]> git.proxmox.com Git - mirror_lxc.git/blob - src/lxc/seccomp.c
projects / mirror_lxc.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
seccomp: SECCOMP_RET_USER_NOTIF support
[mirror_lxc.git] / src / lxc / seccomp.c
1 /*
2 * lxc: linux Container library
3 *
4 * (C) Copyright Canonical, Inc. 2012
5 *
6 * Authors:
7 * Serge Hallyn <serge.hallyn@canonical.com>
8 *
9 * This library is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU Lesser General Public
11 * License as published by the Free Software Foundation; either
12 * version 2.1 of the License, or (at your option) any later version.
13 *
14 * This library is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 * Lesser General Public License for more details.
18 *
19 * You should have received a copy of the GNU Lesser General Public
20 * License along with this library; if not, write to the Free Software
21 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
22 */
23
24 #ifndef _GNU_SOURCE
25 #define _GNU_SOURCE 1
26 #endif
27 #include <errno.h>
28 #include <seccomp.h>
29 #include <stdio.h>
30 #include <stdlib.h>
31 #include <sys/mount.h>
32 #include <sys/utsname.h>
33
34 #include "config.h"
35 #include "log.h"
36 #include "lxccontainer.h"
37 #include "lxcseccomp.h"
38 #include "memory_utils.h"
39 #include "utils.h"
40
41 #ifdef __MIPSEL__
42 #define MIPS_ARCH_O32 lxc_seccomp_arch_mipsel
43 #define MIPS_ARCH_N64 lxc_seccomp_arch_mipsel64
44 #else
45 #define MIPS_ARCH_O32 lxc_seccomp_arch_mips
46 #define MIPS_ARCH_N64 lxc_seccomp_arch_mips64
47 #endif
48
49 lxc_log_define(seccomp, lxc);
50
51 static int parse_config_v1(FILE *f, char *line, size_t *line_bufsz, struct lxc_conf *conf)
52 {
53 int ret = 0;
54
55 while (getline(&line, line_bufsz, f) != -1) {
56 int nr;
57
58 ret = sscanf(line, "%d", &nr);
59 if (ret != 1) {
60 ret = -1;
61 break;
62 }
63
64 #if HAVE_SCMP_FILTER_CTX
65 ret = seccomp_rule_add(conf->seccomp_ctx, SCMP_ACT_ALLOW, nr, 0);
66 #else
67 ret = seccomp_rule_add(SCMP_ACT_ALLOW, nr, 0);
68 #endif
69 if (ret < 0) {
70 ERROR("Failed loading allow rule for %d", nr);
71 break;
72 }
73 }
74 free(line);
75
76 return ret;
77 }
78
79 #if HAVE_DECL_SECCOMP_SYSCALL_RESOLVE_NAME_ARCH
80 static const char *get_action_name(uint32_t action)
81 {
82 /* The upper 16 bits indicate the type of the seccomp action. */
83 switch (action & 0xffff0000) {
84 case SCMP_ACT_KILL:
85 return "kill";
86 case SCMP_ACT_ALLOW:
87 return "allow";
88 case SCMP_ACT_TRAP:
89 return "trap";
90 case SCMP_ACT_ERRNO(0):
91 return "errno";
92 #if HAVE_DECL_SECCOMP_NOTIF_GET_FD
93 case SCMP_ACT_USER_NOTIF:
94 return "notify";
95 #endif
96 }
97
98 return "invalid action";
99 }
100
101 static uint32_t get_v2_default_action(char *line)
102 {
103 uint32_t ret_action = -1;
104
105 while (*line == ' ')
106 line++;
107
108 /* After 'whitelist' or 'blacklist' comes default behavior. */
109 if (strncmp(line, "kill", 4) == 0) {
110 ret_action = SCMP_ACT_KILL;
111 } else if (strncmp(line, "errno", 5) == 0) {
112 int e, ret;
113
114 ret = sscanf(line + 5, "%d", &e);
115 if (ret != 1) {
116 ERROR("Failed to parse errno value from %s", line);
117 return -2;
118 }
119
120 ret_action = SCMP_ACT_ERRNO(e);
121 } else if (strncmp(line, "allow", 5) == 0) {
122 ret_action = SCMP_ACT_ALLOW;
123 } else if (strncmp(line, "trap", 4) == 0) {
124 ret_action = SCMP_ACT_TRAP;
125 #if HAVE_DECL_SECCOMP_NOTIF_GET_FD
126 } else if (strncmp(line, "notify", 6) == 0) {
127 ret_action = SCMP_ACT_USER_NOTIF;
128 #endif
129 } else if (line[0]) {
130 ERROR("Unrecognized seccomp action \"%s\"", line);
131 return -2;
132 }
133
134 return ret_action;
135 }
136
137 static uint32_t get_v2_action(char *line, uint32_t def_action)
138 {
139 char *p;
140 uint32_t ret;
141
142 p = strchr(line, ' ');
143 if (!p)
144 return def_action;
145 p++;
146
147 while (*p == ' ')
148 p++;
149
150 if (!*p || *p == '#')
151 return def_action;
152
153 ret = get_v2_default_action(p);
154 switch (ret) {
155 case -2:
156 return -1;
157 case -1:
158 return def_action;
159 }
160
161 return ret;
162 }
163
164 struct seccomp_v2_rule_args {
165 uint32_t index;
166 uint64_t value;
167 uint64_t mask;
168 enum scmp_compare op;
169 };
170
171 struct seccomp_v2_rule {
172 uint32_t action;
173 uint32_t args_num;
174 struct seccomp_v2_rule_args args_value[6];
175 };
176
177 static enum scmp_compare parse_v2_rule_op(char *s)
178 {
179 if (strcmp(s, "SCMP_CMP_NE") == 0 || strcmp(s, "!=") == 0)
180 return SCMP_CMP_NE;
181 else if (strcmp(s, "SCMP_CMP_LT") == 0 || strcmp(s, "<") == 0)
182 return SCMP_CMP_LT;
183 else if (strcmp(s, "SCMP_CMP_LE") == 0 || strcmp(s, "<=") == 0)
184 return SCMP_CMP_LE;
185 else if (strcmp(s, "SCMP_CMP_EQ") == 0 || strcmp(s, "==") == 0)
186 return SCMP_CMP_EQ;
187 else if (strcmp(s, "SCMP_CMP_GE") == 0 || strcmp(s, ">=") == 0)
188 return SCMP_CMP_GE;
189 else if (strcmp(s, "SCMP_CMP_GT") == 0 || strcmp(s, ">") == 0)
190 return SCMP_CMP_GT;
191 else if (strcmp(s, "SCMP_CMP_MASKED_EQ") == 0 || strcmp(s, "&=") == 0)
192 return SCMP_CMP_MASKED_EQ;
193
194 return _SCMP_CMP_MAX;
195 }
196
197 /*
198 * This function is used to parse the args string into the structure.
