2 * seccomp_profile.c -- seccomp profile support
4 * (c) Copyright IBM Corporation 2019.
6 * Author: Stefan Berger <stefanb@us.ibm.com>
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions are
14 * Redistributions of source code must retain the above copyright notice,
15 * this list of conditions and the following disclaimer.
17 * Redistributions in binary form must reproduce the above copyright
18 * notice, this list of conditions and the following disclaimer in the
19 * documentation and/or other materials provided with the distribution.
21 * Neither the names of the IBM Corporation nor the names of its
22 * contributors may be used to endorse or promote products derived from
23 * this software without specific prior written permission.
25 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
26 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
27 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
28 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
29 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
30 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
31 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
32 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
33 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
34 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
35 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
49 #include "seccomp_profile.h"
50 #include "swtpm_utils.h"
53 static int create_seccomp_profile_add_rules(scmp_filter_ctx ctx
,
54 int *syscalls
, size_t syscalls_len
,
59 uint32_t act
= SCMP_ACT_KILL
;
62 if (action
== SWTPM_SECCOMP_ACTION_LOG
)
66 for (i
= 0; i
< syscalls_len
; i
++) {
67 ret
= seccomp_rule_add(ctx
, act
, syscalls
[i
], 0);
69 logprintf(STDERR_FILENO
,
70 "seccomp_rule_add failed with errno %d: %s\n",
71 -ret
, strerror(-ret
));
79 * create_seccomp_profile: Build a blacklist of syscalls
81 * cusetpm: whether to build for the CUSE tpm
82 * action: the seccomp action
84 int create_seccomp_profile(bool cusetpm
, unsigned int action
)
91 SCMP_SYS(settimeofday
),
92 SCMP_SYS(clock_adjtime
),
93 SCMP_SYS(clock_settime
),
94 #ifdef __SNR_clock_settime64
95 SCMP_SYS(clock_settime64
),
101 #ifdef __SNR_fsconfig
111 #ifdef __SNR_move_mount
112 SCMP_SYS(move_mount
),
114 #if defined(__SNR_mount_setattr) && defined(__NR_mount_setattr)
115 SCMP_SYS(mount_setattr
),
118 #ifdef __SNR_open_tree
125 SCMP_SYS(kexec_load
),
129 SCMP_SYS(init_module
),
130 SCMP_SYS(finit_module
),
131 SCMP_SYS(delete_module
),
133 SCMP_SYS(kexec_file_load
),
137 /* semaphores and messages queues */
150 SCMP_SYS(mq_timedsend
),
151 SCMP_SYS(mq_timedreceive
),
153 SCMP_SYS(mq_getsetattr
),
159 SCMP_SYS(sigaltstack
),
160 SCMP_SYS(personality
),
162 SCMP_SYS(getpriority
),
163 SCMP_SYS(setpriority
),
164 SCMP_SYS(sched_setparam
),
165 SCMP_SYS(sched_setscheduler
),
166 SCMP_SYS(sched_setaffinity
),
168 SCMP_SYS(sethostname
),
169 SCMP_SYS(setdomainname
),
171 #if defined(__SNR_quotactl_fd) && defined(__NR_quotactl_fd)
172 SCMP_SYS(quotactl_fd
),
175 SCMP_SYS(lookup_dcookie
),
177 SCMP_SYS(request_key
),
179 SCMP_SYS(inotify_init
),
180 SCMP_SYS(inotify_init1
),
181 SCMP_SYS(inotify_add_watch
),
182 SCMP_SYS(inotify_rm_watch
),
188 SCMP_SYS(timerfd_settime
),
189 #ifdef __SNR_timer_settime64
190 SCMP_SYS(timer_settime64
),
192 #ifdef __SNR_timerfd_settime64
193 SCMP_SYS(timerfd_settime64
),
195 SCMP_SYS(timerfd_gettime
),
198 SCMP_SYS(fanotify_init
),
199 SCMP_SYS(fanotify_mark
),
208 #ifdef __SNR_copy_filerange
209 SCMP_SYS(copy_filerange
),
219 SCMP_SYS(llistxattr
),
220 SCMP_SYS(flistxattr
),
221 SCMP_SYS(removexattr
),
222 SCMP_SYS(lremovexattr
),
223 SCMP_SYS(fremovexattr
),
224 /* processs forking */
230 SCMP_SYS(io_destroy
),
231 SCMP_SYS(io_getevents
),
234 SCMP_SYS(ioprio_set
),
235 SCMP_SYS(ioprio_get
),
236 /* not implemented, removed */
237 SCMP_SYS(create_module
),
238 SCMP_SYS(get_kernel_syms
),
239 SCMP_SYS(query_module
),
241 SCMP_SYS(nfsservctl
),
244 SCMP_SYS(afs_syscall
),
247 SCMP_SYS(set_thread_area
),
248 SCMP_SYS(get_thread_area
),
249 SCMP_SYS(epoll_ctl_old
),
250 SCMP_SYS(epoll_wait_old
),
265 /* CUSE TPM needs to clone or fork */
266 int blacklist_noncuse
[] = {
275 SCMP_SYS(sched_setattr
), /* caller: g_thread_pool_new() glib v2.68 */
280 if (action
== SWTPM_SECCOMP_ACTION_NONE
)
283 ctx
= seccomp_init(SCMP_ACT_ALLOW
);
285 logprintf(STDERR_FILENO
, "seccomp_init failed\n");
289 if ((ret
= create_seccomp_profile_add_rules(ctx
, blacklist
,
290 ARRAY_LEN(blacklist
),
292 goto error_seccomp_rule_add
;
295 (ret
= create_seccomp_profile_add_rules(ctx
, blacklist_noncuse
,
296 ARRAY_LEN(blacklist_noncuse
),
298 goto error_seccomp_rule_add
;
300 if ((ret
= seccomp_load(ctx
)) < 0)
301 logprintf(STDERR_FILENO
, "seccomp_load failed with errno %d: %s\n",
302 -ret
, strerror(-ret
));
304 error_seccomp_rule_add
:
305 seccomp_release(ctx
);