_KILL; |
becc8d20 | 107 | } else if (strnequal(line, "errno", 5)) { |
30448a13 CB |
108 | int e, ret; |
109 | ||
110 | ret = sscanf(line + 5, "%d", &e); | |
111 | if (ret != 1) { | |
112 | ERROR("Failed to parse errno value from %s", line); | |
50798138 SH |
113 | return -2; |
114 | } | |
30448a13 | 115 | |
50798138 | 116 | ret_action = SCMP_ACT_ERRNO(e); |
becc8d20 | 117 | } else if (strnequal(line, "allow", 5)) { |
50798138 | 118 | ret_action = SCMP_ACT_ALLOW; |
becc8d20 | 119 | } else if (strnequal(line, "trap", 4)) { |
50798138 | 120 | ret_action = SCMP_ACT_TRAP; |
d7d2d2d9 | 121 | #if HAVE_DECL_SECCOMP_NOTIFY_FD |
becc8d20 | 122 | } else if (strnequal(line, "notify", 6)) { |
02ca9d75 | 123 | ret_action = SCMP_ACT_NOTIFY; |
cdb2a47f | 124 | #endif |
7474b5b3 | 125 | } else if (line[0]) { |
54a051c1 | 126 | ERROR("Unrecognized seccomp action \"%s\"", line); |
7474b5b3 | 127 | return -2; |
30448a13 CB |
128 | } |
129 | ||
50798138 SH |
130 | return ret_action; |
131 | } | |
132 | ||
14551c8c | 133 | static int32_t get_v2_action(char *line, uint32_t def_action) |
50798138 | 134 | { |
1ab6b4a1 | 135 | char *p; |
50798138 SH |
136 | uint32_t ret; |
137 | ||
1ab6b4a1 | 138 | p = strchr(line, ' '); |
50798138 SH |
139 | if (!p) |
140 | return def_action; | |
50798138 | 141 | p++; |
1ab6b4a1 | 142 | |
50798138 SH |
143 | while (*p == ' ') |
144 | p++; | |
1ab6b4a1 | 145 | |
50798138 SH |
146 | if (!*p || *p == '#') |
147 | return def_action; | |
1ab6b4a1 | 148 | |
50798138 | 149 | ret = get_v2_default_action(p); |
1ab6b4a1 CB |
150 | switch (ret) { |
151 | case -2: | |
152 | return -1; | |
153 | case -1: | |
154 | return def_action; | |
50798138 | 155 | } |
1ab6b4a1 CB |
156 | |
157 | return ret; | |
50798138 | 158 | } |
3ee26d19 | 159 | |
63a49b03 | 160 | struct seccomp_v2_rule_args { |
3ee26d19 L |
161 | uint32_t index; |
162 | uint64_t value; | |
163 | uint64_t mask; | |
164 | enum scmp_compare op; | |
165 | }; | |
166 | ||
167 | struct seccomp_v2_rule { | |
168 | uint32_t action; | |
169 | uint32_t args_num; | |
63a49b03 | 170 | struct seccomp_v2_rule_args args_value[6]; |
3ee26d19 L |
171 | }; |
172 | ||
173 | static enum scmp_compare parse_v2_rule_op(char *s) | |
174 | { | |
dc2c2622 | 175 | if (strequal(s, "SCMP_CMP_NE") || strequal(s, "!=")) |
29cb2617 | 176 | return SCMP_CMP_NE; |
dc2c2622 | 177 | else if (strequal(s, "SCMP_CMP_LT") || strequal(s, "<")) |
29cb2617 | 178 | return SCMP_CMP_LT; |
dc2c2622 | 179 | else if (strequal(s, "SCMP_CMP_LE") || strequal(s, "<=")) |
29cb2617 | 180 | return SCMP_CMP_LE; |
dc2c2622 | 181 | else if (strequal(s, "SCMP_CMP_EQ") || strequal(s, "==")) |
29cb2617 | 182 | return SCMP_CMP_EQ; |
dc2c2622 | 183 | else if (strequal(s, "SCMP_CMP_GE") || strequal(s, ">=")) |
29cb2617 | 184 | return SCMP_CMP_GE; |
dc2c2622 | 185 | else if (strequal(s, "SCMP_CMP_GT") || strequal(s, ">")) |
29cb2617 | 186 | return SCMP_CMP_GT; |
dc2c2622 | 187 | else if (strequal(s, "SCMP_CMP_MASKED_EQ") || strequal(s, "&=")) |
29cb2617 | 188 | return SCMP_CMP_MASKED_EQ; |
3ee26d19 | 189 | |
29cb2617 | 190 | return _SCMP_CMP_MAX; |
3ee26d19 L |
191 | } |
192 | ||
63a49b03 CB |
193 | /* |
194 | * This function is used to parse the args string into the structure. | |
73e3cb9a | 195 | * args string format:[index,value,op,mask] or [index,value,op] |
3ee26d19 L |
196 | * index: the index for syscall arguments (type uint) |
197 | * value: the value for syscall arguments (type uint64) | |
198 | * op: the operator for syscall arguments(string), | |
199 | a valid list of constants as of libseccomp v2.3.2 is | |
200 | SCMP_CMP_NE,SCMP_CMP_LE,SCMP_CMP_LE, SCMP_CMP_EQ, SCMP_CMP_GE, | |
201 | SCMP_CMP_GT, SCMP_CMP_MASKED_EQ, or !=,<=,==,>=,>,&= | |
73e3cb9a | 202 | * mask: the mask to apply on "value" for SCMP_CMP_MASKED_EQ (type uint64, optional) |
3ee26d19 L |
203 | * Returns 0 on success, < 0 otherwise. |
204 | */ | |
63a49b03 | 205 | static int get_seccomp_arg_value(char *key, struct seccomp_v2_rule_args *rule_args) |
3ee26d19 L |
206 | { |
207 | int ret = 0; | |
3ee26d19 | 208 | uint32_t index = 0; |
63a49b03 CB |
209 | uint64_t mask = 0, value = 0; |
210 | enum scmp_compare op = 0; | |
3ee26d19 | 211 | char *tmp = NULL; |
f42183e6 | 212 | char s[31] = {0}, v[24] = {0}, m[24] = {'0'}; |
3ee26d19 | 213 | |
3ee26d19 L |
214 | tmp = strchr(key, '['); |
215 | if (!tmp) { | |
216 | ERROR("Failed to interpret args"); | |
217 | return -1; | |
218 | } | |
63a49b03 | 219 | |
eacebcc3 | 220 | ret = sscanf(tmp, "[%i,%23[^,],%30[^0-9^,],%23[^,]", &index, v, s, m); |
3ee26d19 L |
221 | if ((ret != 3 && ret != 4) || index >= 6) { |
222 | ERROR("Failed to interpret args value"); | |
223 | return -1; | |
224 | } | |
225 | ||
573ad77f | 226 | ret = lxc_safe_uint64(v, &value, 0); |
eacebcc3 FA |
227 | if (ret < 0) { |
228 | ERROR("Invalid argument value"); | |
229 | return -1; | |
230 | } | |
231 | ||
573ad77f | 232 | ret = lxc_safe_uint64(m, &mask, 0); |
eacebcc3 FA |
233 | if (ret < 0) { |
234 | ERROR("Invalid argument mask"); | |
235 | return -1; | |
236 | } | |
237 | ||
3ee26d19 L |
238 | op = parse_v2_rule_op(s); |
239 | if (op == _SCMP_CMP_MAX) { | |
240 | ERROR("Failed to interpret args operator value"); | |
241 | return -1; | |
242 | } | |
243 | ||
244 | rule_args->index = index; | |
245 | rule_args->value = value; | |
246 | rule_args->mask = mask; | |
247 | rule_args->op = op; | |
248 | return 0; | |
249 | } | |
250 | ||
251 | /* This function is used to parse the seccomp rule entry. | |
252 | * @line : seccomp rule entry string. | |
253 | * @def_action : default action used in the case if the 'line' contain non valid action. | |
254 | * @rules : output struct. | |
255 | * Returns 0 on success, < 0 otherwise. | |
256 | */ | |
f67c94d0 CB |
257 | static int parse_v2_rules(char *line, uint32_t def_action, |
258 | struct seccomp_v2_rule *rules) | |
3ee26d19 | 259 | { |
f67c94d0 CB |
260 | int i = 0, ret = -1; |
261 | char *key = NULL, *saveptr = NULL, *tmp = NULL; | |
3ee26d19 L |
262 | |
263 | tmp = strdup(line); | |
264 | if (!tmp) | |
265 | return -1; | |
266 | ||
267 | /* read optional action which follows the syscall */ | |
14551c8c CB |
268 | ret = get_v2_action(tmp, def_action); |
269 | if (ret == -1) { | |
f858dd50 | 270 | ERROR("Failed to interpret action"); |
54a051c1 | 271 | goto on_error; |
f858dd50 | 272 | } |
3ee26d19 | 273 | |
14551c8c CB |
274 | rules->action = ret; |
275 | ||
f67c94d0 | 276 | ret = 0; |
3ee26d19 | 277 | rules->args_num = 0; |
f67c94d0 | 278 | if (!strchr(tmp, '[')) |
54a051c1 | 279 | goto on_error; |
3ee26d19 | 280 | |
f67c94d0 CB |
281 | ret = -1; |
282 | for ((key = strtok_r(tmp, "]", &saveptr)), i = 0; key && i < 6; | |
283 | (key = strtok_r(NULL, "]", &saveptr)), i++) { | |
3ee26d19 | 284 | ret = get_seccomp_arg_value(key, &rules->args_value[i]); |
f67c94d0 | 285 | if (ret < 0) |
54a051c1 | 286 | goto on_error; |
f67c94d0 | 287 | |
3ee26d19 L |
288 | rules->args_num++; |
289 | } | |
290 | ||
291 | ret = 0; | |
f67c94d0 | 292 | |
54a051c1 | 293 | on_error: |
3ee26d19 | 294 | free(tmp); |
f67c94d0 | 295 | |
3ee26d19 L |
296 | return ret; |
297 | } | |
2b0ae718 | 298 | #endif |
50798138 | 299 | |
d58c6ad0 | 300 | #if HAVE_DECL_SECCOMP_SYSCALL_RESOLVE_NAME_ARCH |
3e9671a1 | 301 | enum lxc_hostarch_t { |
d58c6ad0 SH |
302 | lxc_seccomp_arch_all = 0, |
303 | lxc_seccomp_arch_native, | |
304 | lxc_seccomp_arch_i386, | |
11de80d6 | 305 | lxc_seccomp_arch_x32, |
d58c6ad0 SH |
306 | lxc_seccomp_arch_amd64, |
307 | lxc_seccomp_arch_arm, | |
9d291dd2 | 308 | lxc_seccomp_arch_arm64, |
b4067426 BP |
309 | lxc_seccomp_arch_ppc64, |
310 | lxc_seccomp_arch_ppc64le, | |
311 | lxc_seccomp_arch_ppc, | |
2ccd9eda JC |
312 | lxc_seccomp_arch_mips, |
313 | lxc_seccomp_arch_mips64, | |
314 | lxc_seccomp_arch_mips64n32, | |