199 * args string format:[index,value,op,mask] or [index,value,op]
200 * index: the index for syscall arguments (type uint)
201 * value: the value for syscall arguments (type uint64)
202 * op: the operator for syscall arguments(string),
203 a valid list of constants as of libseccomp v2.3.2 is
204 SCMP_CMP_NE,SCMP_CMP_LE,SCMP_CMP_LE, SCMP_CMP_EQ, SCMP_CMP_GE,
205 SCMP_CMP_GT, SCMP_CMP_MASKED_EQ, or !=,<=,==,>=,>,&=
206 * mask: the mask to apply on "value" for SCMP_CMP_MASKED_EQ (type uint64, optional)
207 * Returns 0 on success, < 0 otherwise.
208 */
209 static int get_seccomp_arg_value(char *key, struct seccomp_v2_rule_args *rule_args)
210 {
211 int ret = 0;
212 uint32_t index = 0;
213 uint64_t mask = 0, value = 0;
214 enum scmp_compare op = 0;
215 char *tmp = NULL;
216 char s[31] = {0}, v[24] = {0}, m[24] = {'0'};
217
218 tmp = strchr(key, '[');
219 if (!tmp) {
220 ERROR("Failed to interpret args");
221 return -1;
222 }
223
224 ret = sscanf(tmp, "[%i,%23[^,],%30[^0-9^,],%23[^,]", &index, v, s, m);
225 if ((ret != 3 && ret != 4) || index >= 6) {
226 ERROR("Failed to interpret args value");
227 return -1;
228 }
229
230 ret = lxc_safe_uint64(v, &value, 0);
231 if (ret < 0) {
232 ERROR("Invalid argument value");
233 return -1;
234 }
235
236 ret = lxc_safe_uint64(m, &mask, 0);
237 if (ret < 0) {
238 ERROR("Invalid argument mask");
239 return -1;
240 }
241
242 op = parse_v2_rule_op(s);
243 if (op == _SCMP_CMP_MAX) {
244 ERROR("Failed to interpret args operator value");
245 return -1;
246 }
247
248 rule_args->index = index;
249 rule_args->value = value;
250 rule_args->mask = mask;
251 rule_args->op = op;
252 return 0;
253 }
254
255 /* This function is used to parse the seccomp rule entry.
256 * @line : seccomp rule entry string.
257 * @def_action : default action used in the case if the 'line' contain non valid action.
258 * @rules : output struct.
259 * Returns 0 on success, < 0 otherwise.
260 */
261 static int parse_v2_rules(char *line, uint32_t def_action,
262 struct seccomp_v2_rule *rules)
263 {
264 int i = 0, ret = -1;
265 char *key = NULL, *saveptr = NULL, *tmp = NULL;
266
267 tmp = strdup(line);
268 if (!tmp)
269 return -1;
270
271 /* read optional action which follows the syscall */
272 rules->action = get_v2_action(tmp, def_action);
273 if (rules->action == -1) {
274 ERROR("Failed to interpret action");
275 ret = -1;
276 goto on_error;
277 }
278
279 ret = 0;
280 rules->args_num = 0;
281 if (!strchr(tmp, '['))
282 goto on_error;
283
284 ret = -1;
285 for ((key = strtok_r(tmp, "]", &saveptr)), i = 0; key && i < 6;
286 (key = strtok_r(NULL, "]", &saveptr)), i++) {
287 ret = get_seccomp_arg_value(key, &rules->args_value[i]);
288 if (ret < 0)
289 goto on_error;
290
291 rules->args_num++;
292 }
293
294 ret = 0;
295
296 on_error:
297 free(tmp);
298
299 return ret;
300 }
301 #endif
302
303 #if HAVE_DECL_SECCOMP_SYSCALL_RESOLVE_NAME_ARCH
304 enum lxc_hostarch_t {
305 lxc_seccomp_arch_all = 0,
306 lxc_seccomp_arch_native,
307 lxc_seccomp_arch_i386,
308 lxc_seccomp_arch_x32,
309 lxc_seccomp_arch_amd64,
310 lxc_seccomp_arch_arm,
311 lxc_seccomp_arch_arm64,
312 lxc_seccomp_arch_ppc64,
313 lxc_seccomp_arch_ppc64le,
314 lxc_seccomp_arch_ppc,
315 lxc_seccomp_arch_mips,
316 lxc_seccomp_arch_mips64,
317 lxc_seccomp_arch_mips64n32,
318 lxc_seccomp_arch_mipsel,
319 lxc_seccomp_arch_mipsel64,
320 lxc_seccomp_arch_mipsel64n32,
321 lxc_seccomp_arch_s390x,
322 lxc_seccomp_arch_unknown = 999,
323 };
324
325 int get_hostarch(void)
326 {
327 struct utsname uts;
328 if (uname(&uts) < 0) {
329 SYSERROR("Failed to read host arch");
330 return -1;
331 }
332
333 if (strcmp(uts.machine, "i686") == 0)
334 return lxc_seccomp_arch_i386;
335 /* no x32 kernels */
336 else if (strcmp(uts.machine, "x86_64") == 0)
337 return lxc_seccomp_arch_amd64;
338 else if (strncmp(uts.machine, "armv7", 5) == 0)
339 return lxc_seccomp_arch_arm;
340 else if (strncmp(uts.machine, "aarch64", 7) == 0)
341 return lxc_seccomp_arch_arm64;
342 else if (strncmp(uts.machine, "ppc64le", 7) == 0)
343 return lxc_seccomp_arch_ppc64le;
344 else if (strncmp(uts.machine, "ppc64", 5) == 0)
345 return lxc_seccomp_arch_ppc64;
346 else if (strncmp(uts.machine, "ppc", 3) == 0)
347 return lxc_seccomp_arch_ppc;
