2 * seccomp_profile.c -- seccomp profile support
4 * (c) Copyright IBM Corporation 2019.
6 * Author: Stefan Berger <stefanb@us.ibm.com>
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions are
14 * Redistributions of source code must retain the above copyright notice,
15 * this list of conditions and the following disclaimer.
17 * Redistributions in binary form must reproduce the above copyright
18 * notice, this list of conditions and the following disclaimer in the
19 * documentation and/or other materials provided with the distribution.
21 * Neither the names of the IBM Corporation nor the names of its
22 * contributors may be used to endorse or promote products derived from
23 * this software without specific prior written permission.
25 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
26 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
27 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
28 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
29 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
30 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
31 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
32 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
33 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
34 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
35 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
49 #include "seccomp_profile.h"
52 static int create_seccomp_profile_add_rules(scmp_filter_ctx ctx
,
53 int *syscalls
, size_t syscalls_len
,
58 uint32_t act
= SCMP_ACT_KILL
;
61 if (action
== SWTPM_SECCOMP_ACTION_LOG
)
65 for (i
= 0; i
< syscalls_len
; i
++) {
66 ret
= seccomp_rule_add(ctx
, act
, syscalls
[i
], 0);
68 logprintf(STDERR_FILENO
,
69 "seccomp_rule_add failed with errno %d: %s\n",
70 -ret
, strerror(-ret
));
78 * create_seccomp_profile: Build a blacklist (denylist) of syscalls and load it
 *   into the kernel. The filter's default action is SCMP_ACT_ALLOW
 *   (seccomp_init), so only the listed syscalls are matched; syscalls added
 *   by newer kernels are therefore allowed by default and the list has to be
 *   revisited as kernels grow. Matched calls get SCMP_ACT_KILL, or -- when
 *   action is SWTPM_SECCOMP_ACTION_LOG -- presumably SCMP_ACT_LOG (the
 *   assignment lives in create_seccomp_profile_add_rules; confirm).
 *   NOTE(review): libseccomp's SCMP_ACT_KILL terminates only the calling
 *   thread; SCMP_ACT_KILL_PROCESS (newer libseccomp/kernels) keeps a blocked
 *   syscall in one thread from leaving the rest of the process running --
 *   check the minimum supported libseccomp version before switching.
 *   NOTE(review): the `#ifdef __NR_copy_filerange` / `SCMP_SYS(copy_filerange)`
 *   entry below does not match the kernel's copy_file_range syscall name, so
 *   that rule is silently compiled out; verify the intended spelling.
80 * cusetpm: whether to build for the CUSE tpm; presumably true skips the
 *   blacklist_noncuse entries (the CUSE TPM needs clone/fork) -- confirm
81 * action: the seccomp action, e.g. SWTPM_SECCOMP_ACTION_NONE (appears to
 *   install no filter at all) or SWTPM_SECCOMP_ACTION_LOG
83 int create_seccomp_profile(bool cusetpm
, unsigned int action
)
90 SCMP_SYS(settimeofday
),
91 SCMP_SYS(clock_adjtime
),
92 SCMP_SYS(clock_settime
),
93 #ifdef __NR_clock_settime64
94 SCMP_SYS(clock_settime64
),
102 #ifdef __NR_move_mount
103 SCMP_SYS(move_mount
),
109 SCMP_SYS(kexec_load
),
113 SCMP_SYS(init_module
),
114 SCMP_SYS(finit_module
),
115 SCMP_SYS(delete_module
),
117 SCMP_SYS(kexec_file_load
),
121 /* semaphores and message queues */
134 SCMP_SYS(mq_timedsend
),
135 SCMP_SYS(mq_timedreceive
),
137 SCMP_SYS(mq_getsetattr
),
143 SCMP_SYS(sigaltstack
),
144 SCMP_SYS(personality
),
146 SCMP_SYS(getpriority
),
147 SCMP_SYS(setpriority
),
148 SCMP_SYS(sched_setparam
),
149 SCMP_SYS(sched_setscheduler
),
150 SCMP_SYS(sched_setaffinity
),
151 SCMP_SYS(sched_setattr
),
153 SCMP_SYS(sethostname
),
154 SCMP_SYS(setdomainname
),
157 SCMP_SYS(lookup_dcookie
),
159 SCMP_SYS(request_key
),
161 SCMP_SYS(inotify_init
),
162 SCMP_SYS(inotify_init1
),
163 SCMP_SYS(inotify_add_watch
),
164 SCMP_SYS(inotify_rm_watch
),
170 SCMP_SYS(timerfd_settime
),
171 #ifdef __NR_timer_settime64
172 SCMP_SYS(timer_settime64
),
174 #ifdef __NR_timerfd_settime64
175 SCMP_SYS(timerfd_settime64
),
177 SCMP_SYS(timerfd_gettime
),
180 SCMP_SYS(fanotify_init
),
181 SCMP_SYS(fanotify_mark
),
190 #ifdef __NR_copy_filerange
191 SCMP_SYS(copy_filerange
),
201 SCMP_SYS(llistxattr
),
202 SCMP_SYS(flistxattr
),
203 SCMP_SYS(removexattr
),
204 SCMP_SYS(lremovexattr
),
205 SCMP_SYS(fremovexattr
),
206 /* process forking */
212 SCMP_SYS(io_destroy
),
213 SCMP_SYS(io_getevents
),
216 SCMP_SYS(ioprio_set
),
217 SCMP_SYS(ioprio_get
),
218 /* not implemented or removed from the kernel -- denied anyway so they stay blocked should a kernel ever provide them */
219 SCMP_SYS(create_module
),
220 SCMP_SYS(get_kernel_syms
),
221 SCMP_SYS(query_module
),
223 SCMP_SYS(nfsservctl
),
226 SCMP_SYS(afs_syscall
),
229 SCMP_SYS(set_thread_area
),
230 SCMP_SYS(get_thread_area
),
231 SCMP_SYS(epoll_ctl_old
),
232 SCMP_SYS(epoll_wait_old
),
247 /* denied only for the non-CUSE build: the CUSE TPM needs to clone or fork */
248 int blacklist_noncuse
[] = {
260 if (action
== SWTPM_SECCOMP_ACTION_NONE
)
263 ctx
= seccomp_init(SCMP_ACT_ALLOW
);
265 logprintf(STDERR_FILENO
, "seccomp_init failed\n");
269 if ((ret
= create_seccomp_profile_add_rules(ctx
, blacklist
,
270 ARRAY_LEN(blacklist
),
272 goto error_seccomp_rule_add
;
275 (ret
= create_seccomp_profile_add_rules(ctx
, blacklist_noncuse
,
276 ARRAY_LEN(blacklist_noncuse
),
278 goto error_seccomp_rule_add
;
280 if ((ret
= seccomp_load(ctx
)) < 0)
281 logprintf(STDERR_FILENO
, "seccomp_load failed with errno %d: %s\n",
282 -ret
, strerror(-ret
));
284 error_seccomp_rule_add
:
285 seccomp_release(ctx
);