315 | lxc_seccomp_arch_mipsel, | |
316 | lxc_seccomp_arch_mipsel64, | |
317 | lxc_seccomp_arch_mipsel64n32, | |
be038e49 | 318 | lxc_seccomp_arch_s390x, |
3c3fab00 | 319 | lxc_seccomp_arch_s390, |
d58c6ad0 SH |
320 | lxc_seccomp_arch_unknown = 999, |
321 | }; | |
322 | ||
59eac805 | 323 | static int get_hostarch(void) |
d58c6ad0 SH |
324 | { |
325 | struct utsname uts; | |
326 | if (uname(&uts) < 0) { | |
3ee26d19 | 327 | SYSERROR("Failed to read host arch"); |
d58c6ad0 SH |
328 | return -1; |
329 | } | |
0197fe2e | 330 | |
dc2c2622 | 331 | if (strequal(uts.machine, "i686")) |
d58c6ad0 | 332 | return lxc_seccomp_arch_i386; |
1a0e70ac | 333 | /* no x32 kernels */ |
dc2c2622 | 334 | else if (strequal(uts.machine, "x86_64")) |
d58c6ad0 | 335 | return lxc_seccomp_arch_amd64; |
becc8d20 | 336 | else if (strnequal(uts.machine, "armv7", 5)) |
d58c6ad0 | 337 | return lxc_seccomp_arch_arm; |
becc8d20 | 338 | else if (strnequal(uts.machine, "aarch64", 7)) |
9d291dd2 | 339 | return lxc_seccomp_arch_arm64; |
becc8d20 | 340 | else if (strnequal(uts.machine, "ppc64le", 7)) |
b4067426 | 341 | return lxc_seccomp_arch_ppc64le; |
becc8d20 | 342 | else if (strnequal(uts.machine, "ppc64", 5)) |
b4067426 | 343 | return lxc_seccomp_arch_ppc64; |
becc8d20 | 344 | else if (strnequal(uts.machine, "ppc", 3)) |
b4067426 | 345 | return lxc_seccomp_arch_ppc; |
becc8d20 | 346 | else if (strnequal(uts.machine, "mips64", 6)) |
2ccd9eda | 347 | return MIPS_ARCH_N64; |
becc8d20 | 348 | else if (strnequal(uts.machine, "mips", 4)) |
2ccd9eda | 349 | return MIPS_ARCH_O32; |
becc8d20 | 350 | else if (strnequal(uts.machine, "s390x", 5)) |
be038e49 | 351 | return lxc_seccomp_arch_s390x; |
becc8d20 | 352 | else if (strnequal(uts.machine, "s390", 4)) |
3c3fab00 | 353 | return lxc_seccomp_arch_s390; |
d58c6ad0 SH |
354 | return lxc_seccomp_arch_unknown; |
355 | } | |
356 | ||
59eac805 CB |
357 | static scmp_filter_ctx get_new_ctx(enum lxc_hostarch_t n_arch, uint32_t default_policy_action, |
358 | bool *needs_merge) | |
d58c6ad0 | 359 | { |
d58c6ad0 SH |
360 | int ret; |
361 | uint32_t arch; | |
04263914 | 362 | scmp_filter_ctx ctx; |
d58c6ad0 | 363 | |
04263914 CB |
364 | switch (n_arch) { |
365 | case lxc_seccomp_arch_i386: | |
366 | arch = SCMP_ARCH_X86; | |
367 | break; | |
368 | case lxc_seccomp_arch_x32: | |
369 | arch = SCMP_ARCH_X32; | |
370 | break; | |
371 | case lxc_seccomp_arch_amd64: | |
372 | arch = SCMP_ARCH_X86_64; | |
373 | break; | |
374 | case lxc_seccomp_arch_arm: | |
375 | arch = SCMP_ARCH_ARM; | |
376 | break; | |
9d291dd2 | 377 | #ifdef SCMP_ARCH_AARCH64 |
04263914 CB |
378 | case lxc_seccomp_arch_arm64: |
379 | arch = SCMP_ARCH_AARCH64; | |
380 | break; | |
9d291dd2 | 381 | #endif |
b4067426 | 382 | #ifdef SCMP_ARCH_PPC64LE |
04263914 CB |
383 | case lxc_seccomp_arch_ppc64le: |
384 | arch = SCMP_ARCH_PPC64LE; | |
385 | break; | |
b4067426 BP |
386 | #endif |
387 | #ifdef SCMP_ARCH_PPC64 | |
04263914 CB |
388 | case lxc_seccomp_arch_ppc64: |
389 | arch = SCMP_ARCH_PPC64; | |
390 | break; | |
b4067426 BP |
391 | #endif |
392 | #ifdef SCMP_ARCH_PPC | |
04263914 CB |
393 | case lxc_seccomp_arch_ppc: |
394 | arch = SCMP_ARCH_PPC; | |
395 | break; | |
2ccd9eda JC |
396 | #endif |
397 | #ifdef SCMP_ARCH_MIPS | |
04263914 CB |
398 | case lxc_seccomp_arch_mips: |
399 | arch = SCMP_ARCH_MIPS; | |
400 | break; | |
401 | case lxc_seccomp_arch_mips64: | |
402 | arch = SCMP_ARCH_MIPS64; | |
403 | break; | |
404 | case lxc_seccomp_arch_mips64n32: | |
405 | arch = SCMP_ARCH_MIPS64N32; | |
406 | break; | |
407 | case lxc_seccomp_arch_mipsel: | |
408 | arch = SCMP_ARCH_MIPSEL; | |
409 | break; | |
410 | case lxc_seccomp_arch_mipsel64: | |
411 | arch = SCMP_ARCH_MIPSEL64; | |
412 | break; | |
413 | case lxc_seccomp_arch_mipsel64n32: | |
414 | arch = SCMP_ARCH_MIPSEL64N32; | |
415 | break; | |
be038e49 CB |
416 | #endif |
417 | #ifdef SCMP_ARCH_S390X | |
04263914 CB |
418 | case lxc_seccomp_arch_s390x: |
419 | arch = SCMP_ARCH_S390X; | |
420 | break; | |
3c3fab00 | 421 | #endif |
422 | #ifdef SCMP_ARCH_S390 | |
423 | case lxc_seccomp_arch_s390: | |
424 | arch = SCMP_ARCH_S390; | |
425 | break; | |
b4067426 | 426 | #endif |
04263914 CB |
427 | default: |
428 | return NULL; | |
d58c6ad0 SH |
429 | } |
430 | ||
04263914 CB |
431 | ctx = seccomp_init(default_policy_action); |
432 | if (!ctx) { | |
3ee26d19 | 433 | ERROR("Error initializing seccomp context"); |
d58c6ad0 SH |
434 | return NULL; |
435 | } | |
04263914 CB |
436 | |
437 | ret = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_NNP, 0); | |
438 | if (ret < 0) { | |
6d1400b5 | 439 | errno = -ret; |
440 | SYSERROR("Failed to turn off no-new-privs"); | |
d58c6ad0 SH |
441 | seccomp_release(ctx); |
442 | return NULL; | |
443 | } | |
04263914 | 444 | |
127c5293 | 445 | #ifdef SCMP_FLTATR_ATL_TSKIP |
04263914 | 446 | ret = seccomp_attr_set(ctx, SCMP_FLTATR_ATL_TSKIP, 1); |
a24c5678 | 447 | if (ret < 0) { |
448 | errno = -ret; | |
449 | SYSWARN("Failed to turn on seccomp nop-skip, continuing"); | |
450 | } | |
127c5293 | 451 | #endif |
b5ed021b | 452 | |
adfee3a8 CB |
453 | ret = seccomp_arch_exist(ctx, arch); |
454 | if (ret < 0) { | |
455 | if (ret != -EEXIST) { | |
6d1400b5 | 456 | errno = -ret; |
457 | SYSERROR("Failed to determine whether arch %d is " | |
458 | "already present in the main seccomp context", | |
459 | (int)n_arch); | |
adfee3a8 CB |
460 | seccomp_release(ctx); |
461 | return NULL; | |
462 | } | |
463 | ||
b5ed021b CB |
464 | ret = seccomp_arch_add(ctx, arch); |
465 | if (ret != 0) { | |
6d1400b5 | 466 | errno = -ret; |
467 | SYSERROR("Failed to add arch %d to main seccomp context", | |
468 | (int)n_arch); | |
b5ed021b CB |
469 | seccomp_release(ctx); |
470 | return NULL; | |
471 | } | |
adfee3a8 | 472 | TRACE("Added arch %d to main seccomp context", (int)n_arch); |
b5ed021b | 473 | |
adfee3a8 CB |
474 | ret = seccomp_arch_remove(ctx, SCMP_ARCH_NATIVE); |
475 | if (ret != 0) { | |
476 | ERROR("Failed to remove native arch from main seccomp context"); | |
b5ed021b CB |
477 | seccomp_release(ctx); |
478 | return NULL; | |
479 | } | |
adfee3a8 | 480 | TRACE("Removed native arch from main seccomp context"); |
3e9671a1 CB |
481 | |
482 | *needs_merge = true; | |
adfee3a8 | 483 | } else { |
3e9671a1 | 484 | *needs_merge = false; |
adfee3a8 | 485 | TRACE("Arch %d already present in main seccomp context", (int)n_arch); |
d58c6ad0 SH |
486 | } |
487 | ||
488 | return ctx; | |
489 | } | |
490 | ||
0ff0d23e RJ |
491 | enum lxc_seccomp_rule_status_t { |
492 | lxc_seccomp_rule_added = 0, | |
493 | lxc_seccomp_rule_err, | |
494 | lxc_seccomp_rule_undefined_syscall, | |
495 | lxc_seccomp_rule_unsupported_arch, | |
496 | }; | |
497 | ||
498 | static enum lxc_seccomp_rule_status_t do_resolve_add_rule(uint32_t arch, char *line, scmp_filter_ctx ctx, | |
59eac805 | 499 | struct seccomp_v2_rule *rule) |
d58c6ad0 | 500 | { |
14551c8c | 501 | int nr, ret; |
3ee26d19 L |
502 | struct scmp_arg_cmp arg_cmp[6]; |
503 | ||
f06c6207 CB |
504 | ret = seccomp_arch_exist(ctx, arch); |
505 | if (arch && ret != 0) { | |
6d1400b5 | 506 | errno = -ret; |
507 | SYSERROR("Seccomp: rule and context arch do not match (arch %d)", arch); | |
0ff0d23e | 508 | return lxc_seccomp_rule_err; |
d58c6ad0 | 509 | } |
6166fa6d | 510 | |
3ee26d19 L |
511 | /*get the syscall name*/ |
512 | char *p = strchr(line, ' '); | |
513 | if (p) | |
514 | *p = '\0'; | |
515 | ||
becc8d20 | 516 | if (strnequal(line, "reject_force_umount", 19)) { |
ad9a5b72 CB |
517 | ret = seccomp_rule_add_exact(ctx, SCMP_ACT_ERRNO(EACCES), |
518 | SCMP_SYS(umount2), 1, | |
519 | SCMP_A1(SCMP_CMP_MASKED_EQ, MNT_FORCE, MNT_FORCE)); | |
6166fa6d | 520 | if (ret < 0) { |
6d1400b5 | 521 | errno = -ret; |
522 | SYSERROR("Failed loading rule to reject force umount"); | |