348 else if (strncmp(uts.machine, "mips64", 6) == 0)
349 return MIPS_ARCH_N64;
350 else if (strncmp(uts.machine, "mips", 4) == 0)
351 return MIPS_ARCH_O32;
352 else if (strncmp(uts.machine, "s390x", 5) == 0)
353 return lxc_seccomp_arch_s390x;
354
355 return lxc_seccomp_arch_unknown;
356 }
357
358 scmp_filter_ctx get_new_ctx(enum lxc_hostarch_t n_arch,
359 uint32_t default_policy_action, bool *needs_merge)
360 {
361 int ret;
362 uint32_t arch;
363 scmp_filter_ctx ctx;
364
365 switch (n_arch) {
366 case lxc_seccomp_arch_i386:
367 arch = SCMP_ARCH_X86;
368 break;
369 case lxc_seccomp_arch_x32:
370 arch = SCMP_ARCH_X32;
371 break;
372 case lxc_seccomp_arch_amd64:
373 arch = SCMP_ARCH_X86_64;
374 break;
375 case lxc_seccomp_arch_arm:
376 arch = SCMP_ARCH_ARM;
377 break;
378 #ifdef SCMP_ARCH_AARCH64
379 case lxc_seccomp_arch_arm64:
380 arch = SCMP_ARCH_AARCH64;
381 break;
382 #endif
383 #ifdef SCMP_ARCH_PPC64LE
384 case lxc_seccomp_arch_ppc64le:
385 arch = SCMP_ARCH_PPC64LE;
386 break;
387 #endif
388 #ifdef SCMP_ARCH_PPC64
389 case lxc_seccomp_arch_ppc64:
390 arch = SCMP_ARCH_PPC64;
391 break;
392 #endif
393 #ifdef SCMP_ARCH_PPC
394 case lxc_seccomp_arch_ppc:
395 arch = SCMP_ARCH_PPC;
396 break;
397 #endif
398 #ifdef SCMP_ARCH_MIPS
399 case lxc_seccomp_arch_mips:
400 arch = SCMP_ARCH_MIPS;
401 break;
402 case lxc_seccomp_arch_mips64:
403 arch = SCMP_ARCH_MIPS64;
404 break;
405 case lxc_seccomp_arch_mips64n32:
406 arch = SCMP_ARCH_MIPS64N32;
407 break;
408 case lxc_seccomp_arch_mipsel:
409 arch = SCMP_ARCH_MIPSEL;
410 break;
411 case lxc_seccomp_arch_mipsel64:
412 arch = SCMP_ARCH_MIPSEL64;
413 break;
414 case lxc_seccomp_arch_mipsel64n32:
415 arch = SCMP_ARCH_MIPSEL64N32;
416 break;
417 #endif
418 #ifdef SCMP_ARCH_S390X
419 case lxc_seccomp_arch_s390x:
420 arch = SCMP_ARCH_S390X;
421 break;
422 #endif
423 default:
424 return NULL;
425 }
426
427 ctx = seccomp_init(default_policy_action);
428 if (!ctx) {
429 ERROR("Error initializing seccomp context");
430 return NULL;
431 }
432
433 ret = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_NNP, 0);
434 if (ret < 0) {
435 errno = -ret;
436 SYSERROR("Failed to turn off no-new-privs");
437 seccomp_release(ctx);
438 return NULL;
439 }
440
441 #ifdef SCMP_FLTATR_ATL_TSKIP
442 ret = seccomp_attr_set(ctx, SCMP_FLTATR_ATL_TSKIP, 1);
443 if (ret < 0) {
444 errno = -ret;
445 SYSWARN("Failed to turn on seccomp nop-skip, continuing");
446 }
447 #endif
448
449 ret = seccomp_arch_exist(ctx, arch);
450 if (ret < 0) {
451 if (ret != -EEXIST) {
452 errno = -ret;
453 SYSERROR("Failed to determine whether arch %d is "
454 "already present in the main seccomp context",
455 (int)n_arch);
456 seccomp_release(ctx);
457 return NULL;
458 }
459
460 ret = seccomp_arch_add(ctx, arch);
461 if (ret != 0) {
462 errno = -ret;
463 SYSERROR("Failed to add arch %d to main seccomp context",
464 (int)n_arch);
465 seccomp_release(ctx);
466 return NULL;
467 }
468 TRACE("Added arch %d to main seccomp context", (int)n_arch);
469
470 ret = seccomp_arch_remove(ctx, SCMP_ARCH_NATIVE);
471 if (ret != 0) {
472 ERROR("Failed to remove native arch from main seccomp context");
473 seccomp_release(ctx);
474 return NULL;
475 }
476 TRACE("Removed native arch from main seccomp context");
477
478 *needs_merge = true;
479 } else {
480 *needs_merge = false;
481 TRACE("Arch %d already present in main seccomp context", (int)n_arch);
482 }
483
484 return ctx;
485 }
486
487 bool do_resolve_add_rule(uint32_t arch, char *line, scmp_filter_ctx ctx,
488 struct seccomp_v2_rule *rule)
489 {
490 int i, nr, ret;
491 struct scmp_arg_cmp arg_cmp[6];
492
493 ret = seccomp_arch_exist(ctx, arch);
494 if (arch && ret != 0) {
495 errno = -ret;
496 SYSERROR("Seccomp: rule and context arch do not match (arch %d)", arch);
497 return false;
498 }
499
500 /*get the syscall name*/
501 char *p = strchr(line, ' ');
502 if (p)
503 *p = '\0';
504
505 if (strncmp(line, "reject_force_umount", 19) == 0) {
506 ret = seccomp_rule_add_exact(ctx, SCMP_ACT_ERRNO(EACCES),
507 SCMP_SYS(umount2), 1,
508 SCMP_A1(SCMP_CMP_MASKED_EQ, MNT_FORCE, MNT_FORCE));
509 if (ret < 0) {
510 errno = -ret;
511 SYSERROR("Failed loading rule to reject force umount");
512 return false;
513 }
514
