[mirror_lxc.git] / src / lxc / seccomp.c

/*
 * lxc: linux Container library
 *
 * (C) Copyright Canonical, Inc. 2012
 *
 * Authors:
 * Serge Hallyn <serge.hallyn@canonical.com>
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
 */

#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <seccomp.h>
#include <errno.h>
#include <seccomp.h>

#include "config.h"
#include "lxcseccomp.h"
#include "log.h"

lxc_log_define(lxc_seccomp, lxc);

static int parse_config_v1(FILE *f, struct lxc_conf *conf)
{
	char line[1024];
	int ret;

	while (fgets(line, 1024, f)) {
		int nr;
		ret = sscanf(line, "%d", &nr);
		if (ret != 1)
			return -1;
		ret = seccomp_rule_add(
#if HAVE_SCMP_FILTER_CTX
			conf->seccomp_ctx,
#endif
			SCMP_ACT_ALLOW, nr, 0);
		if (ret < 0) {
			ERROR("failed loading allow rule for %d", nr);
			return ret;
		}
	}
	return 0;
}

#if HAVE_DECL_SECCOMP_SYSCALL_RESOLVE_NAME_ARCH
static void remove_trailing_newlines(char *l)
{
	char *p = l;

	while (*p)
		p++;
	while (--p >= l && *p == '\n')
		*p = '\0';
}

static uint32_t get_v2_default_action(char *line)
{
	uint32_t ret_action = -1;

	while (*line == ' ') line++;
	// after 'whitelist' or 'blacklist' comes default behavior
	if (strncmp(line, "kill", 4) == 0)
		ret_action = SCMP_ACT_KILL;
	else if (strncmp(line, "errno", 5) == 0) {
		int e;
		if (sscanf(line+5, "%d", &e) != 1) {
			ERROR("Bad errno value in %s", line);
			return -2;
		}
		ret_action = SCMP_ACT_ERRNO(e);
	} else if (strncmp(line, "allow", 5) == 0)
		ret_action = SCMP_ACT_ALLOW;
	else if (strncmp(line, "trap", 4) == 0)
		ret_action = SCMP_ACT_TRAP;
	return ret_action;
}

static uint32_t get_and_clear_v2_action(char *line, uint32_t def_action)
{
	char *p = strchr(line, ' ');
	uint32_t ret;

	if (!p)
		return def_action;
	*p = '\0';
	p++;
	while (*p == ' ')
		p++;
	if (!*p || *p == '#')
		return def_action;
	ret = get_v2_default_action(p);
	switch(ret) {
	case -2: return -1;
	case -1: return def_action;
	default: return ret;
	}
}
#endif

/*
 * v2 consists of
 * [x86]
 * open
 * read
 * write
 * close
 * # a comment
 * [x86_64]
 * open
 * read
 * write
 * close
 */
static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
{
#if HAVE_DECL_SECCOMP_SYSCALL_RESOLVE_NAME_ARCH
	char *p;
	int ret;
	scmp_filter_ctx *ctx = NULL;
	bool blacklist = false;
	uint32_t default_policy_action = -1, default_rule_action = -1, action;
	uint32_t arch = SCMP_ARCH_NATIVE;

	if (strncmp(line, "blacklist", 9) == 0)
		blacklist = true;
	else if (strncmp(line, "whitelist", 9) != 0) {
		ERROR("Bad seccomp policy style: %s", line);
		return -1;
	}

	if ((p = strchr(line, ' '))) {
		default_policy_action = get_v2_default_action(p+1);
		if (default_policy_action == -2)
			return -1;
	}