0ff0d23e | 523 | return lxc_seccomp_rule_err; |
6166fa6d | 524 | } |
ad9a5b72 CB |
525 | |
526 | INFO("Set seccomp rule to reject force umounts"); | |
0ff0d23e | 527 | return lxc_seccomp_rule_added; |
6166fa6d SH |
528 | } |
529 | ||
cd75548b | 530 | nr = seccomp_syscall_resolve_name(line); |
d58c6ad0 | 531 | if (nr == __NR_SCMP_ERROR) { |
0ff0d23e RJ |
532 | INFO("The syscall[%s] is is undefined on host native arch", line); |
533 | return lxc_seccomp_rule_undefined_syscall; | |
d58c6ad0 | 534 | } |
ad9a5b72 | 535 | |
0ff0d23e RJ |
536 | // The syscall resolves to a pseudo syscall and may be available on compat archs. |
537 | if (nr < 0 && arch == SCMP_ARCH_NATIVE) { | |
538 | DEBUG("The syscall[%d:%s] is a pseudo syscall and not available on host native arch.", nr, line); | |
539 | return lxc_seccomp_rule_unsupported_arch; | |
d58c6ad0 | 540 | } |
3ee26d19 | 541 | |
fbec5f83 | 542 | if (arch != SCMP_ARCH_NATIVE && seccomp_syscall_resolve_name_arch(arch, line) < 0) { |
0ff0d23e RJ |
543 | DEBUG("The syscall[%d:%s] is not supported on compat arch[%u]", nr, line, arch); |
544 | return lxc_seccomp_rule_unsupported_arch; | |
fbec5f83 RJ |
545 | } |
546 | ||
ad9a5b72 | 547 | memset(&arg_cmp, 0, sizeof(arg_cmp)); |
14551c8c CB |
548 | for (size_t i = 0; i < rule->args_num; i++) { |
549 | INFO("arg_cmp[%zu]: SCMP_CMP(%u, %llu, %llu, %llu)", i, | |
ad9a5b72 CB |
550 | rule->args_value[i].index, |
551 | (long long unsigned int)rule->args_value[i].op, | |
552 | (long long unsigned int)rule->args_value[i].mask, | |
553 | (long long unsigned int)rule->args_value[i].value); | |
3ee26d19 L |
554 | |
555 | if (SCMP_CMP_MASKED_EQ == rule->args_value[i].op) | |
ad9a5b72 CB |
556 | arg_cmp[i] = SCMP_CMP(rule->args_value[i].index, |
557 | rule->args_value[i].op, | |
558 | rule->args_value[i].mask, | |
559 | rule->args_value[i].value); | |
3ee26d19 | 560 | else |
ad9a5b72 CB |
561 | arg_cmp[i] = SCMP_CMP(rule->args_value[i].index, |
562 | rule->args_value[i].op, | |
563 | rule->args_value[i].value); | |
3ee26d19 L |
564 | } |
565 | ||
0ff0d23e RJ |
566 | INFO("Adding %s rule for syscall[%d:%s] action[%d:%s] arch[%u]", |
567 | (arch == SCMP_ARCH_NATIVE) ? "native" : "compat", | |
568 | nr, line, rule->action, get_action_name(rule->action), arch); | |
569 | ||
ad9a5b72 CB |
570 | ret = seccomp_rule_add_exact_array(ctx, rule->action, nr, |
571 | rule->args_num, arg_cmp); | |
d58c6ad0 | 572 | if (ret < 0) { |
6d1400b5 | 573 | errno = -ret; |
0ff0d23e RJ |
574 | SYSERROR("Failed to add rule for syscall[%d:%s] action[%d:%s] arch[%u]", |
575 | nr, line, rule->action, get_action_name(rule->action), arch); | |
576 | return lxc_seccomp_rule_err; | |
d58c6ad0 | 577 | } |
ad9a5b72 | 578 | |
0ff0d23e | 579 | return lxc_seccomp_rule_added; |
d58c6ad0 SH |
580 | } |
581 | ||
78522aa9 CB |
582 | /* |
583 | * It is unfortunate, but we can't simply remove those terms since this would | |
584 | * break way too many users. | |
585 | */ | |
586 | #define BACKWARDCOMPAT_TERMINOLOGY_DENYLIST "blacklist" | |
587 | #define BACKWARDCOMPAT_TERMINOLOGY_ALLOWLIST "whitelist" | |
588 | ||
589 | static inline bool is_denylist(const char *type) | |
590 | { | |
591 | return strnequal(type, "denylist", STRLITERALLEN("denylist")) || | |
592 | strnequal(type, BACKWARDCOMPAT_TERMINOLOGY_DENYLIST, | |
593 | STRLITERALLEN(BACKWARDCOMPAT_TERMINOLOGY_DENYLIST)); | |
594 | } | |
595 | ||
596 | static inline bool is_allowlist(const char *type) | |
597 | { | |
598 | return strnequal(type, "allowlist", STRLITERALLEN("allowlist")) || | |
599 | strnequal(type, BACKWARDCOMPAT_TERMINOLOGY_ALLOWLIST, | |
600 | STRLITERALLEN(BACKWARDCOMPAT_TERMINOLOGY_ALLOWLIST)); | |
601 | } | |
602 | ||
50798138 SH |
603 | /* |
604 | * v2 consists of | |
605 | * [x86] | |
606 | * open | |
607 | * read | |
608 | * write | |
609 | * close | |
610 | * # a comment | |
611 | * [x86_64] | |
612 | * open | |
613 | * read | |
614 | * write | |
615 | * close | |
616 | */ | |
9dbd8ff3 | 617 | static int parse_config_v2(FILE *f, char *line, size_t *line_bufsz, struct lxc_conf *conf) |
50798138 | 618 | { |
50798138 | 619 | int ret; |
9c3798eb | 620 | char *p; |
3e9671a1 | 621 | enum lxc_hostarch_t cur_rule_arch, native_arch; |
78522aa9 | 622 | bool denylist = false; |
14551c8c | 623 | int32_t default_policy_action = -1, default_rule_action = -1; |
3ee26d19 | 624 | struct seccomp_v2_rule rule; |
3e9671a1 CB |
625 | struct scmp_ctx_info { |
626 | uint32_t architectures[3]; | |
627 | scmp_filter_ctx contexts[3]; | |
628 | bool needs_merge[3]; | |
629 | } ctx; | |
50798138 | 630 | |
78522aa9 CB |
631 | if (is_denylist(line)) |
632 | denylist = true; | |
633 | else if (!is_allowlist(line)) | |
634 | return log_error(-EINVAL, "Bad seccomp policy style \"%s\"", line); | |
50798138 | 635 | |
9c3798eb CB |
636 | p = strchr(line, ' '); |
637 | if (p) { | |
f06c6207 | 638 | default_policy_action = get_v2_default_action(p + 1); |
50798138 SH |
639 | if (default_policy_action == -2) |
640 | return -1; | |
641 | } | |
642 | ||
78522aa9 CB |
643 | /* for denylist, allow any syscall which has no rule */ |
644 | if (denylist) { | |
50798138 SH |
645 | if (default_policy_action == -1) |
646 | default_policy_action = SCMP_ACT_ALLOW; | |
9c3798eb | 647 | |
50798138 SH |
648 | if (default_rule_action == -1) |
649 | default_rule_action = SCMP_ACT_KILL; | |
650 | } else { | |
651 | if (default_policy_action == -1) | |
652 | default_policy_action = SCMP_ACT_KILL; | |
9c3798eb | 653 | |
50798138 SH |
654 | if (default_rule_action == -1) |
655 | default_rule_action = SCMP_ACT_ALLOW; | |
656 | } | |
657 | ||
15044cd1 RJ |
658 | DEBUG("Host native arch is [%u]", seccomp_arch_native()); |
659 | ||
eca6736e CB |
660 | memset(&ctx, 0, sizeof(ctx)); |
661 | ctx.architectures[0] = SCMP_ARCH_NATIVE; | |
662 | ctx.architectures[1] = SCMP_ARCH_NATIVE; | |
663 | ctx.architectures[2] = SCMP_ARCH_NATIVE; | |
9c3798eb CB |
664 | native_arch = get_hostarch(); |
665 | cur_rule_arch = native_arch; | |
d58c6ad0 SH |
666 | if (native_arch == lxc_seccomp_arch_amd64) { |
667 | cur_rule_arch = lxc_seccomp_arch_all; | |
eca6736e CB |
668 | |
669 | ctx.architectures[0] = SCMP_ARCH_X86; | |
670 | ctx.contexts[0] = get_new_ctx(lxc_seccomp_arch_i386, | |
3e9671a1 CB |
671 | default_policy_action, |
672 | &ctx.needs_merge[0]); | |
eca6736e CB |
673 | if (!ctx.contexts[0]) |
674 | goto bad; | |
675 | ||
676 | ctx.architectures[1] = SCMP_ARCH_X32; | |
677 | ctx.contexts[1] = get_new_ctx(lxc_seccomp_arch_x32, | |
3e9671a1 CB |
678 | default_policy_action, |
679 | &ctx.needs_merge[1]); | |
eca6736e CB |
680 | if (!ctx.contexts[1]) |
681 | goto bad; | |
682 | ||
683 | ctx.architectures[2] = SCMP_ARCH_X86_64; | |
684 | ctx.contexts[2] = get_new_ctx(lxc_seccomp_arch_amd64, | |
3e9671a1 CB |
685 | default_policy_action, |
686 | &ctx.needs_merge[2]); | |
eca6736e | 687 | if (!ctx.contexts[2]) |
ab5e52f6 | 688 | goto bad; |
ca399594 | 689 | #ifdef SCMP_ARCH_PPC |
7635139a SH |
690 | } else if (native_arch == lxc_seccomp_arch_ppc64) { |
691 | cur_rule_arch = lxc_seccomp_arch_all; | |
eca6736e CB |
692 | |
693 | ctx.architectures[0] = SCMP_ARCH_PPC; | |
694 | ctx.contexts[0] = get_new_ctx(lxc_seccomp_arch_ppc, | |
3e9671a1 CB |
695 | default_policy_action, |
696 | &ctx.needs_merge[0]); | |
eca6736e CB |
697 | if (!ctx.contexts[0]) |
698 | goto bad; | |
699 | ||
3e9671a1 CB |
700 | ctx.architectures[2] = SCMP_ARCH_PPC64; |
701 | ctx.contexts[2] = get_new_ctx(lxc_seccomp_arch_ppc64, | |
702 | default_policy_action, | |
703 | &ctx.needs_merge[2]); | |
704 | if (!ctx.contexts[2]) | |
7635139a | 705 | goto bad; |
ca399594 CB |
706 | #endif |
707 | #ifdef SCMP_ARCH_ARM | |
7635139a SH |
708 | } else if (native_arch == lxc_seccomp_arch_arm64) { |
709 | cur_rule_arch = lxc_seccomp_arch_all; | |
eca6736e CB |
710 | |
