2 * lxc: linux Container library
4 * (C) Copyright Canonical, Inc. 2012
7 * Serge Hallyn <serge.hallyn@canonical.com>
9 * This library is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU Lesser General Public
11 * License as published by the Free Software Foundation; either
12 * version 2.1 of the License, or (at your option) any later version.
14 * This library is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 * Lesser General Public License for more details.
19 * You should have received a copy of the GNU Lesser General Public
20 * License along with this library; if not, write to the Free Software
21 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
29 #include <sys/mount.h>
30 #include <sys/utsname.h>
34 #include "lxcseccomp.h"
36 lxc_log_define(lxc_seccomp
, lxc
);
38 static int parse_config_v1(FILE *f
, struct lxc_conf
*conf
)
43 while (fgets(line
, 1024, f
)) {
45 ret
= sscanf(line
, "%d", &nr
);
48 ret
= seccomp_rule_add(
49 #if HAVE_SCMP_FILTER_CTX
52 SCMP_ACT_ALLOW
, nr
, 0);
54 ERROR("Failed loading allow rule for %d", nr
);
61 #if HAVE_DECL_SECCOMP_SYSCALL_RESOLVE_NAME_ARCH
62 static void remove_trailing_newlines(char *l
)
68 while (--p
>= l
&& *p
== '\n')
72 static uint32_t get_v2_default_action(char *line
)
74 uint32_t ret_action
= -1;
78 /* After 'whitelist' or 'blacklist' comes default behavior. */
79 if (strncmp(line
, "kill", 4) == 0)
80 ret_action
= SCMP_ACT_KILL
;
81 else if (strncmp(line
, "errno", 5) == 0) {
83 if (sscanf(line
+ 5, "%d", &e
) != 1) {
84 ERROR("Bad errno value in %s", line
);
87 ret_action
= SCMP_ACT_ERRNO(e
);
88 } else if (strncmp(line
, "allow", 5) == 0)
89 ret_action
= SCMP_ACT_ALLOW
;
90 else if (strncmp(line
, "trap", 4) == 0)
91 ret_action
= SCMP_ACT_TRAP
;
95 static const char *get_action_name(uint32_t action
)
97 /* The upper 16 bits indicate the type of the seccomp action. */
98 switch(action
& 0xffff0000){
105 case SCMP_ACT_ERRNO(0):
108 return "invalid action";
112 static uint32_t get_v2_action(char *line
, uint32_t def_action
)
114 char *p
= strchr(line
, ' ');
122 if (!*p
|| *p
== '#')
124 ret
= get_v2_default_action(p
);
127 case -1: return def_action
;
132 struct v2_rule_args
{
136 enum scmp_compare op
;
139 struct seccomp_v2_rule
{
142 struct v2_rule_args args_value
[6];
145 static enum scmp_compare
parse_v2_rule_op(char *s
)
147 if (strcmp(s
, "SCMP_CMP_NE") == 0 || strcmp(s
, "!=") == 0)
149 else if (strcmp(s
, "SCMP_CMP_LT") == 0 || strcmp(s
, "<") == 0)
151 else if (strcmp(s
, "SCMP_CMP_LE") == 0 || strcmp(s
, "<=") == 0)
153 else if (strcmp(s
, "SCMP_CMP_EQ") == 0 || strcmp(s
, "==") == 0)
155 else if (strcmp(s
, "SCMP_CMP_GE") == 0 || strcmp(s
, ">=") == 0)
157 else if (strcmp(s
, "SCMP_CMP_GT") == 0 || strcmp(s
, ">") == 0)
159 else if (strcmp(s
, "SCMP_CMP_MASKED_EQ") == 0 || strcmp(s
, "&=") == 0)
160 return SCMP_CMP_MASKED_EQ
;
162 return _SCMP_CMP_MAX
;
165 /* This function is used to parse the args string into the structure.
166 * args string format:[index,value,op,valueTwo] or [index,value,op]
167 * For one arguments, [index,value,valueTwo,op]
168 * index: the index for syscall arguments (type uint)
169 * value: the value for syscall arguments (type uint64)
170 * op: the operator for syscall arguments(string),
171 a valid list of constants as of libseccomp v2.3.2 is
172 SCMP_CMP_NE,SCMP_CMP_LE,SCMP_CMP_LE, SCMP_CMP_EQ, SCMP_CMP_GE,
173 SCMP_CMP_GT, SCMP_CMP_MASKED_EQ, or !=,<=,==,>=,>,&=
174 * valueTwo: the value for syscall arguments only used for mask eq (type uint64, optional)
175 * Returns 0 on success, < 0 otherwise.