	/* for blacklist, allow any syscall which has no rule */
	if (blacklist) {
		if (default_policy_action == -1)
			default_policy_action = SCMP_ACT_ALLOW;
		if (default_rule_action == -1)
			default_rule_action = SCMP_ACT_KILL;
	} else {
		if (default_policy_action == -1)
			default_policy_action = SCMP_ACT_KILL;
		if (default_rule_action == -1)
			default_rule_action = SCMP_ACT_ALLOW;
	}

	if (default_policy_action != SCMP_ACT_KILL) {
		ret = seccomp_reset(conf->seccomp_ctx, default_policy_action);
		if (ret != 0) {
			ERROR("Error re-initializing seccomp");
			return -1;
		}
		if (seccomp_attr_set(conf->seccomp_ctx, SCMP_FLTATR_CTL_NNP, 0)) {
			ERROR("failed to turn off n-new-privs");
			return -1;
		}
	}

	while (fgets(line, 1024, f)) {
		int nr;

		if (line[0] == '#')
			continue;
		if (strlen(line) == 0)
			continue;
		remove_trailing_newlines(line);
		INFO("processing: .%s.", line);
		if (line[0] == '[') {
			// read the architecture for next set of rules
			if (strcmp(line, "[x86]") == 0 ||
					strcmp(line, "[X86]") == 0)
				arch = SCMP_ARCH_X86;
			else if (strcmp(line, "[X86_64]") == 0 ||
					strcmp(line, "[x86_64]") == 0)
				arch = SCMP_ARCH_X86_64;
#ifdef SCMP_ARCH_ARM
			else if (strcmp(line, "[arm]") == 0 ||
					strcmp(line, "[ARM]") == 0)
				arch = SCMP_ARCH_ARM;
#endif
			else
				goto bad_arch;
			if (ctx) {
				ERROR("Only two arch sections per policy supported");
				goto bad_arch;
			}
			if ((ctx = seccomp_init(default_policy_action)) == NULL) {
				ERROR("Error initializing seccomp context");
				return -1;
			}
			if (seccomp_attr_set(ctx, SCMP_FLTATR_CTL_NNP, 0)) {
				ERROR("failed to turn off n-new-privs");
				seccomp_release(ctx);
				return -1;
			}
			ret = seccomp_arch_add(ctx, arch);
			if (ret == -EEXIST) {
				seccomp_release(ctx);
				ctx = NULL;
				continue;
			}
			if (ret != 0) {
				ERROR("Error %d adding arch: %s", ret, line);
				goto bad_arch;
			}
			if (seccomp_arch_remove(ctx, SCMP_ARCH_NATIVE) != 0) {
				ERROR("Error removing native arch from %s", line);
				goto bad_arch;
			}
			continue;
		}

		action = get_and_clear_v2_action(line, default_rule_action);
		if (action == -1) {
			ERROR("Failed to interpret action");
			goto bad_rule;
		}
		nr = seccomp_syscall_resolve_name_arch(arch, line);
		if (nr < 0) {
			WARN("Seccomp: failed to resolve syscall: %s (returned %d)",
				line, nr);
			WARN("This syscall will NOT be blacklisted");
			continue;
		}
		ret = seccomp_rule_add(ctx ? ctx : conf->seccomp_ctx,
				action, nr, 0);
		if (ret < 0) {
			ERROR("failed (%d) loading rule for %s", ret, line);
			goto bad_rule;
		}
	}
	if (ctx) {
		if (seccomp_merge(conf->seccomp_ctx, ctx) != 0) {
			seccomp_release(ctx);
			ERROR("Error merging seccomp contexts");
			return -1;
		}
	}
	return 0;

bad_arch:
	ERROR("Unsupported arch: %s", line);
bad_rule:
	if (ctx)
		seccomp_release(ctx);
	return -1;
#else
	return -1;
#endif
}

/*
 * The first line of the config file has a policy language version
 * the second line has some directives
 * then comes policy subject to the directives
 * right now version must be '1'
 * the directives must include 'whitelist' (only type of policy currently
 * supported) and can include 'debug' (though debug is not yet supported).
 */
static int parse_config(FILE *f, struct lxc_conf *conf)
{
	char line[1024];
	int ret, version;

	ret = fscanf(f, "%d\n", &version);
	if (ret != 1 || (version != 1 && version != 2)) {
		ERROR("invalid version");
		return -1;
	}
	if (!fgets(line, 1024, f)) {
		ERROR("invalid config file");
		return -1;
	}
	if (version == 1 && !strstr(line, "whitelist")) {
		ERROR("only whitelist policy is supported");
		return -1;
	}

	if (strstr(line, "debug")) {
		ERROR("debug not yet implemented");
		return -1;
	}

	if (version == 1)
		return parse_config_v1(f, conf);
	return parse_config_v2(f, line, conf);
}

int lxc_read_seccomp_config(struct lxc_conf *conf)
{
	FILE *f;
	int ret;

	if (!conf->seccomp)
		return 0;

