src/swtpm/seccomp_profile.c

   1 /*
   2  * seccomp_profile.c -- seccomp profile support
   3  *
   4  * (c) Copyright IBM Corporation 2019.
   5  *
   6  * Author: Stefan Berger <stefanb@us.ibm.com>
   7  *
   8  * All rights reserved.
   9  *
  10  * Redistribution and use in source and binary forms, with or without
  11  * modification, are permitted provided that the following conditions are
  12  * met:
  13  *
  14  * Redistributions of source code must retain the above copyright notice,
  15  * this list of conditions and the following disclaimer.
  16  *
  17  * Redistributions in binary form must reproduce the above copyright
  18  * notice, this list of conditions and the following disclaimer in the
  19  * documentation and/or other materials provided with the distribution.
  20  *
  21  * Neither the names of the IBM Corporation nor the names of its
  22  * contributors may be used to endorse or promote products derived from
  23  * this software without specific prior written permission.
  24  *
  25  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
  26  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
  27  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
  28  * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
  29  * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  30  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
  31  * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
  32  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
  33  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  34  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
  35  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  36  */
  37
  38 #include "config.h"
  39
  40 #include <stdbool.h>
  41 #include <string.h>
  42
  43 #ifdef WITH_SECCOMP
  44 # include <seccomp.h>
  45 #endif
  46
  47 #include "logging.h"
  48 #include "utils.h"
  49 #include "seccomp_profile.h"
  50
  51 #ifdef WITH_SECCOMP
  52 static int create_seccomp_profile_add_rules(scmp_filter_ctx ctx,
  53                                             int *syscalls, size_t syscalls_len,
  54                                             unsigned int action)
  55 {
  56     int ret = 0;
  57     unsigned i = 0;
  58     uint32_t act = SCMP_ACT_KILL;
  59
  60 #ifdef SCMP_ACT_LOG
  61     if (action == SWTPM_SECCOMP_ACTION_LOG)
  62         act = SCMP_ACT_LOG;
  63 #endif
  64
  65     for (i = 0; i < syscalls_len; i++) {
  66         ret = seccomp_rule_add(ctx, act, syscalls[i], 0);
  67         if (ret < 0) {
  68             logprintf(STDERR_FILENO,
  69                       "seccomp_rule_add failed with errno %d: %s\n",
  70                       -ret, strerror(-ret));
  71             break;
  72         }
  73     }
  74     return ret;
  75 }
  76
  77 /*
  78  * create_seccomp_profile: Build a blacklist of syscalls
  79  *
  80  * cusetpm: whether to build for the CUSE tpm
  81  * action: the seccomp action
  82  */
  83 int create_seccomp_profile(bool cusetpm, unsigned int action)
  84 {
  85     int blacklist[] = {
  86         /* high concern */
  87         SCMP_SYS(capset),
  88         SCMP_SYS(pivot_root),
  89         SCMP_SYS(chroot),
  90         SCMP_SYS(settimeofday),
  91         SCMP_SYS(clock_adjtime),
  92         SCMP_SYS(clock_settime),
  93 #ifdef __NR_clock_settime64
  94         SCMP_SYS(clock_settime64),
  95 #endif
  96         SCMP_SYS(adjtimex),
  97         SCMP_SYS(mount),
  98         SCMP_SYS(umount2),
  99 #ifdef __NR_fsmount
 100         SCMP_SYS(fsmount),
 101 #endif
 102 #ifdef __NR_move_mount
 103         SCMP_SYS(move_mount),
 104 #endif
 105         SCMP_SYS(swapon),
 106         SCMP_SYS(swapoff),
 107         SCMP_SYS(reboot),
 108         SCMP_SYS(tgkill),
 109         SCMP_SYS(kexec_load),
 110         SCMP_SYS(unshare),
 111         SCMP_SYS(setns),
 112         SCMP_SYS(kcmp),
 113         SCMP_SYS(init_module),
 114         SCMP_SYS(finit_module),
 115         SCMP_SYS(delete_module),
 116         SCMP_SYS(seccomp),
 117         SCMP_SYS(kexec_file_load),
 118 #ifdef __NR_sysctl
 119         SCMP_SYS(sysctl),
 120 #endif
 121         /* semaphores and messages queues */
 122         SCMP_SYS(semget),
 123         SCMP_SYS(semop),
 124         SCMP_SYS(shmget),
 125         SCMP_SYS(shmat),
 126         SCMP_SYS(shmctl),
 127         SCMP_SYS(shmdt),
 128         SCMP_SYS(msgget),
 129         SCMP_SYS(msgsnd),
 130         SCMP_SYS(msgrcv),
 131         SCMP_SYS(msgctl),
 132         SCMP_SYS(mq_open),
 133         SCMP_SYS(mq_unlink),
 134         SCMP_SYS(mq_timedsend),
 135         SCMP_SYS(mq_timedreceive),
 136         SCMP_SYS(mq_notify),
 137         SCMP_SYS(mq_getsetattr),
 138         /* misc */
 139         SCMP_SYS(ptrace),
 140         SCMP_SYS(syslog),
 141         SCMP_SYS(capget),
 142         SCMP_SYS(capset),