515 INFO("Set seccomp rule to reject force umounts");
516 return true;
517 }
518
519 nr = seccomp_syscall_resolve_name(line);
520 if (nr == __NR_SCMP_ERROR) {
521 WARN("Failed to resolve syscall \"%s\"", line);
522 WARN("This syscall will NOT be handled by seccomp");
523 return true;
524 }
525
526 if (nr < 0) {
527 WARN("Got negative return value %d for syscall \"%s\"", nr, line);
528 WARN("This syscall will NOT be handled by seccomp");
529 return true;
530 }
531
532 memset(&arg_cmp, 0, sizeof(arg_cmp));
533 for (i = 0; i < rule->args_num; i++) {
534 INFO("arg_cmp[%d]: SCMP_CMP(%u, %llu, %llu, %llu)", i,
535 rule->args_value[i].index,
536 (long long unsigned int)rule->args_value[i].op,
537 (long long unsigned int)rule->args_value[i].mask,
538 (long long unsigned int)rule->args_value[i].value);
539
540 if (SCMP_CMP_MASKED_EQ == rule->args_value[i].op)
541 arg_cmp[i] = SCMP_CMP(rule->args_value[i].index,
542 rule->args_value[i].op,
543 rule->args_value[i].mask,
544 rule->args_value[i].value);
545 else
546 arg_cmp[i] = SCMP_CMP(rule->args_value[i].index,
547 rule->args_value[i].op,
548 rule->args_value[i].value);
549 }
550
551 ret = seccomp_rule_add_exact_array(ctx, rule->action, nr,
552 rule->args_num, arg_cmp);
553 if (ret < 0) {
554 errno = -ret;
555 SYSERROR("Failed loading rule for %s (nr %d action %d (%s))",
556 line, nr, rule->action, get_action_name(rule->action));
557 return false;
558 }
559
560 return true;
561 }
562
563 /*
564 * v2 consists of
565 * [x86]
566 * open
567 * read
568 * write
569 * close
570 * # a comment
571 * [x86_64]
572 * open
573 * read
574 * write
575 * close
576 */
577 static int parse_config_v2(FILE *f, char *line, size_t *line_bufsz, struct lxc_conf *conf)
578 {
579 int ret;
580 char *p;
581 enum lxc_hostarch_t cur_rule_arch, native_arch;
582 bool blacklist = false;
583 uint32_t default_policy_action = -1, default_rule_action = -1;
584 struct seccomp_v2_rule rule;
585 struct scmp_ctx_info {
586 uint32_t architectures[3];
587 scmp_filter_ctx contexts[3];
588 bool needs_merge[3];
589 } ctx;
590
591 if (strncmp(line, "blacklist", 9) == 0)
592 blacklist = true;
593 else if (strncmp(line, "whitelist", 9) != 0) {
594 ERROR("Bad seccomp policy style \"%s\"", line);
595 return -1;
596 }
597
598 p = strchr(line, ' ');
599 if (p) {
600 default_policy_action = get_v2_default_action(p + 1);
601 if (default_policy_action == -2)
602 return -1;
603 }
604
605 /* for blacklist, allow any syscall which has no rule */
606 if (blacklist) {
607 if (default_policy_action == -1)
608 default_policy_action = SCMP_ACT_ALLOW;
609
610 if (default_rule_action == -1)
611 default_rule_action = SCMP_ACT_KILL;
612 } else {
613 if (default_policy_action == -1)
614 default_policy_action = SCMP_ACT_KILL;
615
616 if (default_rule_action == -1)
617 default_rule_action = SCMP_ACT_ALLOW;
618 }
619
620 memset(&ctx, 0, sizeof(ctx));
621 ctx.architectures[0] = SCMP_ARCH_NATIVE;
622 ctx.architectures[1] = SCMP_ARCH_NATIVE;
623 ctx.architectures[2] = SCMP_ARCH_NATIVE;
624 native_arch = get_hostarch();
625 cur_rule_arch = native_arch;
626 if (native_arch == lxc_seccomp_arch_amd64) {
627 cur_rule_arch = lxc_seccomp_arch_all;
628
629 ctx.architectures[0] = SCMP_ARCH_X86;
630 ctx.contexts[0] = get_new_ctx(lxc_seccomp_arch_i386,
631 default_policy_action,
632 &ctx.needs_merge[0]);
633 if (!ctx.contexts[0])
634 goto bad;
635
636 ctx.architectures[1] = SCMP_ARCH_X32;
637 ctx.contexts[1] = get_new_ctx(lxc_seccomp_arch_x32,
638 default_policy_action,
639 &ctx.needs_merge[1]);
640 if (!ctx.contexts[1])
641 goto bad;
642
643 ctx.architectures[2] = SCMP_ARCH_X86_64;
644 ctx.contexts[2] = get_new_ctx(lxc_seccomp_arch_amd64,
645 default_policy_action,
646 &ctx.needs_merge[2]);
647 if (!ctx.contexts[2])
648 goto bad;
649 #ifdef SCMP_ARCH_PPC
650 } else if (native_arch == lxc_seccomp_arch_ppc64) {
651 cur_rule_arch = lxc_seccomp_arch_all;
652
653 ctx.architectures[0] = SCMP_ARCH_PPC;
654 ctx.contexts[0] = get_new_ctx(lxc_seccomp_arch_ppc,
655 default_policy_action,
656 &ctx.needs_merge[0]);
657 if (!ctx.contexts[0])
658 goto bad;
659
660 ctx.architectures[2] = SCMP_ARCH_PPC64;
661 ctx.contexts[2] = get_new_ctx(lxc_seccomp_arch_ppc64,
662 default_policy_action,
663 &ctx.needs_merge[2]);
