[mirror_lxc.git] / src / lxc / seccomp.c

/*
 * lxc: linux Container library
 *
 * (C) Copyright Canonical, Inc. 2012
 *
 * Authors:
 * Serge Hallyn <serge.hallyn@canonical.com>
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
 */

#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <seccomp.h>
#include <errno.h>
#include <seccomp.h>
#include <sys/utsname.h>
#include <sys/mount.h>

#include "config.h"
#include "lxcseccomp.h"
#include "log.h"

lxc_log_define(lxc_seccomp, lxc);

static int parse_config_v1(FILE *f, struct lxc_conf *conf)
{
	char line[1024];
	int ret;

	while (fgets(line, 1024, f)) {
		int nr;
		ret = sscanf(line, "%d", &nr);
		if (ret != 1)
			return -1;
		ret = seccomp_rule_add(
#if HAVE_SCMP_FILTER_CTX
			conf->seccomp_ctx,
#endif
			SCMP_ACT_ALLOW, nr, 0);
		if (ret < 0) {
			ERROR("failed loading allow rule for %d", nr);
			return ret;
		}
	}
	return 0;
}

#if HAVE_DECL_SECCOMP_SYSCALL_RESOLVE_NAME_ARCH
static void remove_trailing_newlines(char *l)
{
	char *p = l;

	while (*p)
		p++;
	while (--p >= l && *p == '\n')
		*p = '\0';
}

static uint32_t get_v2_default_action(char *line)
{
	uint32_t ret_action = -1;

	while (*line == ' ') line++;
	// after 'whitelist' or 'blacklist' comes default behavior
	if (strncmp(line, "kill", 4) == 0)
		ret_action = SCMP_ACT_KILL;
	else if (strncmp(line, "errno", 5) == 0) {
		int e;
		if (sscanf(line+5, "%d", &e) != 1) {
			ERROR("Bad errno value in %s", line);
			return -2;
		}
		ret_action = SCMP_ACT_ERRNO(e);
	} else if (strncmp(line, "allow", 5) == 0)
		ret_action = SCMP_ACT_ALLOW;
	else if (strncmp(line, "trap", 4) == 0)
		ret_action = SCMP_ACT_TRAP;
	return ret_action;
}

static uint32_t get_and_clear_v2_action(char *line, uint32_t def_action)
{
	char *p = strchr(line, ' ');
	uint32_t ret;

	if (!p)
		return def_action;
	*p = '\0';
	p++;
	while (*p == ' ')
		p++;
	if (!*p || *p == '#')
		return def_action;
	ret = get_v2_default_action(p);
	switch(ret) {
	case -2: return -1;
	case -1: return def_action;
	default: return ret;
	}
}
#endif

#if HAVE_DECL_SECCOMP_SYSCALL_RESOLVE_NAME_ARCH
enum lxc_hostarch_t {
	lxc_seccomp_arch_all = 0,
	lxc_seccomp_arch_native,
	lxc_seccomp_arch_i386,
	lxc_seccomp_arch_amd64,
	lxc_seccomp_arch_arm,
	lxc_seccomp_arch_arm64,
	lxc_seccomp_arch_ppc64,
	lxc_seccomp_arch_ppc64le,
	lxc_seccomp_arch_ppc,
	lxc_seccomp_arch_unknown = 999,
};

int get_hostarch(void)
{
	struct utsname uts;
	if (uname(&uts) < 0) {
		SYSERROR("Failed to read host arch");
		return -1;
	}
	if (strcmp(uts.machine, "i686") == 0)
		return lxc_seccomp_arch_i386;
	else if (strcmp(uts.machine, "x86_64") == 0)
		return lxc_seccomp_arch_amd64;
	else if (strncmp(uts.machine, "armv7", 5) == 0)
		return lxc_seccomp_arch_arm;
	else if (strncmp(uts.machine, "aarch64", 7) == 0)
		return lxc_seccomp_arch_arm64;
	else if (strncmp(uts.machine, "ppc64le", 7) == 0)
		return lxc_seccomp_arch_ppc64le;
	else if (strncmp(uts.machine, "ppc64", 5) == 0)
		return lxc_seccomp_arch_ppc64;
	else if (strncmp(uts.machine, "ppc", 3) == 0)
		return lxc_seccomp_arch_ppc;
	return lxc_seccomp_arch_unknown;
}

scmp_filter_ctx get_new_ctx(enum lxc_hostarch_t n_arch, uint32_t default_policy_action)
{
	scmp_filter_ctx ctx;
	int ret;
	uint32_t arch;

	switch(n_arch) {
	case lxc_seccomp_arch_i386: arch = SCMP_ARCH_X86; break;
	case lxc_seccomp_arch_amd64: arch = SCMP_ARCH_X86_64; break;
	case lxc_seccomp_arch_arm: arch = SCMP_ARCH_ARM; break;
#ifdef SCMP_ARCH_AARCH64
	case lxc_seccomp_arch_arm64: arch = SCMP_ARCH_AARCH64; break;
#endif
#ifdef SCMP_ARCH_PPC64LE
	case lxc_seccomp_arch_ppc64le: arch = SCMP_ARCH_PPC64LE; break;
#endif
#ifdef SCMP_ARCH_PPC64
	case lxc_seccomp_arch_ppc64: arch = SCMP_ARCH_PPC64; break;
#endif
#ifdef SCMP_ARCH_PPC
	case lxc_seccomp_arch_ppc: arch = SCMP_ARCH_PPC; break;
#endif
	default: return NULL;
	}

