seccomp.c (12519B)
1 /*
2 * Copyright (c) 2019-2022 Joris Vink <joris@coders.se>
3 *
4 * Permission to use, copy, modify, and distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
7 *
8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15 */
16
17 #include <sys/param.h>
18 #include <sys/mman.h>
19 #include <sys/epoll.h>
20 #include <sys/ptrace.h>
21 #include <sys/prctl.h>
22 #include <sys/user.h>
23 #include <sys/syscall.h>
24
25 #include <linux/ptrace.h>
26 #include <linux/seccomp.h>
27 #include <linux/filter.h>
28 #include <linux/audit.h>
29
30 #include <stddef.h>
31 #include <sched.h>
32
33 #include "kore.h"
34 #include "seccomp.h"
35 #include "platform.h"
36
37 #if defined(KORE_USE_PYTHON)
38 #include "python_api.h"
39 #endif
40
41 #if !defined(SECCOMP_KILL_POLICY)
42 #define SECCOMP_KILL_POLICY SECCOMP_RET_KILL
43 #endif
44
45 /*
46 * The bare minimum to be able to run kore. These are added last and can
47 * be overwritten by a filter program that is added before hand.
48 */
49 static struct sock_filter filter_kore[] = {
50 /* Deny these, but with EACCESS instead of dying. */
51 KORE_SYSCALL_DENY(ioctl, EACCES),
52
53 /* File related. */
54 #if defined(SYS_open)
55 KORE_SYSCALL_ALLOW(open),
56 #endif
57 KORE_SYSCALL_ALLOW(read),
58 #if defined(SYS_stat)
59 KORE_SYSCALL_ALLOW(stat),
60 #endif
61 #if defined(SYS_stat64)
62 KORE_SYSCALL_ALLOW(stat64),
63 #endif
64 #if defined(SYS_lstat)
65 KORE_SYSCALL_ALLOW(lstat),
66 #endif
67 KORE_SYSCALL_ALLOW(fstat),
68 #if defined(SYS_fstat64)
69 KORE_SYSCALL_ALLOW(fstat64),
70 #endif
71 #if defined(SYS_newfstatat)
72 KORE_SYSCALL_ALLOW(newfstatat),
73 #endif
74 KORE_SYSCALL_ALLOW(write),
75 KORE_SYSCALL_ALLOW(fcntl),
76 #if defined(SYS_fcntl64)
77 KORE_SYSCALL_ALLOW(fcntl64),
78 #endif
79 KORE_SYSCALL_ALLOW(lseek),
80 #if defined(SYS__llseek)
81 KORE_SYSCALL_ALLOW(_llseek),
82 #endif
83 KORE_SYSCALL_ALLOW(close),
84 KORE_SYSCALL_ALLOW(openat),
85 #if defined(SYS_access)
86 KORE_SYSCALL_ALLOW(access),
87 #endif
88 KORE_SYSCALL_ALLOW(writev),
89 KORE_SYSCALL_ALLOW(getcwd),
90 #if defined(SYS_unlink)
91 KORE_SYSCALL_ALLOW(unlink),
92 #endif
93 #if defined(SYS_readlink)
94 KORE_SYSCALL_ALLOW(readlink),
95 #endif
96 #if defined(SYS_readlinkat)
97 KORE_SYSCALL_ALLOW(readlinkat),
98 #endif
99
100 /* Process related. */
101 KORE_SYSCALL_ALLOW(exit),
102 KORE_SYSCALL_ALLOW(kill),
103 KORE_SYSCALL_ALLOW(getpid),
104 KORE_SYSCALL_ALLOW(getuid),
105 KORE_SYSCALL_ALLOW(geteuid),
106 KORE_SYSCALL_ALLOW(exit_group),
107 KORE_SYSCALL_ALLOW(nanosleep),
108 #if defined(SYS_clock_nanosleep)
109 KORE_SYSCALL_ALLOW(clock_nanosleep),
110 #endif
111 #if defined(SYS_sigreturn)
112 KORE_SYSCALL_ALLOW(sigreturn),
113 #endif
114
115 /* Memory related. */
116 KORE_SYSCALL_ALLOW(brk),
117 KORE_SYSCALL_ALLOW(munmap),
118
119 /* Deny mmap/mprotect calls with PROT_EXEC/PROT_WRITE protection. */
