]> git.proxmox.com Git - mirror_lxc.git/blame - src/lxc/seccomp.c
projects / mirror_lxc.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
seccomp: s/seccomp_notif_send_resp/seccomp_notify_respond/g
[mirror_lxc.git] / src / lxc / seccomp.c
CommitLineData
8f2c3a70
SH		 1/*
2 * lxc: linux Container library
3 *
4 * (C) Copyright Canonical, Inc. 2012
5 *
6 * Authors:
7 * Serge Hallyn <serge.hallyn@canonical.com>
8 *
9 * This library is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU Lesser General Public
11 * License as published by the Free Software Foundation; either
12 * version 2.1 of the License, or (at your option) any later version.
13 *
14 * This library is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 * Lesser General Public License for more details.
18 *
19 * You should have received a copy of the GNU Lesser General Public
20 * License along with this library; if not, write to the Free Software
250b1eec 21 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
8f2c3a70
SH		 22 */
23
d38dd64a
CB		 24#ifndef _GNU_SOURCE
25#define _GNU_SOURCE 1
26#endif
567b2049 27#include <errno.h>
ccf8d128 28#include <seccomp.h>
8f2c3a70
SH		 29#include <stdio.h>
30#include <stdlib.h>
6166fa6d 31#include <sys/mount.h>
567b2049 32#include <sys/utsname.h>
f2363e38 33
e35b7bf8 34#include "af_unix.h"
c3e3c21a 35#include "commands.h"
769872f9 36#include "config.h"
8f2c3a70 37#include "log.h"
cdb2a47f 38#include "lxccontainer.h"
567b2049 39#include "lxcseccomp.h"
c3e3c21a 40#include "mainloop.h"
cdb2a47f 41#include "memory_utils.h"
eacebcc3 42#include "utils.h"
8f2c3a70 43
0b5c590d
CB		 44#ifdef __MIPSEL__
45#define MIPS_ARCH_O32 lxc_seccomp_arch_mipsel
46#define MIPS_ARCH_N64 lxc_seccomp_arch_mipsel64
47#else
48#define MIPS_ARCH_O32 lxc_seccomp_arch_mips
49#define MIPS_ARCH_N64 lxc_seccomp_arch_mips64
50#endif
51
ac2cecc4 52lxc_log_define(seccomp, lxc);
8f2c3a70 53
9dbd8ff3 54static int parse_config_v1(FILE *f, char *line, size_t *line_bufsz, struct lxc_conf *conf)
50798138 55{
ccf8d128 56 int ret = 0;
50798138 57
9dbd8ff3 58 while (getline(&line, line_bufsz, f) != -1) {
50798138 59 int nr;
ccf8d128 60
50798138 61 ret = sscanf(line, "%d", &nr);
97a9b258
WB		 62 if (ret != 1) {
63 ret = -1;
64 break;
65 }
ccf8d128 66
50798138 67#if HAVE_SCMP_FILTER_CTX
c3e3c21a 68 ret = seccomp_rule_add(conf->seccomp.seccomp_ctx, SCMP_ACT_ALLOW, nr, 0);
ccf8d128
CB		 69#else
70 ret = seccomp_rule_add(SCMP_ACT_ALLOW, nr, 0);
50798138 71#endif
50798138 72 if (ret < 0) {
3ee26d19 73 ERROR("Failed loading allow rule for %d", nr);
ccf8d128 74 break;
50798138
SH		 75 }
76 }
ccf8d128
CB		 77 free(line);
78
79 return ret;
50798138
SH		 80}
81
2b0ae718 82#if HAVE_DECL_SECCOMP_SYSCALL_RESOLVE_NAME_ARCH
1ab6b4a1
CB		 83static const char *get_action_name(uint32_t action)
84{
85 /* The upper 16 bits indicate the type of the seccomp action. */
86 switch (action & 0xffff0000) {
87 case SCMP_ACT_KILL:
88 return "kill";
89 case SCMP_ACT_ALLOW:
90 return "allow";
91 case SCMP_ACT_TRAP:
92 return "trap";
93 case SCMP_ACT_ERRNO(0):
94 return "errno";
cdb2a47f 95#if HAVE_DECL_SECCOMP_NOTIF_GET_FD
02ca9d75 96 case SCMP_ACT_NOTIFY:
cdb2a47f
CB		 97 return "notify";
98#endif
1ab6b4a1
CB		 99 }
100
101 return "invalid action";
102}
103
50798138
SH		 104static uint32_t get_v2_default_action(char *line)
105{
106 uint32_t ret_action = -1;
107
f06c6207
CB		 108 while (*line == ' ')
109 line++;
30448a13 110
1a0e70ac 111 /* After 'whitelist' or 'blacklist' comes default behavior. */
30448a13 112 if (strncmp(line, "kill", 4) == 0) {
50798138 113 ret_action = SCMP_ACT_KILL;
30448a13
CB		 114 } else if (strncmp(line, "errno", 5) == 0) {
115 int e, ret;
116
117 ret = sscanf(line + 5, "%d", &e);
118 if (ret != 1) {
119 ERROR("Failed to parse errno value from %s", line);
50798138
SH		 120 return -2;
121 }
30448a13 122
50798138 123 ret_action = SCMP_ACT_ERRNO(e);
30448a13 124 } else if (strncmp(line, "allow", 5) == 0) {
50798138 125 ret_action = SCMP_ACT_ALLOW;
30448a13 126 } else if (strncmp(line, "trap", 4) == 0) {
50798138 127 ret_action = SCMP_ACT_TRAP;
cdb2a47f
CB		 128#if HAVE_DECL_SECCOMP_NOTIF_GET_FD
129 } else if (strncmp(line, "notify", 6) == 0) {
02ca9d75 130 ret_action = SCMP_ACT_NOTIFY;
cdb2a47f 131#endif
7474b5b3 132 } else if (line[0]) {
54a051c1 133 ERROR("Unrecognized seccomp action \"%s\"", line);
7474b5b3 134 return -2;
30448a13
CB		 135 }
136
50798138
SH		 137 return ret_action;
138}
139
3ee26d19 140static uint32_t get_v2_action(char *line, uint32_t def_action)
50798138 141{
1ab6b4a1 142 char *p;
50798138
SH		 143 uint32_t ret;
144
1ab6b4a1 145 p = strchr(line, ' ');
50798138
SH		 146 if (!p)
147 return def_action;
50798138 148 p++;
1ab6b4a1 149
50798138
SH		 150 while (*p == ' ')
151 p++;
1ab6b4a1 152
50798138
SH		 153 if (!*p || *p == '#')
154 return def_action;
1ab6b4a1 155
50798138 156 ret = get_v2_default_action(p);
1ab6b4a1
CB		 157 switch (ret) {
158 case -2:
159 return -1;
160 case -1:
161 return def_action;
50798138 162 }
1ab6b4a1
CB		 163
164 return ret;
50798138 165}
3ee26d19 166
63a49b03 167struct seccomp_v2_rule_args {
3ee26d19
L		 168 uint32_t index;
169 uint64_t value;
170 uint64_t mask;
171 enum scmp_compare op;
172};
173
174struct seccomp_v2_rule {
175 uint32_t action;
176 uint32_t args_num;
63a49b03 177 struct seccomp_v2_rule_args args_value[6];
3ee26d19
L		 178};
179
180static enum scmp_compare parse_v2_rule_op(char *s)
181{
3ee26d19 182 if (strcmp(s, "SCMP_CMP_NE") == 0 || strcmp(s, "!=") == 0)
29cb2617 183 return SCMP_CMP_NE;
3ee26d19 184 else if (strcmp(s, "SCMP_CMP_LT") == 0 || strcmp(s, "<") == 0)
29cb2617 185 return SCMP_CMP_LT;
3ee26d19 186 else if (strcmp(s, "SCMP_CMP_LE") == 0 || strcmp(s, "<=") == 0)
29cb2617 187 return SCMP_CMP_LE;
3ee26d19 188 else if (strcmp(s, "SCMP_CMP_EQ") == 0 || strcmp(s, "==") == 0)
29cb2617 189 return SCMP_CMP_EQ;
3ee26d19 190 else if (strcmp(s, "SCMP_CMP_GE") == 0 || strcmp(s, ">=") == 0)
29cb2617 191 return SCMP_CMP_GE;
3ee26d19 192 else if (strcmp(s, "SCMP_CMP_GT") == 0 || strcmp(s, ">") == 0)
29cb2617 193 return SCMP_CMP_GT;
3ee26d19 194 else if (strcmp(s, "SCMP_CMP_MASKED_EQ") == 0 || strcmp(s, "&=") == 0)
29cb2617 195 return SCMP_CMP_MASKED_EQ;
3ee26d19 196
29cb2617 197 return _SCMP_CMP_MAX;
3ee26d19
L		 198}
199
63a49b03
CB		 200/*
201 * This function is used to parse the args string into the structure.