177 static int get_seccomp_arg_value(char *key
, struct v2_rule_args
*rule_args
)
182 enum scmp_compare op
= 0;
187 memset(s
, 0, sizeof(s
));
188 tmp
= strchr(key
, '[');
190 ERROR("Failed to interpret args");
193 ret
= sscanf(tmp
, "[%i,%lli,%30[^0-9^,],%lli", &index
, (long long unsigned int *)&value
, s
, (long long unsigned int *)&mask
);
194 if ((ret
!= 3 && ret
!= 4) || index
>= 6) {
195 ERROR("Failed to interpret args value");
199 op
= parse_v2_rule_op(s
);
200 if (op
== _SCMP_CMP_MAX
) {
201 ERROR("Failed to interpret args operator value");
205 rule_args
->index
= index
;
206 rule_args
->value
= value
;
207 rule_args
->mask
= mask
;
212 /* This function is used to parse the seccomp rule entry.
213 * @line : seccomp rule entry string.
214 * @def_action : default action used in the case if the 'line' contain non valid action.
215 * @rules : output struct.
216 * Returns 0 on success, < 0 otherwise.
218 static int parse_v2_rules(char *line
, uint32_t def_action
, struct seccomp_v2_rule
*rules
)
224 char *saveptr
= NULL
;
230 /* read optional action which follows the syscall */
231 rules
->action
= get_v2_action(tmp
, def_action
);
232 if (rules
->action
== -1) {
233 ERROR("Failed to interpret action");
239 if (!strchr(tmp
, '[')) {
244 for ((key
= strtok_r(tmp
, "]", &saveptr
)), i
= 0; key
&& i
< 6; (key
= strtok_r(NULL
, "]", &saveptr
)), i
++) {
245 ret
= get_seccomp_arg_value(key
, &rules
->args_value
[i
]);
261 #if HAVE_DECL_SECCOMP_SYSCALL_RESOLVE_NAME_ARCH
262 enum lxc_hostarch_t
{
263 lxc_seccomp_arch_all
= 0,
264 lxc_seccomp_arch_native
,
265 lxc_seccomp_arch_i386
,
266 lxc_seccomp_arch_x32
,
267 lxc_seccomp_arch_amd64
,
268 lxc_seccomp_arch_arm
,
269 lxc_seccomp_arch_arm64
,
270 lxc_seccomp_arch_ppc64
,
271 lxc_seccomp_arch_ppc64le
,
272 lxc_seccomp_arch_ppc
,
273 lxc_seccomp_arch_mips
,
274 lxc_seccomp_arch_mips64
,
275 lxc_seccomp_arch_mips64n32
,
276 lxc_seccomp_arch_mipsel
,
277 lxc_seccomp_arch_mipsel64
,
278 lxc_seccomp_arch_mipsel64n32
,
279 lxc_seccomp_arch_s390x
,
280 lxc_seccomp_arch_unknown
= 999,
284 # define MIPS_ARCH_O32 lxc_seccomp_arch_mipsel
285 # define MIPS_ARCH_N64 lxc_seccomp_arch_mipsel64
287 # define MIPS_ARCH_O32 lxc_seccomp_arch_mips
288 # define MIPS_ARCH_N64 lxc_seccomp_arch_mips64
291 int get_hostarch(void)
294 if (uname(&uts
) < 0) {
295 SYSERROR("Failed to read host arch");
298 if (strcmp(uts
.machine
, "i686") == 0)
299 return lxc_seccomp_arch_i386
;
301 else if (strcmp(uts
.machine
, "x86_64") == 0)
302 return lxc_seccomp_arch_amd64
;
303 else if (strncmp(uts
.machine
, "armv7", 5) == 0)
304 return lxc_seccomp_arch_arm
;
305 else if (strncmp(uts
.machine
, "aarch64", 7) == 0)
306 return lxc_seccomp_arch_arm64
;
307 else if (strncmp(uts
.machine
, "ppc64le", 7) == 0)
308 return lxc_seccomp_arch_ppc64le
;
309 else if (strncmp(uts
.machine
