2 * seccomp_profile.c -- seccomp profile support
4 * (c) Copyright IBM Corporation 2019.
6 * Author: Stefan Berger <stefanb@us.ibm.com>
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions are
14 * Redistributions of source code must retain the above copyright notice,
15 * this list of conditions and the following disclaimer.
17 * Redistributions in binary form must reproduce the above copyright
18 * notice, this list of conditions and the following disclaimer in the
19 * documentation and/or other materials provided with the distribution.
21 * Neither the names of the IBM Corporation nor the names of its
22 * contributors may be used to endorse or promote products derived from
23 * this software without specific prior written permission.
25 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
26 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
27 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
28 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
29 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
30 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
31 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
32 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
33 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
34 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
35 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
49 #include "seccomp_profile.h"
52 static int create_seccomp_profile_add_rules(scmp_filter_ctx ctx
,
53 int *syscalls
, size_t syscalls_len
,
58 uint32_t act
= SCMP_ACT_KILL
;
61 if (action
== SWTPM_SECCOMP_ACTION_LOG
)
65 for (i
= 0; i
< syscalls_len
; i
++) {
66 ret
= seccomp_rule_add(ctx
, act
, syscalls
[i
], 0);
68 logprintf(STDERR_FILENO
,
69 "seccomp_rule_add failed with errno %d: %s\n",
70 -ret
, strerror(-ret
));
78 * create_seccomp_profile: Build a blacklist of syscalls
80 * cusetpm: whether to build for the CUSE tpm
81 * action: the seccomp action
83 int create_seccomp_profile(bool cusetpm
, unsigned int action
)
90 SCMP_SYS(settimeofday
),
91 SCMP_SYS(clock_adjtime
),
102 SCMP_SYS(init_module
),
103 SCMP_SYS(finit_module
),
105 SCMP_SYS(kexec_file_load
),
109 /* semaphores and messages queues */
122 SCMP_SYS(mq_timedsend
),
123 SCMP_SYS(mq_timedreceive
),
125 SCMP_SYS(mq_getsetattr
),
131 SCMP_SYS(sigaltstack
),
132 SCMP_SYS(personality
),
134 SCMP_SYS(getpriority
),
135 SCMP_SYS(setpriority
),
136 SCMP_SYS(sched_setparam
),
137 SCMP_SYS(sched_setscheduler
),
138 SCMP_SYS(sched_setaffinity
),
139 SCMP_SYS(sched_setattr
),
141 SCMP_SYS(sethostname
),
142 SCMP_SYS(setdomainname
),
145 SCMP_SYS(lookup_dcookie
),
147 SCMP_SYS(request_key
),
149 SCMP_SYS(inotify_init
),
150 SCMP_SYS(inotify_init1
),
151 SCMP_SYS(inotify_add_watch
),
152 SCMP_SYS(inotify_rm_watch
),
158 SCMP_SYS(timerfd_settime
),
159 SCMP_SYS(timerfd_gettime
),
162 SCMP_SYS(fanotify_init
),
163 SCMP_SYS(fanotify_mark
),
164 SCMP_SYS(clock_adjtime
),
168 #ifdef __NR_copy_filerange
169 SCMP_SYS(copy_filerange
),
179 SCMP_SYS(llistxattr
),
180 SCMP_SYS(flistxattr
),
181 SCMP_SYS(removexattr
),
182 SCMP_SYS(lremovexattr
),
183 SCMP_SYS(fremovexattr
),
184 /* processs forking */
190 SCMP_SYS(io_destroy
),
191 SCMP_SYS(io_getevents
),
194 SCMP_SYS(ioprio_set
),
195 SCMP_SYS(ioprio_get
),
196 /* not implemented, removed */
197 SCMP_SYS(create_module
),
198 SCMP_SYS(get_kernel_syms
),
199 SCMP_SYS(query_module
),
201 SCMP_SYS(nfsservctl
),
204 SCMP_SYS(afs_syscall
),
207 SCMP_SYS(set_thread_area
),
208 SCMP_SYS(get_thread_area
),
209 SCMP_SYS(epoll_ctl_old
),
210 SCMP_SYS(epoll_wait_old
),
225 /* CUSE TPM needs to clone or fork */
226 int blacklist_noncuse
[] = {
234 if (action
== SWTPM_SECCOMP_ACTION_NONE
)
237 ctx
= seccomp_init(SCMP_ACT_ALLOW
);
239 logprintf(STDERR_FILENO
, "seccomp_init failed\n");
243 if ((ret
= create_seccomp_profile_add_rules(ctx
, blacklist
,
244 ARRAY_LEN(blacklist
),
246 goto error_seccomp_rule_add
;
249 (ret
= create_seccomp_profile_add_rules(ctx
, blacklist_noncuse
,
250 ARRAY_LEN(blacklist_noncuse
),
252 goto error_seccomp_rule_add
;
254 if ((ret
= seccomp_load(ctx
)) < 0)
255 logprintf(STDERR_FILENO
, "seccomp_load failed with errno %d: %s\n",
256 -ret
, strerror(-ret
));
258 error_seccomp_rule_add
:
259 seccomp_release(ctx
);