73e3cb9a 202 * args string format:[index,value,op,mask] or [index,value,op]
3ee26d19
L		 203 * index: the index for syscall arguments (type uint)
204 * value: the value for syscall arguments (type uint64)
205 * op: the operator for syscall arguments(string),
206 a valid list of constants as of libseccomp v2.3.2 is
207 SCMP_CMP_NE,SCMP_CMP_LE,SCMP_CMP_LE, SCMP_CMP_EQ, SCMP_CMP_GE,
208 SCMP_CMP_GT, SCMP_CMP_MASKED_EQ, or !=,<=,==,>=,>,&=
73e3cb9a 209 * mask: the mask to apply on "value" for SCMP_CMP_MASKED_EQ (type uint64, optional)
3ee26d19
L		 210 * Returns 0 on success, < 0 otherwise.
211 */
63a49b03 212static int get_seccomp_arg_value(char *key, struct seccomp_v2_rule_args *rule_args)
3ee26d19
L		 213{
214 int ret = 0;
3ee26d19 215 uint32_t index = 0;
63a49b03
CB		 216 uint64_t mask = 0, value = 0;
217 enum scmp_compare op = 0;
3ee26d19 218 char *tmp = NULL;
f42183e6 219 char s[31] = {0}, v[24] = {0}, m[24] = {'0'};
3ee26d19 220
3ee26d19
L		 221 tmp = strchr(key, '[');
222 if (!tmp) {
223 ERROR("Failed to interpret args");
224 return -1;
225 }
63a49b03 226
eacebcc3 227 ret = sscanf(tmp, "[%i,%23[^,],%30[^0-9^,],%23[^,]", &index, v, s, m);
3ee26d19
L		 228 if ((ret != 3 && ret != 4) || index >= 6) {
229 ERROR("Failed to interpret args value");
230 return -1;
231 }
232
573ad77f 233 ret = lxc_safe_uint64(v, &value, 0);
eacebcc3
FA		 234 if (ret < 0) {
235 ERROR("Invalid argument value");
236 return -1;
237 }
238
573ad77f 239 ret = lxc_safe_uint64(m, &mask, 0);
eacebcc3
FA		 240 if (ret < 0) {
241 ERROR("Invalid argument mask");
242 return -1;
243 }
244
3ee26d19
L		 245 op = parse_v2_rule_op(s);
246 if (op == _SCMP_CMP_MAX) {
247 ERROR("Failed to interpret args operator value");
248 return -1;
249 }
250
251 rule_args->index = index;
252 rule_args->value = value;
253 rule_args->mask = mask;
254 rule_args->op = op;
255 return 0;
256}
257
258/* This function is used to parse the seccomp rule entry.
259 * @line : seccomp rule entry string.
260 * @def_action : default action used in the case if the 'line' contain non valid action.
261 * @rules : output struct.
262 * Returns 0 on success, < 0 otherwise.
263 */
f67c94d0
CB		 264static int parse_v2_rules(char *line, uint32_t def_action,
265 struct seccomp_v2_rule *rules)
3ee26d19 266{
f67c94d0
CB		 267 int i = 0, ret = -1;
268 char *key = NULL, *saveptr = NULL, *tmp = NULL;
3ee26d19
L		 269
270 tmp = strdup(line);
271 if (!tmp)
272 return -1;
273
274 /* read optional action which follows the syscall */
275 rules->action = get_v2_action(tmp, def_action);
f858dd50
WB		 276 if (rules->action == -1) {
277 ERROR("Failed to interpret action");
278 ret = -1;
54a051c1 279 goto on_error;
f858dd50 280 }
3ee26d19 281
f67c94d0 282 ret = 0;
3ee26d19 283 rules->args_num = 0;
f67c94d0 284 if (!strchr(tmp, '['))
54a051c1 285 goto on_error;
3ee26d19 286
f67c94d0
CB		 287 ret = -1;
288 for ((key = strtok_r(tmp, "]", &saveptr)), i = 0; key && i < 6;
289 (key = strtok_r(NULL, "]", &saveptr)), i++) {
3ee26d19 290 ret = get_seccomp_arg_value(key, &rules->args_value[i]);
f67c94d0 291 if (ret < 0)
54a051c1 292 goto on_error;
f67c94d0 293
3ee26d19
L		 294 rules->args_num++;
295 }
296
297 ret = 0;
f67c94d0 298
54a051c1 299on_error:
3ee26d19 300 free(tmp);
f67c94d0 301
3ee26d19
L		 302 return ret;
303}
2b0ae718 304#endif
50798138 305
d58c6ad0 306#if HAVE_DECL_SECCOMP_SYSCALL_RESOLVE_NAME_ARCH
3e9671a1 307enum lxc_hostarch_t {
d58c6ad0
SH		 308 lxc_seccomp_arch_all = 0,
309 lxc_seccomp_arch_native,
310 lxc_seccomp_arch_i386,
11de80d6 311 lxc_seccomp_arch_x32,
d58c6ad0
SH		 312 lxc_seccomp_arch_amd64,
313 lxc_seccomp_arch_arm,
9d291dd2 314 lxc_seccomp_arch_arm64,
b4067426
BP		 315 lxc_seccomp_arch_ppc64,
316 lxc_seccomp_arch_ppc64le,
317 lxc_seccomp_arch_ppc,
2ccd9eda
JC		 318 lxc_seccomp_arch_mips,
319 lxc_seccomp_arch_mips64,
320 lxc_seccomp_arch_mips64n32,
321 lxc_seccomp_arch_mipsel,
322 lxc_seccomp_arch_mipsel64,
323 lxc_seccomp_arch_mipsel64n32,
be038e49 324 lxc_seccomp_arch_s390x,
d58c6ad0
SH		 325 lxc_seccomp_arch_unknown = 999,
326};
327
328int get_hostarch(void)
329{
330 struct utsname uts;
331 if (uname(&uts) < 0) {
3ee26d19 332 SYSERROR("Failed to read host arch");
d58c6ad0
SH		 333 return -1;
334 }
0197fe2e 335
d58c6ad0
SH		 336 if (strcmp(uts.machine, "i686") == 0)
337 return lxc_seccomp_arch_i386;
1a0e70ac 338 /* no x32 kernels */
d58c6ad0
SH		 339 else if (strcmp(uts.machine, "x86_64") == 0)
340 return lxc_seccomp_arch_amd64;
341 else if (strncmp(uts.machine, "armv7", 5) == 0)
342 return lxc_seccomp_arch_arm;
9d291dd2
BP		 343 else if (strncmp(uts.machine, "aarch64", 7) == 0)
344 return lxc_seccomp_arch_arm64;
b4067426
BP		 345 else if (strncmp(uts.machine, "ppc64le", 7) == 0)
346 return lxc_seccomp_arch_ppc64le;
347 else if (strncmp(uts.machine, "ppc64", 5) == 0)
348 return lxc_seccomp_arch_ppc64;
349 else if (strncmp(uts.machine, "ppc", 3) == 0)
350 return lxc_seccomp_arch_ppc;
2ccd9eda
JC		 351 else if (strncmp(uts.machine, "mips64", 6) == 0)
352 return MIPS_ARCH_N64;
353 else if (strncmp(uts.machine, "mips", 4) == 0)
354 return MIPS_ARCH_O32;
be038e49
CB		 355 else if (strncmp(uts.machine, "s390x", 5) == 0)
356 return lxc_seccomp_arch_s390x;
0197fe2e 357
d58c6ad0
SH		 358 return lxc_seccomp_arch_unknown;
359}
360
3e9671a1
CB		 361scmp_filter_ctx get_new_ctx(enum lxc_hostarch_t n_arch,
362 uint32_t default_policy_action, bool *needs_merge)
d58c6ad0 363{
d58c6ad0
SH		 364 int ret;
365 uint32_t arch;
04263914 366 scmp_filter_ctx ctx;
d58c6ad0 367
04263914
CB		 368 switch (n_arch) {
369 case lxc_seccomp_arch_i386:
370 arch = SCMP_ARCH_X86;
371 break;
372 case lxc_seccomp_arch_x32:
373 arch = SCMP_ARCH_X32;
374 break;
375 case lxc_seccomp_arch_amd64:
376 arch = SCMP_ARCH_X86_64;
377 break;
378 case lxc_seccomp_arch_arm:
379 arch = SCMP_ARCH_ARM;
380 break;
9d291dd2 381#ifdef SCMP_ARCH_AARCH64
04263914
CB		 382 case lxc_seccomp_arch_arm64:
383 arch = SCMP_ARCH_AARCH64;
384 break;
9d291dd2 385#endif
b4067426 386#ifdef SCMP_ARCH_PPC64LE
04263914
CB		 387 case lxc_seccomp_arch_ppc64le:
388 arch = SCMP_ARCH_PPC64LE;
389 break;
b4067426