711 | ctx.architectures[0] = SCMP_ARCH_ARM; | |
9c3798eb | 712 | ctx.contexts[0] = get_new_ctx(lxc_seccomp_arch_arm, |
3e9671a1 CB |
713 | default_policy_action, |
714 | &ctx.needs_merge[0]); | |
eca6736e CB |
715 | if (!ctx.contexts[0]) |
716 | goto bad; | |
717 | ||
b1c428f9 | 718 | #ifdef SCMP_ARCH_AARCH64 |
3e9671a1 CB |
719 | ctx.architectures[2] = SCMP_ARCH_AARCH64; |
720 | ctx.contexts[2] = get_new_ctx(lxc_seccomp_arch_arm64, | |
721 | default_policy_action, | |
722 | &ctx.needs_merge[2]); | |
723 | if (!ctx.contexts[2]) | |
2ccd9eda JC |
724 | goto bad; |
725 | #endif | |
b1c428f9 | 726 | #endif |
2ccd9eda JC |
727 | #ifdef SCMP_ARCH_MIPS |
728 | } else if (native_arch == lxc_seccomp_arch_mips64) { | |
729 | cur_rule_arch = lxc_seccomp_arch_all; | |
eca6736e CB |
730 | |
731 | ctx.architectures[0] = SCMP_ARCH_MIPS; | |
732 | ctx.contexts[0] = get_new_ctx(lxc_seccomp_arch_mips, | |
3e9671a1 CB |
733 | default_policy_action, |
734 | &ctx.needs_merge[0]); | |
eca6736e CB |
735 | if (!ctx.contexts[0]) |
736 | goto bad; | |
737 | ||
738 | ctx.architectures[1] = SCMP_ARCH_MIPS64N32; | |
739 | ctx.contexts[1] = get_new_ctx(lxc_seccomp_arch_mips64n32, | |
3e9671a1 CB |
740 | default_policy_action, |
741 | &ctx.needs_merge[1]); | |
eca6736e CB |
742 | if (!ctx.contexts[1]) |
743 | goto bad; | |
744 | ||
745 | ctx.architectures[2] = SCMP_ARCH_MIPS64; | |
746 | ctx.contexts[2] = get_new_ctx(lxc_seccomp_arch_mips64, | |
3e9671a1 CB |
747 | default_policy_action, |
748 | &ctx.needs_merge[2]); | |
eca6736e | 749 | if (!ctx.contexts[2]) |
2ccd9eda JC |
750 | goto bad; |
751 | } else if (native_arch == lxc_seccomp_arch_mipsel64) { | |
752 | cur_rule_arch = lxc_seccomp_arch_all; | |
eca6736e CB |
753 | |
754 | ctx.architectures[0] = SCMP_ARCH_MIPSEL; | |
755 | ctx.contexts[0] = get_new_ctx(lxc_seccomp_arch_mipsel, | |
3e9671a1 CB |
756 | default_policy_action, |
757 | &ctx.needs_merge[0]); | |
eca6736e CB |
758 | if (!ctx.contexts[0]) |
759 | goto bad; | |
760 | ||
761 | ctx.architectures[1] = SCMP_ARCH_MIPSEL64N32; | |
762 | ctx.contexts[1] = get_new_ctx(lxc_seccomp_arch_mipsel64n32, | |
3e9671a1 CB |
763 | default_policy_action, |
764 | &ctx.needs_merge[1]); | |
eca6736e CB |
765 | if (!ctx.contexts[1]) |
766 | goto bad; | |
767 | ||
768 | ctx.architectures[2] = SCMP_ARCH_MIPSEL64; | |
769 | ctx.contexts[2] = get_new_ctx(lxc_seccomp_arch_mipsel64, | |
3e9671a1 CB |
770 | default_policy_action, |
771 | &ctx.needs_merge[2]); | |
eca6736e | 772 | if (!ctx.contexts[2]) |
7635139a | 773 | goto bad; |
be038e49 | 774 | #endif |
d58c6ad0 SH |
775 | } |
776 | ||
50798138 | 777 | if (default_policy_action != SCMP_ACT_KILL) { |
c3e3c21a | 778 | ret = seccomp_reset(conf->seccomp.seccomp_ctx, default_policy_action); |
50798138 | 779 | if (ret != 0) { |
3ee26d19 | 780 | ERROR("Error re-initializing Seccomp"); |
50798138 SH |
781 | return -1; |
782 | } | |
9c3798eb | 783 | |
c3e3c21a | 784 | ret = seccomp_attr_set(conf->seccomp.seccomp_ctx, SCMP_FLTATR_CTL_NNP, 0); |
9c3798eb | 785 | if (ret < 0) { |
6d1400b5 | 786 | errno = -ret; |
787 | SYSERROR("Failed to turn off no-new-privs"); | |
50798138 SH |
788 | return -1; |
789 | } | |
9c3798eb | 790 | |
127c5293 | 791 | #ifdef SCMP_FLTATR_ATL_TSKIP |
c3e3c21a | 792 | ret = seccomp_attr_set(conf->seccomp.seccomp_ctx, SCMP_FLTATR_ATL_TSKIP, 1); |
a24c5678 | 793 | if (ret < 0) { |
794 | errno = -ret; | |
795 | SYSWARN("Failed to turn on seccomp nop-skip, continuing"); | |
796 | } | |
127c5293 | 797 | #endif |
50798138 SH |
798 | } |
799 | ||
9dbd8ff3 | 800 | while (getline(&line, line_bufsz, f) != -1) { |
50798138 SH |
801 | if (line[0] == '#') |
802 | continue; | |
9c3798eb CB |
803 | |
804 | if (line[0] == '\0') | |
50798138 | 805 | continue; |
9c3798eb | 806 | |
50798138 | 807 | remove_trailing_newlines(line); |
9c3798eb CB |
808 | |
809 | INFO("Processing \"%s\"", line); | |
50798138 | 810 | if (line[0] == '[') { |
1a0e70ac | 811 | /* Read the architecture for next set of rules. */ |
dc2c2622 CB |
812 | if (strequal(line, "[x86]") || |
813 | strequal(line, "[X86]")) { | |
d58c6ad0 | 814 | if (native_arch != lxc_seccomp_arch_i386 && |
7e84441e | 815 | native_arch != lxc_seccomp_arch_amd64) { |
d58c6ad0 SH |
816 | cur_rule_arch = lxc_seccomp_arch_unknown; |
817 | continue; | |
818 | } | |
9c3798eb | 819 | |
d58c6ad0 | 820 | cur_rule_arch = lxc_seccomp_arch_i386; |
dc2c2622 CB |
821 | } else if (strequal(line, "[x32]") || |
822 | strequal(line, "[X32]")) { | |
11de80d6 AB |
823 | if (native_arch != lxc_seccomp_arch_amd64) { |
824 | cur_rule_arch = lxc_seccomp_arch_unknown; | |
825 | continue; | |
826 | } | |
9c3798eb | 827 | |
11de80d6 | 828 | cur_rule_arch = lxc_seccomp_arch_x32; |
dc2c2622 CB |
829 | } else if (strequal(line, "[X86_64]") || |
830 | strequal(line, "[x86_64]")) { | |
d58c6ad0 SH |
831 | if (native_arch != lxc_seccomp_arch_amd64) { |
832 | cur_rule_arch = lxc_seccomp_arch_unknown; | |
833 | continue; | |
834 | } | |
9c3798eb | 835 | |
d58c6ad0 | 836 | cur_rule_arch = lxc_seccomp_arch_amd64; |
dc2c2622 CB |
837 | } else if (strequal(line, "[all]") || |
838 | strequal(line, "[ALL]")) { | |
d58c6ad0 | 839 | cur_rule_arch = lxc_seccomp_arch_all; |
d58c6ad0 | 840 | } |
2b0ae718 | 841 | #ifdef SCMP_ARCH_ARM |
dc2c2622 CB |
842 | else if (strequal(line, "[arm]") || |
843 | strequal(line, "[ARM]")) { | |
7635139a | 844 | if (native_arch != lxc_seccomp_arch_arm && |
7e84441e | 845 | native_arch != lxc_seccomp_arch_arm64) { |
d58c6ad0 SH |
846 | cur_rule_arch = lxc_seccomp_arch_unknown; |
847 | continue; | |
848 | } | |
9c3798eb | 849 | |
d58c6ad0 | 850 | cur_rule_arch = lxc_seccomp_arch_arm; |
d58c6ad0 | 851 | } |
b4067426 | 852 | #endif |
9d291dd2 | 853 | #ifdef SCMP_ARCH_AARCH64 |
dc2c2622 CB |
854 | else if (strequal(line, "[arm64]") || |
855 | strequal(line, "[ARM64]")) { | |
9d291dd2 BP |
856 | if (native_arch != lxc_seccomp_arch_arm64) { |
857 | cur_rule_arch = lxc_seccomp_arch_unknown; | |
858 | continue; | |
859 | } | |
9c3798eb | 860 | |
9d291dd2 BP |
861 | cur_rule_arch = lxc_seccomp_arch_arm64; |
862 | } | |
863 | #endif | |
b4067426 | 864 | #ifdef SCMP_ARCH_PPC64LE |
dc2c2622 CB |
865 | else if (strequal(line, "[ppc64le]") || |
866 | strequal(line, "[PPC64LE]")) { | |
b4067426 BP |
867 | if (native_arch != lxc_seccomp_arch_ppc64le) { |
868 | cur_rule_arch = lxc_seccomp_arch_unknown; | |
869 | continue; | |
870 | } | |
9c3798eb | 871 | |
b4067426 BP |
872 | cur_rule_arch = lxc_seccomp_arch_ppc64le; |
873 | } | |
874 | #endif | |
875 | #ifdef SCMP_ARCH_PPC64 | |
dc2c2622 CB |
876 | else if (strequal(line, "[ppc64]") || |
877 | strequal(line, "[PPC64]")) { | |
b4067426 BP |
878 | if (native_arch != lxc_seccomp_arch_ppc64) { |
879 | cur_rule_arch = lxc_seccomp_arch_unknown; | |
880 | continue; | |
881 | } | |
9c3798eb | 882 | |
b4067426 BP |
883 | cur_rule_arch = lxc_seccomp_arch_ppc64; |
884 | } | |
885 | #endif | |
886 | #ifdef SCMP_ARCH_PPC | |
dc2c2622 CB |
887 | else if (strequal(line, "[ppc]") || |
888 | strequal(line, "[PPC]")) { | |
7635139a | 889 | if (native_arch != lxc_seccomp_arch_ppc && |
7e84441e | 890 | native_arch != lxc_seccomp_arch_ppc64) { |
b4067426 BP |
891 | cur_rule_arch = lxc_seccomp_arch_unknown; |
892 | continue; | |
893 | } | |
9c3798eb | 894 | |
b4067426 BP |
895 | cur_rule_arch = lxc_seccomp_arch_ppc; |
896 | } | |
2ccd9eda JC |
897 | #endif |
898 | #ifdef SCMP_ARCH_MIPS | |
dc2c2622 CB |
899 | else if (strequal(line, "[mips64]") || |
900 | strequal(line, "[MIPS64]")) { | |
2ccd9eda JC |
901 | if (native_arch != lxc_seccomp_arch_mips64) { |
902 | cur_rule_arch = lxc_seccomp_arch_unknown; | |
903 | continue; | |
904 | } | |
9c3798eb | 905 | |
2ccd9eda | 906 | cur_rule_arch = lxc_seccomp_arch_mips64; |
dc2c2622 CB |
907 | } else if (strequal(line, "[mips64n32]") || |
