[systemd.git] / src / nspawn / nspawn-seccomp.c

/* SPDX-License-Identifier: LGPL-2.1+ */

#include <errno.h>
#include <linux/netlink.h>
#include <sys/capability.h>
#include <sys/types.h>

#if HAVE_SECCOMP
#include <seccomp.h>
#endif

#include "alloc-util.h"
#include "log.h"
#include "nspawn-seccomp.h"
#if HAVE_SECCOMP
#include "seccomp-util.h"
#endif
#include "string-util.h"
#include "strv.h"

#if HAVE_SECCOMP

static int seccomp_add_default_syscall_filter(
                scmp_filter_ctx ctx,
                uint32_t arch,
                uint64_t cap_list_retain,
                char **syscall_whitelist,
                char **syscall_blacklist) {

        static const struct {
                uint64_t capability;
                const char* name;
        } whitelist[] = {
                /* Let's use set names where we can */
                { 0,                  "@aio"                   },
                { 0,                  "@basic-io"              },
                { 0,                  "@chown"                 },
                { 0,                  "@default"               },
                { 0,                  "@file-system"           },
                { 0,                  "@io-event"              },
                { 0,                  "@ipc"                   },
                { 0,                  "@mount"                 },
                { 0,                  "@network-io"            },
                { 0,                  "@process"               },
                { 0,                  "@resources"             },
                { 0,                  "@setuid"                },
                { 0,                  "@signal"                },
                { 0,                  "@sync"                  },
                { 0,                  "@timer"                 },

                /* The following four are sets we optionally enable, in case the caps have been configured for it */
                { CAP_SYS_TIME,       "@clock"                 },
                { CAP_SYS_MODULE,     "@module"                },
                { CAP_SYS_RAWIO,      "@raw-io"                },
                { CAP_IPC_LOCK,       "@memlock"               },

                /* Plus a good set of additional syscalls which are not part of any of the groups above */
                { 0,                  "brk"                    },
                { 0,                  "capget"                 },
                { 0,                  "capset"                 },
                { 0,                  "copy_file_range"        },
                { 0,                  "fadvise64"              },
                { 0,                  "fadvise64_64"           },
                { 0,                  "flock"                  },
                { 0,                  "get_mempolicy"          },
                { 0,                  "getcpu"                 },
                { 0,                  "getpriority"            },
                { 0,                  "getrandom"              },
                { 0,                  "ioctl"                  },
                { 0,                  "ioprio_get"             },
                { 0,                  "kcmp"                   },
                { 0,                  "madvise"                },
                { 0,                  "mincore"                },
                { 0,                  "mprotect"               },
                { 0,                  "mremap"                 },
                { 0,                  "name_to_handle_at"      },
                { 0,                  "oldolduname"            },
                { 0,                  "olduname"               },
                { 0,                  "personality"            },
                { 0,                  "readahead"              },
                { 0,                  "readdir"                },
                { 0,                  "remap_file_pages"       },
                { 0,                  "sched_get_priority_max" },
                { 0,                  "sched_get_priority_min" },
                { 0,                  "sched_getaffinity"      },
                { 0,                  "sched_getattr"          },
                { 0,                  "sched_getparam"         },
                { 0,                  "sched_getscheduler"     },
                { 0,                  "sched_rr_get_interval"  },
                { 0,                  "sched_yield"            },
                { 0,                  "seccomp"                },
                { 0,                  "sendfile"               },
                { 0,                  "sendfile64"             },
                { 0,                  "setdomainname"          },
                { 0,                  "setfsgid"               },
                { 0,                  "setfsgid32"             },
                { 0,                  "setfsuid"               },
                { 0,                  "setfsuid32"             },
                { 0,                  "sethostname"            },
                { 0,                  "setpgid"                },
                { 0,                  "setsid"                 },
                { 0,                  "splice"                 },
                { 0,                  "sysinfo"                },
                { 0,                  "tee"                    },
                { 0,                  "umask"                  },
                { 0,                  "uname"                  },
                { 0,                  "userfaultfd"            },
                { 0,                  "vmsplice"               },