BP		 390#endif
391#ifdef SCMP_ARCH_PPC64
04263914
CB		 392 case lxc_seccomp_arch_ppc64:
393 arch = SCMP_ARCH_PPC64;
394 break;
b4067426
BP		 395#endif
396#ifdef SCMP_ARCH_PPC
04263914
CB		 397 case lxc_seccomp_arch_ppc:
398 arch = SCMP_ARCH_PPC;
399 break;
2ccd9eda
JC		 400#endif
401#ifdef SCMP_ARCH_MIPS
04263914
CB		 402 case lxc_seccomp_arch_mips:
403 arch = SCMP_ARCH_MIPS;
404 break;
405 case lxc_seccomp_arch_mips64:
406 arch = SCMP_ARCH_MIPS64;
407 break;
408 case lxc_seccomp_arch_mips64n32:
409 arch = SCMP_ARCH_MIPS64N32;
410 break;
411 case lxc_seccomp_arch_mipsel:
412 arch = SCMP_ARCH_MIPSEL;
413 break;
414 case lxc_seccomp_arch_mipsel64:
415 arch = SCMP_ARCH_MIPSEL64;
416 break;
417 case lxc_seccomp_arch_mipsel64n32:
418 arch = SCMP_ARCH_MIPSEL64N32;
419 break;
be038e49
CB		 420#endif
421#ifdef SCMP_ARCH_S390X
04263914
CB		 422 case lxc_seccomp_arch_s390x:
423 arch = SCMP_ARCH_S390X;
424 break;
b4067426 425#endif
04263914
CB		 426 default:
427 return NULL;
d58c6ad0
SH		 428 }
429
04263914
CB		 430 ctx = seccomp_init(default_policy_action);
431 if (!ctx) {
3ee26d19 432 ERROR("Error initializing seccomp context");
d58c6ad0
SH		 433 return NULL;
434 }
04263914
CB		 435
436 ret = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_NNP, 0);
437 if (ret < 0) {
6d1400b5 438 errno = -ret;
439 SYSERROR("Failed to turn off no-new-privs");
d58c6ad0
SH		 440 seccomp_release(ctx);
441 return NULL;
442 }
04263914 443
127c5293 444#ifdef SCMP_FLTATR_ATL_TSKIP
04263914 445 ret = seccomp_attr_set(ctx, SCMP_FLTATR_ATL_TSKIP, 1);
a24c5678 446 if (ret < 0) {
447 errno = -ret;
448 SYSWARN("Failed to turn on seccomp nop-skip, continuing");
449 }
127c5293 450#endif
b5ed021b 451
adfee3a8
CB		 452 ret = seccomp_arch_exist(ctx, arch);
453 if (ret < 0) {
454 if (ret != -EEXIST) {
6d1400b5 455 errno = -ret;
456 SYSERROR("Failed to determine whether arch %d is "
457 "already present in the main seccomp context",
458 (int)n_arch);
adfee3a8
CB		 459 seccomp_release(ctx);
460 return NULL;
461 }
462
b5ed021b
CB		 463 ret = seccomp_arch_add(ctx, arch);
464 if (ret != 0) {
6d1400b5 465 errno = -ret;
466 SYSERROR("Failed to add arch %d to main seccomp context",
467 (int)n_arch);
b5ed021b
CB		 468 seccomp_release(ctx);
469 return NULL;
470 }
adfee3a8 471 TRACE("Added arch %d to main seccomp context", (int)n_arch);
b5ed021b 472
adfee3a8
CB		 473 ret = seccomp_arch_remove(ctx, SCMP_ARCH_NATIVE);
474 if (ret != 0) {
475 ERROR("Failed to remove native arch from main seccomp context");
b5ed021b
CB		 476 seccomp_release(ctx);
477 return NULL;
478 }
adfee3a8 479 TRACE("Removed native arch from main seccomp context");
3e9671a1
CB		 480
481 *needs_merge = true;
adfee3a8 482 } else {
3e9671a1 483 *needs_merge = false;
adfee3a8 484 TRACE("Arch %d already present in main seccomp context", (int)n_arch);
d58c6ad0
SH		 485 }
486
487 return ctx;
488}
489
490bool do_resolve_add_rule(uint32_t arch, char *line, scmp_filter_ctx ctx,
ad9a5b72 491 struct seccomp_v2_rule *rule)
d58c6ad0 492{
ad9a5b72 493 int i, nr, ret;
3ee26d19
L		 494 struct scmp_arg_cmp arg_cmp[6];
495
f06c6207
CB		 496 ret = seccomp_arch_exist(ctx, arch);
497 if (arch && ret != 0) {
6d1400b5 498 errno = -ret;
499 SYSERROR("Seccomp: rule and context arch do not match (arch %d)", arch);
d58c6ad0
SH		 500 return false;
501 }
6166fa6d 502
3ee26d19
L		 503 /*get the syscall name*/
504 char *p = strchr(line, ' ');
505 if (p)
506 *p = '\0';
507
6166fa6d 508 if (strncmp(line, "reject_force_umount", 19) == 0) {
ad9a5b72
CB		 509 ret = seccomp_rule_add_exact(ctx, SCMP_ACT_ERRNO(EACCES),
510 SCMP_SYS(umount2), 1,
511 SCMP_A1(SCMP_CMP_MASKED_EQ, MNT_FORCE, MNT_FORCE));
6166fa6d 512 if (ret < 0) {
6d1400b5 513 errno = -ret;
514 SYSERROR("Failed loading rule to reject force umount");
6166fa6d
SH		 515 return false;
516 }
ad9a5b72
CB		 517
518 INFO("Set seccomp rule to reject force umounts");
6166fa6d
SH		 519 return true;
520 }
521
cd75548b 522 nr = seccomp_syscall_resolve_name(line);
d58c6ad0 523 if (nr == __NR_SCMP_ERROR) {
ad9a5b72 524 WARN("Failed to resolve syscall \"%s\"", line);
8c26014b 525 WARN("This syscall will NOT be handled by seccomp");
24b9874f 526 return true;
d58c6ad0 527 }
ad9a5b72 528
d58c6ad0 529 if (nr < 0) {
ad9a5b72 530 WARN("Got negative return value %d for syscall \"%s\"", nr, line);
8c26014b 531 WARN("This syscall will NOT be handled by seccomp");
24b9874f 532 return true;
d58c6ad0 533 }
3ee26d19 534
ad9a5b72 535 memset(&arg_cmp, 0, sizeof(arg_cmp));
3ee26d19 536 for (i = 0; i < rule->args_num; i++) {
ad9a5b72
CB		 537 INFO("arg_cmp[%d]: SCMP_CMP(%u, %llu, %llu, %llu)", i,
538 rule->args_value[i].index,
539 (long long unsigned int)rule->args_value[i].op,
540 (long long unsigned int)rule->args_value[i].mask,
541 (long long unsigned int)rule->args_value[i].value);
3ee26d19
L		 542
543 if (SCMP_CMP_MASKED_EQ == rule->args_value[i].op)
ad9a5b72
CB		 544 arg_cmp[i] = SCMP_CMP(rule->args_value[i].index,
545 rule->args_value[i].op,
546 rule->args_value[i].mask,
547 rule->args_value[i].value);
3ee26d19 548 else
ad9a5b72
CB		 549 arg_cmp[i] = SCMP_CMP(rule->args_value[i].index,
550 rule->args_value[i].op,
551 rule->args_value[i].value);
3ee26d19
L		 552 }
553
ad9a5b72
CB		 554 ret = seccomp_rule_add_exact_array(ctx, rule->action, nr,
555 rule->args_num, arg_cmp);
d58c6ad0 556 if (ret < 0) {
6d1400b5 557 errno = -ret;
558 SYSERROR("Failed loading rule for %s (nr %d action %d (%s))",
559 line, nr, rule->action, get_action_name(rule->action));
d58c6ad0
SH		 560 return false;
561 }
ad9a5b72 562
d58c6ad0
SH		 563 return true;
564}
565
50798138
SH		 566/*
567 * v2 consists of
568 * [x86]
569 * open
570 * read
571 * write
572 * close
573 * # a comment
574 * [x86_64]
575 * open
576 * read
577 * write
578 * close
579 */
9dbd8ff3 580static int parse_config_v2(FILE *f, char *line, size_t *line_bufsz, struct lxc_conf *conf)
50798138 581{
50798138 582 int ret;
9c3798eb 583 char *p;
3e9671a1 584 enum lxc_hostarch_t cur_rule_arch, native_arch;
50798138 585 bool blacklist = false;
3ee26d19 586 uint32_t default_policy_action = -1, default_rule_action = -1;