	if ((ctx = seccomp_init(default_policy_action)) == NULL) {
		ERROR("Error initializing seccomp context");
		return NULL;
	}
	if (seccomp_attr_set(ctx, SCMP_FLTATR_CTL_NNP, 0)) {
		ERROR("failed to turn off n-new-privs");
		seccomp_release(ctx);
		return NULL;
	}
	ret = seccomp_arch_add(ctx, arch);
	if (ret != 0) {
		ERROR("Seccomp error %d (%s) adding arch: %d", ret,
				strerror(ret), (int)n_arch);
		seccomp_release(ctx);
		return NULL;
	}
	if (seccomp_arch_remove(ctx, SCMP_ARCH_NATIVE) != 0) {
		ERROR("Seccomp error removing native arch");
		seccomp_release(ctx);
		return NULL;
	}

	return ctx;
}

bool do_resolve_add_rule(uint32_t arch, char *line, scmp_filter_ctx ctx,
			uint32_t action)
{
	int nr, ret;

	if (arch && seccomp_arch_exist(ctx, arch) != 0) {
		ERROR("BUG: seccomp: rule and context arch do not match (arch %d)", arch);
		return false;
	}

	if (strncmp(line, "reject_force_umount", 19) == 0) {
		INFO("Setting seccomp rule to reject force umounts\n");
		ret = seccomp_rule_add_exact(ctx, SCMP_ACT_ERRNO(EACCES), SCMP_SYS(umount2),
				1, SCMP_A1(SCMP_CMP_MASKED_EQ , MNT_FORCE , MNT_FORCE ));
		if (ret < 0) {
			ERROR("failed (%d) loading rule to reject force umount", ret);
			return false;
		}
		return true;
	}

	nr = seccomp_syscall_resolve_name(line);
	if (nr == __NR_SCMP_ERROR) {
		WARN("Seccomp: failed to resolve syscall: %s", line);
		WARN("This syscall will NOT be blacklisted");
		return true;
	}
	if (nr < 0) {
		WARN("Seccomp: got negative # for syscall: %s", line);
		WARN("This syscall will NOT be blacklisted");
		return true;
	}
	ret = seccomp_rule_add_exact(ctx, action, nr, 0);
	if (ret < 0) {
		ERROR("failed (%d) loading rule for %s (nr %d action %d)", ret, line, nr, action);
		return false;
	}
	return true;
}

/*
 * v2 consists of
 * [x86]
 * open
 * read
 * write
 * close
 * # a comment
 * [x86_64]
 * open
 * read
 * write
 * close
 */
static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
{
	char *p;
	int ret;
	scmp_filter_ctx compat_ctx = NULL;
	bool blacklist = false;
	uint32_t default_policy_action = -1, default_rule_action = -1, action;
	enum lxc_hostarch_t native_arch = get_hostarch(),
			    cur_rule_arch = native_arch;
	uint32_t compat_arch = SCMP_ARCH_NATIVE;

	if (strncmp(line, "blacklist", 9) == 0)
		blacklist = true;
	else if (strncmp(line, "whitelist", 9) != 0) {
		ERROR("Bad seccomp policy style: %s", line);
		return -1;
	}

	if ((p = strchr(line, ' '))) {
		default_policy_action = get_v2_default_action(p+1);
		if (default_policy_action == -2)
			return -1;
	}

	/* for blacklist, allow any syscall which has no rule */
	if (blacklist) {
		if (default_policy_action == -1)
			default_policy_action = SCMP_ACT_ALLOW;
		if (default_rule_action == -1)
			default_rule_action = SCMP_ACT_KILL;
	} else {
		if (default_policy_action == -1)
			default_policy_action = SCMP_ACT_KILL;
		if (default_rule_action == -1)
			default_rule_action = SCMP_ACT_ALLOW;
	}

	if (native_arch == lxc_seccomp_arch_amd64) {
		cur_rule_arch = lxc_seccomp_arch_all;
		compat_arch = SCMP_ARCH_X86;
		// Detect if we are on x86_64 kernel with 32-bit userspace
		if (seccomp_arch_exist(conf->seccomp_ctx, SCMP_ARCH_X86)) {
			compat_ctx = conf->seccomp_ctx;
			conf->seccomp_ctx = get_new_ctx(lxc_seccomp_arch_amd64,
					default_policy_action);
			if (!conf->seccomp_ctx)
				goto bad;
		} else {
			compat_ctx = get_new_ctx(lxc_seccomp_arch_i386,
					default_policy_action);
			if (!compat_ctx)
				goto bad;
		}
	}

	if (default_policy_action != SCMP_ACT_KILL) {
		ret = seccomp_reset(conf->seccomp_ctx, default_policy_action);
		if (ret != 0) {
			ERROR("Error re-initializing seccomp");
			return -1;
		}
		if (seccomp_attr_set(conf->seccomp_ctx, SCMP_FLTATR_CTL_NNP, 0)) {
			ERROR("failed to turn off n-new-privs");
			return -1;
		}
	}