664 if (!ctx.contexts[2])
665 goto bad;
666 #endif
667 #ifdef SCMP_ARCH_ARM
668 } else if (native_arch == lxc_seccomp_arch_arm64) {
669 cur_rule_arch = lxc_seccomp_arch_all;
670
671 ctx.architectures[0] = SCMP_ARCH_ARM;
672 ctx.contexts[0] = get_new_ctx(lxc_seccomp_arch_arm,
673 default_policy_action,
674 &ctx.needs_merge[0]);
675 if (!ctx.contexts[0])
676 goto bad;
677
678 #ifdef SCMP_ARCH_AARCH64
679 ctx.architectures[2] = SCMP_ARCH_AARCH64;
680 ctx.contexts[2] = get_new_ctx(lxc_seccomp_arch_arm64,
681 default_policy_action,
682 &ctx.needs_merge[2]);
683 if (!ctx.contexts[2])
684 goto bad;
685 #endif
686 #endif
687 #ifdef SCMP_ARCH_MIPS
688 } else if (native_arch == lxc_seccomp_arch_mips64) {
689 cur_rule_arch = lxc_seccomp_arch_all;
690
691 ctx.architectures[0] = SCMP_ARCH_MIPS;
692 ctx.contexts[0] = get_new_ctx(lxc_seccomp_arch_mips,
693 default_policy_action,
694 &ctx.needs_merge[0]);
695 if (!ctx.contexts[0])
696 goto bad;
697
698 ctx.architectures[1] = SCMP_ARCH_MIPS64N32;
699 ctx.contexts[1] = get_new_ctx(lxc_seccomp_arch_mips64n32,
700 default_policy_action,
701 &ctx.needs_merge[1]);
702 if (!ctx.contexts[1])
703 goto bad;
704
705 ctx.architectures[2] = SCMP_ARCH_MIPS64;
706 ctx.contexts[2] = get_new_ctx(lxc_seccomp_arch_mips64,
707 default_policy_action,
708 &ctx.needs_merge[2]);
709 if (!ctx.contexts[2])
710 goto bad;
711 } else if (native_arch == lxc_seccomp_arch_mipsel64) {
712 cur_rule_arch = lxc_seccomp_arch_all;
713
714 ctx.architectures[0] = SCMP_ARCH_MIPSEL;
715 ctx.contexts[0] = get_new_ctx(lxc_seccomp_arch_mipsel,
716 default_policy_action,
717 &ctx.needs_merge[0]);
718 if (!ctx.contexts[0])
719 goto bad;
720
721 ctx.architectures[1] = SCMP_ARCH_MIPSEL64N32;
722 ctx.contexts[1] = get_new_ctx(lxc_seccomp_arch_mipsel64n32,
723 default_policy_action,
724 &ctx.needs_merge[1]);
725 if (!ctx.contexts[1])
726 goto bad;
727
728 ctx.architectures[2] = SCMP_ARCH_MIPSEL64;
729 ctx.contexts[2] = get_new_ctx(lxc_seccomp_arch_mipsel64,
730 default_policy_action,
731 &ctx.needs_merge[2]);
732 if (!ctx.contexts[2])
733 goto bad;
734 #endif
735 }
736
737 if (default_policy_action != SCMP_ACT_KILL) {
738 ret = seccomp_reset(conf->seccomp_ctx, default_policy_action);
739 if (ret != 0) {
740 ERROR("Error re-initializing Seccomp");
741 return -1;
742 }
743
744 ret = seccomp_attr_set(conf->seccomp_ctx, SCMP_FLTATR_CTL_NNP, 0);
745 if (ret < 0) {
746 errno = -ret;
747 SYSERROR("Failed to turn off no-new-privs");
748 return -1;
749 }
750
751 #ifdef SCMP_FLTATR_ATL_TSKIP
752 ret = seccomp_attr_set(conf->seccomp_ctx, SCMP_FLTATR_ATL_TSKIP, 1);
753 if (ret < 0) {
754 errno = -ret;
755 SYSWARN("Failed to turn on seccomp nop-skip, continuing");
756 }
757 #endif
758 }
759
760 while (getline(&line, line_bufsz, f) != -1) {
761 if (line[0] == '#')
762 continue;
763
764 if (line[0] == '\0')
765 continue;
766
767 remove_trailing_newlines(line);
768
769 INFO("Processing \"%s\"", line);
770 if (line[0] == '[') {
771 /* Read the architecture for next set of rules. */
772 if (strcmp(line, "[x86]") == 0 ||
773 strcmp(line, "[X86]") == 0) {
774 if (native_arch != lxc_seccomp_arch_i386 &&
775 native_arch != lxc_seccomp_arch_amd64) {
776 cur_rule_arch = lxc_seccomp_arch_unknown;
777 continue;
778 }
779
780 cur_rule_arch = lxc_seccomp_arch_i386;
781 } else if (strcmp(line, "[x32]") == 0 ||
782 strcmp(line, "[X32]") == 0) {
783 if (native_arch != lxc_seccomp_arch_amd64) {
784 cur_rule_arch = lxc_seccomp_arch_unknown;
785 continue;
786 }
787
788 cur_rule_arch = lxc_seccomp_arch_x32;
789 } else if (strcmp(line, "[X86_64]") == 0 ||
790 strcmp(line, "[x86_64]") == 0) {
791 if (native_arch != lxc_seccomp_arch_amd64) {
792 cur_rule_arch = lxc_seccomp_arch_unknown;
793 continue;
794 }
795
796 cur_rule_arch = lxc_seccomp_arch_amd64;
797 } else if (strcmp(line, "[all]") == 0 ||
798 strcmp(line, "[ALL]") == 0) {
799 cur_rule_arch = lxc_seccomp_arch_all;
800 }
801 #ifdef SCMP_ARCH_ARM
802 else if (strcmp(line, "[arm]") == 0 ||
803 strcmp(line, "[ARM]") == 0) {
804 if (native_arch != lxc_seccomp_arch_arm &&
805 native_arch != lxc_seccomp_arch_arm64) {
806 cur_rule_arch = lxc_seccomp_arch_unknown;
807 continue;
808 }
809
810 cur_rule_arch = lxc_seccomp_arch_arm;
811 }
812 #endif