3ee26d19 587 struct seccomp_v2_rule rule;
3e9671a1
CB		 588 struct scmp_ctx_info {
589 uint32_t architectures[3];
590 scmp_filter_ctx contexts[3];
591 bool needs_merge[3];
592 } ctx;
50798138
SH		 593
594 if (strncmp(line, "blacklist", 9) == 0)
595 blacklist = true;
596 else if (strncmp(line, "whitelist", 9) != 0) {
9c3798eb 597 ERROR("Bad seccomp policy style \"%s\"", line);
50798138
SH		 598 return -1;
599 }
600
9c3798eb
CB		 601 p = strchr(line, ' ');
602 if (p) {
f06c6207 603 default_policy_action = get_v2_default_action(p + 1);
50798138
SH		 604 if (default_policy_action == -2)
605 return -1;
606 }
607
608 /* for blacklist, allow any syscall which has no rule */
609 if (blacklist) {
610 if (default_policy_action == -1)
611 default_policy_action = SCMP_ACT_ALLOW;
9c3798eb 612
50798138
SH		 613 if (default_rule_action == -1)
614 default_rule_action = SCMP_ACT_KILL;
615 } else {
616 if (default_policy_action == -1)
617 default_policy_action = SCMP_ACT_KILL;
9c3798eb 618
50798138
SH		 619 if (default_rule_action == -1)
620 default_rule_action = SCMP_ACT_ALLOW;
621 }
622
eca6736e
CB		 623 memset(&ctx, 0, sizeof(ctx));
624 ctx.architectures[0] = SCMP_ARCH_NATIVE;
625 ctx.architectures[1] = SCMP_ARCH_NATIVE;
626 ctx.architectures[2] = SCMP_ARCH_NATIVE;
9c3798eb
CB		 627 native_arch = get_hostarch();
628 cur_rule_arch = native_arch;
d58c6ad0
SH		 629 if (native_arch == lxc_seccomp_arch_amd64) {
630 cur_rule_arch = lxc_seccomp_arch_all;
eca6736e
CB		 631
632 ctx.architectures[0] = SCMP_ARCH_X86;
633 ctx.contexts[0] = get_new_ctx(lxc_seccomp_arch_i386,
3e9671a1
CB		 634 default_policy_action,
635 &ctx.needs_merge[0]);
eca6736e
CB		 636 if (!ctx.contexts[0])
637 goto bad;
638
639 ctx.architectures[1] = SCMP_ARCH_X32;
640 ctx.contexts[1] = get_new_ctx(lxc_seccomp_arch_x32,
3e9671a1
CB		 641 default_policy_action,
642 &ctx.needs_merge[1]);
eca6736e
CB		 643 if (!ctx.contexts[1])
644 goto bad;
645
646 ctx.architectures[2] = SCMP_ARCH_X86_64;
647 ctx.contexts[2] = get_new_ctx(lxc_seccomp_arch_amd64,
3e9671a1
CB		 648 default_policy_action,
649 &ctx.needs_merge[2]);
eca6736e 650 if (!ctx.contexts[2])
ab5e52f6 651 goto bad;
ca399594 652#ifdef SCMP_ARCH_PPC
7635139a
SH		 653 } else if (native_arch == lxc_seccomp_arch_ppc64) {
654 cur_rule_arch = lxc_seccomp_arch_all;
eca6736e
CB		 655
656 ctx.architectures[0] = SCMP_ARCH_PPC;
657 ctx.contexts[0] = get_new_ctx(lxc_seccomp_arch_ppc,
3e9671a1
CB		 658 default_policy_action,
659 &ctx.needs_merge[0]);
eca6736e
CB		 660 if (!ctx.contexts[0])
661 goto bad;
662
3e9671a1
CB		 663 ctx.architectures[2] = SCMP_ARCH_PPC64;
664 ctx.contexts[2] = get_new_ctx(lxc_seccomp_arch_ppc64,
665 default_policy_action,
666 &ctx.needs_merge[2]);
667 if (!ctx.contexts[2])
7635139a 668 goto bad;
ca399594
CB		 669#endif
670#ifdef SCMP_ARCH_ARM
7635139a
SH		 671 } else if (native_arch == lxc_seccomp_arch_arm64) {
672 cur_rule_arch = lxc_seccomp_arch_all;
eca6736e
CB		 673
674 ctx.architectures[0] = SCMP_ARCH_ARM;
9c3798eb 675 ctx.contexts[0] = get_new_ctx(lxc_seccomp_arch_arm,
3e9671a1
CB		 676 default_policy_action,
677 &ctx.needs_merge[0]);
eca6736e
CB		 678 if (!ctx.contexts[0])
679 goto bad;
680
b1c428f9 681#ifdef SCMP_ARCH_AARCH64
3e9671a1
CB		 682 ctx.architectures[2] = SCMP_ARCH_AARCH64;
683 ctx.contexts[2] = get_new_ctx(lxc_seccomp_arch_arm64,
684 default_policy_action,
685 &ctx.needs_merge[2]);
686 if (!ctx.contexts[2])
2ccd9eda
JC		 687 goto bad;
688#endif
b1c428f9 689#endif
2ccd9eda
JC		 690#ifdef SCMP_ARCH_MIPS
691 } else if (native_arch == lxc_seccomp_arch_mips64) {
692 cur_rule_arch = lxc_seccomp_arch_all;
eca6736e
CB		 693
694 ctx.architectures[0] = SCMP_ARCH_MIPS;
695 ctx.contexts[0] = get_new_ctx(lxc_seccomp_arch_mips,
3e9671a1
CB		 696 default_policy_action,
697 &ctx.needs_merge[0]);
eca6736e
CB		 698 if (!ctx.contexts[0])
699 goto bad;
700
701 ctx.architectures[1] = SCMP_ARCH_MIPS64N32;
702 ctx.contexts[1] = get_new_ctx(lxc_seccomp_arch_mips64n32,
3e9671a1
CB		 703 default_policy_action,
704 &ctx.needs_merge[1]);
eca6736e
CB		 705 if (!ctx.contexts[1])
706 goto bad;
707
708 ctx.architectures[2] = SCMP_ARCH_MIPS64;
709 ctx.contexts[2] = get_new_ctx(lxc_seccomp_arch_mips64,
3e9671a1
CB		 710 default_policy_action,
711 &ctx.needs_merge[2]);
eca6736e 712 if (!ctx.contexts[2])
2ccd9eda
JC		 713 goto bad;
714 } else if (native_arch == lxc_seccomp_arch_mipsel64) {
715 cur_rule_arch = lxc_seccomp_arch_all;
eca6736e
CB		 716
717 ctx.architectures[0] = SCMP_ARCH_MIPSEL;
718 ctx.contexts[0] = get_new_ctx(lxc_seccomp_arch_mipsel,
3e9671a1
CB		 719 default_policy_action,
720 &ctx.needs_merge[0]);
eca6736e
CB		 721 if (!ctx.contexts[0])
722 goto bad;
723
724 ctx.architectures[1] = SCMP_ARCH_MIPSEL64N32;
725 ctx.contexts[1] = get_new_ctx(lxc_seccomp_arch_mipsel64n32,
3e9671a1
CB		 726 default_policy_action,
727 &ctx.needs_merge[1]);
eca6736e
CB		 728 if (!ctx.contexts[1])
729 goto bad;
730
731 ctx.architectures[2] = SCMP_ARCH_MIPSEL64;
732 ctx.contexts[2] = get_new_ctx(lxc_seccomp_arch_mipsel64,
3e9671a1
CB		 733 default_policy_action,
734 &ctx.needs_merge[2]);
eca6736e 735 if (!ctx.contexts[2])
7635139a 736 goto bad;
be038e49 737#endif
d58c6ad0
SH		 738 }
739
50798138 740 if (default_policy_action != SCMP_ACT_KILL) {
c3e3c21a 741 ret = seccomp_reset(conf->seccomp.seccomp_ctx, default_policy_action);
50798138 742 if (ret != 0) {
3ee26d19 743 ERROR("Error re-initializing Seccomp");
50798138
SH		 744 return -1;
745 }
9c3798eb 746
c3e3c21a 747 ret = seccomp_attr_set(conf->seccomp.seccomp_ctx, SCMP_FLTATR_CTL_NNP, 0);
9c3798eb 748 if (ret < 0) {
6d1400b5 749 errno = -ret;
750 SYSERROR("Failed to turn off no-new-privs");
50798138
SH		 751 return -1;
752 }
9c3798eb 753
127c5293 754#ifdef SCMP_FLTATR_ATL_TSKIP
c3e3c21a 755 ret = seccomp_attr_set(conf->seccomp.seccomp_ctx, SCMP_FLTATR_ATL_TSKIP, 1);
a24c5678 756 if (ret < 0) {
757 errno = -ret;
758 SYSWARN("Failed to turn on seccomp nop-skip, continuing");
759 }
127c5293 760#endif
50798138
SH		 761 }
762
9dbd8ff3 763 while (getline(&line, line_bufsz, f) != -1) {
50798138
SH		 764 if (line[0] == '#')
765 continue;