120 #if defined(SYS_mmap)
121 KORE_SYSCALL_DENY_WITH_FLAG(mmap, 2, PROT_EXEC | PROT_WRITE, EINVAL),
122 #endif
123 #if defined(SYS_mmap2)
124 KORE_SYSCALL_DENY_WITH_FLAG(mmap2, 2, PROT_EXEC | PROT_WRITE, EINVAL),
125 #endif
126 KORE_SYSCALL_DENY_WITH_FLAG(mprotect, 2, PROT_EXEC, EINVAL),
127
128 #if defined(SYS_mmap)
129 KORE_SYSCALL_ALLOW(mmap),
130 #endif
131 #if defined(SYS_mmap2)
132 KORE_SYSCALL_ALLOW(mmap2),
133 #endif
134 KORE_SYSCALL_ALLOW(madvise),
135 KORE_SYSCALL_ALLOW(mprotect),
136
137 /* Net related. */
138 #if defined(SYS_poll)
139 KORE_SYSCALL_ALLOW(poll),
140 #endif
141 KORE_SYSCALL_ALLOW(ppoll),
142 #if defined(SYS_send)
143 KORE_SYSCALL_ALLOW(send),
144 #endif
145 KORE_SYSCALL_ALLOW(sendto),
146 KORE_SYSCALL_ALLOW(accept),
147 KORE_SYSCALL_ALLOW(sendfile),
148 #if defined(SYS_recv)
149 KORE_SYSCALL_ALLOW(recv),
150 #endif
151 KORE_SYSCALL_ALLOW(recvfrom),
152 KORE_SYSCALL_ALLOW(epoll_ctl),
153 KORE_SYSCALL_ALLOW(setsockopt),
154 #if defined(SYS_epoll_wait)
155 KORE_SYSCALL_ALLOW(epoll_wait),
156 #endif
157 KORE_SYSCALL_ALLOW(epoll_pwait),
158
159 /* Signal related. */
160 KORE_SYSCALL_ALLOW(sigaltstack),
161 KORE_SYSCALL_ALLOW(rt_sigreturn),
162 KORE_SYSCALL_ALLOW(rt_sigaction),
163 KORE_SYSCALL_ALLOW(rt_sigprocmask),
164
165 /* "Other" without clear category. */
166 KORE_SYSCALL_ALLOW(futex),
167 #if defined(SYS_clock_gettime)
168 KORE_SYSCALL_ALLOW(clock_gettime),
169 #endif
170
171 #if defined(__NR_getrandom)
172 KORE_SYSCALL_ALLOW(getrandom),
173 #endif
174 };
175
176 /* bpf program prologue. */
177 static struct sock_filter filter_prologue[] = {
178 /* Load arch member into accumulator (A) (arch is __u32). */
179 KORE_BPF_LOAD(arch, 0),
180
181 /* Compare accumulator against constant, if false jump over kill. */
182 KORE_BPF_CMP(SECCOMP_AUDIT_ARCH, 1, 0),
183 KORE_BPF_RET(SECCOMP_RET_KILL),
184
185 /* Load the system call number into the accumulator. */
186 KORE_BPF_LOAD(nr, 0),
187 };
188
189 /* bpf program epilogue. */
190 static struct sock_filter filter_epilogue[] = {
191 /* Return hit if no system calls matched our list. */
192 BPF_STMT(BPF_RET+BPF_K, SECCOMP_KILL_POLICY)
193 };
194
195 static struct sock_filter *seccomp_filter_update(struct sock_filter *,
196 const char *, size_t);
197
198 #define filter_prologue_len KORE_FILTER_LEN(filter_prologue)
199 #define filter_epilogue_len KORE_FILTER_LEN(filter_epilogue)
200
201 static void seccomp_register_violation(pid_t);
202
203 struct filter {
204 char *name;
205 struct sock_filter *prog;
206 size_t instructions;
207 TAILQ_ENTRY(filter) list;
208 };
209
210 static TAILQ_HEAD(, filter) filters;
211 static struct filter *ufilter = NULL;
212
213 /*
214 * If enabled will instruct the parent process to ptrace its children and
215 * log any seccomp SECCOMP_RET_TRACE rule.