908 | strequal(line, "[MIPS64N32]")) { | |
2ccd9eda JC |
909 | if (native_arch != lxc_seccomp_arch_mips64) { |
910 | cur_rule_arch = lxc_seccomp_arch_unknown; | |
911 | continue; | |
912 | } | |
9c3798eb | 913 | |
2ccd9eda | 914 | cur_rule_arch = lxc_seccomp_arch_mips64n32; |
dc2c2622 CB |
915 | } else if (strequal(line, "[mips]") || |
916 | strequal(line, "[MIPS]")) { | |
2ccd9eda | 917 | if (native_arch != lxc_seccomp_arch_mips && |
7e84441e | 918 | native_arch != lxc_seccomp_arch_mips64) { |
2ccd9eda JC |
919 | cur_rule_arch = lxc_seccomp_arch_unknown; |
920 | continue; | |
921 | } | |
9c3798eb | 922 | |
2ccd9eda | 923 | cur_rule_arch = lxc_seccomp_arch_mips; |
dc2c2622 CB |
924 | } else if (strequal(line, "[mipsel64]") || |
925 | strequal(line, "[MIPSEL64]")) { | |
2ccd9eda JC |
926 | if (native_arch != lxc_seccomp_arch_mipsel64) { |
927 | cur_rule_arch = lxc_seccomp_arch_unknown; | |
928 | continue; | |
929 | } | |
9c3798eb | 930 | |
2ccd9eda | 931 | cur_rule_arch = lxc_seccomp_arch_mipsel64; |
dc2c2622 CB |
932 | } else if (strequal(line, "[mipsel64n32]") || |
933 | strequal(line, "[MIPSEL64N32]")) { | |
2ccd9eda JC |
934 | if (native_arch != lxc_seccomp_arch_mipsel64) { |
935 | cur_rule_arch = lxc_seccomp_arch_unknown; | |
936 | continue; | |
937 | } | |
9c3798eb | 938 | |
2ccd9eda | 939 | cur_rule_arch = lxc_seccomp_arch_mipsel64n32; |
dc2c2622 CB |
940 | } else if (strequal(line, "[mipsel]") || |
941 | strequal(line, "[MIPSEL]")) { | |
2ccd9eda | 942 | if (native_arch != lxc_seccomp_arch_mipsel && |
7e84441e | 943 | native_arch != lxc_seccomp_arch_mipsel64) { |
2ccd9eda JC |
944 | cur_rule_arch = lxc_seccomp_arch_unknown; |
945 | continue; | |
946 | } | |
9c3798eb | 947 | |
2ccd9eda JC |
948 | cur_rule_arch = lxc_seccomp_arch_mipsel; |
949 | } | |
be038e49 CB |
950 | #endif |
951 | #ifdef SCMP_ARCH_S390X | |
dc2c2622 CB |
952 | else if (strequal(line, "[s390x]") || |
953 | strequal(line, "[S390X]")) { | |
be038e49 CB |
954 | if (native_arch != lxc_seccomp_arch_s390x) { |
955 | cur_rule_arch = lxc_seccomp_arch_unknown; | |
956 | continue; | |
957 | } | |
9c3798eb | 958 | |
be038e49 | 959 | cur_rule_arch = lxc_seccomp_arch_s390x; |
b8bcbe9b | 960 | } |
3c3fab00 | 961 | #endif |
962 | #ifdef SCMP_ARCH_S390 | |
dc2c2622 CB |
963 | else if (strequal(line, "[s390]") || |
964 | strequal(line, "[S390]")) { | |
3c3fab00 | 965 | if (native_arch != lxc_seccomp_arch_s390) { |
966 | cur_rule_arch = lxc_seccomp_arch_unknown; | |
967 | continue; | |
968 | } | |
969 | ||
970 | cur_rule_arch = lxc_seccomp_arch_s390; | |
971 | } | |
2b0ae718 | 972 | #endif |
b8bcbe9b | 973 | else { |
50798138 | 974 | goto bad_arch; |
9c3798eb | 975 | } |
d58c6ad0 | 976 | |
50798138 SH |
977 | continue; |
978 | } | |
979 | ||
d58c6ad0 SH |
980 | /* irrelevant arch - i.e. arm on i386 */ |
981 | if (cur_rule_arch == lxc_seccomp_arch_unknown) | |
982 | continue; | |
983 | ||
3ee26d19 | 984 | memset(&rule, 0, sizeof(rule)); |
d58c6ad0 | 985 | /* read optional action which follows the syscall */ |
3ee26d19 L |
986 | ret = parse_v2_rules(line, default_rule_action, &rule); |
987 | if (ret != 0) { | |
988 | ERROR("Failed to interpret seccomp rule"); | |
50798138 SH |
989 | goto bad_rule; |
990 | } | |
d58c6ad0 | 991 | |
d7d2d2d9 | 992 | #if HAVE_DECL_SECCOMP_NOTIFY_FD |
02ca9d75 | 993 | if ((rule.action == SCMP_ACT_NOTIFY) && |
c3e3c21a | 994 | !conf->seccomp.notifier.wants_supervision) { |
c3e3c21a | 995 | conf->seccomp.notifier.wants_supervision = true; |
2e5bcac3 | 996 | TRACE("Set SECCOMP_FILTER_FLAG_NEW_LISTENER attribute"); |
cdb2a47f CB |
997 | } |
998 | #endif | |
999 | ||
9c3798eb | 1000 | |
0ff0d23e RJ |
1001 | ret = do_resolve_add_rule(SCMP_ARCH_NATIVE, line, |
1002 | conf->seccomp.seccomp_ctx, &rule); | |
1003 | if (ret == lxc_seccomp_rule_err) | |
1004 | goto bad_rule; | |
1005 | if (ret == lxc_seccomp_rule_undefined_syscall) | |
1006 | continue; | |
94d56054 | 1007 | |
15044cd1 RJ |
1008 | for (int i = 0; i < 3; i++ ) { |
1009 | uint32_t arch = ctx.architectures[i]; | |
1010 | if (arch != SCMP_ARCH_NATIVE && arch != seccomp_arch_native()) { | |
1011 | if (lxc_seccomp_rule_err == do_resolve_add_rule(arch, line, | |
1012 | ctx.contexts[i], &rule)) | |
1013 | goto bad_rule; | |
1014 | } | |
3e9671a1 | 1015 | } |
f1bcfc79 | 1016 | |
50798138 | 1017 | } |
d58c6ad0 | 1018 | |
d648e178 | 1019 | INFO("Merging compat seccomp contexts into main context"); |
eca6736e CB |
1020 | if (ctx.contexts[0]) { |
1021 | if (ctx.needs_merge[0]) { | |
c3e3c21a | 1022 | ret = seccomp_merge(conf->seccomp.seccomp_ctx, ctx.contexts[0]); |
b5ed021b | 1023 | if (ret < 0) { |
3e9671a1 CB |
1024 | ERROR("Failed to merge first compat seccomp " |
1025 | "context into main context"); | |
b5ed021b CB |
1026 | goto bad; |
1027 | } | |
9c3798eb | 1028 | |
b5ed021b | 1029 | TRACE("Merged first compat seccomp context into main context"); |
d648e178 | 1030 | } else { |
eca6736e CB |
1031 | seccomp_release(ctx.contexts[0]); |
1032 | ctx.contexts[0] = NULL; | |
b5ed021b | 1033 | } |
d648e178 | 1034 | } |
b5ed021b | 1035 | |
eca6736e CB |
1036 | if (ctx.contexts[1]) { |
1037 | if (ctx.needs_merge[1]) { | |
c3e3c21a | 1038 | ret = seccomp_merge(conf->seccomp.seccomp_ctx, ctx.contexts[1]); |
b5ed021b | 1039 | if (ret < 0) { |
3e9671a1 CB |
1040 | ERROR("Failed to merge first compat seccomp " |
1041 | "context into main context"); | |
b5ed021b CB |
1042 | goto bad; |
1043 | } | |
9c3798eb | 1044 | |
b5ed021b | 1045 | TRACE("Merged second compat seccomp context into main context"); |
d648e178 | 1046 | } else { |
eca6736e CB |
1047 | seccomp_release(ctx.contexts[1]); |
1048 | ctx.contexts[1] = NULL; | |
1049 | } | |
1050 | } | |
1051 | ||
1052 | if (ctx.contexts[2]) { | |
1053 | if (ctx.needs_merge[2]) { | |
c3e3c21a | 1054 | ret = seccomp_merge(conf->seccomp.seccomp_ctx, ctx.contexts[2]); |
eca6736e | 1055 | if (ret < 0) { |
3e9671a1 CB |
1056 | ERROR("Failed to merge third compat seccomp " |
1057 | "context into main context"); | |
eca6736e CB |
1058 | goto bad; |
1059 | } | |
9c3798eb | 1060 | |
eca6736e CB |
1061 | TRACE("Merged third compat seccomp context into main context"); |
1062 | } else { | |
1063 | seccomp_release(ctx.contexts[2]); | |
1064 | ctx.contexts[2] = NULL; | |
50798138 SH |
1065 | } |
1066 | } | |
6166fa6d | 1067 | |
9dbd8ff3 | 1068 | free(line); |
50798138 SH |
1069 | return 0; |
1070 | ||
1071 | bad_arch: | |
9c3798eb CB |
1072 | ERROR("Unsupported architecture \"%s\"", line); |
1073 | ||
50798138 | 1074 | bad_rule: |
d58c6ad0 | 1075 | bad: |
eca6736e CB |
1076 | if (ctx.contexts[0]) |
1077 | seccomp_release(ctx.contexts[0]); | |
9c3798eb | 1078 | |
eca6736e CB |
1079 | if (ctx.contexts[1]) |
1080 | seccomp_release(ctx.contexts[1]); | |
9c3798eb | 1081 | |
eca6736e CB |
1082 | if (ctx.contexts[2]) |
1083 | seccomp_release(ctx.contexts[2]); | |
1084 | ||
9dbd8ff3 | 1085 | free(line); |
9c3798eb | 1086 | |
50798138 | 1087 | return -1; |
d58c6ad0 SH |
1088 | } |
1089 | #else /* HAVE_DECL_SECCOMP_SYSCALL_RESOLVE_NAME_ARCH */ | |
1090 | static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf) | |
1091 | { | |
50798138 | 1092 | return -1; |
50798138 | 1093 | } |
d58c6ad0 | 1094 | #endif /* HAVE_DECL_SECCOMP_SYSCALL_RESOLVE_NAME_ARCH */ |
50798138 | 1095 | |
8f2c3a70 SH |
1096 | /* |
1097 | * The first line of the config file has a policy language version | |
1098 | * the second line has some directives | |
1099 | * then comes policy subject to the directives | |
998cd2f4 | 1100 | * right now version must be '1' or '2' |
78522aa9 | 1101 | * the directives must include 'allowlist'(version == 1 or 2) or 'denylist' |
998cd2f4 | 1102 | * (version == 2) and can include 'debug' (though debug is not yet supported). |
8f2c3a70 SH |
1103 | */ |
1104 | static int parse_config(FILE *f, struct lxc_conf *conf) | |