, "ppc64", 5) == 0)
310 return lxc_seccomp_arch_ppc64
;
311 else if (strncmp(uts
.machine
, "ppc", 3) == 0)
312 return lxc_seccomp_arch_ppc
;
313 else if (strncmp(uts
.machine
, "mips64", 6) == 0)
314 return MIPS_ARCH_N64
;
315 else if (strncmp(uts
.machine
, "mips", 4) == 0)
316 return MIPS_ARCH_O32
;
317 else if (strncmp(uts
.machine
, "s390x", 5) == 0)
318 return lxc_seccomp_arch_s390x
;
319 return lxc_seccomp_arch_unknown
;
322 scmp_filter_ctx
get_new_ctx(enum lxc_hostarch_t n_arch
, uint32_t default_policy_action
)
329 case lxc_seccomp_arch_i386
: arch
= SCMP_ARCH_X86
; break;
330 case lxc_seccomp_arch_x32
: arch
= SCMP_ARCH_X32
; break;
331 case lxc_seccomp_arch_amd64
: arch
= SCMP_ARCH_X86_64
; break;
332 case lxc_seccomp_arch_arm
: arch
= SCMP_ARCH_ARM
; break;
333 #ifdef SCMP_ARCH_AARCH64
334 case lxc_seccomp_arch_arm64
: arch
= SCMP_ARCH_AARCH64
; break;
336 #ifdef SCMP_ARCH_PPC64LE
337 case lxc_seccomp_arch_ppc64le
: arch
= SCMP_ARCH_PPC64LE
; break;
339 #ifdef SCMP_ARCH_PPC64
340 case lxc_seccomp_arch_ppc64
: arch
= SCMP_ARCH_PPC64
; break;
343 case lxc_seccomp_arch_ppc
: arch
= SCMP_ARCH_PPC
; break;
345 #ifdef SCMP_ARCH_MIPS
346 case lxc_seccomp_arch_mips
: arch
= SCMP_ARCH_MIPS
; break;
347 case lxc_seccomp_arch_mips64
: arch
= SCMP_ARCH_MIPS64
; break;
348 case lxc_seccomp_arch_mips64n32
: arch
= SCMP_ARCH_MIPS64N32
; break;
349 case lxc_seccomp_arch_mipsel
: arch
= SCMP_ARCH_MIPSEL
; break;
350 case lxc_seccomp_arch_mipsel64
: arch
= SCMP_ARCH_MIPSEL64
; break;
351 case lxc_seccomp_arch_mipsel64n32
: arch
= SCMP_ARCH_MIPSEL64N32
; break;
353 #ifdef SCMP_ARCH_S390X
354 case lxc_seccomp_arch_s390x
: arch
= SCMP_ARCH_S390X
; break;
356 default: return NULL
;
359 if ((ctx
= seccomp_init(default_policy_action
)) == NULL
) {
360 ERROR("Error initializing seccomp context");
363 if (seccomp_attr_set(ctx
, SCMP_FLTATR_CTL_NNP
, 0)) {
364 ERROR("Failed to turn off no-new-privs");
365 seccomp_release(ctx
);
368 #ifdef SCMP_FLTATR_ATL_TSKIP
369 if (seccomp_attr_set(ctx
, SCMP_FLTATR_ATL_TSKIP
, 1)) {
370 WARN("Failed to turn on seccomp nop-skip, continuing");
373 ret
= seccomp_arch_add(ctx
, arch
);
375 ERROR("Seccomp error %d (%s) adding arch: %d", ret
,
376 strerror(-ret
), (int)n_arch
);
377 seccomp_release(ctx
);
380 if (seccomp_arch_remove(ctx
, SCMP_ARCH_NATIVE
) != 0) {
381 ERROR("Seccomp error removing native arch");
382 seccomp_release(ctx
);
389 bool do_resolve_add_rule(uint32_t arch
, char *line
, scmp_filter_ctx ctx
,
390 struct seccomp_v2_rule
*rule
)
393 struct scmp_arg_cmp arg_cmp
[6];
395 memset(arg_cmp
, 0 ,sizeof(arg_cmp
));
397 ret
= seccomp_arch_exist(ctx
, arch
);
398 if (arch
&& ret
!= 0) {
399 ERROR("BUG: Seccomp: rule and context arch do not match (arch "
401 arch
, strerror(-ret
));
405 /*get the syscall name*/
406 char *p
= strchr(line
, ' ');
410 if (strncmp(line