	while (fgets(line, 1024, f)) {

		if (line[0] == '#')
			continue;
		if (strlen(line) == 0)
			continue;
		remove_trailing_newlines(line);
		INFO("processing: .%s.", line);
		if (line[0] == '[') {
			// read the architecture for next set of rules
			if (strcmp(line, "[x86]") == 0 ||
					strcmp(line, "[X86]") == 0) {
				if (native_arch != lxc_seccomp_arch_i386 &&
					native_arch != lxc_seccomp_arch_amd64) {
					cur_rule_arch = lxc_seccomp_arch_unknown;
					continue;
				}
				cur_rule_arch = lxc_seccomp_arch_i386;
			} else if (strcmp(line, "[X86_64]") == 0 ||
					strcmp(line, "[x86_64]") == 0) {
				if (native_arch != lxc_seccomp_arch_amd64) {
					cur_rule_arch = lxc_seccomp_arch_unknown;
					continue;
				}
				cur_rule_arch = lxc_seccomp_arch_amd64;
			} else if (strcmp(line, "[all]") == 0 ||
					strcmp(line, "[ALL]") == 0) {
				cur_rule_arch = lxc_seccomp_arch_all;
			}
#ifdef SCMP_ARCH_ARM
			else if (strcmp(line, "[arm]") == 0 ||
					strcmp(line, "[ARM]") == 0) {
				if (native_arch != lxc_seccomp_arch_arm) {
					cur_rule_arch = lxc_seccomp_arch_unknown;
					continue;
				}
				cur_rule_arch = lxc_seccomp_arch_arm;
			}
#endif
#ifdef SCMP_ARCH_AARCH64
			else if (strcmp(line, "[arm64]") == 0 ||
					strcmp(line, "[ARM64]") == 0) {
				if (native_arch != lxc_seccomp_arch_arm64) {
					cur_rule_arch = lxc_seccomp_arch_unknown;
					continue;
				}
				cur_rule_arch = lxc_seccomp_arch_arm64;
			}
#endif
#ifdef SCMP_ARCH_PPC64LE
			else if (strcmp(line, "[ppc64le]") == 0 ||
					strcmp(line, "[PPC64LE]") == 0) {
				if (native_arch != lxc_seccomp_arch_ppc64le) {
					cur_rule_arch = lxc_seccomp_arch_unknown;
					continue;
				}
				cur_rule_arch = lxc_seccomp_arch_ppc64le;
			}
#endif
#ifdef SCMP_ARCH_PPC64
			else if (strcmp(line, "[ppc64]") == 0 ||
					strcmp(line, "[PPC64]") == 0) {
				if (native_arch != lxc_seccomp_arch_ppc64) {
					cur_rule_arch = lxc_seccomp_arch_unknown;
					continue;
				}
				cur_rule_arch = lxc_seccomp_arch_ppc64;
			}
#endif
#ifdef SCMP_ARCH_PPC
			else if (strcmp(line, "[ppc]") == 0 ||
					strcmp(line, "[PPC]") == 0) {
				if (native_arch != lxc_seccomp_arch_ppc) {
					cur_rule_arch = lxc_seccomp_arch_unknown;
					continue;
				}
				cur_rule_arch = lxc_seccomp_arch_ppc;
			}
#endif
			else
				goto bad_arch;

			continue;
		}

		/* irrelevant arch - i.e. arm on i386 */
		if (cur_rule_arch == lxc_seccomp_arch_unknown)
			continue;

		/* read optional action which follows the syscall */
		action = get_and_clear_v2_action(line, default_rule_action);
		if (action == -1) {
			ERROR("Failed to interpret action");
			goto bad_rule;
		}

		if (cur_rule_arch == native_arch ||
		    cur_rule_arch == lxc_seccomp_arch_native ||
		    compat_arch == SCMP_ARCH_NATIVE) {
			INFO("Adding native rule for %s action %d", line, action);
			if (!do_resolve_add_rule(SCMP_ARCH_NATIVE, line, conf->seccomp_ctx, action))
				goto bad_rule;
		}
		else if (cur_rule_arch != lxc_seccomp_arch_all) {
			INFO("Adding compat-only rule for %s action %d", line, action);
			if (!do_resolve_add_rule(compat_arch, line, compat_ctx, action))
				goto bad_rule;
		}
		else {
			INFO("Adding native rule for %s action %d", line, action);
			if (!do_resolve_add_rule(SCMP_ARCH_NATIVE, line, conf->seccomp_ctx, action))
				goto bad_rule;
			INFO("Adding compat rule for %s action %d", line, action);
			if (!do_resolve_add_rule(compat_arch, line, compat_ctx, action))
				goto bad_rule;
		}
	}

	if (compat_ctx) {
		INFO("Merging in the compat seccomp ctx into the main one");
		if (seccomp_merge(conf->seccomp_ctx, compat_ctx) != 0) {
			ERROR("Error merging i386 seccomp contexts");
			goto bad;
		}
	}

	return 0;

bad_arch:
	ERROR("Unsupported arch: %s", line);
bad_rule:
bad:
	if (compat_ctx)
		seccomp_release(compat_ctx);
	return -1;
}
#else /* HAVE_DECL_SECCOMP_SYSCALL_RESOLVE_NAME_ARCH */
static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
{
	return -1;
}
#endif /* HAVE_DECL_SECCOMP_SYSCALL_RESOLVE_NAME_ARCH */

/*
 * The first line of the config file has a policy language version
 * the second line has some directives
 * then comes policy subject to the directives
 * right now version must be '1'
 * the directives must include 'whitelist' (only type of policy currently
 * supported) and can include 'debug' (though debug is not yet supported).
 */
static int parse_config(FILE *f, struct lxc_conf *conf)
{
	char line[1024];
	int ret, version;

	ret = fscanf(f, "%d\n", &version);
	if (ret != 1 || (version != 1 && version != 2)) {
		ERROR("invalid version");
		return -1;
	}
	if (!fgets(line, 1024, f)) {
		ERROR("invalid config file");
		return -1;
	}
	if (version == 1 && !strstr(line, "whitelist")) {
		ERROR("only whitelist policy is supported");
		return -1;
	}

	if (strstr(line, "debug")) {
		ERROR("debug not yet implemented");
		return -1;
	}

	if (version == 1)
		return parse_config_v1(f, conf);
	return parse_config_v2(f, line, conf);
}