#if HAVE_SCMP_FILTER_CTX
	/* XXX for debug, pass in SCMP_ACT_TRAP */
	conf->seccomp_ctx = seccomp_init(SCMP_ACT_KILL);
	ret = !conf->seccomp_ctx;
#else
	ret = seccomp_init(SCMP_ACT_KILL) < 0;
#endif
	if (ret) {
		ERROR("failed initializing seccomp");
		return -1;
	}

	/* turn of no-new-privs.  We don't want it in lxc, and it breaks
	 * with apparmor */
	if (seccomp_attr_set(
#if HAVE_SCMP_FILTER_CTX
			conf->seccomp_ctx,
#endif
			SCMP_FLTATR_CTL_NNP, 0)) {
		ERROR("failed to turn off n-new-privs");
		return -1;
	}

	f = fopen(conf->seccomp, "r");
	if (!f) {
		SYSERROR("failed to open seccomp policy file %s", conf->seccomp);
		return -1;
	}
	ret = parse_config(f, conf);
	fclose(f);
	return ret;
}

int lxc_seccomp_load(struct lxc_conf *conf)
{
	int ret;
	if (!conf->seccomp)
		return 0;
	ret = seccomp_load(
#if HAVE_SCMP_FILTER_CTX
			conf->seccomp_ctx
#endif
	);
	if (ret < 0) {
		ERROR("Error loading the seccomp policy");
		return -1;
	}
	return 0;
}