, "reject_force_umount", 19) == 0) {
411 INFO("Setting Seccomp rule to reject force umounts");
412 ret
= seccomp_rule_add_exact(ctx
, SCMP_ACT_ERRNO(EACCES
), SCMP_SYS(umount2
),
413 1, SCMP_A1(SCMP_CMP_MASKED_EQ
, MNT_FORCE
, MNT_FORCE
));
415 ERROR("Failed (%d) loading rule to reject force "
417 ret
, strerror(-ret
));
423 nr
= seccomp_syscall_resolve_name(line
);
424 if (nr
== __NR_SCMP_ERROR
) {
425 WARN("Seccomp: failed to resolve syscall: %s", line
);
426 WARN("This syscall will NOT be blacklisted");
430 WARN("Seccomp: got negative for syscall: %d: %s", nr
, line
);
431 WARN("This syscall will NOT be blacklisted");
435 for (i
= 0; i
< rule
->args_num
; i
++) {
436 INFO("arg_cmp[%d]:SCMP_CMP(%u, %llu, %llu, %llu)", i
,
437 rule
->args_value
[i
].index
,
438 (long long unsigned int)rule
->args_value
[i
].op
,
439 (long long unsigned int)rule
->args_value
[i
].mask
,
440 (long long unsigned int)rule
->args_value
[i
].value
);
442 if (SCMP_CMP_MASKED_EQ
== rule
->args_value
[i
].op
)
443 arg_cmp
[i
] = SCMP_CMP(rule
->args_value
[i
].index
, rule
->args_value
[i
].op
, rule
->args_value
[i
].mask
, rule
->args_value
[i
].value
);
445 arg_cmp
[i
] = SCMP_CMP(rule
->args_value
[i
].index
, rule
->args_value
[i
].op
, rule
->args_value
[i
].value
);
448 ret
= seccomp_rule_add_exact_array(ctx
, rule
->action
, nr
, rule
->args_num
, arg_cmp
);
450 ERROR("Failed (%d) loading rule for %s (nr %d action %d(%s)): %s",
451 ret
, line
, nr
, rule
->action
, get_action_name(rule
->action
), strerror(-ret
));
471 static int parse_config_v2(FILE *f
, char *line
, struct lxc_conf
*conf
)
475 scmp_filter_ctx compat_ctx
[2] = {NULL
, NULL
};
476 bool blacklist
= false;
477 uint32_t default_policy_action
= -1, default_rule_action
= -1;
478 enum lxc_hostarch_t native_arch
= get_hostarch(),
479 cur_rule_arch
= native_arch
;
480 uint32_t compat_arch
[2] = {SCMP_ARCH_NATIVE
, SCMP_ARCH_NATIVE
};
481 struct seccomp_v2_rule rule
;
483 if (strncmp(line
, "blacklist", 9) == 0)
485 else if (strncmp(line
, "whitelist", 9) != 0) {
486 ERROR("Bad seccomp policy style: %s", line
);
490 if ((p
= strchr(line
, ' '))) {
491 default_policy_action
= get_v2_default_action(p
+ 1);
492 if (default_policy_action
== -2)
496 /* for blacklist, allow any syscall which has no rule */
498 if (default_policy_action
== -1)
499 default_policy_action
= SCMP_ACT_ALLOW
;
500 if (default_rule_action
== -1)
501 default_rule_action
= SCMP_ACT_KILL
;
503 if (default_policy_action
== -1)
504 default_policy_action
= SCMP_ACT_KILL
;
505 if (default_rule_action
== -1)
506 default_rule_action
= SCMP_ACT_ALLOW
;
509 if (native_arch
== lxc_seccomp_arch_amd64
) {
510 cur_rule_arch
= lxc_seccomp_arch_all
;
511 compat_arch
[0] = SCMP_ARCH_X86
;
512 compat_ctx
[0] = get_new_ctx(lxc_seccomp_arch_i386
,
513 default_policy_action
);