                /* The following individual syscalls are added depending on specified caps */
                { CAP_SYS_PACCT,      "acct"                   },
                { CAP_SYS_PTRACE,     "process_vm_readv"       },
                { CAP_SYS_PTRACE,     "process_vm_writev"      },
                { CAP_SYS_PTRACE,     "ptrace"                 },
                { CAP_SYS_BOOT,       "reboot"                 },
                { CAP_SYSLOG,         "syslog"                 },
                { CAP_SYS_TTY_CONFIG, "vhangup"                },

                /*
                 * The following syscalls and groups are knowingly excluded:
                 *
                 * @cpu-emulation
                 * @keyring           (NB: keyring is not namespaced!)
                 * @obsolete
                 * @swap
                 *
                 * bpf                (NB: bpffs is not namespaced!)
                 * fanotify_init
                 * fanotify_mark
                 * kexec_file_load
                 * kexec_load
                 * lookup_dcookie
                 * nfsservctl
                 * open_by_handle_at
                 * perf_event_open
                 * pkey_alloc
                 * pkey_free
                 * pkey_mprotect
                 * quotactl
                 */
        };

        int r;
        size_t i;
        char **p;

        for (i = 0; i < ELEMENTSOF(whitelist); i++) {
                if (whitelist[i].capability != 0 && (cap_list_retain & (1ULL << whitelist[i].capability)) == 0)
                        continue;

                r = seccomp_add_syscall_filter_item(ctx, whitelist[i].name, SCMP_ACT_ALLOW, syscall_blacklist, false);
                if (r < 0)
                        return log_error_errno(r, "Failed to add syscall filter item %s: %m", whitelist[i].name);
        }

        STRV_FOREACH(p, syscall_whitelist) {
                r = seccomp_add_syscall_filter_item(ctx, *p, SCMP_ACT_ALLOW, syscall_blacklist, false);
                if (r < 0)
                        log_warning_errno(r, "Failed to add rule for system call %s on %s, ignoring: %m",
                                          *p, seccomp_arch_to_string(arch));
        }

        return 0;
}

int setup_seccomp(uint64_t cap_list_retain, char **syscall_whitelist, char **syscall_blacklist) {
        uint32_t arch;
        int r;

        if (!is_seccomp_available()) {
                log_debug("SECCOMP features not detected in the kernel, disabling SECCOMP filterering");
                return 0;
        }

        SECCOMP_FOREACH_LOCAL_ARCH(arch) {
                _cleanup_(seccomp_releasep) scmp_filter_ctx seccomp = NULL;

                log_debug("Applying whitelist on architecture: %s", seccomp_arch_to_string(arch));

                r = seccomp_init_for_arch(&seccomp, arch, SCMP_ACT_ERRNO(EPERM));
                if (r < 0)
                        return log_error_errno(r, "Failed to allocate seccomp object: %m");

                r = seccomp_add_default_syscall_filter(seccomp, arch, cap_list_retain, syscall_whitelist, syscall_blacklist);
                if (r < 0)
                        return r;

                r = seccomp_load(seccomp);
                if (IN_SET(r, -EPERM, -EACCES))
                        return log_error_errno(r, "Failed to install seccomp filter: %m");
                if (r < 0)
                        log_debug_errno(r, "Failed to install filter set for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
        }

        SECCOMP_FOREACH_LOCAL_ARCH(arch) {
                _cleanup_(seccomp_releasep) scmp_filter_ctx seccomp = NULL;

                log_debug("Applying NETLINK_AUDIT mask on architecture: %s", seccomp_arch_to_string(arch));

                r = seccomp_init_for_arch(&seccomp, arch, SCMP_ACT_ALLOW);
                if (r < 0)
                        return log_error_errno(r, "Failed to allocate seccomp object: %m");

                /*
                  Audit is broken in containers, much of the userspace audit hookup will fail if running inside a
                  container. We don't care and just turn off creation of audit sockets.

