kore

An easy to use, scalable and secure web application framework for writing web APIs in C.

commit b226b6ca89fa96b31a39bddd6196b55149cba8c6
parent aa01e5e50458099b5adeea31fb2c3c06d9d799ce
Author: Joris Vink <joris@coders.se>
Date:   Tue,  5 Nov 2019 13:12:43 +0100

Allow seccomp to work on arm64 and i386.

Diffstat:
src/keymgr.c | 8++++++++
src/seccomp.c | 40+++++++++++++++++++++++++++++++++++-----
2 files changed, 43 insertions(+), 5 deletions(-)

diff --git a/src/keymgr.c b/src/keymgr.c
@@ -56,7 +56,9 @@
/* The syscalls our keymgr is allowed to perform, only. */
static struct sock_filter filter_keymgr[] = {
/* Required to deal with private keys and certs. */
+#if defined(SYS_open)
KORE_SYSCALL_ALLOW(open),
+#endif
KORE_SYSCALL_ALLOW(read),
KORE_SYSCALL_ALLOW(write),
KORE_SYSCALL_ALLOW(close),
@@ -66,10 +68,14 @@ static struct sock_filter filter_keymgr[] = {
KORE_SYSCALL_ALLOW(openat),
/* Net related. */
+#if defined(SYS_poll)
KORE_SYSCALL_ALLOW(poll),
+#endif
KORE_SYSCALL_ALLOW(sendto),
KORE_SYSCALL_ALLOW(recvfrom),
+#if defined(SYS_epoll_wait)
KORE_SYSCALL_ALLOW(epoll_wait),
+#endif
KORE_SYSCALL_ALLOW(epoll_pwait),
/* Process things. */
@@ -77,7 +83,9 @@ static struct sock_filter filter_keymgr[] = {
KORE_SYSCALL_ALLOW(kill),
KORE_SYSCALL_ALLOW(getuid),
KORE_SYSCALL_ALLOW(getpid),
+#if defined(SYS_arch_prctl)
KORE_SYSCALL_ALLOW(arch_prctl),
+#endif
KORE_SYSCALL_ALLOW(exit_group),
KORE_SYSCALL_ALLOW(sigaltstack),
KORE_SYSCALL_ALLOW(rt_sigreturn),
diff --git a/src/seccomp.c b/src/seccomp.c
@@ -19,7 +19,7 @@
#include <sys/epoll.h>
#include <sys/ptrace.h>
#include <sys/prctl.h>
-#include <sys/reg.h>
+#include <sys/user.h>
#include <sys/syscall.h>
#include <linux/seccomp.h>
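Review bot: The `#if defined(SYS_poll)` guard in the second `filter_keymgr` hunk removes poll from the keymgr allow list on arm64 without adding what libc uses there; to my knowledge aarch64 has no `SYS_poll` and glibc implements poll() through `ppoll`, which does not appear in the visible list, so a keymgr poll() would be reported as a violation on the very platform this commit targets (unless ppoll is allowed elsewhere in the table, which these hunks do not show). The `SYS_epoll_wait` guard is fine because `epoll_pwait` is already allowed right below it, and the `SYS_open` guard is covered by the unconditional `openat` entry. I would keep the x86 tables unchanged and give the poll guard an `#else` branch: `#else` / `KORE_SYSCALL_ALLOW(ppoll),` before its `#endif`.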
@@ -50,21 +50,33 @@ static struct sock_filter filter_kore[] = {
KORE_SYSCALL_DENY(ioctl, EACCES),
/* File related. */
+#if defined(SYS_open)
KORE_SYSCALL_ALLOW(open),
+#endif
KORE_SYSCALL_ALLOW(read),
+#if defined(SYS_stat)
KORE_SYSCALL_ALLOW(stat),
+#endif
+#if defined(SYS_lstat)
KORE_SYSCALL_ALLOW(lstat),
+#endif
KORE_SYSCALL_ALLOW(fstat),
KORE_SYSCALL_ALLOW(write),
KORE_SYSCALL_ALLOW(fcntl),
KORE_SYSCALL_ALLOW(lseek),
KORE_SYSCALL_ALLOW(close),
KORE_SYSCALL_ALLOW(openat),
+#if defined(SYS_access)
KORE_SYSCALL_ALLOW(access),
+#endif
KORE_SYSCALL_ALLOW(writev),
KORE_SYSCALL_ALLOW(getcwd),
+#if defined(SYS_unlink)
KORE_SYSCALL_ALLOW(unlink),
+#endif
+#if defined(SYS_readlink)
KORE_SYSCALL_ALLOW(readlink),
+#endif
/* Process related. */
KORE_SYSCALL_ALLOW(exit),
@@ -88,14 +100,18 @@ static struct sock_filter filter_kore[] = {
KORE_SYSCALL_ALLOW(mprotect),
/* Net related. */
+#if defined(SYS_poll)
KORE_SYSCALL_ALLOW(poll),
+#endif
KORE_SYSCALL_ALLOW(sendto),
KORE_SYSCALL_ALLOW(accept),
KORE_SYSCALL_ALLOW(sendfile),
KORE_SYSCALL_ALLOW(recvfrom),
KORE_SYSCALL_ALLOW(epoll_ctl),
KORE_SYSCALL_ALLOW(setsockopt),
+#if defined(SYS_epoll_wait)
KORE_SYSCALL_ALLOW(epoll_wait),
+#endif
KORE_SYSCALL_ALLOW(epoll_pwait),
/* Signal related. */
@@ -291,7 +307,7 @@ kore_seccomp_traceme(void)
return;
if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1)
- fatalx("ptrace. %s", errno_s);
+ fatalx("ptrace: %s", errno_s);
if (kill(worker->pid, SIGSTOP) == -1)
fatalx("kill: %s", errno_s);
}
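Review bot: In the file-related hunk of `filter_kore`, the new `SYS_stat`, `SYS_lstat`, `SYS_access`, `SYS_unlink` and `SYS_readlink` guards make the table compile on arm64 but leave nothing in place of the dropped entries: as far as I know aarch64 has no legacy numbers for those calls and glibc routes stat()/lstat() through `newfstatat`, access() through `faccessat`, unlink() through `unlinkat` and readlink() through `readlinkat`, none of which appear in the visible allow list, so a worker using those wrappers would trip the filter on exactly the platform this commit enables (unless they are allowed elsewhere in the table, which these hunks do not show). The `SYS_poll` guard in the net hunk has the same shape, with `ppoll` as the arm64 equivalent, while `epoll_wait` is already covered by the unconditional `epoll_pwait`. I would give each guard an `#else` branch naming the *at variant so the x86 tables stay byte-identical; the stat and unlink cases below show the pattern, and lstat/access/readlink/poll follow it with `newfstatat`, `faccessat`, `readlinkat` and `ppoll`.
```c
#if defined(SYS_stat)
	KORE_SYSCALL_ALLOW(stat),
#else
	KORE_SYSCALL_ALLOW(newfstatat),
#endif
/* … unchanged: lstat guard, fstat … getcwd … */
#if defined(SYS_unlink)
	KORE_SYSCALL_ALLOW(unlink),
#else
	KORE_SYSCALL_ALLOW(unlinkat),
#endif
/* … unchanged: readlink guard, process related entries … */
```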
@@ -406,12 +422,26 @@ kore_seccomp_syscall_flag(const char *name, int action, int arg, int value)
static void
seccomp_register_violation(struct kore_worker *kw)
{
- long sysnr;
+ struct iovec iov;
+ struct user_regs_struct regs;
+ long sysnr;
+
+ iov.iov_base = &regs;
+ iov.iov_len = sizeof(regs);
- if ((sysnr = ptrace(PTRACE_PEEKUSER, kw->pid,
- sizeof(long) * ORIG_RAX, NULL)) == -1)
+ if (ptrace(PTRACE_GETREGSET, kw->pid, 1, &iov) == -1)
fatal("ptrace: %s", errno_s);
+#if SECCOMP_AUDIT_ARCH == AUDIT_ARCH_X86_64
+ sysnr = regs.orig_rax;
+#elif SECCOMP_AUDIT_ARCH == AUDIT_ARCH_I386
+ sysnr = regs.orig_ax;
+#elif SECCOMP_AUDIT_ARCH == AUDIT_ARCH_AARCH64
+ sysnr = regs.regs[8];
+#else
+#error "platform not yet supported"
+#endif
+
kore_log(LOG_INFO, "seccomp violation, worker=%d, syscall=%s",
kw->id, kore_seccomp_syscall_name(sysnr));
}
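Review bot: The new `ptrace(PTRACE_GETREGSET, kw->pid, 1, &iov)` line passes the register-set id as a bare `1` and never checks how much the kernel actually copied: on return the kernel rewrites `iov.iov_len` to the number of bytes it filled, and `regs` is otherwise uninitialised, so a short copy (I believe a 32-bit tracee seen from a 64-bit tracer is one such case, since the kernel hands back the tracee's own register layout) would leave `orig_rax`/`orig_ax`/`regs[8]` holding stack garbage that is then logged as the violating syscall. I would name the constant and reject a short read, keeping the existing `fatal` for the `-1` case: `if (ptrace(PTRACE_GETREGSET, kw->pid, NT_PRSTATUS, &iov) == -1)` … then `if (iov.iov_len != sizeof(regs))` / `fatal("ptrace: short register set");` — `NT_PRSTATUS` comes from `<elf.h>`, which I cannot see among the includes in this diff. A one-line comment above the `#if SECCOMP_AUDIT_ARCH` ladder, such as `/* The syscall number lives in a different register on each ABI. */`, would also help the next port.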