514 compat_arch
[1] = SCMP_ARCH_X32
;
515 compat_ctx
[1] = get_new_ctx(lxc_seccomp_arch_x32
,
516 default_policy_action
);
517 if (!compat_ctx
[0] || !compat_ctx
[1])
520 } else if (native_arch
== lxc_seccomp_arch_ppc64
) {
521 cur_rule_arch
= lxc_seccomp_arch_all
;
522 compat_arch
[0] = SCMP_ARCH_PPC
;
523 compat_ctx
[0] = get_new_ctx(lxc_seccomp_arch_ppc
,
524 default_policy_action
);
529 } else if (native_arch
== lxc_seccomp_arch_arm64
) {
530 cur_rule_arch
= lxc_seccomp_arch_all
;
531 compat_arch
[0] = SCMP_ARCH_ARM
;
532 compat_ctx
[0] = get_new_ctx(lxc_seccomp_arch_arm
,
533 default_policy_action
);
537 #ifdef SCMP_ARCH_MIPS
538 } else if (native_arch
== lxc_seccomp_arch_mips64
) {
539 cur_rule_arch
= lxc_seccomp_arch_all
;
540 compat_arch
[0] = SCMP_ARCH_MIPS
;
541 compat_arch
[1] = SCMP_ARCH_MIPS64N32
;
542 compat_ctx
[0] = get_new_ctx(lxc_seccomp_arch_mips
,
543 default_policy_action
);
544 compat_ctx
[1] = get_new_ctx(lxc_seccomp_arch_mips64n32
,
545 default_policy_action
);
546 if (!compat_ctx
[0] || !compat_ctx
[1])
548 } else if (native_arch
== lxc_seccomp_arch_mipsel64
) {
549 cur_rule_arch
= lxc_seccomp_arch_all
;
550 compat_arch
[0] = SCMP_ARCH_MIPSEL
;
551 compat_arch
[1] = SCMP_ARCH_MIPSEL64N32
;
552 compat_ctx
[0] = get_new_ctx(lxc_seccomp_arch_mipsel
,
553 default_policy_action
);
554 compat_ctx
[1] = get_new_ctx(lxc_seccomp_arch_mipsel64n32
,
555 default_policy_action
);
556 if (!compat_ctx
[0] || !compat_ctx
[1])
561 if (default_policy_action
!= SCMP_ACT_KILL
) {
562 ret
= seccomp_reset(conf
->seccomp_ctx
, default_policy_action
);
564 ERROR("Error re-initializing Seccomp");
567 if (seccomp_attr_set(conf
->seccomp_ctx
, SCMP_FLTATR_CTL_NNP
, 0)) {
568 ERROR("Failed to turn off no-new-privs");
571 #ifdef SCMP_FLTATR_ATL_TSKIP
572 if (seccomp_attr_set(conf
->seccomp_ctx
, SCMP_FLTATR_ATL_TSKIP
, 1)) {
573 WARN("Failed to turn on seccomp nop-skip, continuing");
578 while (fgets(line
, 1024, f
)) {
582 if (strlen(line
) == 0)
584 remove_trailing_newlines(line
);
585 INFO("processing: .%s", line
);
586 if (line
[0] == '[') {
587 /* Read the architecture for next set of rules. */
588 if (strcmp(line
, "[x86]") == 0 ||
589 strcmp(line
, "[X86]") == 0) {
590 if (native_arch
!= lxc_seccomp_arch_i386
&&
591 native_arch
!= lxc_seccomp_arch_amd64
) {
592 cur_rule_arch
= lxc_seccomp_arch_unknown
;
595 cur_rule_arch
= lxc_seccomp_arch_i386
;
596 } else if (strcmp(line
, "[x32]") == 0 ||
597 strcmp(line
, "[X32]") == 0) {
598 if (native_arch
!= lxc_seccomp_arch_amd64
) {
599 cur_rule_arch
= lxc_seccomp_arch_unknown
;
602 cur_rule_arch
= lxc_seccomp_arch_x32
;
603 } else if (strcmp(line
, "[X86_64]") == 0 ||
604 strcmp(line
, "[x86_64]") == 0) {
605 if (native_arch
!= lxc_seccomp_arch_amd64
) {
606 cur_rule_arch
= lxc_seccomp_arch_unknown
;
609 cur_rule_arch
= lxc_seccomp_arch_amd64
;