1105 | { | |
9dbd8ff3 WB |
1106 | char *line = NULL; |
1107 | size_t line_bufsz = 0; | |
8f2c3a70 SH |
1108 | int ret, version; |
1109 | ||
1110 | ret = fscanf(f, "%d\n", &version); | |
50798138 | 1111 | if (ret != 1 || (version != 1 && version != 2)) { |
3ee26d19 | 1112 | ERROR("Invalid version"); |
8f2c3a70 SH |
1113 | return -1; |
1114 | } | |
6ca8172d | 1115 | |
9dbd8ff3 | 1116 | if (getline(&line, &line_bufsz, f) == -1) { |
3ee26d19 | 1117 | ERROR("Invalid config file"); |
9dbd8ff3 | 1118 | goto bad_line; |
8f2c3a70 | 1119 | } |
6ca8172d | 1120 | |
78522aa9 CB |
1121 | if (version == 1 && !strstr(line, "allowlist")) { |
1122 | ERROR("Only allowlist policy is supported"); | |
9dbd8ff3 | 1123 | goto bad_line; |
8f2c3a70 | 1124 | } |
50798138 | 1125 | |
8f2c3a70 | 1126 | if (strstr(line, "debug")) { |
3ee26d19 | 1127 | ERROR("Debug not yet implemented"); |
9dbd8ff3 | 1128 | goto bad_line; |
8f2c3a70 | 1129 | } |
50798138 SH |
1130 | |
1131 | if (version == 1) | |
9dbd8ff3 | 1132 | return parse_config_v1(f, line, &line_bufsz, conf); |
6ca8172d | 1133 | |
9dbd8ff3 WB |
1134 | return parse_config_v2(f, line, &line_bufsz, conf); |
1135 | ||
1136 | bad_line: | |
1137 | free(line); | |
1138 | return -1; | |
8f2c3a70 SH |
1139 | } |
1140 | ||
cd75548b SH |
1141 | /* |
1142 | * use_seccomp: return true if we should try and apply a seccomp policy | |
1143 | * if defined for the container. | |
1144 | * This will return false if | |
1145 | * 1. seccomp is not enabled in the kernel | |
1146 | * 2. a seccomp policy is already enabled for this task | |
1147 | */ | |
50d86993 | 1148 | static bool use_seccomp(const struct lxc_conf *conf) |
d58c6ad0 | 1149 | { |
4110345b CB |
1150 | __do_free char *line = NULL; |
1151 | __do_fclose FILE *f = NULL; | |
d58c6ad0 | 1152 | int ret, v; |
6ca8172d | 1153 | size_t line_bufsz = 0; |
6ca8172d | 1154 | bool already_enabled = false, found = false; |
d58c6ad0 | 1155 | |
c3e3c21a | 1156 | if (conf->seccomp.allow_nesting > 0) |
50d86993 CB |
1157 | return true; |
1158 | ||
4110345b | 1159 | f = fopen("/proc/self/status", "re"); |
d58c6ad0 | 1160 | if (!f) |
cd75548b | 1161 | return true; |
d58c6ad0 | 1162 | |
6ca8172d | 1163 | while (getline(&line, &line_bufsz, f) != -1) { |
becc8d20 | 1164 | if (strnequal(line, "Seccomp:", 8)) { |
cd75548b | 1165 | found = true; |
6ca8172d | 1166 | |
f06c6207 | 1167 | ret = sscanf(line + 8, "%d", &v); |
cd75548b SH |
1168 | if (ret == 1 && v != 0) |
1169 | already_enabled = true; | |
6ca8172d | 1170 | |
cd75548b | 1171 | break; |
d58c6ad0 SH |
1172 | } |
1173 | } | |
6ca8172d CB |
1174 | |
1175 | if (!found) { | |
3ee26d19 | 1176 | INFO("Seccomp is not enabled in the kernel"); |
cd75548b SH |
1177 | return false; |
1178 | } | |
6ca8172d CB |
1179 | |
1180 | if (already_enabled) { | |
3ee26d19 | 1181 | INFO("Already seccomp-confined, not loading new policy"); |
cd75548b SH |
1182 | return false; |
1183 | } | |
6ca8172d | 1184 | |
cd75548b | 1185 | return true; |
d58c6ad0 SH |
1186 | } |
1187 | ||
8f2c3a70 SH |
1188 | int lxc_read_seccomp_config(struct lxc_conf *conf) |
1189 | { | |
4110345b | 1190 | __do_fclose FILE *f = NULL; |
cf6624c1 | 1191 | int ret; |
8f2c3a70 | 1192 | |
c3e3c21a | 1193 | if (!conf->seccomp.seccomp) |
769872f9 SH |
1194 | return 0; |
1195 | ||
50d86993 | 1196 | if (!use_seccomp(conf)) |
d58c6ad0 | 1197 | return 0; |
47f6d547 | 1198 | |
769872f9 SH |
1199 | #if HAVE_SCMP_FILTER_CTX |
1200 | /* XXX for debug, pass in SCMP_ACT_TRAP */ | |
c3e3c21a CB |
1201 | conf->seccomp.seccomp_ctx = seccomp_init(SCMP_ACT_KILL); |
1202 | ret = !conf->seccomp.seccomp_ctx; | |
769872f9 | 1203 | #else |
50798138 | 1204 | ret = seccomp_init(SCMP_ACT_KILL) < 0; |
769872f9 SH |
1205 | #endif |
1206 | if (ret) { | |
3ee26d19 | 1207 | ERROR("Failed initializing seccomp"); |
8f2c3a70 SH |
1208 | return -1; |
1209 | } | |
8f2c3a70 | 1210 | |
47f6d547 | 1211 | /* turn off no-new-privs. We don't want it in lxc, and it breaks |
f06c6207 | 1212 | * with apparmor */ |
769872f9 | 1213 | #if HAVE_SCMP_FILTER_CTX |
c3e3c21a | 1214 | ret = seccomp_attr_set(conf->seccomp.seccomp_ctx, SCMP_FLTATR_CTL_NNP, 0); |
727c3073 | 1215 | #else |
cf6624c1 | 1216 | ret = seccomp_attr_set(SCMP_FLTATR_CTL_NNP, 0); |
769872f9 | 1217 | #endif |
cf6624c1 | 1218 | if (ret < 0) { |
6d1400b5 | 1219 | errno = -ret; |
1220 | SYSERROR("Failed to turn off no-new-privs"); | |
8f2c3a70 SH |
1221 | return -1; |
1222 | } | |
a24c5678 | 1223 | |
127c5293 | 1224 | #ifdef SCMP_FLTATR_ATL_TSKIP |
c3e3c21a | 1225 | ret = seccomp_attr_set(conf->seccomp.seccomp_ctx, SCMP_FLTATR_ATL_TSKIP, 1); |
a24c5678 | 1226 | if (ret < 0) { |
1227 | errno = -ret; | |
1228 | SYSWARN("Failed to turn on seccomp nop-skip, continuing"); | |
1229 | } | |
127c5293 | 1230 | #endif |
8f2c3a70 | 1231 | |
4110345b | 1232 | f = fopen(conf->seccomp.seccomp, "re"); |
8f2c3a70 | 1233 | if (!f) { |
c3e3c21a | 1234 | SYSERROR("Failed to open seccomp policy file %s", conf->seccomp.seccomp); |
8f2c3a70 SH |
1235 | return -1; |
1236 | } | |
47f6d547 | 1237 | |
4110345b | 1238 | return parse_config(f, conf); |
8f2c3a70 SH |
1239 | } |
1240 | ||
1241 | int lxc_seccomp_load(struct lxc_conf *conf) | |
1242 | { | |
1243 | int ret; | |
47f6d547 | 1244 | |
c3e3c21a | 1245 | if (!conf->seccomp.seccomp) |
8f2c3a70 | 1246 | return 0; |
47f6d547 | 1247 | |
50d86993 | 1248 | if (!use_seccomp(conf)) |
d58c6ad0 | 1249 | return 0; |
47f6d547 | 1250 | |
769872f9 | 1251 | #if HAVE_SCMP_FILTER_CTX |
c3e3c21a | 1252 | ret = seccomp_load(conf->seccomp.seccomp_ctx); |
47f6d547 CB |
1253 | #else |
1254 | ret = seccomp_load(); | |
769872f9 | 1255 | #endif |
8f2c3a70 | 1256 | if (ret < 0) { |
6d1400b5 | 1257 | errno = -ret; |
1258 | SYSERROR("Error loading the seccomp policy"); | |
8f2c3a70 SH |
1259 | return -1; |
1260 | } | |
5107af32 | 1261 | |
1262 | /* After load seccomp filter into the kernel successfully, export the current seccomp | |
1263 | * filter to log file */ | |
1264 | #if HAVE_SCMP_FILTER_CTX | |
de96cd60 | 1265 | if (lxc_log_trace()) { |
25a8b256 CB |
1266 | int fd_log; |
1267 | ||
1268 | fd_log = lxc_log_get_fd(); | |
1269 | if (fd_log >= 0) { | |
1270 | ret = seccomp_export_pfc(conf->seccomp.seccomp_ctx, fd_log); | |
1271 | if (ret < 0) { | |
1272 | errno = -ret; | |
1273 | SYSWARN("Failed to export seccomp filter to log file"); | |
1274 | } | |
a24c5678 | 1275 | } |
5107af32 | 1276 | } |
1277 | #endif | |
47f6d547 | 1278 | |
d7d2d2d9 | 1279 | #if HAVE_DECL_SECCOMP_NOTIFY_FD |
c3e3c21a | 1280 | if (conf->seccomp.notifier.wants_supervision) { |
da9c8317 | 1281 | ret = seccomp_notify_fd(conf->seccomp.seccomp_ctx); |
cdb2a47f CB |
1282 | if (ret < 0) { |
1283 | errno = -ret; | |
1284 | return -1; | |
1285 | } | |
1286 | ||
a60c98aa CB |
1287 | if (fd_make_nonblocking(ret)) |
1288 | return log_error_errno(-1, errno, "Failed to make seccomp listener fd non-blocking");; | |
1289 | ||
c3e3c21a | 1290 | conf->seccomp.notifier.notify_fd = ret; |
cdb2a47f CB |
1291 | TRACE("Retrieved new seccomp listener fd %d", ret); |
1292 | } | |
1293 | #endif | |
1294 | ||
8f2c3a70 SH |
1295 | return 0; |
1296 | } | |
769872f9 | 1297 | |
c3e3c21a | 1298 | void lxc_seccomp_free(struct lxc_seccomp *seccomp) |
f06c6207 | 1299 | { |
c3e3c21a | 1300 | free_disarm(seccomp->seccomp); |
47f6d547 | 1301 | |
769872f9 | 1302 | #if HAVE_SCMP_FILTER_CTX |
c3e3c21a CB |
1303 | if (seccomp->seccomp_ctx) { |
1304 | seccomp_release(seccomp->seccomp_ctx); | |
1305 | seccomp->seccomp_ctx = NULL; | |
769872f9 SH |
1306 | } |
1307 | #endif | |
cdb2a47f | 1308 | |
d7d2d2d9 | 1309 | #if HAVE_DECL_SECCOMP_NOTIFY_FD |
c3e3c21a CB |
1310 | close_prot_errno_disarm(seccomp->notifier.notify_fd); |
1311 | close_prot_errno_disarm(seccomp->notifier.proxy_fd); | |
