commit b226b6ca89fa96b31a39bddd6196b55149cba8c6
parent aa01e5e50458099b5adeea31fb2c3c06d9d799ce
Author: Joris Vink <joris@coders.se>
Date: Tue, 5 Nov 2019 13:12:43 +0100
Allow seccomp to work on arm64 and i386.
Diffstat:
2 files changed, 43 insertions(+), 5 deletions(-)
diff --git a/src/keymgr.c b/src/keymgr.c
@@ -56,7 +56,9 @@
/* The syscalls our keymgr is allowed to perform, only. */
static struct sock_filter filter_keymgr[] = {
/* Required to deal with private keys and certs. */
+#if defined(SYS_open)
KORE_SYSCALL_ALLOW(open),
+#endif
KORE_SYSCALL_ALLOW(read),
KORE_SYSCALL_ALLOW(write),
KORE_SYSCALL_ALLOW(close),
@@ -66,10 +68,14 @@ static struct sock_filter filter_keymgr[] = {
KORE_SYSCALL_ALLOW(openat),
/* Net related. */
+#if defined(SYS_poll)
KORE_SYSCALL_ALLOW(poll),
+#endif
KORE_SYSCALL_ALLOW(sendto),
KORE_SYSCALL_ALLOW(recvfrom),
+#if defined(SYS_epoll_wait)
KORE_SYSCALL_ALLOW(epoll_wait),
+#endif
KORE_SYSCALL_ALLOW(epoll_pwait),
/* Process things. */
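Review bot: Guarding `KORE_SYSCALL_ALLOW(poll)` with `#if defined(SYS_poll)` makes the table compile on arm64, but it does not allow the syscall the libc uses there instead: aarch64 has no poll(2), and glibc implements poll() on top of ppoll(2), so unless `ppoll` is allowed elsewhere in filter_keymgr (not visible in this hunk) the keymgr's first poll() becomes a seccomp violation. The epoll_wait case is fine because the epoll_pwait fallback is already allowed on the next line. Suggest adding `#if defined(SYS_ppoll)` / `KORE_SYSCALL_ALLOW(ppoll),` / `#endif` beside the poll entry. The filter_keymgr array starts and ends outside this hunk.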
@@ -77,7 +83,9 @@ static struct sock_filter filter_keymgr[] = {
KORE_SYSCALL_ALLOW(kill),
KORE_SYSCALL_ALLOW(getuid),
KORE_SYSCALL_ALLOW(getpid),
+#if defined(SYS_arch_prctl)
KORE_SYSCALL_ALLOW(arch_prctl),
+#endif
KORE_SYSCALL_ALLOW(exit_group),
KORE_SYSCALL_ALLOW(sigaltstack),
KORE_SYSCALL_ALLOW(rt_sigreturn),
diff --git a/src/seccomp.c b/src/seccomp.c
@@ -19,7 +19,7 @@
#include <sys/epoll.h>
#include <sys/ptrace.h>
#include <sys/prctl.h>
-#include <sys/reg.h>
+#include <sys/user.h>
#include <sys/syscall.h>
#include <linux/seccomp.h>
@@ -50,21 +50,33 @@ static struct sock_filter filter_kore[] = {
KORE_SYSCALL_DENY(ioctl, EACCES),
/* File related. */
+#if defined(SYS_open)
KORE_SYSCALL_ALLOW(open),
+#endif
KORE_SYSCALL_ALLOW(read),
+#if defined(SYS_stat)
KORE_SYSCALL_ALLOW(stat),
+#endif
+#if defined(SYS_lstat)
KORE_SYSCALL_ALLOW(lstat),
+#endif
KORE_SYSCALL_ALLOW(fstat),
KORE_SYSCALL_ALLOW(write),
KORE_SYSCALL_ALLOW(fcntl),
KORE_SYSCALL_ALLOW(lseek),
KORE_SYSCALL_ALLOW(close),
KORE_SYSCALL_ALLOW(openat),
+#if defined(SYS_access)
KORE_SYSCALL_ALLOW(access),
+#endif
KORE_SYSCALL_ALLOW(writev),
KORE_SYSCALL_ALLOW(getcwd),
+#if defined(SYS_unlink)
KORE_SYSCALL_ALLOW(unlink),
+#endif
+#if defined(SYS_readlink)
KORE_SYSCALL_ALLOW(readlink),
+#endif
/* Process related. */
KORE_SYSCALL_ALLOW(exit),
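Review bot: The new `#if defined(SYS_…)` guards around stat, lstat, access, unlink and readlink only drop names that do not exist on arm64; they do not allow the syscalls the libc issues in their place (fstatat/newfstatat, faccessat, unlinkat, readlinkat), and on i386 glibc issues the LFS variants (stat64/lstat64/fstat64 or fstatat64 depending on glibc version, _llseek, fcntl64) rather than the 64-bit names kept here. Unless those are allowed somewhere in filter_kore outside this hunk, the worker will be killed by the filter at its first stat() or lseek() on those platforms, so the "allow seccomp to work" claim in the title does not look complete; mmap2 and socketcall on i386 deserve the same check. The filter_kore array starts and ends outside this hunk; a guarded block next to the openat entry would cover the gap.
```c
	KORE_SYSCALL_ALLOW(openat),
	/* arm64 has no stat/lstat/access/unlink/readlink; libc uses the *at forms. */
#if defined(SYS_newfstatat)
	KORE_SYSCALL_ALLOW(newfstatat),
#endif
#if defined(SYS_faccessat)
	KORE_SYSCALL_ALLOW(faccessat),
#endif
#if defined(SYS_unlinkat)
	KORE_SYSCALL_ALLOW(unlinkat),
#endif
#if defined(SYS_readlinkat)
	KORE_SYSCALL_ALLOW(readlinkat),
#endif
	/* i386 glibc issues the LFS variants of these. */
#if defined(SYS_stat64)
	KORE_SYSCALL_ALLOW(stat64),
	KORE_SYSCALL_ALLOW(lstat64),
	KORE_SYSCALL_ALLOW(fstat64),
#endif
#if defined(SYS_fstatat64)
	KORE_SYSCALL_ALLOW(fstatat64),
#endif
#if defined(SYS__llseek)
	KORE_SYSCALL_ALLOW(_llseek),
#endif
#if defined(SYS_fcntl64)
	KORE_SYSCALL_ALLOW(fcntl64),
#endif
	/* … unchanged: access, writev, getcwd, unlink, readlink … */
```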
@@ -88,14 +100,18 @@ static struct sock_filter filter_kore[] = {
KORE_SYSCALL_ALLOW(mprotect),
/* Net related. */
+#if defined(SYS_poll)
KORE_SYSCALL_ALLOW(poll),
+#endif
KORE_SYSCALL_ALLOW(sendto),
KORE_SYSCALL_ALLOW(accept),
KORE_SYSCALL_ALLOW(sendfile),
KORE_SYSCALL_ALLOW(recvfrom),
KORE_SYSCALL_ALLOW(epoll_ctl),
KORE_SYSCALL_ALLOW(setsockopt),
+#if defined(SYS_epoll_wait)
KORE_SYSCALL_ALLOW(epoll_wait),
+#endif
KORE_SYSCALL_ALLOW(epoll_pwait),
/* Signal related. */
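Review bot: As in filter_keymgr, wrapping `poll` in `#if defined(SYS_poll)` leaves the arm64 worker without a way to poll: glibc's poll() on aarch64 is built on ppoll(2), which is not allowed in this hunk, so the call would trip the filter unless `ppoll` is allowed elsewhere in filter_kore. Suggest `#if defined(SYS_ppoll)` / `KORE_SYSCALL_ALLOW(ppoll),` / `#endif` next to it; epoll_wait is already covered by the epoll_pwait entry below. The enclosing filter_kore array starts and ends outside this hunk.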
@@ -291,7 +307,7 @@ kore_seccomp_traceme(void)
return;
if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1)
- fatalx("ptrace. %s", errno_s);
+ fatalx("ptrace: %s", errno_s);
if (kill(worker->pid, SIGSTOP) == -1)
fatalx("kill: %s", errno_s);
}
@@ -406,12 +422,26 @@ kore_seccomp_syscall_flag(const char *name, int action, int arg, int value)
static void
seccomp_register_violation(struct kore_worker *kw)
{
- long sysnr;
+ struct iovec iov;
+ struct user_regs_struct regs;
+ long sysnr;
+
+ iov.iov_base = ®s;
+ iov.iov_len = sizeof(regs);
- if ((sysnr = ptrace(PTRACE_PEEKUSER, kw->pid,
- sizeof(long) * ORIG_RAX, NULL)) == -1)
+ if (ptrace(PTRACE_GETREGSET, kw->pid, 1, &iov) == -1)
fatal("ptrace: %s", errno_s);
+#if SECCOMP_AUDIT_ARCH == AUDIT_ARCH_X86_64
+ sysnr = regs.orig_rax;
+#elif SECCOMP_AUDIT_ARCH == AUDIT_ARCH_I386
+ sysnr = regs.orig_ax;
+#elif SECCOMP_AUDIT_ARCH == AUDIT_ARCH_AARCH64
+ sysnr = regs.regs[8];
+#else
+#error "platform not yet supported"
+#endif
+
kore_log(LOG_INFO, "seccomp violation, worker=%d, syscall=%s",
kw->id, kore_seccomp_syscall_name(sysnr));
}
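Review bot: The `AUDIT_ARCH_I386` branch reads `regs.orig_ax`, but the i386 `struct user_regs_struct` shipped in glibc's and musl's <sys/user.h> (the header this commit switches to) spells that field `orig_eax`, so I do not see how this branch compiles on the platform the title adds; if it was built against a header that exposes `orig_ax`, please say which, otherwise change it to `sysnr = regs.orig_eax;`. Two smaller points in the same hunk: the bare `1` passed to `ptrace(PTRACE_GETREGSET, …)` is NT_PRSTATUS and should be spelled as such (`#include <elf.h>`), and the kernel writes back the number of bytes it filled into `iov.iov_len`, so a short regset (e.g. a compat tracee) would leave the register read silently uninitialized; add `if (iov.iov_len != sizeof(regs)) fatal("ptrace: short regset");` after the call. Whether kore_seccomp_syscall_name() handles an unknown or negative sysnr is not visible here and worth confirming before it is formatted with %s.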