void lxc_seccomp_free(struct lxc_conf *conf) {
	if (conf->seccomp) {
		free(conf->seccomp);
		conf->seccomp = NULL;
	}
#if HAVE_SCMP_FILTER_CTX
	if (conf->seccomp_ctx) {
		seccomp_release(conf->seccomp_ctx);
		conf->seccomp_ctx = NULL;
	}
#endif
}
Commit	Line	Data
8f2c3a70 SH	1	/*
	2	* lxc: linux Container library
	3	*
	4	* (C) Copyright Canonical, Inc. 2012
	5	*
	6	* Authors:
	7	* Serge Hallyn <serge.hallyn@canonical.com>
	8	*
	9	* This library is free software; you can redistribute it and/or
	10	* modify it under the terms of the GNU Lesser General Public
	11	* License as published by the Free Software Foundation; either
	12	* version 2.1 of the License, or (at your option) any later version.
	13	*
	14	* This library is distributed in the hope that it will be useful,
	15	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	16	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	17	* Lesser General Public License for more details.
	18	*
	19	* You should have received a copy of the GNU Lesser General Public
	20	* License along with this library; if not, write to the Free Software
250b1eec	21	* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
8f2c3a70 SH	22	*/
	23
	24	#define _GNU_SOURCE
	25	#include <stdio.h>
	26	#include <stdlib.h>
	27	#include <seccomp.h>
	28	#include <errno.h>
	29	#include <seccomp.h>
f2363e38	30
769872f9	31	#include "config.h"
8f2c3a70	32	#include "lxcseccomp.h"
8f2c3a70 SH	33	#include "log.h"
	34
	35	lxc_log_define(lxc_seccomp, lxc);
	36
50798138 SH	37	static int parse_config_v1(FILE f, struct lxc_conf conf)
	38	{
	39	char line[1024];
	40	int ret;
	41
	42	while (fgets(line, 1024, f)) {
	43	int nr;
	44	ret = sscanf(line, "%d", &nr);
	45	if (ret != 1)
	46	return -1;
	47	ret = seccomp_rule_add(
	48	#if HAVE_SCMP_FILTER_CTX
	49	conf->seccomp_ctx,
	50	#endif
	51	SCMP_ACT_ALLOW, nr, 0);
	52	if (ret < 0) {
	53	ERROR("failed loading allow rule for %d", nr);
	54	return ret;
	55	}
	56	}
	57	return 0;
	58	}
	59
2b0ae718	60	#if HAVE_DECL_SECCOMP_SYSCALL_RESOLVE_NAME_ARCH
50798138 SH	61	static void remove_trailing_newlines(char *l)
	62	{
	63	char *p = l;
	64
	65	while (*p)
	66	p++;
	67	while (--p >= l && *p == '\n')
	68	*p = '\0';
	69	}
	70
	71	static uint32_t get_v2_default_action(char *line)
	72	{
	73	uint32_t ret_action = -1;
	74
	75	while (*line == ' ') line++;
	76	// after 'whitelist' or 'blacklist' comes default behavior
	77	if (strncmp(line, "kill", 4) == 0)
	78	ret_action = SCMP_ACT_KILL;
	79	else if (strncmp(line, "errno", 5) == 0) {
	80	int e;
	81	if (sscanf(line+5, "%d", &e) != 1) {
	82	ERROR("Bad errno value in %s", line);
	83	return -2;
	84	}
	85	ret_action = SCMP_ACT_ERRNO(e);
	86	} else if (strncmp(line, "allow", 5) == 0)
	87	ret_action = SCMP_ACT_ALLOW;
	88	else if (strncmp(line, "trap", 4) == 0)
	89	ret_action = SCMP_ACT_TRAP;
	90	return ret_action;
	91	}
	92
	93	static uint32_t get_and_clear_v2_action(char *line, uint32_t def_action)
	94	{
	95	char *p = strchr(line, ' ');
	96	uint32_t ret;
	97
	98	if (!p)
	99	return def_action;
	100	*p = '\0';
	101	p++;
	102	while (*p == ' ')
	103	p++;
	104	if (!p \|\| p == '#')
	105	return def_action;
	106	ret = get_v2_default_action(p);
	107	switch(ret) {
	108	case -2: return -1;
	109	case -1: return def_action;
	110	default: return ret;
	111	}
	112	}
2b0ae718	113	#endif
50798138 SH	114
	115	/*
	116	* v2 consists of
	117	* [x86]
	118	* open
	119	* read
	120	* write
	121	* close
	122	* # a comment
	123	* [x86_64]
	124	* open
	125	* read
	126	* write