99656206 | 1312 | seccomp_notify_free(seccomp->notifier.req_buf, seccomp->notifier.rsp_buf); |
c3e3c21a CB |
1313 | seccomp->notifier.req_buf = NULL; |
1314 | seccomp->notifier.rsp_buf = NULL; | |
5dd07023 | 1315 | free_disarm(seccomp->notifier.cookie); |
cdb2a47f CB |
1316 | #endif |
1317 | } | |
1318 | ||
d7d2d2d9 | 1319 | #if HAVE_DECL_SECCOMP_NOTIFY_FD |
e35b7bf8 CB |
1320 | static int seccomp_notify_reconnect(struct lxc_handler *handler) |
1321 | { | |
f62cf1d4 | 1322 | __do_close int notify_fd = -EBADF; |
e35b7bf8 | 1323 | |
c3e3c21a | 1324 | close_prot_errno_disarm(handler->conf->seccomp.notifier.proxy_fd); |
e35b7bf8 | 1325 | |
045ee721 WB |
1326 | notify_fd = lxc_unix_connect_type( |
1327 | &handler->conf->seccomp.notifier.proxy_addr, SOCK_SEQPACKET); | |
e35b7bf8 CB |
1328 | if (notify_fd < 0) { |
1329 | SYSERROR("Failed to reconnect to seccomp proxy"); | |
1330 | return -1; | |
1331 | } | |
1332 | ||
1333 | /* 30 second timeout */ | |
1334 | if (lxc_socket_set_timeout(notify_fd, 30, 30)) { | |
1335 | SYSERROR("Failed to set socket timeout"); | |
1336 | return -1; | |
1337 | } | |
c3e3c21a | 1338 | handler->conf->seccomp.notifier.proxy_fd = move_fd(notify_fd); |
e35b7bf8 CB |
1339 | return 0; |
1340 | } | |
1341 | #endif | |
1342 | ||
d7d2d2d9 | 1343 | #if HAVE_DECL_SECCOMP_NOTIFY_FD |
651e63a7 WB |
1344 | static void seccomp_notify_default_answer(int fd, struct seccomp_notif *req, |
1345 | struct seccomp_notif_resp *resp, | |
1346 | struct lxc_handler *handler) | |
e35b7bf8 CB |
1347 | { |
1348 | resp->id = req->id; | |
1349 | resp->error = -ENOSYS; | |
dc70d7e4 CB |
1350 | resp->val = 0; |
1351 | resp->flags = 0; | |
e35b7bf8 | 1352 | |
3c216fe2 | 1353 | if (seccomp_notify_respond(fd, resp)) |
50926f4b CB |
1354 | SYSERROR("Failed to send default message to seccomp notification with id(%llu)", |
1355 | (long long unsigned int)resp->id); | |
dc70d7e4 | 1356 | else |
50926f4b CB |
1357 | TRACE("Sent default response for seccomp notification with id(%llu)", |
1358 | (long long unsigned int)resp->id); | |
dc70d7e4 | 1359 | memset(resp, 0, handler->conf->seccomp.notifier.sizes.seccomp_notif_resp); |
e35b7bf8 CB |
1360 | } |
1361 | #endif | |
1362 | ||
543d2f83 CB |
1363 | int seccomp_notify_cleanup_handler(int fd, void *data) |
1364 | { | |
c16d194a | 1365 | #if HAVE_DECL_SECCOMP_NOTIFY_FD |
543d2f83 CB |
1366 | struct lxc_handler *hdlr = data; |
1367 | struct lxc_conf *conf = hdlr->conf; | |
1368 | ||
1369 | /* TODO: Make sure that we don't need to free any memory in here. */ | |
1370 | if (fd == conf->seccomp.notifier.notify_fd) | |
1371 | fd = move_fd(conf->seccomp.notifier.notify_fd); | |
1372 | ||
1373 | /* | |
1374 | * If this isn't the main notify_fd it means that someone registered a | |
1375 | * seccomp notify handler through the command socket (e.g. for attach) | |
1376 | * and so we won't touch the container's config. | |
1377 | */ | |
c16d194a | 1378 | #endif |
543d2f83 CB |
1379 | return 0; |
1380 | } | |
1381 | ||
cdb2a47f | 1382 | int seccomp_notify_handler(int fd, uint32_t events, void *data, |
3298b37d | 1383 | struct lxc_async_descr *descr) |
cdb2a47f CB |
1384 | { |
1385 | ||
d7d2d2d9 | 1386 | #if HAVE_DECL_SECCOMP_NOTIFY_FD |
f62cf1d4 CB |
1387 | __do_close int fd_pid = -EBADF; |
1388 | __do_close int fd_mem = -EBADF; | |
8a99ab01 | 1389 | int ret; |
e35b7bf8 | 1390 | ssize_t bytes; |
ec49d30f | 1391 | int send_fd_list[3]; |
4a094eec WB |
1392 | struct iovec iov[4]; |
1393 | size_t iov_len, msg_base_size, msg_full_size; | |
18847d37 CB |
1394 | char mem_path[6 /* /proc/ */ |
1395 | + INTTYPE_TO_STRLEN(int64_t) | |
1396 | + 3 /* mem */ | |
1397 | + 1 /* \0 */]; | |
3745ee0e | 1398 | bool reconnected = false; |
cdb2a47f CB |
1399 | struct lxc_handler *hdlr = data; |
1400 | struct lxc_conf *conf = hdlr->conf; | |
c3e3c21a CB |
1401 | struct seccomp_notif *req = conf->seccomp.notifier.req_buf; |
1402 | struct seccomp_notif_resp *resp = conf->seccomp.notifier.rsp_buf; | |
1403 | int listener_proxy_fd = conf->seccomp.notifier.proxy_fd; | |
37046066 | 1404 | struct seccomp_notify_proxy_msg msg = {0}; |
4a094eec | 1405 | char *cookie = conf->seccomp.notifier.cookie; |
a76fe490 | 1406 | __u64 req_id; |
cdb2a47f | 1407 | |
543d2f83 CB |
1408 | if (events & EPOLLHUP) |
1409 | return log_trace(LXC_MAINLOOP_DISARM, "Removing seccomp notifier fd %d", fd); | |
b2acb9dc | 1410 | |
dc70d7e4 | 1411 | memset(req, 0, conf->seccomp.notifier.sizes.seccomp_notif); |
e3998402 | 1412 | ret = seccomp_notify_receive(fd, req); |
e35b7bf8 | 1413 | if (ret) { |
0d724ab4 CB |
1414 | if (errno == ENOENT) |
1415 | TRACE("Intercepted system call aborted"); | |
1416 | else | |
1417 | SYSERROR("Failed to read seccomp notification"); | |
e35b7bf8 CB |
1418 | goto out; |
1419 | } | |
cdb2a47f | 1420 | |
5357b872 | 1421 | if (listener_proxy_fd < 0) { |
ed3a98c4 WB |
1422 | ret = -1; |
1423 | /* Same condition as for the initial setup_proxy() */ | |
1424 | if (conf->seccomp.notifier.wants_supervision && | |
1425 | conf->seccomp.notifier.proxy_addr.sun_path[1] != '\0') { | |
1426 | ret = seccomp_notify_reconnect(hdlr); | |
1427 | } | |
1428 | if (ret) { | |
1429 | ERROR("No seccomp proxy registered"); | |
651e63a7 WB |
1430 | seccomp_notify_default_answer(fd, req, resp, hdlr); |
1431 | goto out; | |
ed3a98c4 WB |
1432 | } |
1433 | listener_proxy_fd = conf->seccomp.notifier.proxy_fd; | |
5357b872 WB |
1434 | } |
1435 | ||
4a094eec WB |
1436 | /* remember the ID in case we receive garbage from the proxy */ |
1437 | resp->id = req_id = req->id; | |
50926f4b | 1438 | TRACE("Received seccomp notification with id(%llu)", (long long unsigned int)req_id); |
4a094eec | 1439 | |
8a6bea94 CB |
1440 | ret = strnprintf(mem_path, sizeof(mem_path), "/proc/%d", req->pid); |
1441 | if (ret < 0) { | |
1442 | seccomp_notify_default_answer(fd, req, resp, hdlr); | |
1443 | SYSERROR("Failed to create path to process's proc directory"); | |
1444 | goto out; | |
1445 | } | |
1446 | ||
637996a4 WB |
1447 | fd_pid = open(mem_path, O_RDONLY | O_DIRECTORY | O_CLOEXEC); |
1448 | if (fd_pid < 0) { | |
1449 | seccomp_notify_default_answer(fd, req, resp, hdlr); | |
1450 | SYSERROR("Failed to open process pidfd for seccomp notify request"); | |
1451 | goto out; | |
1452 | } | |
1453 | ||
8a6bea94 CB |
1454 | ret = strnprintf(mem_path, sizeof(mem_path), "/proc/%d/mem", req->pid); |
1455 | if (ret < 0) { | |
1456 | seccomp_notify_default_answer(fd, req, resp, hdlr); | |
1457 | SYSERROR("Failed to create path to process's virtual memory"); | |
1458 | goto out; | |
1459 | } | |
1460 | ||
aad859c4 | 1461 | fd_mem = open(mem_path, O_RDWR | O_CLOEXEC); |
5ed06d3a | 1462 | if (fd_mem < 0) { |
651e63a7 | 1463 | seccomp_notify_default_answer(fd, req, resp, hdlr); |
5ed06d3a CB |
1464 | SYSERROR("Failed to open process memory for seccomp notify request"); |
1465 | goto out; | |
1466 | } | |
1467 | ||
1468 | /* | |
1469 | * Make sure that the fd for /proc/<pid>/mem we just opened still | |
1470 | * refers to the correct process's memory. | |
1471 | */ | |
72b101ae | 1472 | ret = seccomp_notify_id_valid(fd, req->id); |
5ed06d3a | 1473 | if (ret < 0) { |
651e63a7 | 1474 | seccomp_notify_default_answer(fd, req, resp, hdlr); |
50926f4b | 1475 | SYSERROR("Invalid seccomp notify request id(%llu)", (long long unsigned int)req->id); |
5ed06d3a CB |
1476 | goto out; |
1477 | } | |
1478 | ||
cdb2a47f CB |
1479 | msg.monitor_pid = hdlr->monitor_pid; |
1480 | msg.init_pid = hdlr->pid; | |
4a094eec WB |
1481 | memcpy(&msg.sizes, &conf->seccomp.notifier.sizes, sizeof(msg.sizes)); |
1482 | ||
1483 | msg_base_size = 0; | |
1484 | iov[0].iov_base = &msg; | |
1485 | msg_base_size += (iov[0].iov_len = sizeof(msg)); | |
1486 | iov[1].iov_base = req; | |
1487 | msg_base_size += (iov[1].iov_len = msg.sizes.seccomp_notif); | |
1488 | iov[2].iov_base = resp; | |