                  This will make socket(AF_NETLINK, *, NETLINK_AUDIT) fail with EAFNOSUPPORT which audit userspace uses
                  as indication that audit is disabled in the kernel.
                */

                r = seccomp_rule_add_exact(
                                seccomp,
                                SCMP_ACT_ERRNO(EAFNOSUPPORT),
                                SCMP_SYS(socket),
                                2,
                                SCMP_A0(SCMP_CMP_EQ, AF_NETLINK),
                                SCMP_A2(SCMP_CMP_EQ, NETLINK_AUDIT));
                if (r < 0) {
                        log_debug_errno(r, "Failed to add audit seccomp rule, ignoring: %m");
                        continue;
                }

                r = seccomp_load(seccomp);
                if (IN_SET(r, -EPERM, -EACCES))
                        return log_error_errno(r, "Failed to install seccomp audit filter: %m");
                if (r < 0)
                        log_debug_errno(r, "Failed to install filter set for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
        }

        return 0;
}

#else

int setup_seccomp(uint64_t cap_list_retain, char **syscall_whitelist, char **syscall_blacklist) {
        return 0;
}

#endif
Commit	Line	Data
52ad194e	1	/* SPDX-License-Identifier: LGPL-2.1+ */
5a920b42 MP	2
	3	#include <errno.h>
	4	#include <linux/netlink.h>
	5	#include <sys/capability.h>
	6	#include <sys/types.h>
	7
f5e65279	8	#if HAVE_SECCOMP
5a920b42 MP	9	#include <seccomp.h>
	10	#endif
	11
2897b343	12	#include "alloc-util.h"
5a920b42	13	#include "log.h"
2897b343	14	#include "nspawn-seccomp.h"
f5e65279	15	#if HAVE_SECCOMP
5a920b42 MP	16	#include "seccomp-util.h"
5a920b42 MP	17	#endif
2897b343	18	#include "string-util.h"
f5e65279	19	#include "strv.h"
5a920b42	20
f5e65279	21	#if HAVE_SECCOMP
5a920b42	22
2897b343 MP	23	static int seccomp_add_default_syscall_filter(
	24	scmp_filter_ctx ctx,
	25	uint32_t arch,
f5e65279 MB	26	uint64_t cap_list_retain,
	27	char **syscall_whitelist,
	28	char **syscall_blacklist) {
2897b343	29
5a920b42 MP	30	static const struct {
5a920b42 MP	31	uint64_t capability;
f5e65279 MB	32	const char* name;
	33	} whitelist[] = {
	34	/* Let's use set names where we can */
	35	{ 0, "@aio" },
	36	{ 0, "@basic-io" },
	37	{ 0, "@chown" },
	38	{ 0, "@default" },
	39	{ 0, "@file-system" },
	40	{ 0, "@io-event" },
	41	{ 0, "@ipc" },
	42	{ 0, "@mount" },
	43	{ 0, "@network-io" },
	44	{ 0, "@process" },
	45	{ 0, "@resources" },
	46	{ 0, "@setuid" },
	47	{ 0, "@signal" },
	48	{ 0, "@sync" },
	49	{ 0, "@timer" },
	50
	51	/* The following four are sets we optionally enable, in case the caps have been configured for it */
	52	{ CAP_SYS_TIME, "@clock" },
	53	{ CAP_SYS_MODULE, "@module" },
	54	{ CAP_SYS_RAWIO, "@raw-io" },
	55	{ CAP_IPC_LOCK, "@memlock" },
	56
	57	/* Plus a good set of additional syscalls which are not part of any of the groups above */
	58	{ 0, "brk" },
	59	{ 0, "capget" },