/*
 * use_seccomp: return true if we should try and apply a seccomp policy
 * if defined for the container.
 * This will return false if
 *   1. seccomp is not enabled in the kernel
 *   2. a seccomp policy is already enabled for this task
 */
static bool use_seccomp(void)
{
	FILE *f = fopen("/proc/self/status", "r");
	char line[1024];
	bool already_enabled = false;
	bool found = false;
	int ret, v;

	if (!f)
		return true;

	while (fgets(line, 1024, f)) {
		if (strncmp(line, "Seccomp:", 8) == 0) {
			found = true;
			ret = sscanf(line+8, "%d", &v);
			if (ret == 1 && v != 0)
				already_enabled = true;
			break;
		}
	}

	fclose(f);
	if (!found) {  /* no Seccomp line, no seccomp in kernel */
		INFO("Seccomp is not enabled in the kernel");
		return false;
	}
	if (already_enabled) {  /* already seccomp-confined */
		INFO("Already seccomp-confined, not loading new policy");
		return false;
	}
	return true;
}

int lxc_read_seccomp_config(struct lxc_conf *conf)
{
	FILE *f;
	int ret;

	if (!conf->seccomp)
		return 0;

	if (!use_seccomp())
		return 0;
#if HAVE_SCMP_FILTER_CTX
	/* XXX for debug, pass in SCMP_ACT_TRAP */
	conf->seccomp_ctx = seccomp_init(SCMP_ACT_KILL);
	ret = !conf->seccomp_ctx;
#else
	ret = seccomp_init(SCMP_ACT_KILL) < 0;
#endif
	if (ret) {
		ERROR("failed initializing seccomp");
		return -1;
	}

	/* turn of no-new-privs.  We don't want it in lxc, and it breaks
	 * with apparmor */
	if (seccomp_attr_set(
#if HAVE_SCMP_FILTER_CTX
			conf->seccomp_ctx,
#endif
			SCMP_FLTATR_CTL_NNP, 0)) {
		ERROR("failed to turn off n-new-privs");
		return -1;
	}

	f = fopen(conf->seccomp, "r");
	if (!f) {
		SYSERROR("failed to open seccomp policy file %s", conf->seccomp);
		return -1;
	}
	ret = parse_config(f, conf);
	fclose(f);
	return ret;
}

int lxc_seccomp_load(struct lxc_conf *conf)
{
	int ret;
	if (!conf->seccomp)
		return 0;
	if (!use_seccomp())
		return 0;
	ret = seccomp_load(
#if HAVE_SCMP_FILTER_CTX
			conf->seccomp_ctx
#endif
	);
	if (ret < 0) {
		ERROR("Error loading the seccomp policy");
		return -1;
	}
	return 0;
}