813 #ifdef SCMP_ARCH_AARCH64
814 else if (strcmp(line, "[arm64]") == 0 ||
815 strcmp(line, "[ARM64]") == 0) {
816 if (native_arch != lxc_seccomp_arch_arm64) {
817 cur_rule_arch = lxc_seccomp_arch_unknown;
818 continue;
819 }
820
821 cur_rule_arch = lxc_seccomp_arch_arm64;
822 }
823 #endif
824 #ifdef SCMP_ARCH_PPC64LE
825 else if (strcmp(line, "[ppc64le]") == 0 ||
826 strcmp(line, "[PPC64LE]") == 0) {
827 if (native_arch != lxc_seccomp_arch_ppc64le) {
828 cur_rule_arch = lxc_seccomp_arch_unknown;
829 continue;
830 }
831
832 cur_rule_arch = lxc_seccomp_arch_ppc64le;
833 }
834 #endif
835 #ifdef SCMP_ARCH_PPC64
836 else if (strcmp(line, "[ppc64]") == 0 ||
837 strcmp(line, "[PPC64]") == 0) {
838 if (native_arch != lxc_seccomp_arch_ppc64) {
839 cur_rule_arch = lxc_seccomp_arch_unknown;
840 continue;
841 }
842
843 cur_rule_arch = lxc_seccomp_arch_ppc64;
844 }
845 #endif
846 #ifdef SCMP_ARCH_PPC
847 else if (strcmp(line, "[ppc]") == 0 ||
848 strcmp(line, "[PPC]") == 0) {
849 if (native_arch != lxc_seccomp_arch_ppc &&
850 native_arch != lxc_seccomp_arch_ppc64) {
851 cur_rule_arch = lxc_seccomp_arch_unknown;
852 continue;
853 }
854
855 cur_rule_arch = lxc_seccomp_arch_ppc;
856 }
857 #endif
858 #ifdef SCMP_ARCH_MIPS
859 else if (strcmp(line, "[mips64]") == 0 ||
860 strcmp(line, "[MIPS64]") == 0) {
861 if (native_arch != lxc_seccomp_arch_mips64) {
862 cur_rule_arch = lxc_seccomp_arch_unknown;
863 continue;
864 }
865
866 cur_rule_arch = lxc_seccomp_arch_mips64;
867 } else if (strcmp(line, "[mips64n32]") == 0 ||
868 strcmp(line, "[MIPS64N32]") == 0) {
869 if (native_arch != lxc_seccomp_arch_mips64) {
870 cur_rule_arch = lxc_seccomp_arch_unknown;
871 continue;
872 }
873
874 cur_rule_arch = lxc_seccomp_arch_mips64n32;
875 } else if (strcmp(line, "[mips]") == 0 ||
876 strcmp(line, "[MIPS]") == 0) {
877 if (native_arch != lxc_seccomp_arch_mips &&
878 native_arch != lxc_seccomp_arch_mips64) {
879 cur_rule_arch = lxc_seccomp_arch_unknown;
880 continue;
881 }
882
883 cur_rule_arch = lxc_seccomp_arch_mips;
884 } else if (strcmp(line, "[mipsel64]") == 0 ||
885 strcmp(line, "[MIPSEL64]") == 0) {
886 if (native_arch != lxc_seccomp_arch_mipsel64) {
887 cur_rule_arch = lxc_seccomp_arch_unknown;
888 continue;
889 }
890
891 cur_rule_arch = lxc_seccomp_arch_mipsel64;
892 } else if (strcmp(line, "[mipsel64n32]") == 0 ||
893 strcmp(line, "[MIPSEL64N32]") == 0) {
894 if (native_arch != lxc_seccomp_arch_mipsel64) {
895 cur_rule_arch = lxc_seccomp_arch_unknown;
896 continue;
897 }
898
899 cur_rule_arch = lxc_seccomp_arch_mipsel64n32;
900 } else if (strcmp(line, "[mipsel]") == 0 ||
901 strcmp(line, "[MIPSEL]") == 0) {
902 if (native_arch != lxc_seccomp_arch_mipsel &&
903 native_arch != lxc_seccomp_arch_mipsel64) {
904 cur_rule_arch = lxc_seccomp_arch_unknown;
905 continue;
906 }
907
908 cur_rule_arch = lxc_seccomp_arch_mipsel;
909 }
910 #endif
911 #ifdef SCMP_ARCH_S390X
912 else if (strcmp(line, "[s390x]") == 0 ||
913 strcmp(line, "[S390X]") == 0) {
914 if (native_arch != lxc_seccomp_arch_s390x) {
915 cur_rule_arch = lxc_seccomp_arch_unknown;
916 continue;
917 }
918
919 cur_rule_arch = lxc_seccomp_arch_s390x;
920 }
921 #endif
922 else {
923 goto bad_arch;
924 }
925
926 continue;
927 }
928
929 /* irrelevant arch - i.e. arm on i386 */
930 if (cur_rule_arch == lxc_seccomp_arch_unknown)
931 continue;
932
933 memset(&rule, 0, sizeof(rule));
934 /* read optional action which follows the syscall */
935 ret = parse_v2_rules(line, default_rule_action, &rule);
936 if (ret != 0) {
937 ERROR("Failed to interpret seccomp rule");
938 goto bad_rule;
939 }
940
941 #if HAVE_DECL_SECCOMP_NOTIF_GET_FD
942 if ((rule.action == SCMP_ACT_USER_NOTIF) &&
943 !conf->has_seccomp_notify) {
944 ret = seccomp_attr_set(conf->seccomp_ctx,
945 SCMP_FLTATR_NEW_LISTENER, 1);
946 if (ret)
947 goto bad_rule;
948
949 conf->has_seccomp_notify = true;
950 TRACE("Set SCMP_FLTATR_NEW_LISTENER attribute");
951 }
952 #endif
953
954 if (!do_resolve_add_rule(SCMP_ARCH_NATIVE, line,
955 conf->seccomp_ctx, &rule))
956 goto bad_rule;
957
958 INFO("Added native rule for arch %d for %s action %d(%s)",
959 SCMP_ARCH_NATIVE, line, rule.action,
960 get_action_name(rule.action));
961
962 if (ctx.architectures[0] != SCMP_ARCH_NATIVE) {