610 } else if (strcmp(line
, "[all]") == 0 ||
611 strcmp(line
, "[ALL]") == 0) {
612 cur_rule_arch
= lxc_seccomp_arch_all
;
615 else if (strcmp(line
, "[arm]") == 0 ||
616 strcmp(line
, "[ARM]") == 0) {
617 if (native_arch
!= lxc_seccomp_arch_arm
&&
618 native_arch
!= lxc_seccomp_arch_arm64
) {
619 cur_rule_arch
= lxc_seccomp_arch_unknown
;
622 cur_rule_arch
= lxc_seccomp_arch_arm
;
625 #ifdef SCMP_ARCH_AARCH64
626 else if (strcmp(line
, "[arm64]") == 0 ||
627 strcmp(line
, "[ARM64]") == 0) {
628 if (native_arch
!= lxc_seccomp_arch_arm64
) {
629 cur_rule_arch
= lxc_seccomp_arch_unknown
;
632 cur_rule_arch
= lxc_seccomp_arch_arm64
;
635 #ifdef SCMP_ARCH_PPC64LE
636 else if (strcmp(line
, "[ppc64le]") == 0 ||
637 strcmp(line
, "[PPC64LE]") == 0) {
638 if (native_arch
!= lxc_seccomp_arch_ppc64le
) {
639 cur_rule_arch
= lxc_seccomp_arch_unknown
;
642 cur_rule_arch
= lxc_seccomp_arch_ppc64le
;
645 #ifdef SCMP_ARCH_PPC64
646 else if (strcmp(line
, "[ppc64]") == 0 ||
647 strcmp(line
, "[PPC64]") == 0) {
648 if (native_arch
!= lxc_seccomp_arch_ppc64
) {
649 cur_rule_arch
= lxc_seccomp_arch_unknown
;
652 cur_rule_arch
= lxc_seccomp_arch_ppc64
;
656 else if (strcmp(line
, "[ppc]") == 0 ||
657 strcmp(line
, "[PPC]") == 0) {
658 if (native_arch
!= lxc_seccomp_arch_ppc
&&
659 native_arch
!= lxc_seccomp_arch_ppc64
) {
660 cur_rule_arch
= lxc_seccomp_arch_unknown
;
663 cur_rule_arch
= lxc_seccomp_arch_ppc
;
666 #ifdef SCMP_ARCH_MIPS
667 else if (strcmp(line
, "[mips64]") == 0 ||
668 strcmp(line
, "[MIPS64]") == 0) {
669 if (native_arch
!= lxc_seccomp_arch_mips64
) {
670 cur_rule_arch
= lxc_seccomp_arch_unknown
;
673 cur_rule_arch
= lxc_seccomp_arch_mips64
;
674 } else if (strcmp(line
, "[mips64n32]") == 0 ||
675 strcmp(line
, "[MIPS64N32]") == 0) {
676 if (native_arch
!= lxc_seccomp_arch_mips64
) {
677 cur_rule_arch
= lxc_seccomp_arch_unknown
;
680 cur_rule_arch
= lxc_seccomp_arch_mips64n32
;
681 } else if (strcmp(line
, "[mips]") == 0 ||
682 strcmp(line
, "[MIPS]") == 0) {
683 if (native_arch
!= lxc_seccomp_arch_mips
&&
684 native_arch
!= lxc_seccomp_arch_mips64
) {
685 cur_rule_arch
= lxc_seccomp_arch_unknown
;
688 cur_rule_arch
= lxc_seccomp_arch_mips
;
689 } else if (strcmp(line
, "[mipsel64]") == 0 ||
690 strcmp(line
, "[MIPSEL64]") == 0) {
691 if (native_arch
!= lxc_seccomp_arch_mipsel64
) {
692 cur_rule_arch
= lxc_seccomp_arch_unknown
;
695 cur_rule_arch
= lxc_seccomp_arch_mipsel64
;
696 } else if (strcmp(line
, "[mipsel64n32]") == 0 ||
697 strcmp(line
, "[MIPSEL64N32]") == 0) {
698 if (native_arch
!= lxc_seccomp_arch_mipsel64
) {
699 cur_rule_arch
= lxc_seccomp_arch_unknown
;
702 cur_rule_arch
= lxc_seccomp_arch_mipsel64n32
;
703 } else if (strcmp(line
, "[mipsel]") == 0 ||
704 strcmp(line
, "[MIPSEL]") == 0) {
705 if (native_arch
!= lxc_seccomp_arch_mipsel
&&
706 native_arch
!= lxc_seccomp_arch_mipsel64