void lxc_seccomp_free(struct lxc_conf *conf) {
	free(conf->seccomp);
	conf->seccomp = NULL;
#if HAVE_SCMP_FILTER_CTX
	if (conf->seccomp_ctx) {
		seccomp_release(conf->seccomp_ctx);
		conf->seccomp_ctx = NULL;
	}
#endif
}
Commit	Line	Data
8f2c3a70 SH	1	/*
	2	* lxc: linux Container library
	3	*
	4	* (C) Copyright Canonical, Inc. 2012
	5	*
	6	* Authors:
	7	* Serge Hallyn <serge.hallyn@canonical.com>
	8	*
	9	* This library is free software; you can redistribute it and/or
	10	* modify it under the terms of the GNU Lesser General Public
	11	* License as published by the Free Software Foundation; either
	12	* version 2.1 of the License, or (at your option) any later version.
	13	*
	14	* This library is distributed in the hope that it will be useful,
	15	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	16	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	17	* Lesser General Public License for more details.
	18	*
	19	* You should have received a copy of the GNU Lesser General Public
	20	* License along with this library; if not, write to the Free Software
250b1eec	21	* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
8f2c3a70 SH	22	*/
	23
	24	#define _GNU_SOURCE
	25	#include <stdio.h>
	26	#include <stdlib.h>
	27	#include <seccomp.h>
	28	#include <errno.h>
	29	#include <seccomp.h>
d58c6ad0	30	#include <sys/utsname.h>
6166fa6d	31	#include <sys/mount.h>
f2363e38	32
769872f9	33	#include "config.h"
8f2c3a70	34	#include "lxcseccomp.h"
8f2c3a70 SH	35	#include "log.h"
	36
	37	lxc_log_define(lxc_seccomp, lxc);
	38
50798138 SH	39	static int parse_config_v1(FILE f, struct lxc_conf conf)
	40	{
	41	char line[1024];
	42	int ret;
	43
	44	while (fgets(line, 1024, f)) {
	45	int nr;
	46	ret = sscanf(line, "%d", &nr);
	47	if (ret != 1)
	48	return -1;
	49	ret = seccomp_rule_add(
	50	#if HAVE_SCMP_FILTER_CTX
	51	conf->seccomp_ctx,
	52	#endif
	53	SCMP_ACT_ALLOW, nr, 0);
	54	if (ret < 0) {
	55	ERROR("failed loading allow rule for %d", nr);
	56	return ret;
	57	}
	58	}
	59	return 0;
	60	}
	61
2b0ae718	62	#if HAVE_DECL_SECCOMP_SYSCALL_RESOLVE_NAME_ARCH
50798138 SH	63	static void remove_trailing_newlines(char *l)
	64	{
	65	char *p = l;
	66
	67	while (*p)
	68	p++;
	69	while (--p >= l && *p == '\n')
	70	*p = '\0';
	71	}
	72
	73	static uint32_t get_v2_default_action(char *line)
	74	{
	75	uint32_t ret_action = -1;
	76
	77	while (*line == ' ') line++;
	78	// after 'whitelist' or 'blacklist' comes default behavior
	79	if (strncmp(line, "kill", 4) == 0)
	80	ret_action = SCMP_ACT_KILL;
	81	else if (strncmp(line, "errno", 5) == 0) {
	82	int e;
	83	if (sscanf(line+5, "%d", &e) != 1) {
	84	ERROR("Bad errno value in %s", line);
	85	return -2;
	86	}
	87	ret_action = SCMP_ACT_ERRNO(e);
	88	} else if (strncmp(line, "allow", 5) == 0)
	89	ret_action = SCMP_ACT_ALLOW;
	90	else if (strncmp(line, "trap", 4) == 0)
	91	ret_action = SCMP_ACT_TRAP;
	92	return ret_action;
	93	}
	94
	95	static uint32_t get_and_clear_v2_action(char *line, uint32_t def_action)
	96	{
	97	char *p = strchr(line, ' ');
	98	uint32_t ret;
	99
	100	if (!p)
	101	return def_action;
	102	*p = '\0';
	103	p++;
	104	while (*p == ' ')
	105	p++;
	106	if (!p \|\| p == '#')
	107	return def_action;
	108	ret = get_v2_default_action(p);
	109	switch(ret) {
	110	case -2: return -1;
	111	case -1: return def_action;
	112	default: return ret;
	113	}
	114	}
2b0ae718	115	#endif
50798138	116
d58c6ad0 SH	117	#if HAVE_DECL_SECCOMP_SYSCALL_RESOLVE_NAME_ARCH
	118	enum lxc_hostarch_t {
	119	lxc_seccomp_arch_all = 0,
	120	lxc_seccomp_arch_native,
	121	lxc_seccomp_arch_i386,
	122	lxc_seccomp_arch_amd64,
	123	lxc_seccomp_arch_arm,
9d291dd2	124	lxc_seccomp_arch_arm64,
b4067426 BP	125	lxc_seccomp_arch_ppc64,
	126	lxc_seccomp_arch_ppc64le,
	127	lxc_seccomp_arch_ppc,
d58c6ad0 SH	128	lxc_seccomp_arch_unknown = 999,
	129	};
	130
	131	int get_hostarch(void)
	132	{
	133	struct utsname uts;
	134	if (uname(&uts) < 0) {
	135	SYSERROR("Failed to read host arch");
	136	return -1;
	137	}
	138	if (strcmp(uts.machine, "i686") == 0)
	139	return lxc_seccomp_arch_i386;
	140	else if (strcmp(uts.machine, "x86_64") == 0)
	141	return lxc_seccomp_arch_amd64;
	142	else if (strncmp(uts.machine, "armv7", 5) == 0)
	143	return lxc_seccomp_arch_arm;
9d291dd2 BP	144	else if (strncmp(uts.machine, "aarch64", 7) == 0)
9d291dd2 BP	145	return lxc_seccomp_arch_arm64;
b4067426 BP	146	else if (strncmp(uts.machine, "ppc64le", 7) == 0)
	147	return lxc_seccomp_arch_ppc64le;
	148	else if (strncmp(uts.machine, "ppc64", 5) == 0)
	149	return lxc_seccomp_arch_ppc64;
	150	else if (strncmp(uts.machine, "ppc", 3) == 0)
	151	return lxc_seccomp_arch_ppc;
d58c6ad0 SH	152	return lxc_seccomp_arch_unknown;
	153	}
	154
	155	scmp_filter_ctx get_new_ctx(enum lxc_hostarch_t n_arch, uint32_t default_policy_action)
	156	{
	157	scmp_filter_ctx ctx;