	60	{ 0, "capset" },
	61	{ 0, "copy_file_range" },
	62	{ 0, "fadvise64" },
	63	{ 0, "fadvise64_64" },
	64	{ 0, "flock" },
	65	{ 0, "get_mempolicy" },
	66	{ 0, "getcpu" },
	67	{ 0, "getpriority" },
	68	{ 0, "getrandom" },
	69	{ 0, "ioctl" },
	70	{ 0, "ioprio_get" },
	71	{ 0, "kcmp" },
	72	{ 0, "madvise" },
	73	{ 0, "mincore" },
	74	{ 0, "mprotect" },
	75	{ 0, "mremap" },
	76	{ 0, "name_to_handle_at" },
	77	{ 0, "oldolduname" },
	78	{ 0, "olduname" },
	79	{ 0, "personality" },
	80	{ 0, "readahead" },
	81	{ 0, "readdir" },
	82	{ 0, "remap_file_pages" },
	83	{ 0, "sched_get_priority_max" },
	84	{ 0, "sched_get_priority_min" },
	85	{ 0, "sched_getaffinity" },
	86	{ 0, "sched_getattr" },
	87	{ 0, "sched_getparam" },
	88	{ 0, "sched_getscheduler" },
	89	{ 0, "sched_rr_get_interval" },
	90	{ 0, "sched_yield" },
	91	{ 0, "seccomp" },
	92	{ 0, "sendfile" },
	93	{ 0, "sendfile64" },
	94	{ 0, "setdomainname" },
	95	{ 0, "setfsgid" },
96	{ 0, "setfsgid32" },
97	{ 0, "setfsuid" },
98	{ 0, "setfsuid32" },
99	{ 0, "sethostname" },
100	{ 0, "setpgid" },
101	{ 0, "setsid" },
102	{ 0, "splice" },
103	{ 0, "sysinfo" },
104	{ 0, "tee" },
105	{ 0, "umask" },
106	{ 0, "uname" },
107	{ 0, "userfaultfd" },
108	{ 0, "vmsplice" },
109
110	/* The following individual syscalls are added depending on specified caps */
111	{ CAP_SYS_PACCT, "acct" },
112	{ CAP_SYS_PTRACE, "process_vm_readv" },
113	{ CAP_SYS_PTRACE, "process_vm_writev" },
114	{ CAP_SYS_PTRACE, "ptrace" },
115	{ CAP_SYS_BOOT, "reboot" },
116	{ CAP_SYSLOG, "syslog" },
117	{ CAP_SYS_TTY_CONFIG, "vhangup" },
118
119	/*
120	* The following syscalls and groups are knowingly excluded:
121	*
122	* @cpu-emulation
123	* @keyring (NB: keyring is not namespaced!)
124	* @obsolete
125	* @swap
126	*
127	* bpf (NB: bpffs is not namespaced!)
128	* fanotify_init
129	* fanotify_mark
130	* kexec_file_load
131	* kexec_load
132	* lookup_dcookie
133	* nfsservctl
134	* open_by_handle_at
135	* perf_event_open
136	* pkey_alloc
137	* pkey_free
138	* pkey_mprotect
139	* quotactl
140	*/
5a920b42	141	};
f5e65279	142
6e866b33	143	int r;
f5e65279 MB	144	size_t i;
f5e65279 MB	145	char **p;
5a920b42	146
f5e65279 MB	147	for (i = 0; i < ELEMENTSOF(whitelist); i++) {
f5e65279 MB	148	if (whitelist[i].capability != 0 && (cap_list_retain & (1ULL << whitelist[i].capability)) == 0)
5a920b42 MP	149	continue;
5a920b42 MP	150
6e866b33	151	r = seccomp_add_syscall_filter_item(ctx, whitelist[i].name, SCMP_ACT_ALLOW, syscall_blacklist, false);
f5e65279	152	if (r < 0)
6e866b33	153	return log_error_errno(r, "Failed to add syscall filter item %s: %m", whitelist[i].name);
f5e65279	154	}
2897b343	155
f5e65279	156	STRV_FOREACH(p, syscall_whitelist) {
6e866b33	157	r = seccomp_add_syscall_filter_item(ctx, *p, SCMP_ACT_ALLOW, syscall_blacklist, false);
f5e65279	158	if (r < 0)
6e866b33 MB	159	log_warning_errno(r, "Failed to add rule for system call %s on %s, ignoring: %m",
6e866b33 MB	160	*p, seccomp_arch_to_string(arch));
5a920b42 MP	161	}
