src/swtpm/seccomp_profile.c

   1 /*
   2  * seccomp_profile.c -- seccomp profile support
   3  *
   4  * (c) Copyright IBM Corporation 2019.
   5  *
   6  * Author: Stefan Berger <stefanb@us.ibm.com>
   7  *
   8  * All rights reserved.
   9  *
  10  * Redistribution and use in source and binary forms, with or without
  11  * modification, are permitted provided that the following conditions are
  12  * met:
  13  *
  14  * Redistributions of source code must retain the above copyright notice,
  15  * this list of conditions and the following disclaimer.
  16  *
  17  * Redistributions in binary form must reproduce the above copyright
  18  * notice, this list of conditions and the following disclaimer in the
  19  * documentation and/or other materials provided with the distribution.
  20  *
  21  * Neither the names of the IBM Corporation nor the names of its
  22  * contributors may be used to endorse or promote products derived from
  23  * this software without specific prior written permission.
  24  *
  25  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
  26  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
  27  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
  28  * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
  29  * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  30  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
  31  * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
  32  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
  33  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  34  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
  35  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  36  */
  37
  38 #include "config.h"
  39
  40 #include <stdbool.h>
  41 #include <string.h>
  42
  43 #ifdef WITH_SECCOMP
  44 # include <seccomp.h>
  45 #endif
  46
  47 #include "logging.h"
  48 #include "utils.h"
  49 #include "seccomp_profile.h"
  50 #include "swtpm_utils.h"
  51
  52 #ifdef WITH_SECCOMP
  53 static int create_seccomp_profile_add_rules(scmp_filter_ctx ctx,
  54                                             int *syscalls, size_t syscalls_len,
  55                                             unsigned int action)
  56 {
  57     int ret = 0;
  58     unsigned i = 0;
  59     uint32_t act = SCMP_ACT_KILL;
  60
  61 #ifdef SCMP_ACT_LOG
  62     if (action == SWTPM_SECCOMP_ACTION_LOG)
  63         act = SCMP_ACT_LOG;
  64 #endif
  65
  66     for (i = 0; i < syscalls_len; i++) {
  67         ret = seccomp_rule_add(ctx, act, syscalls[i], 0);
  68         if (ret < 0) {
  69             logprintf(STDERR_FILENO,
  70                       "seccomp_rule_add failed with errno %d: %s\n",
  71                       -ret, strerror(-ret));
  72             break;
  73         }
  74     }
  75     return ret;
  76 }
  77
  78 /*
  79  * create_seccomp_profile: Build a blacklist of syscalls
  80  *
  81  * cusetpm: whether to build for the CUSE tpm
  82  * action: the seccomp action
  83  */
  84 int create_seccomp_profile(bool cusetpm, unsigned int action)
  85 {
  86     int blacklist[] = {
  87         /* high concern */
  88         SCMP_SYS(capset),
  89         SCMP_SYS(pivot_root),
  90         SCMP_SYS(chroot),
  91         SCMP_SYS(settimeofday),
  92         SCMP_SYS(clock_adjtime),
  93         SCMP_SYS(clock_settime),
  94 #ifdef __SNR_clock_settime64
  95         SCMP_SYS(clock_settime64),
  96 #endif
  97         SCMP_SYS(adjtimex),