) {
707 cur_rule_arch
= lxc_seccomp_arch_unknown
;
710 cur_rule_arch
= lxc_seccomp_arch_mipsel
;
713 #ifdef SCMP_ARCH_S390X
714 else if (strcmp(line
, "[s390x]") == 0 ||
715 strcmp(line
, "[S390X]") == 0) {
716 if (native_arch
!= lxc_seccomp_arch_s390x
) {
717 cur_rule_arch
= lxc_seccomp_arch_unknown
;
720 cur_rule_arch
= lxc_seccomp_arch_s390x
;
729 /* irrelevant arch - i.e. arm on i386 */
730 if (cur_rule_arch
== lxc_seccomp_arch_unknown
)
733 memset(&rule
, 0, sizeof(rule
));
734 /* read optional action which follows the syscall */
735 ret
= parse_v2_rules(line
, default_rule_action
, &rule
);
737 ERROR("Failed to interpret seccomp rule");
741 if (cur_rule_arch
== native_arch
||
742 cur_rule_arch
== lxc_seccomp_arch_native
||
743 compat_arch
[0] == SCMP_ARCH_NATIVE
) {
744 INFO("Adding native rule for %s action %d(%s)", line
, rule
.action
,
745 get_action_name(rule
.action
));
746 if (!do_resolve_add_rule(SCMP_ARCH_NATIVE
, line
, conf
->seccomp_ctx
, &rule
))
749 else if (cur_rule_arch
!= lxc_seccomp_arch_all
) {
751 cur_rule_arch
== lxc_seccomp_arch_mips64n32
||
752 cur_rule_arch
== lxc_seccomp_arch_mipsel64n32
? 1 : 0;
754 INFO("Adding compat-only rule for %s action %d(%s)", line
, rule
.action
,
755 get_action_name(rule
.action
));
756 if (!do_resolve_add_rule(compat_arch
[arch_index
], line
, compat_ctx
[arch_index
], &rule
))
760 INFO("Adding native rule for %s action %d(%s)", line
, rule
.action
,
761 get_action_name(rule
.action
));
762 if (!do_resolve_add_rule(SCMP_ARCH_NATIVE
, line
, conf
->seccomp_ctx
, &rule
))
764 INFO("Adding compat rule for %s action %d(%s)", line
, rule
.action
,
765 get_action_name(rule
.action
));
766 if (!do_resolve_add_rule(compat_arch
[0], line
, compat_ctx
[0], &rule
))
768 if (compat_arch
[1] != SCMP_ARCH_NATIVE
&&
769 !do_resolve_add_rule(compat_arch
[1], line
, compat_ctx
[1], &rule
))
775 INFO("Merging in the compat Seccomp ctx into the main one");
776 if (seccomp_merge(conf
->seccomp_ctx
, compat_ctx
[0]) != 0 ||
777 (compat_ctx
[1] != NULL
&& seccomp_merge(conf
->seccomp_ctx
, compat_ctx
[1]) != 0)) {
778 ERROR("Error merging compat Seccomp contexts");
786 ERROR("Unsupported arch: %s.", line
);
790 seccomp_release(compat_ctx
[0]);
792 seccomp_release(compat_ctx
[1]);
795 #else /* HAVE_DECL_SECCOMP_SYSCALL_RESOLVE_NAME_ARCH */
796 static int parse_config_v2(FILE *f
, char *line
, struct lxc_conf
*conf
)
800 #endif /* HAVE_DECL_SECCOMP_SYSCALL_RESOLVE_NAME_ARCH */
803 * The first line of the config file has a policy language version
804 * the second line has some directives
805 * then comes policy subject to the directives
806 * right now version must be '1' or '2'
807 * the directives must include 'whitelist'(version == 1 or 2) or 'blacklist'
808 * (version == 2) and can include 'debug' (though debug is not yet supported).