5a920b42 MP	162
6e866b33	163	return 0;
5a920b42 MP	164	}
5a920b42 MP	165
f5e65279	166	int setup_seccomp(uint64_t cap_list_retain, char syscall_whitelist, char syscall_blacklist) {
2897b343	167	uint32_t arch;
5a920b42 MP	168	int r;
5a920b42 MP	169
8a584da2	170	if (!is_seccomp_available()) {
f5e65279	171	log_debug("SECCOMP features not detected in the kernel, disabling SECCOMP filterering");
8a584da2	172	return 0;
5a920b42 MP	173	}
5a920b42 MP	174
2897b343 MP	175	SECCOMP_FOREACH_LOCAL_ARCH(arch) {
2897b343 MP	176	_cleanup_(seccomp_releasep) scmp_filter_ctx seccomp = NULL;
2897b343	177
f5e65279	178	log_debug("Applying whitelist on architecture: %s", seccomp_arch_to_string(arch));
2897b343	179
f5e65279	180	r = seccomp_init_for_arch(&seccomp, arch, SCMP_ACT_ERRNO(EPERM));
2897b343 MP	181	if (r < 0)
	182	return log_error_errno(r, "Failed to allocate seccomp object: %m");
	183
f5e65279 MB	184	r = seccomp_add_default_syscall_filter(seccomp, arch, cap_list_retain, syscall_whitelist, syscall_blacklist);
	185	if (r < 0)
	186	return r;
	187
	188	r = seccomp_load(seccomp);
	189	if (IN_SET(r, -EPERM, -EACCES))
	190	return log_error_errno(r, "Failed to install seccomp filter: %m");
	191	if (r < 0)
	192	log_debug_errno(r, "Failed to install filter set for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
	193	}
	194
	195	SECCOMP_FOREACH_LOCAL_ARCH(arch) {
	196	_cleanup_(seccomp_releasep) scmp_filter_ctx seccomp = NULL;
	197
	198	log_debug("Applying NETLINK_AUDIT mask on architecture: %s", seccomp_arch_to_string(arch));
	199
	200	r = seccomp_init_for_arch(&seccomp, arch, SCMP_ACT_ALLOW);
	201	if (r < 0)
	202	return log_error_errno(r, "Failed to allocate seccomp object: %m");
2897b343 MP	203
	204	/*
	205	Audit is broken in containers, much of the userspace audit hookup will fail if running inside a
	206	container. We don't care and just turn off creation of audit sockets.
	207
	208	This will make socket(AF_NETLINK, *, NETLINK_AUDIT) fail with EAFNOSUPPORT which audit userspace uses
	209	as indication that audit is disabled in the kernel.
	210	*/
	211
	212	r = seccomp_rule_add_exact(
	213	seccomp,
	214	SCMP_ACT_ERRNO(EAFNOSUPPORT),
	215	SCMP_SYS(socket),
	216	2,
	217	SCMP_A0(SCMP_CMP_EQ, AF_NETLINK),
	218	SCMP_A2(SCMP_CMP_EQ, NETLINK_AUDIT));
f5e65279	219	if (r < 0) {
2897b343	220	log_debug_errno(r, "Failed to add audit seccomp rule, ignoring: %m");
2897b343	221	continue;
f5e65279	222	}
5a920b42	223
2897b343 MP	224	r = seccomp_load(seccomp);
	225	if (IN_SET(r, -EPERM, -EACCES))
	226	return log_error_errno(r, "Failed to install seccomp audit filter: %m");
	227	if (r < 0)
	228	log_debug_errno(r, "Failed to install filter set for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
5a920b42 MP	229	}
5a920b42 MP	230
2897b343	231	return 0;
5a920b42 MP	232	}
	233
	234	#else
	235
f5e65279	236	int setup_seccomp(uint64_t cap_list_retain, char syscall_whitelist, char syscall_blacklist) {
5a920b42 MP	237	return 0;
	238	}
	239
	240	#endif