  98 #ifdef __SNR_fsopen
  99         SCMP_SYS(fsopen),
 100 #endif
 101 #ifdef __SNR_fsconfig
 102         SCMP_SYS(fsconfig),
 103 #endif
 104 #ifdef __SNR_fsmount
 105         SCMP_SYS(fsmount),
 106 #endif
 107 #ifdef __SNR_fspick
 108         SCMP_SYS(fspick),
 109 #endif
 110         SCMP_SYS(mount),
 111 #ifdef __SNR_move_mount
 112         SCMP_SYS(move_mount),
 113 #endif
 114 #if defined(__SNR_mount_setattr) && defined(__NR_mount_setattr)
 115         SCMP_SYS(mount_setattr),
 116 #endif
 117         SCMP_SYS(umount2),
 118 #ifdef __SNR_open_tree
 119         SCMP_SYS(open_tree),
 120 #endif
 121         SCMP_SYS(swapon),
 122         SCMP_SYS(swapoff),
 123         SCMP_SYS(reboot),
 124         SCMP_SYS(tgkill),
 125         SCMP_SYS(kexec_load),
 126         SCMP_SYS(unshare),
 127         SCMP_SYS(setns),
 128         SCMP_SYS(kcmp),
 129         SCMP_SYS(init_module),
 130         SCMP_SYS(finit_module),
 131         SCMP_SYS(delete_module),
 132         SCMP_SYS(seccomp),
 133         SCMP_SYS(kexec_file_load),
 134 #ifdef __SNR_sysctl
 135         SCMP_SYS(sysctl),
 136 #endif
 137         /* semaphores and messages queues */
 138         SCMP_SYS(semget),
 139         SCMP_SYS(semop),
 140         SCMP_SYS(shmget),
 141         SCMP_SYS(shmat),
 142         SCMP_SYS(shmctl),
 143         SCMP_SYS(shmdt),
 144         SCMP_SYS(msgget),
 145         SCMP_SYS(msgsnd),
 146         SCMP_SYS(msgrcv),
 147         SCMP_SYS(msgctl),
 148         SCMP_SYS(mq_open),
 149         SCMP_SYS(mq_unlink),
 150         SCMP_SYS(mq_timedsend),
 151         SCMP_SYS(mq_timedreceive),
 152         SCMP_SYS(mq_notify),
 153         SCMP_SYS(mq_getsetattr),
 154         /* misc */
 155         SCMP_SYS(ptrace),
 156         SCMP_SYS(syslog),
 157         SCMP_SYS(capget),
 158         SCMP_SYS(capset),
 159         SCMP_SYS(sigaltstack),
 160         SCMP_SYS(personality),
 161         SCMP_SYS(sysfs),
 162         SCMP_SYS(getpriority),
 163         SCMP_SYS(setpriority),
 164         SCMP_SYS(sched_setparam),
 165         SCMP_SYS(sched_setscheduler),
 166         SCMP_SYS(sched_setaffinity),
 167         SCMP_SYS(vhangup),
 168         SCMP_SYS(sethostname),
 169         SCMP_SYS(setdomainname),
 170         SCMP_SYS(quotactl),
 171 #if defined(__SNR_quotactl_fd) && defined(__NR_quotactl_fd)
 172         SCMP_SYS(quotactl_fd),
 173 #endif
 174         SCMP_SYS(readahead),
 175         SCMP_SYS(lookup_dcookie),
 176         SCMP_SYS(add_key),
 177         SCMP_SYS(request_key),
 178         SCMP_SYS(keyctl),
 179         SCMP_SYS(inotify_init),
 180         SCMP_SYS(inotify_init1),
 181         SCMP_SYS(inotify_add_watch),
 182         SCMP_SYS(inotify_rm_watch),
 183         SCMP_SYS(splice),
 184         SCMP_SYS(tee),
 185         SCMP_SYS(vmsplice),
 186         SCMP_SYS(signalfd),
 187         SCMP_SYS(eventfd),
 188         SCMP_SYS(timerfd_settime),
 189 #ifdef __SNR_timer_settime64
 190         SCMP_SYS(timer_settime64),
 191 #endif
 192 #ifdef __SNR_timerfd_settime64
 193         SCMP_SYS(timerfd_settime64),
 194 #endif
 195         SCMP_SYS(timerfd_gettime),
 196         SCMP_SYS(signalfd4),
 197         SCMP_SYS(eventfd2),
 198         SCMP_SYS(fanotify_init),
 199         SCMP_SYS(fanotify_mark),
 200         SCMP_SYS(mknod),
 201         SCMP_SYS(mknodat),
 202         SCMP_SYS(acct),
 203         SCMP_SYS(prlimit64),
 204         SCMP_SYS(setrlimit),
 205 #ifdef __SNR_bpf