810 static int parse_config(FILE *f
, struct lxc_conf
*conf
)
815 ret
= fscanf(f
, "%d\n", &version
);
816 if (ret
!= 1 || (version
!= 1 && version
!= 2)) {
817 ERROR("Invalid version");
820 if (!fgets(line
, 1024, f
)) {
821 ERROR("Invalid config file");
824 if (version
== 1 && !strstr(line
, "whitelist")) {
825 ERROR("Only whitelist policy is supported");
829 if (strstr(line
, "debug")) {
830 ERROR("Debug not yet implemented");
835 return parse_config_v1(f
, conf
);
836 return parse_config_v2(f
, line
, conf
);
840 * use_seccomp: return true if we should try and apply a seccomp policy
841 * if defined for the container.
842 * This will return false if
843 * 1. seccomp is not enabled in the kernel
844 * 2. a seccomp policy is already enabled for this task
846 static bool use_seccomp(void)
848 FILE *f
= fopen("/proc/self/status", "r");
850 bool already_enabled
= false;
857 while (fgets(line
, 1024, f
)) {
858 if (strncmp(line
, "Seccomp:", 8) == 0) {
860 ret
= sscanf(line
+ 8, "%d", &v
);
861 if (ret
== 1 && v
!= 0)
862 already_enabled
= true;
868 if (!found
) { /* no Seccomp line, no seccomp in kernel */
869 INFO("Seccomp is not enabled in the kernel");
872 if (already_enabled
) { /* already seccomp-confined */
873 INFO("Already seccomp-confined, not loading new policy");
879 int lxc_read_seccomp_config(struct lxc_conf
*conf
)
883 int check_seccomp_attr_set
;
890 #if HAVE_SCMP_FILTER_CTX
891 /* XXX for debug, pass in SCMP_ACT_TRAP */
892 conf
->seccomp_ctx
= seccomp_init(SCMP_ACT_KILL
);
893 ret
= !conf
->seccomp_ctx
;
895 ret
= seccomp_init(SCMP_ACT_KILL
) < 0;
898 ERROR("Failed initializing seccomp");
902 /* turn off no-new-privs. We don't want it in lxc, and it breaks
904 #if HAVE_SCMP_FILTER_CTX
905 check_seccomp_attr_set
= seccomp_attr_set(conf
->seccomp_ctx
, SCMP_FLTATR_CTL_NNP
, 0);
907 check_seccomp_attr_set
= seccomp_attr_set(SCMP_FLTATR_CTL_NNP
, 0);
909 if (check_seccomp_attr_set
) {
910 ERROR("Failed to turn off no-new-privs");
913 #ifdef SCMP_FLTATR_ATL_TSKIP
914 if (seccomp_attr_set(conf
->seccomp_ctx
, SCMP_FLTATR_ATL_TSKIP
, 1)) {
915 WARN("Failed to turn on seccomp nop-skip, continuing");
919 f
= fopen(conf
->seccomp
, "r");
921 SYSERROR("Failed to open seccomp policy file %s", conf
->seccomp
);
924 ret
= parse_config(f
, conf
);
929 int lxc_seccomp_load(struct lxc_conf
*conf
)
937 #if HAVE_SCMP_FILTER_CTX
942 ERROR("Error loading the seccomp policy: %s", strerror(-ret
));
946 /* After load seccomp filter into the kernel successfully, export the current seccomp
947 * filter to log file */
948 #if HAVE_SCMP_FILTER_CTX
949 if ((lxc_log_get_level() <= LXC_LOG_LEVEL_TRACE
|| conf
->loglevel
<= LXC_LOG_LEVEL_TRACE
) &&
951 ret
= seccomp_export_pfc(conf
->seccomp_ctx
, lxc_log_fd
);
952 /* Just give an warning when export error */
954 WARN("Failed to export seccomp filter to log file: %s", strerror(-ret
));
960 void lxc_seccomp_free(struct lxc_conf
*conf
)
963 conf
->seccomp
= NULL
;
964 #if HAVE_SCMP_FILTER_CTX
965 if (conf
->seccomp_ctx
) {
966 seccomp_release(conf
->seccomp_ctx
);
967 conf
->seccomp_ctx
= NULL
;