216 */
217 int kore_seccomp_tracing = 0;
218
219 void
220 kore_seccomp_init(void)
221 {
222 TAILQ_INIT(&filters);
223 }
224
225 void
226 kore_seccomp_drop(void)
227 {
228 struct filter *filter;
229
230 while ((filter = TAILQ_FIRST(&filters)) != NULL) {
231 if (!kore_quiet) {
232 kore_log(LOG_INFO,
233 "seccomp filter '%s' dropped", filter->name);
234 }
235 TAILQ_REMOVE(&filters, filter, list);
236 kore_free(filter->name);
237 kore_free(filter);
238 }
239
240 TAILQ_INIT(&filters);
241 }
242
243 void
244 kore_seccomp_enable(void)
245 {
246 struct sock_filter *sf;
247 struct sock_fprog prog;
248 struct kore_runtime_call *rcall;
249 struct filter *filter;
250 size_t prog_len, off, i;
251
252 /*
253 * If kore_seccomp_tracing is turned on, set the default policy to
254 * SECCOMP_RET_TRACE so we can log the system calls.
255 */
256 if (kore_seccomp_tracing) {
257 filter_epilogue[0].k = SECCOMP_RET_TRACE;
258 kore_log(LOG_NOTICE, "seccomp tracing enabled");
259 }
260
261 #if defined(KORE_USE_PYTHON)
262 ufilter = TAILQ_FIRST(&filters);
263 kore_python_seccomp_hook("koreapp.seccomp");
264 ufilter = NULL;
265 #endif
266
267 /* Allow application to add its own filters. */
268 if ((rcall = kore_runtime_getcall("kore_seccomp_hook")) != NULL) {
269 ufilter = TAILQ_FIRST(&filters);
270 kore_runtime_execute(rcall);
271 kore_free(rcall);
272 ufilter = NULL;
273 }
274
275 if (worker->id != KORE_WORKER_KEYMGR) {
276 /* Add worker required syscalls. */
277 kore_seccomp_filter("worker", filter_kore,
278 KORE_FILTER_LEN(filter_kore));
279 }
280
281 /* Start with the prologue. */
282 prog_len = filter_prologue_len;
283
284 /* Now account for all enabled filters. */
285 TAILQ_FOREACH(filter, &filters, list)
286 prog_len += filter->instructions;
287
288 /* Finally add the epilogue. */
289 prog_len += filter_epilogue_len;
290
291 /* Build the entire bpf program now. */
292 if ((sf = calloc(prog_len, sizeof(*sf))) == NULL)
293 fatalx("calloc");
294
295 off = 0;
296 for (i = 0; i < filter_prologue_len; i++)
297 sf[off++] = filter_prologue[i];
298
299 TAILQ_FOREACH(filter, &filters, list) {
300 for (i = 0; i < filter->instructions; i++)
301 sf[off++] = filter->prog[i];
302 }
303
304 for (i = 0; i < filter_epilogue_len; i++)
305 sf[off++] = filter_epilogue[i];
306
307 /* Lock and load it. */
308 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
309 fatalx("prctl: %s", errno_s);
310
311 prog.filter = sf;
312 prog.len = prog_len;
313
314 if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == -1)
315 fatalx("prctl: %s", errno_s);
316
317 #if defined(KORE_USE_PYTHON)
318 kore_python_seccomp_cleanup();
319 #endif
320 }
321
322 int
323 kore_seccomp_filter(const char *name, void *prog, size_t len)
324 {
325 struct filter *filter;
326
327 TAILQ_FOREACH(filter, &filters, list) {
328 if (!strcmp(filter->name, name))
329 return (KORE_RESULT_ERROR);
330 }
331
332 filter = kore_calloc(1, sizeof(*filter));
333
334 filter->prog = prog;
335 filter->instructions = len;
336 filter->name = kore_strdup(name);
337
338 if (ufilter) {
339 TAILQ_INSERT_BEFORE(ufilter, filter, list);
340 } else {
341 TAILQ_INSERT_TAIL(&filters, filter, list);
342 }
343
344 return (KORE_RESULT_OK);
345 }
346
347 void
348 kore_seccomp_traceme(void)
349 {