9c3798eb
CB		 766
767 if (line[0] == '\0')
50798138 768 continue;
9c3798eb 769
50798138 770 remove_trailing_newlines(line);
9c3798eb
CB		 771
772 INFO("Processing \"%s\"", line);
50798138 773 if (line[0] == '[') {
1a0e70ac 774 /* Read the architecture for next set of rules. */
50798138 775 if (strcmp(line, "[x86]") == 0 ||
f06c6207 776 strcmp(line, "[X86]") == 0) {
d58c6ad0 777 if (native_arch != lxc_seccomp_arch_i386 &&
7e84441e 778 native_arch != lxc_seccomp_arch_amd64) {
d58c6ad0
SH		 779 cur_rule_arch = lxc_seccomp_arch_unknown;
780 continue;
781 }
9c3798eb 782
d58c6ad0 783 cur_rule_arch = lxc_seccomp_arch_i386;
11de80d6
AB		 784 } else if (strcmp(line, "[x32]") == 0 ||
785 strcmp(line, "[X32]") == 0) {
786 if (native_arch != lxc_seccomp_arch_amd64) {
787 cur_rule_arch = lxc_seccomp_arch_unknown;
788 continue;
789 }
9c3798eb 790
11de80d6 791 cur_rule_arch = lxc_seccomp_arch_x32;
d58c6ad0 792 } else if (strcmp(line, "[X86_64]") == 0 ||
f06c6207 793 strcmp(line, "[x86_64]") == 0) {
d58c6ad0
SH		 794 if (native_arch != lxc_seccomp_arch_amd64) {
795 cur_rule_arch = lxc_seccomp_arch_unknown;
796 continue;
797 }
9c3798eb 798
d58c6ad0 799 cur_rule_arch = lxc_seccomp_arch_amd64;
d58c6ad0 800 } else if (strcmp(line, "[all]") == 0 ||
f06c6207 801 strcmp(line, "[ALL]") == 0) {
d58c6ad0 802 cur_rule_arch = lxc_seccomp_arch_all;
d58c6ad0 803 }
2b0ae718 804#ifdef SCMP_ARCH_ARM
50798138 805 else if (strcmp(line, "[arm]") == 0 ||
f06c6207 806 strcmp(line, "[ARM]") == 0) {
7635139a 807 if (native_arch != lxc_seccomp_arch_arm &&
7e84441e 808 native_arch != lxc_seccomp_arch_arm64) {
d58c6ad0
SH		 809 cur_rule_arch = lxc_seccomp_arch_unknown;
810 continue;
811 }
9c3798eb 812
d58c6ad0 813 cur_rule_arch = lxc_seccomp_arch_arm;
d58c6ad0 814 }
b4067426 815#endif
9d291dd2
BP		 816#ifdef SCMP_ARCH_AARCH64
817 else if (strcmp(line, "[arm64]") == 0 ||
f06c6207 818 strcmp(line, "[ARM64]") == 0) {
9d291dd2
BP		 819 if (native_arch != lxc_seccomp_arch_arm64) {
820 cur_rule_arch = lxc_seccomp_arch_unknown;
821 continue;
822 }
9c3798eb 823
9d291dd2
BP		 824 cur_rule_arch = lxc_seccomp_arch_arm64;
825 }
826#endif
b4067426
BP		 827#ifdef SCMP_ARCH_PPC64LE
828 else if (strcmp(line, "[ppc64le]") == 0 ||
f06c6207 829 strcmp(line, "[PPC64LE]") == 0) {
b4067426
BP		 830 if (native_arch != lxc_seccomp_arch_ppc64le) {
831 cur_rule_arch = lxc_seccomp_arch_unknown;
832 continue;
833 }
9c3798eb 834
b4067426
BP		 835 cur_rule_arch = lxc_seccomp_arch_ppc64le;
836 }
837#endif
838#ifdef SCMP_ARCH_PPC64
839 else if (strcmp(line, "[ppc64]") == 0 ||
f06c6207 840 strcmp(line, "[PPC64]") == 0) {
b4067426
BP		 841 if (native_arch != lxc_seccomp_arch_ppc64) {
842 cur_rule_arch = lxc_seccomp_arch_unknown;
843 continue;
844 }
9c3798eb 845
b4067426
BP		 846 cur_rule_arch = lxc_seccomp_arch_ppc64;
847 }
848#endif
849#ifdef SCMP_ARCH_PPC
850 else if (strcmp(line, "[ppc]") == 0 ||
f06c6207 851 strcmp(line, "[PPC]") == 0) {
7635139a 852 if (native_arch != lxc_seccomp_arch_ppc &&
7e84441e 853 native_arch != lxc_seccomp_arch_ppc64) {
b4067426
BP		 854 cur_rule_arch = lxc_seccomp_arch_unknown;
855 continue;
856 }
9c3798eb 857
b4067426
BP		 858 cur_rule_arch = lxc_seccomp_arch_ppc;
859 }
2ccd9eda
JC		 860#endif
861#ifdef SCMP_ARCH_MIPS
862 else if (strcmp(line, "[mips64]") == 0 ||
f06c6207 863 strcmp(line, "[MIPS64]") == 0) {
2ccd9eda
JC		 864 if (native_arch != lxc_seccomp_arch_mips64) {
865 cur_rule_arch = lxc_seccomp_arch_unknown;
866 continue;
867 }
9c3798eb 868
2ccd9eda
JC		 869 cur_rule_arch = lxc_seccomp_arch_mips64;
870 } else if (strcmp(line, "[mips64n32]") == 0 ||
f06c6207 871 strcmp(line, "[MIPS64N32]") == 0) {
2ccd9eda
JC		 872 if (native_arch != lxc_seccomp_arch_mips64) {
873 cur_rule_arch = lxc_seccomp_arch_unknown;
874 continue;
875 }
9c3798eb 876
2ccd9eda
JC		 877 cur_rule_arch = lxc_seccomp_arch_mips64n32;
878 } else if (strcmp(line, "[mips]") == 0 ||
f06c6207 879 strcmp(line, "[MIPS]") == 0) {
2ccd9eda 880 if (native_arch != lxc_seccomp_arch_mips &&
7e84441e 881 native_arch != lxc_seccomp_arch_mips64) {
2ccd9eda
JC		 882 cur_rule_arch = lxc_seccomp_arch_unknown;
883 continue;
884 }
9c3798eb 885
2ccd9eda
JC		 886 cur_rule_arch = lxc_seccomp_arch_mips;
887 } else if (strcmp(line, "[mipsel64]") == 0 ||
f06c6207 888 strcmp(line, "[MIPSEL64]") == 0) {
2ccd9eda
JC		 889 if (native_arch != lxc_seccomp_arch_mipsel64) {
890 cur_rule_arch = lxc_seccomp_arch_unknown;
891 continue;
892 }
9c3798eb 893
2ccd9eda
JC		 894 cur_rule_arch = lxc_seccomp_arch_mipsel64;
895 } else if (strcmp(line, "[mipsel64n32]") == 0 ||
f06c6207 896 strcmp(line, "[MIPSEL64N32]") == 0) {
2ccd9eda
JC		 897 if (native_arch != lxc_seccomp_arch_mipsel64) {
898 cur_rule_arch = lxc_seccomp_arch_unknown;
899 continue;
900 }
9c3798eb 901
2ccd9eda
JC		 902 cur_rule_arch = lxc_seccomp_arch_mipsel64n32;
903 } else if (strcmp(line, "[mipsel]") == 0 ||
f06c6207 904 strcmp(line, "[MIPSEL]") == 0) {
2ccd9eda 905 if (native_arch != lxc_seccomp_arch_mipsel &&
7e84441e 906 native_arch != lxc_seccomp_arch_mipsel64) {
2ccd9eda
JC		 907 cur_rule_arch = lxc_seccomp_arch_unknown;
908 continue;
909 }
9c3798eb 910
2ccd9eda
JC		 911 cur_rule_arch = lxc_seccomp_arch_mipsel;
912 }
be038e49
CB		 913#endif
914#ifdef SCMP_ARCH_S390X
915 else if (strcmp(line, "[s390x]") == 0 ||
f06c6207 916 strcmp(line, "[S390X]") == 0) {
be038e49
CB		 917 if (native_arch != lxc_seccomp_arch_s390x) {
918 cur_rule_arch = lxc_seccomp_arch_unknown;
919 continue;
920 }
9c3798eb 921
be038e49 922 cur_rule_arch = lxc_seccomp_arch_s390x;
b8bcbe9b 923 }
2b0ae718 924#endif
b8bcbe9b 925 else {
50798138 926 goto bad_arch;
9c3798eb 927 }
d58c6ad0 928
50798138
SH		 929 continue;
930 }
931
d58c6ad0
SH		 932 /* irrelevant arch - i.e. arm on i386 */
933 if (cur_rule_arch == lxc_seccomp_arch_unknown)
934 continue;
935
3ee26d19 936 memset(&rule, 0, sizeof(rule));
d58c6ad0 937 /* read optional action which follows the syscall */
3ee26d19
L		 938 ret = parse_v2_rules(line, default_rule_action, &rule);
939 if (ret != 0) {
940 ERROR("Failed to interpret seccomp rule");
50798138
SH		 941 goto bad_rule;
942 }
