src/swtpm/seccomp_profile.c

   1 /*
   2  * seccomp_profile.c -- seccomp profile support
   3  *
   4  * (c) Copyright IBM Corporation 2019.
   5  *
   6  * Author: Stefan Berger <stefanb@us.ibm.com>
   7  *
   8  * All rights reserved.
   9  *
  10  * Redistribution and use in source and binary forms, with or without
  11  * modification, are permitted provided that the following conditions are
  12  * met:
  13  *
  14  * Redistributions of source code must retain the above copyright notice,
  15  * this list of conditions and the following disclaimer.
  16  *
  17  * Redistributions in binary form must reproduce the above copyright
  18  * notice, this list of conditions and the following disclaimer in the
  19  * documentation and/or other materials provided with the distribution.
  20  *
  21  * Neither the names of the IBM Corporation nor the names of its
  22  * contributors may be used to endorse or promote products derived from
  23  * this software without specific prior written permission.
  24  *
  25  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
  26  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
  27  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
  28  * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
  29  * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  30  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
  31  * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
  32  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
  33  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  34  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
  35  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  36  */
  37
  38 #include "config.h"
  39
  40 #include <stdbool.h>
  41 #include <string.h>
  42
  43 #ifdef WITH_SECCOMP
  44 # include <seccomp.h>
  45 #endif
  46
  47 #include "logging.h"
  48 #include "utils.h"
  49 #include "seccomp_profile.h"
  50
  51 #ifdef WITH_SECCOMP
  52 static int create_seccomp_profile_add_rules(scmp_filter_ctx ctx,
  53                                             int *syscalls, size_t syscalls_len,
  54                                             unsigned int action)
  55 {
  56     int ret = 0;
  57     unsigned i = 0;
  58     uint32_t act = SCMP_ACT_KILL;
  59
  60 #ifdef SCMP_ACT_LOG
  61     if (action == SWTPM_SECCOMP_ACTION_LOG)
  62         act = SCMP_ACT_LOG;
  63 #endif
  64
  65     for (i = 0; i < syscalls_len; i++) {
  66         ret = seccomp_rule_add(ctx, act, syscalls[i], 0);
  67         if (ret < 0) {
  68             logprintf(STDERR_FILENO,
  69                       "seccomp_rule_add failed with errno %d: %s\n",
  70                       -ret, strerror(-ret));
  71             break;
  72         }
  73     }
  74     return ret;
  75 }
  76
  77 /*
  78  * create_seccomp_profile: Build a blacklist of syscalls
  79  *
  80  * cusetpm: whether to build for the CUSE tpm
  81  * action: the seccomp action
  82  */
  83 int create_seccomp_profile(bool cusetpm, unsigned int action)
  84 {
  85     int blacklist[] = {
  86         /* high concern */
  87         SCMP_SYS(capset),
  88         SCMP_SYS(pivot_root),
  89         SCMP_SYS(chroot),
  90         SCMP_SYS(settimeofday),
  91         SCMP_SYS(clock_adjtime),
  92         SCMP_SYS(mount),
  93         SCMP_SYS(umount2),
  94         SCMP_SYS(swapon),
  95         SCMP_SYS(swapoff),
  96         SCMP_SYS(reboot),
  97         SCMP_SYS(tgkill),
  98         SCMP_SYS(kexec_load),
  99         SCMP_SYS(unshare),
 100         SCMP_SYS(setns),
 101         SCMP_SYS(kcmp),
 102         SCMP_SYS(init_module),
 103         SCMP_SYS(finit_module),
 104         SCMP_SYS(seccomp),
 105         SCMP_SYS(kexec_file_load),
 106 #ifdef __NR_sysctl
 107         SCMP_SYS(sysctl),
 108 #endif
 109         /* semaphores and messages queues */
 110         SCMP_SYS(semget),
 111         SCMP_SYS(semop),
 112         SCMP_SYS(shmget),
 113         SCMP_SYS(shmat),
 114         SCMP_SYS(shmctl),
 115         SCMP_SYS(shmdt),
 116         SCMP_SYS(msgget),
 117         SCMP_SYS(msgsnd),
 118         SCMP_SYS(msgrcv),
 119         SCMP_SYS(msgctl),
 120         SCMP_SYS(mq_open),
 121         SCMP_SYS(mq_unlink),
 122         SCMP_SYS(mq_timedsend),
 123         SCMP_SYS(mq_timedreceive),
 124         SCMP_SYS(mq_notify),
 125         SCMP_SYS(mq_getsetattr),
 126         /* misc */
 127         SCMP_SYS(ptrace),
 128         SCMP_SYS(syslog),
 129         SCMP_SYS(capget),
 130         SCMP_SYS(capset),