963 if (!do_resolve_add_rule(ctx.architectures[0], line,
964 ctx.contexts[0], &rule))
965 goto bad_rule;
966
967 INFO("Added compat rule for arch %d for %s action %d(%s)",
968 ctx.architectures[0], line, rule.action,
969 get_action_name(rule.action));
970 }
971
972 if (ctx.architectures[1] != SCMP_ARCH_NATIVE) {
973 if (!do_resolve_add_rule(ctx.architectures[1], line,
974 ctx.contexts[1], &rule))
975 goto bad_rule;
976
977 INFO("Added compat rule for arch %d for %s action %d(%s)",
978 ctx.architectures[1], line, rule.action,
979 get_action_name(rule.action));
980 }
981
982 if (ctx.architectures[2] != SCMP_ARCH_NATIVE) {
983 if (!do_resolve_add_rule(ctx.architectures[2], line,
984 ctx.contexts[2], &rule))
985 goto bad_rule;
986
987 INFO("Added native rule for arch %d for %s action %d(%s)",
988 ctx.architectures[2], line, rule.action,
989 get_action_name(rule.action));
990 }
991 }
992
993 INFO("Merging compat seccomp contexts into main context");
994 if (ctx.contexts[0]) {
995 if (ctx.needs_merge[0]) {
996 ret = seccomp_merge(conf->seccomp_ctx, ctx.contexts[0]);
997 if (ret < 0) {
998 ERROR("Failed to merge first compat seccomp "
999 "context into main context");
1000 goto bad;
1001 }
1002
1003 TRACE("Merged first compat seccomp context into main context");
1004 } else {
1005 seccomp_release(ctx.contexts[0]);
1006 ctx.contexts[0] = NULL;
1007 }
1008 }
1009
1010 if (ctx.contexts[1]) {
1011 if (ctx.needs_merge[1]) {
1012 ret = seccomp_merge(conf->seccomp_ctx, ctx.contexts[1]);
1013 if (ret < 0) {
1014 ERROR("Failed to merge first compat seccomp "
1015 "context into main context");
1016 goto bad;
1017 }
1018
1019 TRACE("Merged second compat seccomp context into main context");
1020 } else {
1021 seccomp_release(ctx.contexts[1]);
1022 ctx.contexts[1] = NULL;
1023 }
1024 }
1025
1026 if (ctx.contexts[2]) {
1027 if (ctx.needs_merge[2]) {
1028 ret = seccomp_merge(conf->seccomp_ctx, ctx.contexts[2]);
1029 if (ret < 0) {
1030 ERROR("Failed to merge third compat seccomp "
1031 "context into main context");
1032 goto bad;
1033 }
1034
1035 TRACE("Merged third compat seccomp context into main context");
1036 } else {
1037 seccomp_release(ctx.contexts[2]);
1038 ctx.contexts[2] = NULL;
1039 }
1040 }
1041
1042 free(line);
1043 return 0;
1044
1045 bad_arch:
1046 ERROR("Unsupported architecture \"%s\"", line);
1047
1048 bad_rule:
1049 bad:
1050 if (ctx.contexts[0])
1051 seccomp_release(ctx.contexts[0]);
1052
1053 if (ctx.contexts[1])
1054 seccomp_release(ctx.contexts[1]);
1055
1056 if (ctx.contexts[2])
1057 seccomp_release(ctx.contexts[2]);
1058
1059 free(line);
1060
1061 return -1;
1062 }
1063 #else /* HAVE_DECL_SECCOMP_SYSCALL_RESOLVE_NAME_ARCH */
1064 static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
1065 {
1066 return -1;
1067 }
1068 #endif /* HAVE_DECL_SECCOMP_SYSCALL_RESOLVE_NAME_ARCH */
1069
1070 /*
1071 * The first line of the config file has a policy language version
1072 * the second line has some directives
1073 * then comes policy subject to the directives
1074 * right now version must be '1' or '2'
1075 * the directives must include 'whitelist'(version == 1 or 2) or 'blacklist'
1076 * (version == 2) and can include 'debug' (though debug is not yet supported).
1077 */
1078 static int parse_config(FILE *f, struct lxc_conf *conf)
1079 {
1080 char *line = NULL;
1081 size_t line_bufsz = 0;
1082 int ret, version;
1083
1084 ret = fscanf(f, "%d\n", &version);
1085 if (ret != 1 || (version != 1 && version != 2)) {
1086 ERROR("Invalid version");
1087 return -1;
1088 }
1089
1090 if (getline(&line, &line_bufsz, f) == -1) {
1091 ERROR("Invalid config file");
1092 goto bad_line;
1093 }
1094
1095 if (version == 1 && !strstr(line, "whitelist")) {
1096 ERROR("Only whitelist policy is supported");
1097 goto bad_line;
1098 }
1099
1100 if (strstr(line, "debug")) {
1101 ERROR("Debug not yet implemented");
1102 goto bad_line;
1103 }
1104
1105 if (version == 1)
1106 return parse_config_v1(f, line, &line_bufsz, conf);
1107
1108 return parse_config_v2(f, line, &line_bufsz, conf);
1109
1110 bad_line:
1111 free(line);
1112 return -1;
1113 }
1114
1115 /*
1116 * use_seccomp: return true if we should try and apply a seccomp policy
1117 * if defined for the container.