d58c6ad0 943
cdb2a47f 944#if HAVE_DECL_SECCOMP_NOTIF_GET_FD
02ca9d75 945 if ((rule.action == SCMP_ACT_NOTIFY) &&
c3e3c21a
CB		 946 !conf->seccomp.notifier.wants_supervision) {
947 ret = seccomp_attr_set(conf->seccomp.seccomp_ctx,
cdb2a47f
CB		 948 SCMP_FLTATR_NEW_LISTENER, 1);
949 if (ret)
950 goto bad_rule;
951
c3e3c21a 952 conf->seccomp.notifier.wants_supervision = true;
cdb2a47f
CB		 953 TRACE("Set SCMP_FLTATR_NEW_LISTENER attribute");
954 }
955#endif
956
3e9671a1 957 if (!do_resolve_add_rule(SCMP_ARCH_NATIVE, line,
c3e3c21a 958 conf->seccomp.seccomp_ctx, &rule))
3e9671a1 959 goto bad_rule;
9c3798eb 960
3e9671a1
CB		 961 INFO("Added native rule for arch %d for %s action %d(%s)",
962 SCMP_ARCH_NATIVE, line, rule.action,
963 get_action_name(rule.action));
94d56054 964
3e9671a1
CB		 965 if (ctx.architectures[0] != SCMP_ARCH_NATIVE) {
966 if (!do_resolve_add_rule(ctx.architectures[0], line,
967 ctx.contexts[0], &rule))
d6417887 968 goto bad_rule;
9c3798eb 969
eca6736e 970 INFO("Added compat rule for arch %d for %s action %d(%s)",
3e9671a1 971 ctx.architectures[0], line, rule.action,
3ee26d19 972 get_action_name(rule.action));
3e9671a1 973 }
eca6736e 974
3e9671a1
CB		 975 if (ctx.architectures[1] != SCMP_ARCH_NATIVE) {
976 if (!do_resolve_add_rule(ctx.architectures[1], line,
977 ctx.contexts[1], &rule))
978 goto bad_rule;
9c3798eb 979
3e9671a1
CB		 980 INFO("Added compat rule for arch %d for %s action %d(%s)",
981 ctx.architectures[1], line, rule.action,
982 get_action_name(rule.action));
983 }
f1bcfc79 984
3e9671a1
CB		 985 if (ctx.architectures[2] != SCMP_ARCH_NATIVE) {
986 if (!do_resolve_add_rule(ctx.architectures[2], line,
987 ctx.contexts[2], &rule))
988 goto bad_rule;
f1bcfc79 989
3e9671a1
CB		 990 INFO("Added native rule for arch %d for %s action %d(%s)",
991 ctx.architectures[2], line, rule.action,
992 get_action_name(rule.action));
50798138
SH		 993 }
994 }
d58c6ad0 995
d648e178 996 INFO("Merging compat seccomp contexts into main context");
eca6736e
CB		 997 if (ctx.contexts[0]) {
998 if (ctx.needs_merge[0]) {
c3e3c21a 999 ret = seccomp_merge(conf->seccomp.seccomp_ctx, ctx.contexts[0]);
b5ed021b 1000 if (ret < 0) {
3e9671a1
CB		 1001 ERROR("Failed to merge first compat seccomp "
1002 "context into main context");
b5ed021b
CB		 1003 goto bad;
1004 }
9c3798eb 1005
b5ed021b 1006 TRACE("Merged first compat seccomp context into main context");
d648e178 1007 } else {
eca6736e
CB		 1008 seccomp_release(ctx.contexts[0]);
1009 ctx.contexts[0] = NULL;
b5ed021b 1010 }
d648e178 1011 }
b5ed021b 1012
eca6736e
CB		 1013 if (ctx.contexts[1]) {
1014 if (ctx.needs_merge[1]) {
c3e3c21a 1015 ret = seccomp_merge(conf->seccomp.seccomp_ctx, ctx.contexts[1]);
b5ed021b 1016 if (ret < 0) {
3e9671a1
CB		 1017 ERROR("Failed to merge first compat seccomp "
1018 "context into main context");
b5ed021b
CB		 1019 goto bad;
1020 }
9c3798eb 1021
b5ed021b 1022 TRACE("Merged second compat seccomp context into main context");
d648e178 1023 } else {
eca6736e
CB		 1024 seccomp_release(ctx.contexts[1]);
1025 ctx.contexts[1] = NULL;
1026 }
1027 }
1028
1029 if (ctx.contexts[2]) {
1030 if (ctx.needs_merge[2]) {
c3e3c21a 1031 ret = seccomp_merge(conf->seccomp.seccomp_ctx, ctx.contexts[2]);
eca6736e 1032 if (ret < 0) {
3e9671a1
CB		 1033 ERROR("Failed to merge third compat seccomp "
1034 "context into main context");
eca6736e
CB		 1035 goto bad;
1036 }
9c3798eb 1037
eca6736e
CB		 1038 TRACE("Merged third compat seccomp context into main context");
1039 } else {
1040 seccomp_release(ctx.contexts[2]);
1041 ctx.contexts[2] = NULL;
50798138
SH		 1042 }
1043 }
6166fa6d 1044
9dbd8ff3 1045 free(line);
50798138
SH		 1046 return 0;
1047
1048bad_arch:
9c3798eb
CB		 1049 ERROR("Unsupported architecture \"%s\"", line);
1050
50798138 1051bad_rule:
d58c6ad0 1052bad:
eca6736e
CB		 1053 if (ctx.contexts[0])
1054 seccomp_release(ctx.contexts[0]);
9c3798eb 1055
eca6736e
CB		 1056 if (ctx.contexts[1])
1057 seccomp_release(ctx.contexts[1]);
9c3798eb 1058
eca6736e
CB		 1059 if (ctx.contexts[2])
1060 seccomp_release(ctx.contexts[2]);
1061
9dbd8ff3 1062 free(line);
9c3798eb 1063
50798138 1064 return -1;
d58c6ad0
SH		 1065}
1066#else /* HAVE_DECL_SECCOMP_SYSCALL_RESOLVE_NAME_ARCH */
1067static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
1068{
50798138 1069 return -1;
50798138 1070}
d58c6ad0 1071#endif /* HAVE_DECL_SECCOMP_SYSCALL_RESOLVE_NAME_ARCH */
50798138 1072
8f2c3a70
SH		 1073/*
1074 * The first line of the config file has a policy language version
1075 * the second line has some directives
1076 * then comes policy subject to the directives
998cd2f4 1077 * right now version must be '1' or '2'
1078 * the directives must include 'whitelist'(version == 1 or 2) or 'blacklist'
1079 * (version == 2) and can include 'debug' (though debug is not yet supported).
8f2c3a70
SH		 1080 */
1081static int parse_config(FILE *f, struct lxc_conf *conf)
1082{
9dbd8ff3
WB		 1083 char *line = NULL;
1084 size_t line_bufsz = 0;
8f2c3a70
SH		 1085 int ret, version;
1086
1087 ret = fscanf(f, "%d\n", &version);
50798138 1088 if (ret != 1 || (version != 1 && version != 2)) {
3ee26d19 1089 ERROR("Invalid version");
8f2c3a70
SH		 1090 return -1;
1091 }
6ca8172d 1092
9dbd8ff3 1093 if (getline(&line, &line_bufsz, f) == -1) {
3ee26d19 1094 ERROR("Invalid config file");
9dbd8ff3 1095 goto bad_line;
8f2c3a70 1096 }
6ca8172d 1097
50798138 1098 if (version == 1 && !strstr(line, "whitelist")) {
3ee26d19 1099 ERROR("Only whitelist policy is supported");
9dbd8ff3 1100 goto bad_line;
8f2c3a70 1101 }
50798138 1102
8f2c3a70 1103 if (strstr(line, "debug")) {
3ee26d19 1104 ERROR("Debug not yet implemented");
9dbd8ff3 1105 goto bad_line;
8f2c3a70 1106 }
50798138
SH		 1107
1108 if (version == 1)
9dbd8ff3 1109 return parse_config_v1(f, line, &line_bufsz, conf);
6ca8172d 1110
9dbd8ff3
WB		 1111 return parse_config_v2(f, line, &line_bufsz, conf);
1112
1113bad_line:
1114 free(line);
1115 return -1;
8f2c3a70
SH		 1116}
1117
cd75548b
SH		 1118/*
1119 * use_seccomp: return true if we should try and apply a seccomp policy
1120 * if defined for the container.