 131         SCMP_SYS(sigaltstack),
 132         SCMP_SYS(personality),
 133         SCMP_SYS(sysfs),
 134         SCMP_SYS(getpriority),
 135         SCMP_SYS(setpriority),
 136         SCMP_SYS(sched_setparam),
 137         SCMP_SYS(sched_setscheduler),
 138         SCMP_SYS(sched_setaffinity),
 139         SCMP_SYS(sched_setattr),
 140         SCMP_SYS(vhangup),
 141         SCMP_SYS(sethostname),
 142         SCMP_SYS(setdomainname),
 143         SCMP_SYS(quotactl),
 144         SCMP_SYS(readahead),
 145         SCMP_SYS(lookup_dcookie),
 146         SCMP_SYS(add_key),
 147         SCMP_SYS(request_key),
 148         SCMP_SYS(keyctl),
 149         SCMP_SYS(inotify_init),
 150         SCMP_SYS(inotify_init1),
 151         SCMP_SYS(inotify_add_watch),
 152         SCMP_SYS(inotify_rm_watch),
 153         SCMP_SYS(splice),
 154         SCMP_SYS(tee),
 155         SCMP_SYS(vmsplice),
 156         SCMP_SYS(signalfd),
 157         SCMP_SYS(eventfd),
 158         SCMP_SYS(timerfd_settime),
 159         SCMP_SYS(timerfd_gettime),
 160         SCMP_SYS(signalfd4),
 161         SCMP_SYS(eventfd2),
 162         SCMP_SYS(fanotify_init),
 163         SCMP_SYS(fanotify_mark),
 164         SCMP_SYS(clock_adjtime),
 165 #ifdef __NR_bpf
 166         SCMP_SYS(bpf),
 167 #endif
 168 #ifdef __NR_copy_filerange
 169         SCMP_SYS(copy_filerange),
 170 #endif
 171         /* xattrs */
 172         SCMP_SYS(setxattr),
 173         SCMP_SYS(lsetxattr),
 174         SCMP_SYS(fsetxattr),
 175         SCMP_SYS(getxattr),
 176         SCMP_SYS(lgetxattr),
 177         SCMP_SYS(fgetxattr),
 178         SCMP_SYS(listxattr),
 179         SCMP_SYS(llistxattr),
 180         SCMP_SYS(flistxattr),
 181         SCMP_SYS(removexattr),
 182         SCMP_SYS(lremovexattr),
 183         SCMP_SYS(fremovexattr),
 184         /* processs forking */
 185         SCMP_SYS(execve),
 186         /* io */
 187         SCMP_SYS(iopl),
 188         SCMP_SYS(ioperm),
 189         SCMP_SYS(io_setup),
 190         SCMP_SYS(io_destroy),
 191         SCMP_SYS(io_getevents),
 192         SCMP_SYS(io_submit),
 193         SCMP_SYS(io_cancel),
 194         SCMP_SYS(ioprio_set),
 195         SCMP_SYS(ioprio_get),
 196         /* not implemented, removed */
 197         SCMP_SYS(create_module),
 198         SCMP_SYS(get_kernel_syms),
 199         SCMP_SYS(query_module),
 200         SCMP_SYS(uselib),
 201         SCMP_SYS(nfsservctl),
 202         SCMP_SYS(getpmsg),
 203         SCMP_SYS(putpmsg),
 204         SCMP_SYS(afs_syscall),
 205         SCMP_SYS(tuxcall),
 206         SCMP_SYS(security),
 207         SCMP_SYS(set_thread_area),
 208         SCMP_SYS(get_thread_area),
 209         SCMP_SYS(epoll_ctl_old),
 210         SCMP_SYS(epoll_wait_old),
 211         SCMP_SYS(vserver),
 212         /* privileged */
 213         SCMP_SYS(setuid),
 214         SCMP_SYS(setgid),
 215         SCMP_SYS(setpgid),
 216         SCMP_SYS(setsid),
 217         SCMP_SYS(setreuid),
 218         SCMP_SYS(setregid),
 219         SCMP_SYS(setgroups),
 220         SCMP_SYS(setresuid),
 221         SCMP_SYS(setresgid),
 222         SCMP_SYS(setfsuid),
 223         SCMP_SYS(setfsgid)
 224     };
 225     /* CUSE TPM needs to clone or fork */
 226     int blacklist_noncuse[] = {
 227         SCMP_SYS(clone),
 228         SCMP_SYS(fork),
 229         SCMP_SYS(vfork)
 230     };
 231     scmp_filter_ctx ctx;
 232     int ret;
 233
 234     if (action == SWTPM_SECCOMP_ACTION_NONE)
 235         return 0;
 236
 237     ctx = seccomp_init(SCMP_ACT_ALLOW);
 238     if (!ctx) {
 239         logprintf(STDERR_FILENO, "seccomp_init failed\n");
 240         return -1;
 241     }
 242
 243     if ((ret = create_seccomp_profile_add_rules(ctx, blacklist,
 244                                                 ARRAY_LEN(blacklist),
 245                                                 action)) < 0)
 246         goto error_seccomp_rule_add;
 247
 248     if (!cusetpm &&
 249         (ret = create_seccomp_profile_add_rules(ctx, blacklist_noncuse,
 250                                                 ARRAY_LEN(blacklist_noncuse),
 251                                                 action)) < 0)
 252         goto error_seccomp_rule_add;
 253
 254     if ((ret = seccomp_load(ctx)) < 0)
 255         logprintf(STDERR_FILENO, "seccomp_load failed with errno %d: %s\n",
 256                   -ret, strerror(-ret));
 257
 258 error_seccomp_rule_add:
 259     seccomp_release(ctx);
 260
 261     return ret;
 262 }
 263 #endif