	158	int ret;
	159	uint32_t arch;
	160
	161	switch(n_arch) {
	162	case lxc_seccomp_arch_i386: arch = SCMP_ARCH_X86; break;
	163	case lxc_seccomp_arch_amd64: arch = SCMP_ARCH_X86_64; break;
	164	case lxc_seccomp_arch_arm: arch = SCMP_ARCH_ARM; break;
9d291dd2 BP	165	#ifdef SCMP_ARCH_AARCH64
	166	case lxc_seccomp_arch_arm64: arch = SCMP_ARCH_AARCH64; break;
	167	#endif
b4067426 BP	168	#ifdef SCMP_ARCH_PPC64LE
	169	case lxc_seccomp_arch_ppc64le: arch = SCMP_ARCH_PPC64LE; break;
	170	#endif
	171	#ifdef SCMP_ARCH_PPC64
	172	case lxc_seccomp_arch_ppc64: arch = SCMP_ARCH_PPC64; break;
	173	#endif
	174	#ifdef SCMP_ARCH_PPC
	175	case lxc_seccomp_arch_ppc: arch = SCMP_ARCH_PPC; break;
	176	#endif
d58c6ad0 SH	177	default: return NULL;
	178	}
	179
	180	if ((ctx = seccomp_init(default_policy_action)) == NULL) {
	181	ERROR("Error initializing seccomp context");
	182	return NULL;
	183	}
	184	if (seccomp_attr_set(ctx, SCMP_FLTATR_CTL_NNP, 0)) {
	185	ERROR("failed to turn off n-new-privs");
	186	seccomp_release(ctx);
	187	return NULL;
	188	}
	189	ret = seccomp_arch_add(ctx, arch);
	190	if (ret != 0) {
	191	ERROR("Seccomp error %d (%s) adding arch: %d", ret,
	192	strerror(ret), (int)n_arch);
	193	seccomp_release(ctx);
	194	return NULL;
	195	}
	196	if (seccomp_arch_remove(ctx, SCMP_ARCH_NATIVE) != 0) {
	197	ERROR("Seccomp error removing native arch");
	198	seccomp_release(ctx);
	199	return NULL;
	200	}
	201
	202	return ctx;
	203	}
	204
	205	bool do_resolve_add_rule(uint32_t arch, char *line, scmp_filter_ctx ctx,
	206	uint32_t action)
	207	{
	208	int nr, ret;
	209
cd75548b	210	if (arch && seccomp_arch_exist(ctx, arch) != 0) {
d58c6ad0 SH	211	ERROR("BUG: seccomp: rule and context arch do not match (arch %d)", arch);
	212	return false;
	213	}
6166fa6d SH	214
	215	if (strncmp(line, "reject_force_umount", 19) == 0) {
	216	INFO("Setting seccomp rule to reject force umounts\n");
	217	ret = seccomp_rule_add_exact(ctx, SCMP_ACT_ERRNO(EACCES), SCMP_SYS(umount2),
	218	1, SCMP_A1(SCMP_CMP_MASKED_EQ , MNT_FORCE , MNT_FORCE ));
	219	if (ret < 0) {
	220	ERROR("failed (%d) loading rule to reject force umount", ret);
	221	return false;
	222	}
	223	return true;
	224	}
	225
cd75548b	226	nr = seccomp_syscall_resolve_name(line);
d58c6ad0 SH	227	if (nr == __NR_SCMP_ERROR) {
	228	WARN("Seccomp: failed to resolve syscall: %s", line);
	229	WARN("This syscall will NOT be blacklisted");
	230	return true;
	231	}
	232	if (nr < 0) {
	233	WARN("Seccomp: got negative # for syscall: %s", line);
	234	WARN("This syscall will NOT be blacklisted");
	235	return true;
	236	}
	237	ret = seccomp_rule_add_exact(ctx, action, nr, 0);
	238	if (ret < 0) {
	239	ERROR("failed (%d) loading rule for %s (nr %d action %d)", ret, line, nr, action);
	240	return false;
	241	}
	242	return true;
	243	}
	244
50798138 SH	245	/*
	246	* v2 consists of
	247	* [x86]
	248	* open
	249	* read
	250	* write
	251	* close
	252	* # a comment
	253	* [x86_64]
	254	* open
	255	* read
	256	* write
	257	* close
	258	*/
	259	static int parse_config_v2(FILE f, char line, struct lxc_conf *conf)
	260	{
50798138 SH	261	char *p;
50798138 SH	262	int ret;
d58c6ad0	263	scmp_filter_ctx compat_ctx = NULL;
50798138 SH	264	bool blacklist = false;
50798138 SH	265	uint32_t default_policy_action = -1, default_rule_action = -1, action;
d58c6ad0 SH	266	enum lxc_hostarch_t native_arch = get_hostarch(),
d58c6ad0 SH	267	cur_rule_arch = native_arch;
d6417887	268	uint32_t compat_arch = SCMP_ARCH_NATIVE;
50798138 SH	269
	270	if (strncmp(line, "blacklist", 9) == 0)
	271	blacklist = true;
	272	else if (strncmp(line, "whitelist", 9) != 0) {
	273	ERROR("Bad seccomp policy style: %s", line);
	274	return -1;
	275	}
	276
	277	if ((p = strchr(line, ' '))) {
	278	default_policy_action = get_v2_default_action(p+1);
	279	if (default_policy_action == -2)
	280	return -1;
	281	}
	282
	283	/* for blacklist, allow any syscall which has no rule */
	284	if (blacklist) {
	285	if (default_policy_action == -1)
	286	default_policy_action = SCMP_ACT_ALLOW;
	287	if (default_rule_action == -1)
	288	default_rule_action = SCMP_ACT_KILL;
	289	} else {
	290	if (default_policy_action == -1)
	291	default_policy_action = SCMP_ACT_KILL;
	292	if (default_rule_action == -1)
	293	default_rule_action = SCMP_ACT_ALLOW;
	294	}
	295
d58c6ad0 SH	296	if (native_arch == lxc_seccomp_arch_amd64) {
d58c6ad0 SH	297	cur_rule_arch = lxc_seccomp_arch_all;
d6417887	298	compat_arch = SCMP_ARCH_X86;
473ebc77 SH	299	// Detect if we are on x86_64 kernel with 32-bit userspace
	300	if (seccomp_arch_exist(conf->seccomp_ctx, SCMP_ARCH_X86)) {
	301	compat_ctx = conf->seccomp_ctx;
	302	conf->seccomp_ctx = get_new_ctx(lxc_seccomp_arch_amd64,
	303	default_policy_action);
	304	if (!conf->seccomp_ctx)
	305	goto bad;
	306	} else {
	307	compat_ctx = get_new_ctx(lxc_seccomp_arch_i386,