	127	* close
	128	*/
	129	static int parse_config_v2(FILE f, char line, struct lxc_conf *conf)
	130	{
2b0ae718	131	#if HAVE_DECL_SECCOMP_SYSCALL_RESOLVE_NAME_ARCH
50798138 SH	132	char *p;
	133	int ret;
	134	scmp_filter_ctx *ctx = NULL;
	135	bool blacklist = false;
	136	uint32_t default_policy_action = -1, default_rule_action = -1, action;
	137	uint32_t arch = SCMP_ARCH_NATIVE;
	138
	139	if (strncmp(line, "blacklist", 9) == 0)
	140	blacklist = true;
	141	else if (strncmp(line, "whitelist", 9) != 0) {
	142	ERROR("Bad seccomp policy style: %s", line);
	143	return -1;
	144	}
	145
	146	if ((p = strchr(line, ' '))) {
	147	default_policy_action = get_v2_default_action(p+1);
	148	if (default_policy_action == -2)
	149	return -1;
	150	}
	151
	152	/* for blacklist, allow any syscall which has no rule */
	153	if (blacklist) {
	154	if (default_policy_action == -1)
	155	default_policy_action = SCMP_ACT_ALLOW;
	156	if (default_rule_action == -1)
	157	default_rule_action = SCMP_ACT_KILL;
	158	} else {
	159	if (default_policy_action == -1)
	160	default_policy_action = SCMP_ACT_KILL;
	161	if (default_rule_action == -1)
	162	default_rule_action = SCMP_ACT_ALLOW;
	163	}
	164
	165	if (default_policy_action != SCMP_ACT_KILL) {
	166	ret = seccomp_reset(conf->seccomp_ctx, default_policy_action);
	167	if (ret != 0) {
	168	ERROR("Error re-initializing seccomp");
	169	return -1;
	170	}
	171	if (seccomp_attr_set(conf->seccomp_ctx, SCMP_FLTATR_CTL_NNP, 0)) {
	172	ERROR("failed to turn off n-new-privs");
	173	return -1;
	174	}
	175	}
	176
	177	while (fgets(line, 1024, f)) {
	178	int nr;
	179
	180	if (line[0] == '#')
	181	continue;
	182	if (strlen(line) == 0)
	183	continue;
	184	remove_trailing_newlines(line);
	185	INFO("processing: .%s.", line);
	186	if (line[0] == '[') {
	187	// read the architecture for next set of rules
	188	if (strcmp(line, "[x86]") == 0 \|\|
	189	strcmp(line, "[X86]") == 0)
	190	arch = SCMP_ARCH_X86;
	191	else if (strcmp(line, "[X86_64]") == 0 \|\|
	192	strcmp(line, "[x86_64]") == 0)
	193	arch = SCMP_ARCH_X86_64;
2b0ae718	194	#ifdef SCMP_ARCH_ARM
50798138 SH	195	else if (strcmp(line, "[arm]") == 0 \|\|
	196	strcmp(line, "[ARM]") == 0)
	197	arch = SCMP_ARCH_ARM;
2b0ae718	198	#endif
50798138 SH	199	else
	200	goto bad_arch;
	201	if (ctx) {
	202	ERROR("Only two arch sections per policy supported");
	203	goto bad_arch;
	204	}
	205	if ((ctx = seccomp_init(default_policy_action)) == NULL) {
	206	ERROR("Error initializing seccomp context");
	207	return -1;
	208	}
	209	if (seccomp_attr_set(ctx, SCMP_FLTATR_CTL_NNP, 0)) {
	210	ERROR("failed to turn off n-new-privs");
	211	seccomp_release(ctx);
	212	return -1;
	213	}
	214	ret = seccomp_arch_add(ctx, arch);
	215	if (ret == -EEXIST) {
	216	seccomp_release(ctx);
	217	ctx = NULL;
	218	continue;
	219	}
	220	if (ret != 0) {
	221	ERROR("Error %d adding arch: %s", ret, line);
	222	goto bad_arch;
	223	}
	224	if (seccomp_arch_remove(ctx, SCMP_ARCH_NATIVE) != 0) {
	225	ERROR("Error removing native arch from %s", line);
	226	goto bad_arch;
	227	}
	228	continue;
	229	}
	230
	231	action = get_and_clear_v2_action(line, default_rule_action);
	232	if (action == -1) {
	233	ERROR("Failed to interpret action");
	234	goto bad_rule;
	235	}
	236	nr = seccomp_syscall_resolve_name_arch(arch, line);
	237	if (nr < 0) {
52036991 SH	238	WARN("Seccomp: failed to resolve syscall: %s (returned %d)",
	239	line, nr);
	240	WARN("This syscall will NOT be blacklisted");
	241	continue;
50798138 SH	242	}