1118 * This will return false if
1119 * 1. seccomp is not enabled in the kernel
1120 * 2. a seccomp policy is already enabled for this task
1121 */
1122 static bool use_seccomp(const struct lxc_conf *conf)
1123 {
1124 int ret, v;
1125 FILE *f;
1126 size_t line_bufsz = 0;
1127 char *line = NULL;
1128 bool already_enabled = false, found = false;
1129
1130 if (conf->seccomp_allow_nesting > 0)
1131 return true;
1132
1133 f = fopen("/proc/self/status", "r");
1134 if (!f)
1135 return true;
1136
1137 while (getline(&line, &line_bufsz, f) != -1) {
1138 if (strncmp(line, "Seccomp:", 8) == 0) {
1139 found = true;
1140
1141 ret = sscanf(line + 8, "%d", &v);
1142 if (ret == 1 && v != 0)
1143 already_enabled = true;
1144
1145 break;
1146 }
1147 }
1148 free(line);
1149 fclose(f);
1150
1151 if (!found) {
1152 INFO("Seccomp is not enabled in the kernel");
1153 return false;
1154 }
1155
1156 if (already_enabled) {
1157 INFO("Already seccomp-confined, not loading new policy");
1158 return false;
1159 }
1160
1161 return true;
1162 }
1163
1164 int lxc_read_seccomp_config(struct lxc_conf *conf)
1165 {
1166 int ret;
1167 FILE *f;
1168
1169 if (!conf->seccomp)
1170 return 0;
1171
1172 if (!use_seccomp(conf))
1173 return 0;
1174
1175 #if HAVE_SCMP_FILTER_CTX
1176 /* XXX for debug, pass in SCMP_ACT_TRAP */
1177 conf->seccomp_ctx = seccomp_init(SCMP_ACT_KILL);
1178 ret = !conf->seccomp_ctx;
1179 #else
1180 ret = seccomp_init(SCMP_ACT_KILL) < 0;
1181 #endif
1182 if (ret) {
1183 ERROR("Failed initializing seccomp");
1184 return -1;
1185 }
1186
1187 /* turn off no-new-privs. We don't want it in lxc, and it breaks
1188 * with apparmor */
1189 #if HAVE_SCMP_FILTER_CTX
1190 ret = seccomp_attr_set(conf->seccomp_ctx, SCMP_FLTATR_CTL_NNP, 0);
1191 #else
1192 ret = seccomp_attr_set(SCMP_FLTATR_CTL_NNP, 0);
1193 #endif
1194 if (ret < 0) {
1195 errno = -ret;
1196 SYSERROR("Failed to turn off no-new-privs");
1197 return -1;
1198 }
1199
1200 #ifdef SCMP_FLTATR_ATL_TSKIP
1201 ret = seccomp_attr_set(conf->seccomp_ctx, SCMP_FLTATR_ATL_TSKIP, 1);
1202 if (ret < 0) {
1203 errno = -ret;
1204 SYSWARN("Failed to turn on seccomp nop-skip, continuing");
1205 }
1206 #endif
1207
1208 f = fopen(conf->seccomp, "r");
1209 if (!f) {
1210 SYSERROR("Failed to open seccomp policy file %s", conf->seccomp);
1211 return -1;
1212 }
1213
1214 ret = parse_config(f, conf);
1215 fclose(f);
1216
1217 return ret;
1218 }
1219
1220 int lxc_seccomp_load(struct lxc_conf *conf)
1221 {
1222 int ret;
1223
1224 if (!conf->seccomp)
1225 return 0;
1226
1227 if (!use_seccomp(conf))
1228 return 0;
1229
1230 #if HAVE_SCMP_FILTER_CTX
1231 ret = seccomp_load(conf->seccomp_ctx);
1232 #else
1233 ret = seccomp_load();
1234 #endif
1235 if (ret < 0) {
1236 errno = -ret;
1237 SYSERROR("Error loading the seccomp policy");
1238 return -1;
1239 }
1240
1241 /* After load seccomp filter into the kernel successfully, export the current seccomp
1242 * filter to log file */
1243 #if HAVE_SCMP_FILTER_CTX
1244 if ((lxc_log_get_level() <= LXC_LOG_LEVEL_TRACE ||
1245 conf->loglevel <= LXC_LOG_LEVEL_TRACE) &&
1246 lxc_log_fd >= 0) {
1247 ret = seccomp_export_pfc(conf->seccomp_ctx, lxc_log_fd);
1248 /* Just give an warning when export error */
1249 if (ret < 0) {
1250 errno = -ret;
1251 SYSWARN("Failed to export seccomp filter to log file");
1252 }
1253 }
1254 #endif
1255
1256 #if HAVE_DECL_SECCOMP_NOTIF_GET_FD
1257 if (conf->has_seccomp_notify) {
1258 ret = seccomp_notif_get_fd(conf->seccomp_ctx);
1259 if (ret < 0) {
1260 errno = -ret;
1261 return -1;
1262 }
1263
1264 conf->seccomp_notify_fd = ret;
1265 TRACE("Retrieved new seccomp listener fd %d", ret);
1266 }
1267 #endif
1268
1269 return 0;
1270 }
1271
1272 void lxc_seccomp_free(struct lxc_conf *conf)
1273 {
1274 free(conf->seccomp);
1275 conf->seccomp = NULL;
1276
1277 #if HAVE_SCMP_FILTER_CTX
1278 if (conf->seccomp_ctx) {
1279 seccomp_release(conf->seccomp_ctx);
1280 conf->seccomp_ctx = NULL;
1281 }
1282 #endif
1283
1284 #if HAVE_DECL_SECCOMP_NOTIF_GET_FD
1285 close_prot_errno_disarm(conf->seccomp_notify_fd);
1286 close_prot_errno_disarm(conf->seccomp_notify_proxy_fd);
1287 seccomp_notif_free(conf->seccomp_notify_req, conf->seccomp_notify_resp);
1288 conf->seccomp_notify_req = NULL;
1289 conf->seccomp_notify_resp = NULL;
1290 #endif
1291 }
1292
1293 int seccomp_notify_handler(int fd, uint32_t events, void *data,
1294 struct lxc_epoll_descr *descr)
1295 {
1296
1297 #if HAVE_DECL_SECCOMP_NOTIF_GET_FD
1298 int ret;
1299 struct lxc_handler *hdlr = data;
1300 struct lxc_conf *conf = hdlr->conf;
1301 struct seccomp_notif *req = conf->seccomp_notify_req;
1302 struct seccomp_notif_resp *resp = conf->seccomp_notify_resp;
1303 int listener_proxy_fd = conf->seccomp_notify_proxy_fd;
1304 struct seccomp_notify_proxy_msg msg;
1305
1306 if (listener_proxy_fd < 0)
1307 return minus_one_set_errno(EINVAL);
1308
1309 ret = seccomp_notif_receive(fd, req);
1310 if (ret)
1311 return minus_one_set_errno(-ret);
1312
1313 memcpy(&msg.req, req, sizeof(msg.req));
1314 msg.monitor_pid = hdlr->monitor_pid;
1315 msg.init_pid = hdlr->pid;
1316
1317 ret = lxc_send_nointr(listener_proxy_fd, &msg, sizeof(msg), MSG_NOSIGNAL);
1318 if (ret < 0 || ret != (ssize_t)sizeof(msg))
1319 return -1;
1320
1321 ret = lxc_recv_nointr(listener_proxy_fd, &msg, sizeof(msg), 0);
1322 if (ret != (ssize_t)sizeof(msg))
1323 return -1;
1324
1325 memcpy(resp, &msg.resp, sizeof(*resp));
1326
1327 ret = seccomp_notif_send_resp(fd, resp);
1328 if (ret)
1329 return minus_one_set_errno(-ret);
1330
1331 return 0;
1332 #else
1333 return -ENOSYS;
1334 #endif
1335 }
LXC mirror