 143         SCMP_SYS(sigaltstack),
 144         SCMP_SYS(personality),
 145         SCMP_SYS(sysfs),
 146         SCMP_SYS(getpriority),
 147         SCMP_SYS(setpriority),
 148         SCMP_SYS(sched_setparam),
 149         SCMP_SYS(sched_setscheduler),
 150         SCMP_SYS(sched_setaffinity),
 151         SCMP_SYS(sched_setattr),
 152         SCMP_SYS(vhangup),
 153         SCMP_SYS(sethostname),
 154         SCMP_SYS(setdomainname),
 155         SCMP_SYS(quotactl),
 156         SCMP_SYS(readahead),
 157         SCMP_SYS(lookup_dcookie),
 158         SCMP_SYS(add_key),
 159         SCMP_SYS(request_key),
 160         SCMP_SYS(keyctl),
 161         SCMP_SYS(inotify_init),
 162         SCMP_SYS(inotify_init1),
 163         SCMP_SYS(inotify_add_watch),
 164         SCMP_SYS(inotify_rm_watch),
 165         SCMP_SYS(splice),
 166         SCMP_SYS(tee),
 167         SCMP_SYS(vmsplice),
 168         SCMP_SYS(signalfd),
 169         SCMP_SYS(eventfd),
 170         SCMP_SYS(timerfd_settime),
 171 #ifdef __NR_timer_settime64
 172         SCMP_SYS(timer_settime64),
 173 #endif
 174 #ifdef __NR_timerfd_settime64
 175         SCMP_SYS(timerfd_settime64),
 176 #endif
 177         SCMP_SYS(timerfd_gettime),
 178         SCMP_SYS(signalfd4),
 179         SCMP_SYS(eventfd2),
 180         SCMP_SYS(fanotify_init),
 181         SCMP_SYS(fanotify_mark),
 182         SCMP_SYS(mknod),
 183         SCMP_SYS(mknodat),
 184         SCMP_SYS(acct),
 185         SCMP_SYS(prlimit64),
 186         SCMP_SYS(setrlimit),
 187 #ifdef __NR_bpf
 188         SCMP_SYS(bpf),
 189 #endif
 190 #ifdef __NR_copy_filerange
 191         SCMP_SYS(copy_filerange),
 192 #endif
 193         /* xattrs */
 194         SCMP_SYS(setxattr),
 195         SCMP_SYS(lsetxattr),
 196         SCMP_SYS(fsetxattr),
 197         SCMP_SYS(getxattr),
 198         SCMP_SYS(lgetxattr),
 199         SCMP_SYS(fgetxattr),
 200         SCMP_SYS(listxattr),
 201         SCMP_SYS(llistxattr),
 202         SCMP_SYS(flistxattr),
 203         SCMP_SYS(removexattr),
 204         SCMP_SYS(lremovexattr),
 205         SCMP_SYS(fremovexattr),
 206         /* processs forking */
 207         SCMP_SYS(execve),
 208         /* io */
 209         SCMP_SYS(iopl),
 210         SCMP_SYS(ioperm),
 211         SCMP_SYS(io_setup),
 212         SCMP_SYS(io_destroy),
 213         SCMP_SYS(io_getevents),
 214         SCMP_SYS(io_submit),
 215         SCMP_SYS(io_cancel),
 216         SCMP_SYS(ioprio_set),
 217         SCMP_SYS(ioprio_get),
 218         /* not implemented, removed */
 219         SCMP_SYS(create_module),
 220         SCMP_SYS(get_kernel_syms),
 221         SCMP_SYS(query_module),
 222         SCMP_SYS(uselib),
 223         SCMP_SYS(nfsservctl),
 224         SCMP_SYS(getpmsg),
 225         SCMP_SYS(putpmsg),
 226         SCMP_SYS(afs_syscall),
 227         SCMP_SYS(tuxcall),
 228         SCMP_SYS(security),
 229         SCMP_SYS(set_thread_area),
 230         SCMP_SYS(get_thread_area),
 231         SCMP_SYS(epoll_ctl_old),
 232         SCMP_SYS(epoll_wait_old),
 233         SCMP_SYS(vserver),
 234         /* privileged */
 235         SCMP_SYS(setuid),
 236         SCMP_SYS(setgid),
 237         SCMP_SYS(setpgid),
 238         SCMP_SYS(setsid),
 239         SCMP_SYS(setreuid),
 240         SCMP_SYS(setregid),
 241         SCMP_SYS(setgroups),
 242         SCMP_SYS(setresuid),
 243         SCMP_SYS(setresgid),
 244         SCMP_SYS(setfsuid),
 245         SCMP_SYS(setfsgid)
 246     };
 247     /* CUSE TPM needs to clone or fork */
 248     int blacklist_noncuse[] = {
 249         SCMP_SYS(clone),
 250         SCMP_SYS(fork),
 251         SCMP_SYS(vfork),
 252         SCMP_SYS(prctl),
 253 #ifdef __NR_clone3
 254         SCMP_SYS(clone3),
 255 #endif
 256     };
 257     scmp_filter_ctx ctx;
 258     int ret;
 259
 260     if (action == SWTPM_SECCOMP_ACTION_NONE)
 261         return 0;
 262
 263     ctx = seccomp_init(SCMP_ACT_ALLOW);
 264     if (!ctx) {
 265         logprintf(STDERR_FILENO, "seccomp_init failed\n");
 266         return -1;
 267     }
 268
 269     if ((ret = create_seccomp_profile_add_rules(ctx, blacklist,
 270                                                 ARRAY_LEN(blacklist),
 271                                                 action)) < 0)
 272         goto error_seccomp_rule_add;
 273
 274     if (!cusetpm &&
 275         (ret = create_seccomp_profile_add_rules(ctx, blacklist_noncuse,
 276                                                 ARRAY_LEN(blacklist_noncuse),
 277                                                 action)) < 0)
 278         goto error_seccomp_rule_add;
 279
 280     if ((ret = seccomp_load(ctx)) < 0)
 281         logprintf(STDERR_FILENO, "seccomp_load failed with errno %d: %s\n",
 282                   -ret, strerror(-ret));
 283
 284 error_seccomp_rule_add:
 285     seccomp_release(ctx);
 286
 287     return ret;
 288 }
 289 #endif