1121 * This will return false if
1122 * 1. seccomp is not enabled in the kernel
1123 * 2. a seccomp policy is already enabled for this task
1124 */
50d86993 1125static bool use_seccomp(const struct lxc_conf *conf)
d58c6ad0 1126{
d58c6ad0 1127 int ret, v;
6ca8172d
CB		 1128 FILE *f;
1129 size_t line_bufsz = 0;
1130 char *line = NULL;
1131 bool already_enabled = false, found = false;
d58c6ad0 1132
c3e3c21a 1133 if (conf->seccomp.allow_nesting > 0)
50d86993
CB		 1134 return true;
1135
6ca8172d 1136 f = fopen("/proc/self/status", "r");
d58c6ad0 1137 if (!f)
cd75548b 1138 return true;
d58c6ad0 1139
6ca8172d 1140 while (getline(&line, &line_bufsz, f) != -1) {
d58c6ad0 1141 if (strncmp(line, "Seccomp:", 8) == 0) {
cd75548b 1142 found = true;
6ca8172d 1143
f06c6207 1144 ret = sscanf(line + 8, "%d", &v);
cd75548b
SH		 1145 if (ret == 1 && v != 0)
1146 already_enabled = true;
6ca8172d 1147
cd75548b 1148 break;
d58c6ad0
SH		 1149 }
1150 }
6ca8172d 1151 free(line);
d58c6ad0 1152 fclose(f);
6ca8172d
CB		 1153
1154 if (!found) {
3ee26d19 1155 INFO("Seccomp is not enabled in the kernel");
cd75548b
SH		 1156 return false;
1157 }
6ca8172d
CB		 1158
1159 if (already_enabled) {
3ee26d19 1160 INFO("Already seccomp-confined, not loading new policy");
cd75548b
SH		 1161 return false;
1162 }
6ca8172d 1163
cd75548b 1164 return true;
d58c6ad0
SH		 1165}
1166
8f2c3a70
SH		 1167int lxc_read_seccomp_config(struct lxc_conf *conf)
1168{
cf6624c1 1169 int ret;
8f2c3a70 1170 FILE *f;
8f2c3a70 1171
c3e3c21a 1172 if (!conf->seccomp.seccomp)
769872f9
SH		 1173 return 0;
1174
50d86993 1175 if (!use_seccomp(conf))
d58c6ad0 1176 return 0;
47f6d547 1177
769872f9
SH		 1178#if HAVE_SCMP_FILTER_CTX
1179 /* XXX for debug, pass in SCMP_ACT_TRAP */
c3e3c21a
CB		 1180 conf->seccomp.seccomp_ctx = seccomp_init(SCMP_ACT_KILL);
1181 ret = !conf->seccomp.seccomp_ctx;
769872f9 1182#else
50798138 1183 ret = seccomp_init(SCMP_ACT_KILL) < 0;
769872f9
SH		 1184#endif
1185 if (ret) {
3ee26d19 1186 ERROR("Failed initializing seccomp");
8f2c3a70
SH		 1187 return -1;
1188 }
8f2c3a70 1189
47f6d547 1190/* turn off no-new-privs. We don't want it in lxc, and it breaks
f06c6207 1191 * with apparmor */
769872f9 1192#if HAVE_SCMP_FILTER_CTX
c3e3c21a 1193 ret = seccomp_attr_set(conf->seccomp.seccomp_ctx, SCMP_FLTATR_CTL_NNP, 0);
727c3073 1194#else
cf6624c1 1195 ret = seccomp_attr_set(SCMP_FLTATR_CTL_NNP, 0);
769872f9 1196#endif
cf6624c1 1197 if (ret < 0) {
6d1400b5 1198 errno = -ret;
1199 SYSERROR("Failed to turn off no-new-privs");
8f2c3a70
SH		 1200 return -1;
1201 }
a24c5678 1202
127c5293 1203#ifdef SCMP_FLTATR_ATL_TSKIP
c3e3c21a 1204 ret = seccomp_attr_set(conf->seccomp.seccomp_ctx, SCMP_FLTATR_ATL_TSKIP, 1);
a24c5678 1205 if (ret < 0) {
1206 errno = -ret;
1207 SYSWARN("Failed to turn on seccomp nop-skip, continuing");
1208 }
127c5293 1209#endif
8f2c3a70 1210
c3e3c21a 1211 f = fopen(conf->seccomp.seccomp, "r");
8f2c3a70 1212 if (!f) {
c3e3c21a 1213 SYSERROR("Failed to open seccomp policy file %s", conf->seccomp.seccomp);
8f2c3a70
SH		 1214 return -1;
1215 }
47f6d547 1216
8f2c3a70
SH		 1217 ret = parse_config(f, conf);
1218 fclose(f);
47f6d547 1219
8f2c3a70
SH		 1220 return ret;
1221}
1222
1223int lxc_seccomp_load(struct lxc_conf *conf)
1224{
1225 int ret;
47f6d547 1226
c3e3c21a 1227 if (!conf->seccomp.seccomp)
8f2c3a70 1228 return 0;
47f6d547 1229
50d86993 1230 if (!use_seccomp(conf))
d58c6ad0 1231 return 0;
47f6d547 1232
769872f9 1233#if HAVE_SCMP_FILTER_CTX
c3e3c21a 1234 ret = seccomp_load(conf->seccomp.seccomp_ctx);
47f6d547
CB		 1235#else
1236 ret = seccomp_load();
769872f9 1237#endif
8f2c3a70 1238 if (ret < 0) {
6d1400b5 1239 errno = -ret;
1240 SYSERROR("Error loading the seccomp policy");
8f2c3a70
SH		 1241 return -1;
1242 }
5107af32 1243
1244/* After load seccomp filter into the kernel successfully, export the current seccomp
1245 * filter to log file */
1246#if HAVE_SCMP_FILTER_CTX
47f6d547
CB		 1247 if ((lxc_log_get_level() <= LXC_LOG_LEVEL_TRACE ||
1248 conf->loglevel <= LXC_LOG_LEVEL_TRACE) &&
5107af32 1249 lxc_log_fd >= 0) {
c3e3c21a 1250 ret = seccomp_export_pfc(conf->seccomp.seccomp_ctx, lxc_log_fd);
5107af32 1251 /* Just give an warning when export error */
a24c5678 1252 if (ret < 0) {
1253 errno = -ret;
1254 SYSWARN("Failed to export seccomp filter to log file");
1255 }
5107af32 1256 }
1257#endif
47f6d547 1258
cdb2a47f 1259#if HAVE_DECL_SECCOMP_NOTIF_GET_FD
c3e3c21a 1260 if (conf->seccomp.notifier.wants_supervision) {
da9c8317 1261 ret = seccomp_notify_fd(conf->seccomp.seccomp_ctx);
cdb2a47f
CB		 1262 if (ret < 0) {
1263 errno = -ret;
1264 return -1;
1265 }
1266
c3e3c21a 1267 conf->seccomp.notifier.notify_fd = ret;
cdb2a47f
CB		 1268 TRACE("Retrieved new seccomp listener fd %d", ret);
1269 }
1270#endif
1271
8f2c3a70
SH		 1272 return 0;
1273}
769872f9 1274
c3e3c21a 1275void lxc_seccomp_free(struct lxc_seccomp *seccomp)
f06c6207 1276{
c3e3c21a 1277 free_disarm(seccomp->seccomp);
47f6d547 1278
769872f9 1279#if HAVE_SCMP_FILTER_CTX
c3e3c21a
CB		 1280 if (seccomp->seccomp_ctx) {
1281 seccomp_release(seccomp->seccomp_ctx);
1282 seccomp->seccomp_ctx = NULL;
769872f9
SH		 1283 }
1284#endif
cdb2a47f
CB		 1285
1286#if HAVE_DECL_SECCOMP_NOTIF_GET_FD
c3e3c21a
CB		 1287 close_prot_errno_disarm(seccomp->notifier.notify_fd);
1288 close_prot_errno_disarm(seccomp->notifier.proxy_fd);
1289 seccomp_notif_free(seccomp->notifier.req_buf, seccomp->notifier.rsp_buf);
1290 seccomp->notifier.req_buf = NULL;
1291 seccomp->notifier.rsp_buf = NULL;
cdb2a47f
CB		 1292#endif
1293}
1294
e35b7bf8
CB		 1295#if HAVE_DECL_SECCOMP_NOTIF_GET_FD
1296static int seccomp_notify_reconnect(struct lxc_handler *handler)
1297{
1298 __do_close_prot_errno int notify_fd = -EBADF;
1299
c3e3c21a 1300 close_prot_errno_disarm(handler->conf->seccomp.notifier.proxy_fd);
e35b7bf8 1301
c3e3c21a 1302 notify_fd = lxc_unix_connect(&handler->conf->seccomp.notifier.proxy_addr);
e35b7bf8
CB		 1303 if (notify_fd < 0) {
1304 SYSERROR("Failed to reconnect to seccomp proxy");
1305 return -1;
1306 }
1307
1308 /* 30 second timeout */
1309 if (lxc_socket_set_timeout(notify_fd, 30, 30)) {
1310 SYSERROR("Failed to set socket timeout");
1311 return -1;
1312 }
c3e3c21a 1313 handler->conf->seccomp.notifier.proxy_fd = move_fd(notify_fd);
e35b7bf8
CB		 1314 return 0;
1315}
1316#endif
1317
1318#if HAVE_DECL_SECCOMP_NOTIF_GET_FD
1319static int seccomp_notify_default_answer(int fd, struct seccomp_notif *req,
1320 struct seccomp_notif_resp *resp,
1321 struct lxc_handler *handler)
1322{
1323 resp->id = req->id;
1324 resp->error = -ENOSYS;
1325
3c216fe2 1326 if (seccomp_notify_respond(fd, resp))
e35b7bf8
CB		 1327 SYSERROR("Failed to send default message to seccomp");
1328
1329 return seccomp_notify_reconnect(handler);
1330}
1331#endif
1332
cdb2a47f
CB		 1333int seccomp_notify_handler(int fd, uint32_t events, void *data,
1334 struct lxc_epoll_descr *descr)
1335{
1336
1337#if HAVE_DECL_SECCOMP_NOTIF_GET_FD
5ed06d3a 1338 __do_close_prot_errno int fd_mem = -EBADF;
e35b7bf8
CB		 1339 int reconnect_count, ret;
1340 ssize_t bytes;
18847d37
CB		 1341 char mem_path[6 /* /proc/ */
1342 + INTTYPE_TO_STRLEN(int64_t)
1343 + 3 /* mem */
1344 + 1 /* \0 */];
cdb2a47f
CB		 1345 struct lxc_handler *hdlr = data;
1346 struct lxc_conf *conf = hdlr->conf;
c3e3c21a
CB		 1347 struct seccomp_notif *req = conf->seccomp.notifier.req_buf;
1348 struct seccomp_notif_resp *resp = conf->seccomp.notifier.rsp_buf;
1349 int listener_proxy_fd = conf->seccomp.notifier.proxy_fd;
37046066 1350 struct seccomp_notify_proxy_msg msg = {0};
cdb2a47f 1351
e35b7bf8
CB		 1352 if (listener_proxy_fd < 0) {
1353 ERROR("No seccomp proxy registered");
cdb2a47f 1354 return minus_one_set_errno(EINVAL);
e35b7bf8 1355 }
cdb2a47f 1356
e3998402 1357 ret = seccomp_notify_receive(fd, req);
e35b7bf8
CB		 1358 if (ret) {
1359 SYSERROR("Failed to read seccomp notification");
1360 goto out;
1361 }
cdb2a47f 1362
5ed06d3a
CB		 1363 snprintf(mem_path, sizeof(mem_path), "/proc/%d/mem", req->pid);
1364 fd_mem = open(mem_path, O_RDONLY | O_CLOEXEC);
1365 if (fd_mem < 0) {
1366 (void)seccomp_notify_default_answer(fd, req, resp, hdlr);
1367 SYSERROR("Failed to open process memory for seccomp notify request");
1368 goto out;
1369 }
1370
1371 /*
1372 * Make sure that the fd for /proc/<pid>/mem we just opened still
1373 * refers to the correct process's memory.