	308	default_policy_action);
	309	if (!compat_ctx)
	310	goto bad;
	311	}
d58c6ad0 SH	312	}
d58c6ad0 SH	313
50798138 SH	314	if (default_policy_action != SCMP_ACT_KILL) {
	315	ret = seccomp_reset(conf->seccomp_ctx, default_policy_action);
	316	if (ret != 0) {
	317	ERROR("Error re-initializing seccomp");
	318	return -1;
	319	}
	320	if (seccomp_attr_set(conf->seccomp_ctx, SCMP_FLTATR_CTL_NNP, 0)) {
	321	ERROR("failed to turn off n-new-privs");
	322	return -1;
	323	}
	324	}
	325
	326	while (fgets(line, 1024, f)) {
50798138 SH	327
	328	if (line[0] == '#')
	329	continue;
	330	if (strlen(line) == 0)
	331	continue;
	332	remove_trailing_newlines(line);
	333	INFO("processing: .%s.", line);
	334	if (line[0] == '[') {
	335	// read the architecture for next set of rules
	336	if (strcmp(line, "[x86]") == 0 \|\|
d58c6ad0 SH	337	strcmp(line, "[X86]") == 0) {
	338	if (native_arch != lxc_seccomp_arch_i386 &&
	339	native_arch != lxc_seccomp_arch_amd64) {
	340	cur_rule_arch = lxc_seccomp_arch_unknown;
	341	continue;
	342	}
	343	cur_rule_arch = lxc_seccomp_arch_i386;
d58c6ad0 SH	344	} else if (strcmp(line, "[X86_64]") == 0 \|\|
	345	strcmp(line, "[x86_64]") == 0) {
	346	if (native_arch != lxc_seccomp_arch_amd64) {
	347	cur_rule_arch = lxc_seccomp_arch_unknown;
	348	continue;
	349	}
	350	cur_rule_arch = lxc_seccomp_arch_amd64;
d58c6ad0 SH	351	} else if (strcmp(line, "[all]") == 0 \|\|
	352	strcmp(line, "[ALL]") == 0) {
	353	cur_rule_arch = lxc_seccomp_arch_all;
d58c6ad0	354	}
2b0ae718	355	#ifdef SCMP_ARCH_ARM
50798138	356	else if (strcmp(line, "[arm]") == 0 \|\|
d58c6ad0 SH	357	strcmp(line, "[ARM]") == 0) {
	358	if (native_arch != lxc_seccomp_arch_arm) {
	359	cur_rule_arch = lxc_seccomp_arch_unknown;
	360	continue;
	361	}
	362	cur_rule_arch = lxc_seccomp_arch_arm;
d58c6ad0	363	}
b4067426	364	#endif
9d291dd2 BP	365	#ifdef SCMP_ARCH_AARCH64
	366	else if (strcmp(line, "[arm64]") == 0 \|\|
	367	strcmp(line, "[ARM64]") == 0) {
	368	if (native_arch != lxc_seccomp_arch_arm64) {
	369	cur_rule_arch = lxc_seccomp_arch_unknown;
	370	continue;
	371	}
	372	cur_rule_arch = lxc_seccomp_arch_arm64;
	373	}
	374	#endif
b4067426 BP	375	#ifdef SCMP_ARCH_PPC64LE
	376	else if (strcmp(line, "[ppc64le]") == 0 \|\|
	377	strcmp(line, "[PPC64LE]") == 0) {
	378	if (native_arch != lxc_seccomp_arch_ppc64le) {
	379	cur_rule_arch = lxc_seccomp_arch_unknown;
	380	continue;
	381	}
	382	cur_rule_arch = lxc_seccomp_arch_ppc64le;
	383	}
	384	#endif
	385	#ifdef SCMP_ARCH_PPC64
	386	else if (strcmp(line, "[ppc64]") == 0 \|\|
	387	strcmp(line, "[PPC64]") == 0) {
	388	if (native_arch != lxc_seccomp_arch_ppc64) {
	389	cur_rule_arch = lxc_seccomp_arch_unknown;
	390	continue;
	391	}
	392	cur_rule_arch = lxc_seccomp_arch_ppc64;
	393	}
	394	#endif
	395	#ifdef SCMP_ARCH_PPC
	396	else if (strcmp(line, "[ppc]") == 0 \|\|
	397	strcmp(line, "[PPC]") == 0) {
	398	if (native_arch != lxc_seccomp_arch_ppc) {
	399	cur_rule_arch = lxc_seccomp_arch_unknown;
	400	continue;
	401	}
	402	cur_rule_arch = lxc_seccomp_arch_ppc;
	403	}
2b0ae718	404	#endif
50798138 SH	405	else
50798138 SH	406	goto bad_arch;
d58c6ad0	407
50798138 SH	408	continue;
	409	}
	410
d58c6ad0 SH	411	/* irrelevant arch - i.e. arm on i386 */
	412	if (cur_rule_arch == lxc_seccomp_arch_unknown)
	413	continue;
	414
	415	/* read optional action which follows the syscall */
50798138 SH	416	action = get_and_clear_v2_action(line, default_rule_action);
	417	if (action == -1) {
	418	ERROR("Failed to interpret action");
	419	goto bad_rule;
	420	}
d58c6ad0	421
d6417887 WB	422	if (cur_rule_arch == native_arch \|\|
	423	cur_rule_arch == lxc_seccomp_arch_native \|\|
	424	compat_arch == SCMP_ARCH_NATIVE) {
	425	INFO("Adding native rule for %s action %d", line, action);
cd75548b	426	if (!do_resolve_add_rule(SCMP_ARCH_NATIVE, line, conf->seccomp_ctx, action))
d58c6ad0	427	goto bad_rule;
50798138	428	}
d6417887 WB	429	else if (cur_rule_arch != lxc_seccomp_arch_all) {
	430	INFO("Adding compat-only rule for %s action %d", line, action);
	431	if (!do_resolve_add_rule(compat_arch, line, compat_ctx, action))
	432	goto bad_rule;
	433	}
	434	else {
	435	INFO("Adding native rule for %s action %d", line, action);
	436	if (!do_resolve_add_rule(SCMP_ARCH_NATIVE, line, conf->seccomp_ctx, action))
	437	goto bad_rule;
d58c6ad0	438	INFO("Adding compat rule for %s action %d", line, action);
d6417887	439	if (!do_resolve_add_rule(compat_arch, line, compat_ctx, action))
d58c6ad0	440	goto bad_rule;
50798138 SH	441	}
50798138 SH	442	}
d58c6ad0 SH	443
	444	if (compat_ctx) {
	445	INFO("Merging in the compat seccomp ctx into the main one");
	446	if (seccomp_merge(conf->seccomp_ctx, compat_ctx) != 0) {
	447	ERROR("Error merging i386 seccomp contexts");
	448	goto bad;
50798138 SH	449	}
50798138 SH	450	}
6166fa6d	451
50798138 SH	452	return 0;
	453