1489 | msg_base_size += (iov[2].iov_len = msg.sizes.seccomp_notif_resp); | |
1490 | msg_full_size = msg_base_size; | |
1491 | ||
1492 | if (cookie) { | |
1493 | size_t len = strlen(cookie); | |
1494 | ||
1495 | msg.cookie_len = (uint64_t)len; | |
1496 | ||
1497 | iov[3].iov_base = cookie; | |
1498 | msg_full_size += (iov[3].iov_len = len); | |
1499 | ||
1500 | iov_len = 4; | |
1501 | } else { | |
1502 | iov_len = 3; | |
1503 | } | |
cdb2a47f | 1504 | |
637996a4 WB |
1505 | send_fd_list[0] = fd_pid; |
1506 | send_fd_list[1] = fd_mem; | |
ec49d30f | 1507 | send_fd_list[2] = fd; |
637996a4 | 1508 | |
3745ee0e | 1509 | retry: |
ec49d30f | 1510 | bytes = lxc_abstract_unix_send_fds_iov(listener_proxy_fd, send_fd_list, 3, iov, iov_len); |
8a99ab01 WB |
1511 | if (bytes != (ssize_t)msg_full_size) { |
1512 | SYSERROR("Failed to forward message to seccomp proxy"); | |
3745ee0e WB |
1513 | if (!reconnected) { |
1514 | ret = seccomp_notify_reconnect(hdlr); | |
1515 | if (ret == 0) { | |
1516 | reconnected = true; | |
1517 | goto retry; | |
1518 | } | |
1519 | } | |
1520 | ||
651e63a7 | 1521 | seccomp_notify_default_answer(fd, req, resp, hdlr); |
8a99ab01 WB |
1522 | goto out; |
1523 | } | |
e35b7bf8 | 1524 | |
5ed06d3a CB |
1525 | close_prot_errno_disarm(fd_mem); |
1526 | ||
f910c9e5 WB |
1527 | if (msg.__reserved != 0) { |
1528 | ERROR("Proxy filled reserved data in response"); | |
1529 | seccomp_notify_default_answer(fd, req, resp, hdlr); | |
1530 | goto out; | |
1531 | } | |
1532 | ||
4a094eec | 1533 | if (resp->id != req_id) { |
1c01dc2c | 1534 | ERROR("Proxy returned response with invalid id(%llu) != id(%llu)", |
50926f4b | 1535 | (long long unsigned int)resp->id, (long long unsigned int)req_id); |
4a094eec | 1536 | resp->id = req_id; |
651e63a7 | 1537 | seccomp_notify_default_answer(fd, req, resp, hdlr); |
4a094eec WB |
1538 | goto out; |
1539 | } | |
1540 | ||
cbbdd1dd | 1541 | bytes = lxc_recvmsg_nointr_iov(listener_proxy_fd, iov, iov_len, MSG_TRUNC); |
8a99ab01 WB |
1542 | if (bytes != (ssize_t)msg_base_size) { |
1543 | SYSERROR("Failed to receive message from seccomp proxy"); | |
651e63a7 | 1544 | seccomp_notify_default_answer(fd, req, resp, hdlr); |
8a99ab01 WB |
1545 | goto out; |
1546 | } | |
cdb2a47f | 1547 | |
a76fe490 | 1548 | if (resp->id != req_id) { |
1c01dc2c | 1549 | ERROR("Proxy returned response with invalid id(%llu) != id(%llu)", |
50926f4b | 1550 | (long long unsigned int)resp->id, (long long unsigned int)req_id); |
a76fe490 CB |
1551 | resp->id = req_id; |
1552 | } | |
1553 | ||
3c216fe2 | 1554 | ret = seccomp_notify_respond(fd, resp); |
cdb2a47f | 1555 | if (ret) |
e35b7bf8 | 1556 | SYSERROR("Failed to send seccomp notification"); |
a76fe490 | 1557 | else |
50926f4b CB |
1558 | TRACE("Sent response for seccomp notification with id(%llu)", |
1559 | (long long unsigned int)resp->id); | |
dc70d7e4 | 1560 | memset(resp, 0, conf->seccomp.notifier.sizes.seccomp_notif_resp); |
cdb2a47f | 1561 | |
e35b7bf8 | 1562 | out: |
cdb2a47f | 1563 | #endif |
f7a97743 | 1564 | return LXC_MAINLOOP_CONTINUE; |
769872f9 | 1565 | } |
c3e3c21a CB |
1566 | |
1567 | void seccomp_conf_init(struct lxc_conf *conf) | |
1568 | { | |
1569 | conf->seccomp.seccomp = NULL; | |
1570 | #if HAVE_SCMP_FILTER_CTX | |
1571 | conf->seccomp.allow_nesting = 0; | |
1572 | memset(&conf->seccomp.seccomp_ctx, 0, sizeof(conf->seccomp.seccomp_ctx)); | |
1573 | #endif /* HAVE_SCMP_FILTER_CTX */ | |
d7d2d2d9 | 1574 | #if HAVE_DECL_SECCOMP_NOTIFY_FD |
c3e3c21a CB |
1575 | conf->seccomp.notifier.wants_supervision = false; |
1576 | conf->seccomp.notifier.notify_fd = -EBADF; | |
1577 | conf->seccomp.notifier.proxy_fd = -EBADF; | |
1578 | memset(&conf->seccomp.notifier.proxy_addr, 0, | |
1579 | sizeof(conf->seccomp.notifier.proxy_addr)); | |
1580 | conf->seccomp.notifier.req_buf = NULL; | |
1581 | conf->seccomp.notifier.rsp_buf = NULL; | |
5dd07023 | 1582 | conf->seccomp.notifier.cookie = NULL; |
c3e3c21a CB |
1583 | #endif |
1584 | } | |
1585 | ||
2ac0f627 | 1586 | int lxc_seccomp_setup_proxy(struct lxc_seccomp *seccomp, |
3298b37d | 1587 | struct lxc_async_descr *descr, |
2ac0f627 | 1588 | struct lxc_handler *handler) |
c3e3c21a | 1589 | { |
d7d2d2d9 | 1590 | #if HAVE_DECL_SECCOMP_NOTIFY_FD |
c3e3c21a CB |
1591 | if (seccomp->notifier.wants_supervision && |
1592 | seccomp->notifier.proxy_addr.sun_path[1] != '\0') { | |
f62cf1d4 | 1593 | __do_close int notify_fd = -EBADF; |
c3e3c21a CB |
1594 | int ret; |
1595 | ||
045ee721 WB |
1596 | notify_fd = lxc_unix_connect_type(&seccomp->notifier.proxy_addr, |
1597 | SOCK_SEQPACKET); | |
2ac0f627 CB |
1598 | if (notify_fd < 0) { |
1599 | SYSERROR("Failed to connect to seccomp proxy"); | |
c3e3c21a | 1600 | return -1; |
2ac0f627 | 1601 | } |
c3e3c21a CB |
1602 | |
1603 | /* 30 second timeout */ | |
1604 | ret = lxc_socket_set_timeout(notify_fd, 30, 30); | |
2ac0f627 CB |
1605 | if (ret) { |
1606 | SYSERROR("Failed to set timeouts for seccomp proxy"); | |
c3e3c21a | 1607 | return -1; |
2ac0f627 CB |
1608 | } |
1609 | ||
4a094eec WB |
1610 | ret = __seccomp(SECCOMP_GET_NOTIF_SIZES, 0, |
1611 | &seccomp->notifier.sizes); | |
1612 | if (ret) { | |
1613 | SYSERROR("Failed to query seccomp notify struct sizes"); | |
1614 | return -1; | |
1615 | } | |
1616 | ||
1f51fc70 | 1617 | ret = seccomp_notify_alloc(&seccomp->notifier.req_buf, |
2ac0f627 CB |
1618 | &seccomp->notifier.rsp_buf); |
1619 | if (ret) { | |
1620 | ERROR("Failed to allocate seccomp notify request and response buffers"); | |
1621 | errno = ret; | |
1622 | return -1; | |
1623 | } | |
c3e3c21a | 1624 | |
543d2f83 CB |
1625 | ret = lxc_mainloop_add_handler(descr, seccomp->notifier.notify_fd, |
1626 | seccomp_notify_handler, | |
1627 | seccomp_notify_cleanup_handler, | |
1628 | handler, | |
1629 | "seccomp_notify_handler"); | |
c3e3c21a CB |
1630 | if (ret < 0) { |
1631 | ERROR("Failed to add seccomp notify handler for %d to mainloop", | |
2ac0f627 | 1632 | notify_fd); |
c3e3c21a CB |
1633 | return -1; |
1634 | } | |
1635 | ||
1636 | seccomp->notifier.proxy_fd = move_fd(notify_fd); | |
1637 | } | |
1638 | #endif | |
1639 | return 0; | |
1640 | } | |
1641 | ||
1642 | int lxc_seccomp_send_notifier_fd(struct lxc_seccomp *seccomp, int socket_fd) | |
1643 | { | |
d7d2d2d9 | 1644 | #if HAVE_DECL_SECCOMP_NOTIFY_FD |
c3e3c21a CB |
1645 | if (seccomp->notifier.wants_supervision) { |
1646 | if (lxc_abstract_unix_send_fds(socket_fd, | |
1647 | &seccomp->notifier.notify_fd, 1, | |
1648 | NULL, 0) < 0) | |
1649 | return -1; | |
1650 | close_prot_errno_disarm(seccomp->notifier.notify_fd); | |
1651 | } | |
1652 | #endif | |
1653 | return 0; | |
1654 | } | |
1655 | ||
1656 | int lxc_seccomp_recv_notifier_fd(struct lxc_seccomp *seccomp, int socket_fd) | |
1657 | { | |
d7d2d2d9 | 1658 | #if HAVE_DECL_SECCOMP_NOTIFY_FD |
c3e3c21a CB |
1659 | if (seccomp->notifier.wants_supervision) { |
1660 | int ret; | |
1661 | ||
d17c815d CB |
1662 | ret = lxc_abstract_unix_recv_one_fd(socket_fd, |
1663 | &seccomp->notifier.notify_fd, | |
1664 | NULL, 0); | |
c3e3c21a CB |
1665 | if (ret < 0) |
1666 | return -1; | |
c3e3c21a CB |
1667 | } |
1668 | #endif | |
1669 | return 0; | |
1670 | } | |
1671 | ||
1672 | int lxc_seccomp_add_notifier(const char *name, const char *lxcpath, | |
1673 | struct lxc_seccomp *seccomp) | |
1674 | { | |
d7d2d2d9 | 1675 | #if HAVE_DECL_SECCOMP_NOTIFY_FD |
2ac0f627 | 1676 | if (seccomp->notifier.wants_supervision) { |
c3e3c21a CB |
1677 | int ret; |
1678 | ||
1679 | ret = lxc_cmd_seccomp_notify_add_listener(name, lxcpath, | |
2ac0f627 | 1680 | seccomp->notifier.notify_fd, |
c3e3c21a CB |
1681 | -1, 0); |
1682 | close_prot_errno_disarm(seccomp->notifier.notify_fd); | |
1683 | if (ret < 0) | |
1684 | return -1; | |
1685 | } | |
1686 | #endif | |
1687 | return 0; | |
1688 | } |