	243	ret = seccomp_rule_add(ctx ? ctx : conf->seccomp_ctx,
	244	action, nr, 0);
	245	if (ret < 0) {
	246	ERROR("failed (%d) loading rule for %s", ret, line);
	247	goto bad_rule;
	248	}
	249	}
	250	if (ctx) {
	251	if (seccomp_merge(conf->seccomp_ctx, ctx) != 0) {
	252	seccomp_release(ctx);
	253	ERROR("Error merging seccomp contexts");
	254	return -1;
	255	}
	256	}
	257	return 0;
	258
	259	bad_arch:
	260	ERROR("Unsupported arch: %s", line);
	261	bad_rule:
	262	if (ctx)
	263	seccomp_release(ctx);
	264	return -1;
	265	#else
	266	return -1;
	267	#endif
	268	}
	269
8f2c3a70 SH	270	/*
	271	* The first line of the config file has a policy language version
	272	* the second line has some directives
	273	* then comes policy subject to the directives
	274	* right now version must be '1'
	275	* the directives must include 'whitelist' (only type of policy currently
	276	* supported) and can include 'debug' (though debug is not yet supported).
	277	*/
	278	static int parse_config(FILE f, struct lxc_conf conf)
	279	{
	280	char line[1024];
	281	int ret, version;
	282
	283	ret = fscanf(f, "%d\n", &version);
50798138	284	if (ret != 1 \|\| (version != 1 && version != 2)) {
8f2c3a70 SH	285	ERROR("invalid version");
	286	return -1;
	287	}
	288	if (!fgets(line, 1024, f)) {
	289	ERROR("invalid config file");
	290	return -1;
	291	}
50798138	292	if (version == 1 && !strstr(line, "whitelist")) {
8f2c3a70 SH	293	ERROR("only whitelist policy is supported");
	294	return -1;
	295	}
50798138	296
8f2c3a70 SH	297	if (strstr(line, "debug")) {
	298	ERROR("debug not yet implemented");
	299	return -1;
	300	}
50798138 SH	301
	302	if (version == 1)
	303	return parse_config_v1(f, conf);
	304	return parse_config_v2(f, line, conf);
8f2c3a70 SH	305	}
	306
	307	int lxc_read_seccomp_config(struct lxc_conf *conf)
	308	{
	309	FILE *f;
	310	int ret;
	311
769872f9 SH	312	if (!conf->seccomp)
	313	return 0;
	314
	315	#if HAVE_SCMP_FILTER_CTX
	316	/* XXX for debug, pass in SCMP_ACT_TRAP */
50798138	317	conf->seccomp_ctx = seccomp_init(SCMP_ACT_KILL);
769872f9 SH	318	ret = !conf->seccomp_ctx;
769872f9 SH	319	#else
50798138	320	ret = seccomp_init(SCMP_ACT_KILL) < 0;
769872f9 SH	321	#endif
769872f9 SH	322	if (ret) {
8f2c3a70 SH	323	ERROR("failed initializing seccomp");
	324	return -1;
	325	}
8f2c3a70 SH	326
	327	/* turn of no-new-privs. We don't want it in lxc, and it breaks
	328	* with apparmor */
769872f9 SH	329	if (seccomp_attr_set(
	330	#if HAVE_SCMP_FILTER_CTX
	331	conf->seccomp_ctx,
	332	#endif
	333	SCMP_FLTATR_CTL_NNP, 0)) {
959aee9c	334	ERROR("failed to turn off n-new-privs");
8f2c3a70 SH	335	return -1;
	336	}
	337
	338	f = fopen(conf->seccomp, "r");
	339	if (!f) {
959aee9c	340	SYSERROR("failed to open seccomp policy file %s", conf->seccomp);
8f2c3a70 SH	341	return -1;
	342	}
	343	ret = parse_config(f, conf);
	344	fclose(f);
	345	return ret;
	346	}
	347
	348	int lxc_seccomp_load(struct lxc_conf *conf)
	349	{
	350	int ret;
	351	if (!conf->seccomp)
	352	return 0;
769872f9 SH	353	ret = seccomp_load(
	354	#if HAVE_SCMP_FILTER_CTX
	355	conf->seccomp_ctx
	356	#endif
	357	);
8f2c3a70 SH	358	if (ret < 0) {
	359	ERROR("Error loading the seccomp policy");
	360	return -1;
	361	}
	362	return 0;
	363	}
769872f9 SH	364
	365	void lxc_seccomp_free(struct lxc_conf *conf) {
	366	if (conf->seccomp) {
	367	free(conf->seccomp);
	368	conf->seccomp = NULL;
	369	}
	370	#if HAVE_SCMP_FILTER_CTX
	371	if (conf->seccomp_ctx) {
	372	seccomp_release(conf->seccomp_ctx);
	373	conf->seccomp_ctx = NULL;
	374	}
	375	#endif
	376	}