	454	bad_arch:
	455	ERROR("Unsupported arch: %s", line);
	456	bad_rule:
d58c6ad0 SH	457	bad:
	458	if (compat_ctx)
	459	seccomp_release(compat_ctx);
50798138	460	return -1;
d58c6ad0 SH	461	}
	462	#else /* HAVE_DECL_SECCOMP_SYSCALL_RESOLVE_NAME_ARCH */
	463	static int parse_config_v2(FILE f, char line, struct lxc_conf *conf)
	464	{
50798138	465	return -1;
50798138	466	}
d58c6ad0	467	#endif /* HAVE_DECL_SECCOMP_SYSCALL_RESOLVE_NAME_ARCH */
50798138	468
8f2c3a70 SH	469	/*
	470	* The first line of the config file has a policy language version
	471	* the second line has some directives
	472	* then comes policy subject to the directives
	473	* right now version must be '1'
	474	* the directives must include 'whitelist' (only type of policy currently
	475	* supported) and can include 'debug' (though debug is not yet supported).
	476	*/
	477	static int parse_config(FILE f, struct lxc_conf conf)
	478	{
	479	char line[1024];
	480	int ret, version;
	481
	482	ret = fscanf(f, "%d\n", &version);
50798138	483	if (ret != 1 \|\| (version != 1 && version != 2)) {
8f2c3a70 SH	484	ERROR("invalid version");
	485	return -1;
	486	}
	487	if (!fgets(line, 1024, f)) {
	488	ERROR("invalid config file");
	489	return -1;
	490	}
50798138	491	if (version == 1 && !strstr(line, "whitelist")) {
8f2c3a70 SH	492	ERROR("only whitelist policy is supported");
	493	return -1;
	494	}
50798138	495
8f2c3a70 SH	496	if (strstr(line, "debug")) {
	497	ERROR("debug not yet implemented");
	498	return -1;
	499	}
50798138 SH	500
	501	if (version == 1)
	502	return parse_config_v1(f, conf);
	503	return parse_config_v2(f, line, conf);
8f2c3a70 SH	504	}
8f2c3a70 SH	505
cd75548b SH	506	/*
	507	* use_seccomp: return true if we should try and apply a seccomp policy
	508	* if defined for the container.
	509	* This will return false if
	510	* 1. seccomp is not enabled in the kernel
	511	* 2. a seccomp policy is already enabled for this task
	512	*/
	513	static bool use_seccomp(void)
d58c6ad0 SH	514	{
	515	FILE *f = fopen("/proc/self/status", "r");
	516	char line[1024];
cd75548b SH	517	bool already_enabled = false;
cd75548b SH	518	bool found = false;
d58c6ad0 SH	519	int ret, v;
	520
	521	if (!f)
cd75548b	522	return true;
d58c6ad0 SH	523
	524	while (fgets(line, 1024, f)) {
	525	if (strncmp(line, "Seccomp:", 8) == 0) {
cd75548b	526	found = true;
d58c6ad0	527	ret = sscanf(line+8, "%d", &v);
cd75548b SH	528	if (ret == 1 && v != 0)
	529	already_enabled = true;
	530	break;
d58c6ad0 SH	531	}
	532	}
	533
d58c6ad0	534	fclose(f);
cd75548b SH	535	if (!found) { /* no Seccomp line, no seccomp in kernel */
	536	INFO("Seccomp is not enabled in the kernel");
	537	return false;
	538	}
	539	if (already_enabled) { /* already seccomp-confined */
	540	INFO("Already seccomp-confined, not loading new policy");
	541	return false;
	542	}
	543	return true;
d58c6ad0 SH	544	}
d58c6ad0 SH	545
8f2c3a70 SH	546	int lxc_read_seccomp_config(struct lxc_conf *conf)
	547	{
	548	FILE *f;
	549	int ret;
	550
769872f9 SH	551	if (!conf->seccomp)
	552	return 0;
	553
cd75548b	554	if (!use_seccomp())
d58c6ad0	555	return 0;
769872f9 SH	556	#if HAVE_SCMP_FILTER_CTX
769872f9 SH	557	/* XXX for debug, pass in SCMP_ACT_TRAP */
50798138	558	conf->seccomp_ctx = seccomp_init(SCMP_ACT_KILL);
769872f9 SH	559	ret = !conf->seccomp_ctx;
769872f9 SH	560	#else
50798138	561	ret = seccomp_init(SCMP_ACT_KILL) < 0;
769872f9 SH	562	#endif
769872f9 SH	563	if (ret) {
8f2c3a70 SH	564	ERROR("failed initializing seccomp");
	565	return -1;
	566	}
8f2c3a70 SH	567
	568	/* turn of no-new-privs. We don't want it in lxc, and it breaks
	569	* with apparmor */
769872f9 SH	570	if (seccomp_attr_set(
	571	#if HAVE_SCMP_FILTER_CTX
	572	conf->seccomp_ctx,
	573	#endif
	574	SCMP_FLTATR_CTL_NNP, 0)) {
959aee9c	575	ERROR("failed to turn off n-new-privs");
8f2c3a70 SH	576	return -1;
	577	}
	578
	579	f = fopen(conf->seccomp, "r");
	580	if (!f) {
959aee9c	581	SYSERROR("failed to open seccomp policy file %s", conf->seccomp);
8f2c3a70 SH	582	return -1;
	583	}
	584	ret = parse_config(f, conf);
	585	fclose(f);
	586	return ret;
	587	}
	588
	589	int lxc_seccomp_load(struct lxc_conf *conf)
	590	{
	591	int ret;
	592	if (!conf->seccomp)
	593	return 0;
cd75548b	594	if (!use_seccomp())
d58c6ad0	595	return 0;
769872f9 SH	596	ret = seccomp_load(
	597	#if HAVE_SCMP_FILTER_CTX
	598	conf->seccomp_ctx
	599	#endif
	600	);
8f2c3a70 SH	601	if (ret < 0) {
	602	ERROR("Error loading the seccomp policy");
	603	return -1;
	604	}
	605	return 0;
	606	}
769872f9 SH	607
769872f9 SH	608	void lxc_seccomp_free(struct lxc_conf *conf) {
f10fad2f ME	609	free(conf->seccomp);
f10fad2f ME	610	conf->seccomp = NULL;
769872f9 SH	611	#if HAVE_SCMP_FILTER_CTX
	612	if (conf->seccomp_ctx) {
	613	seccomp_release(conf->seccomp_ctx);
	614	conf->seccomp_ctx = NULL;
	615	}
	616	#endif
	617	}