 206         SCMP_SYS(bpf),
 207 #endif
 208 #ifdef __SNR_copy_filerange
 209         SCMP_SYS(copy_filerange),
 210 #endif
 211         /* xattrs */
 212         SCMP_SYS(setxattr),
 213         SCMP_SYS(lsetxattr),
 214         SCMP_SYS(fsetxattr),
 215         SCMP_SYS(getxattr),
 216         SCMP_SYS(lgetxattr),
 217         SCMP_SYS(fgetxattr),
 218         SCMP_SYS(listxattr),
 219         SCMP_SYS(llistxattr),
 220         SCMP_SYS(flistxattr),
 221         SCMP_SYS(removexattr),
 222         SCMP_SYS(lremovexattr),
 223         SCMP_SYS(fremovexattr),
 224         /* processs forking */
 225         SCMP_SYS(execve),
 226         /* io */
 227         SCMP_SYS(iopl),
 228         SCMP_SYS(ioperm),
 229         SCMP_SYS(io_setup),
 230         SCMP_SYS(io_destroy),
 231         SCMP_SYS(io_getevents),
 232         SCMP_SYS(io_submit),
 233         SCMP_SYS(io_cancel),
 234         SCMP_SYS(ioprio_set),
 235         SCMP_SYS(ioprio_get),
 236         /* not implemented, removed */
 237         SCMP_SYS(create_module),
 238         SCMP_SYS(get_kernel_syms),
 239         SCMP_SYS(query_module),
 240         SCMP_SYS(uselib),
 241         SCMP_SYS(nfsservctl),
 242         SCMP_SYS(getpmsg),
 243         SCMP_SYS(putpmsg),
 244         SCMP_SYS(afs_syscall),
 245         SCMP_SYS(tuxcall),
 246         SCMP_SYS(security),
 247         SCMP_SYS(set_thread_area),
 248         SCMP_SYS(get_thread_area),
 249         SCMP_SYS(epoll_ctl_old),
 250         SCMP_SYS(epoll_wait_old),
 251         SCMP_SYS(vserver),
 252         /* privileged */
 253         SCMP_SYS(setuid),
 254         SCMP_SYS(setgid),
 255         SCMP_SYS(setpgid),
 256         SCMP_SYS(setsid),
 257         SCMP_SYS(setreuid),
 258         SCMP_SYS(setregid),
 259         SCMP_SYS(setgroups),
 260         SCMP_SYS(setresuid),
 261         SCMP_SYS(setresgid),
 262         SCMP_SYS(setfsuid),
 263         SCMP_SYS(setfsgid)
 264     };
 265     /* CUSE TPM needs to clone or fork */
 266     int blacklist_noncuse[] = {
 267         SCMP_SYS(clone),
 268         SCMP_SYS(fork),
 269         SCMP_SYS(vfork),
 270         SCMP_SYS(prctl),
 271 #ifdef __SNR_clone3
 272         SCMP_SYS(clone3),
 273 #endif
 274         /* misc */
 275         SCMP_SYS(sched_setattr), /* caller: g_thread_pool_new() glib v2.68 */
 276     };
 277     scmp_filter_ctx ctx;
 278     int ret;
 279
 280     if (action == SWTPM_SECCOMP_ACTION_NONE)
 281         return 0;
 282
 283     ctx = seccomp_init(SCMP_ACT_ALLOW);
 284     if (!ctx) {
 285         logprintf(STDERR_FILENO, "seccomp_init failed\n");
 286         return -1;
 287     }
 288
 289     if ((ret = create_seccomp_profile_add_rules(ctx, blacklist,
 290                                                 ARRAY_LEN(blacklist),
 291                                                 action)) < 0)
 292         goto error_seccomp_rule_add;
 293
 294     if (!cusetpm &&
 295         (ret = create_seccomp_profile_add_rules(ctx, blacklist_noncuse,
 296                                                 ARRAY_LEN(blacklist_noncuse),
 297                                                 action)) < 0)
 298         goto error_seccomp_rule_add;
 299
 300     if ((ret = seccomp_load(ctx)) < 0)
 301         logprintf(STDERR_FILENO, "seccomp_load failed with errno %d: %s\n",
 302                   -ret, strerror(-ret));
 303
 304 error_seccomp_rule_add:
 305     seccomp_release(ctx);
 306
 307     return ret;
 308 }
 309 #endif