1374 */
1375 ret = seccomp_notif_id_valid(fd, req->id);
1376 if (ret < 0) {
1377 (void)seccomp_notify_default_answer(fd, req, resp, hdlr);
1378 SYSERROR("Invalid seccomp notify request id");
1379 goto out;
1380 }
1381
cdb2a47f
CB		 1382 memcpy(&msg.req, req, sizeof(msg.req));
1383 msg.monitor_pid = hdlr->monitor_pid;
1384 msg.init_pid = hdlr->pid;
1385
e35b7bf8
CB		 1386 reconnect_count = 0;
1387 do {
5ed06d3a
CB		 1388 bytes = lxc_unix_send_fds(listener_proxy_fd, &fd_mem, 1, &msg,
1389 sizeof(msg));
e35b7bf8
CB		 1390 if (bytes != (ssize_t)sizeof(msg)) {
1391 SYSERROR("Failed to forward message to seccomp proxy");
1392 if (seccomp_notify_default_answer(fd, req, resp, hdlr))
1393 goto out;
1394 }
1395 } while (reconnect_count++);
1396
5ed06d3a
CB		 1397 close_prot_errno_disarm(fd_mem);
1398
e35b7bf8
CB		 1399 reconnect_count = 0;
1400 do {
1401 bytes = lxc_recv_nointr(listener_proxy_fd, &msg, sizeof(msg), 0);
1402 if (bytes != (ssize_t)sizeof(msg)) {
1403 SYSERROR("Failed to receive message from seccomp proxy");
1404 if (seccomp_notify_default_answer(fd, req, resp, hdlr))
1405 goto out;
1406 }
1407 } while (reconnect_count++);
cdb2a47f
CB		 1408
1409 memcpy(resp, &msg.resp, sizeof(*resp));
3c216fe2 1410 ret = seccomp_notify_respond(fd, resp);
cdb2a47f 1411 if (ret)
e35b7bf8 1412 SYSERROR("Failed to send seccomp notification");
cdb2a47f 1413
e35b7bf8 1414out:
cdb2a47f
CB		 1415 return 0;
1416#else
1417 return -ENOSYS;
1418#endif
769872f9 1419}
c3e3c21a
CB		 1420
1421void seccomp_conf_init(struct lxc_conf *conf)
1422{
1423 conf->seccomp.seccomp = NULL;
1424#if HAVE_SCMP_FILTER_CTX
1425 conf->seccomp.allow_nesting = 0;
1426 memset(&conf->seccomp.seccomp_ctx, 0, sizeof(conf->seccomp.seccomp_ctx));
1427#endif /* HAVE_SCMP_FILTER_CTX */
1428#if HAVE_DECL_SECCOMP_NOTIF_GET_FD
1429 conf->seccomp.notifier.wants_supervision = false;
1430 conf->seccomp.notifier.notify_fd = -EBADF;
1431 conf->seccomp.notifier.proxy_fd = -EBADF;
1432 memset(&conf->seccomp.notifier.proxy_addr, 0,
1433 sizeof(conf->seccomp.notifier.proxy_addr));
1434 conf->seccomp.notifier.req_buf = NULL;
1435 conf->seccomp.notifier.rsp_buf = NULL;
1436#endif
1437}
1438
2ac0f627
CB		 1439int lxc_seccomp_setup_proxy(struct lxc_seccomp *seccomp,
1440 struct lxc_epoll_descr *descr,
1441 struct lxc_handler *handler)
c3e3c21a
CB		 1442{
1443#if HAVE_DECL_SECCOMP_NOTIF_GET_FD
1444 if (seccomp->notifier.wants_supervision &&
1445 seccomp->notifier.proxy_addr.sun_path[1] != '\0') {
1446 __do_close_prot_errno int notify_fd = -EBADF;
1447 int ret;
1448
1449 notify_fd = lxc_unix_connect(&seccomp->notifier.proxy_addr);
2ac0f627
CB		 1450 if (notify_fd < 0) {
1451 SYSERROR("Failed to connect to seccomp proxy");
c3e3c21a 1452 return -1;
2ac0f627 1453 }
c3e3c21a
CB		 1454
1455 /* 30 second timeout */
1456 ret = lxc_socket_set_timeout(notify_fd, 30, 30);
2ac0f627
CB		 1457 if (ret) {
1458 SYSERROR("Failed to set timeouts for seccomp proxy");
c3e3c21a 1459 return -1;
2ac0f627
CB		 1460 }
1461
1462 ret = seccomp_notif_alloc(&seccomp->notifier.req_buf,
1463 &seccomp->notifier.rsp_buf);
1464 if (ret) {
1465 ERROR("Failed to allocate seccomp notify request and response buffers");
1466 errno = ret;
1467 return -1;
1468 }
c3e3c21a
CB		 1469
1470 ret = lxc_mainloop_add_handler(descr,
1471 seccomp->notifier.notify_fd,
1472 seccomp_notify_handler, handler);
1473 if (ret < 0) {
1474 ERROR("Failed to add seccomp notify handler for %d to mainloop",
2ac0f627 1475 notify_fd);
c3e3c21a
CB		 1476 return -1;
1477 }
1478
1479 seccomp->notifier.proxy_fd = move_fd(notify_fd);
1480 }
1481#endif
1482 return 0;
1483}
1484
1485int lxc_seccomp_send_notifier_fd(struct lxc_seccomp *seccomp, int socket_fd)
1486{
1487#if HAVE_DECL_SECCOMP_NOTIF_GET_FD
1488 if (seccomp->notifier.wants_supervision) {
1489 if (lxc_abstract_unix_send_fds(socket_fd,
1490 &seccomp->notifier.notify_fd, 1,
1491 NULL, 0) < 0)
1492 return -1;
1493 close_prot_errno_disarm(seccomp->notifier.notify_fd);
1494 }
1495#endif
1496 return 0;
1497}
1498
1499int lxc_seccomp_recv_notifier_fd(struct lxc_seccomp *seccomp, int socket_fd)
1500{
1501#if HAVE_DECL_SECCOMP_NOTIF_GET_FD
1502 if (seccomp->notifier.wants_supervision) {
1503 int ret;
1504
1505 ret = lxc_abstract_unix_recv_fds(socket_fd,
1506 &seccomp->notifier.notify_fd,
1507 1, NULL, 0);
1508 if (ret < 0)
1509 return -1;
c3e3c21a
CB		 1510 }
1511#endif
1512 return 0;
1513}
1514
1515int lxc_seccomp_add_notifier(const char *name, const char *lxcpath,
1516 struct lxc_seccomp *seccomp)
1517{
1518
1519#if HAVE_DECL_SECCOMP_NOTIF_GET_FD
2ac0f627 1520 if (seccomp->notifier.wants_supervision) {
c3e3c21a
CB		 1521 int ret;
1522
1523 ret = lxc_cmd_seccomp_notify_add_listener(name, lxcpath,
2ac0f627 1524 seccomp->notifier.notify_fd,
c3e3c21a
CB		 1525 -1, 0);
1526 close_prot_errno_disarm(seccomp->notifier.notify_fd);
1527 if (ret < 0)
1528 return -1;
1529 }
1530#endif
1531 return 0;
1532}
LXC mirror