350 if (kore_seccomp_tracing == 0)
351 return;
352
353 if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1)
354 fatalx("ptrace: %s", errno_s);
355 if (kill(worker->pid, SIGSTOP) == -1)
356 fatalx("kill: %s", errno_s);
357 }
358
359 int
360 kore_seccomp_trace(pid_t pid, int status)
361 {
362 int evt;
363
364 if (kore_seccomp_tracing == 0)
365 return (KORE_RESULT_ERROR);
366
367 if (WIFSTOPPED(status) && WSTOPSIG(status) == SIGSTOP) {
368 if (ptrace(PTRACE_SETOPTIONS, pid, NULL,
369 PTRACE_O_TRACESECCOMP | PTRACE_O_TRACECLONE |
370 PTRACE_O_TRACEFORK) == -1)
371 fatal("ptrace: %s", errno_s);
372 if (ptrace(PTRACE_CONT, pid, NULL, NULL) == -1)
373 fatal("ptrace: %s", errno_s);
374 return (KORE_RESULT_OK);
375 }
376
377 if (WIFSTOPPED(status) && WSTOPSIG(status) == SIGTRAP) {
378 evt = status >> 8;
379 if (evt == (SIGTRAP | (PTRACE_EVENT_SECCOMP << 8)))
380 seccomp_register_violation(pid);
381 if (ptrace(PTRACE_CONT, pid, NULL, NULL) == -1)
382 fatal("ptrace: %s", errno_s);
383 return (KORE_RESULT_OK);
384 }
385
386 if (WIFSTOPPED(status)) {
387 if (ptrace(PTRACE_CONT, pid, NULL, WSTOPSIG(status)) == -1)
388 fatal("ptrace: %s", errno_s);
389 return (KORE_RESULT_OK);
390 }
391
392 return (KORE_RESULT_ERROR);
393 }
394
395 int
396 kore_seccomp_syscall_resolve(const char *name)
397 {
398 int i;
399
400 for (i = 0; kore_syscall_map[i].name != NULL; i++) {
401 if (!strcmp(name, kore_syscall_map[i].name))
402 return (kore_syscall_map[i].nr);
403 }
404
405 return (-1);
406 }
407
408 const char *
409 kore_seccomp_syscall_name(long sysnr)
410 {
411 int i;
412
413 for (i = 0; kore_syscall_map[i].name != NULL; i++) {
414 if (kore_syscall_map[i].nr == sysnr)
415 return (kore_syscall_map[i].name);
416 }
417
418 return ("unknown");
419 }
420
421 struct sock_filter *
422 kore_seccomp_syscall_filter(const char *name, int action)
423 {
424 struct sock_filter filter[] = {
425 KORE_SYSCALL_FILTER(exit, action),
426 KORE_BPF_GUARD
427 };
428
429 return (seccomp_filter_update(filter, name, KORE_FILTER_LEN(filter)));
430 }
431
432 struct sock_filter *
433 kore_seccomp_syscall_arg(const char *name, int action, int arg, int value)
434 {
435 struct sock_filter filter[] = {
436 KORE_SYSCALL_ARG(exit, arg, value, action),
437 KORE_BPF_GUARD
438 };
439
440 return (seccomp_filter_update(filter, name, KORE_FILTER_LEN(filter)));
441 }
442
443 struct sock_filter *
444 kore_seccomp_syscall_mask(const char *name, int action, int arg, int value)
445 {
446 struct sock_filter filter[] = {
447 KORE_SYSCALL_MASK(exit, arg, value, action),
448 KORE_BPF_GUARD
449 };
450
451 return (seccomp_filter_update(filter, name, KORE_FILTER_LEN(filter)));
452 }
453
454 struct sock_filter *
455 kore_seccomp_syscall_flag(const char *name, int action, int arg, int value)
456 {
457 struct sock_filter filter[] = {
458 KORE_SYSCALL_WITH_FLAG(exit, arg, value, action),
459 KORE_BPF_GUARD
460 };
461
462 return (seccomp_filter_update(filter, name, KORE_FILTER_LEN(filter)));
463 }
464
465 static void
466 seccomp_register_violation(pid_t pid)
467 {
468 int idx;
469 struct kore_worker *kw;
470 struct iovec iov;
471 #if defined(__arm__)
472 struct pt_regs regs;
473 #else
474 struct user_regs_struct regs;
475 #endif
476 long sysnr;
477 const char *name;
478
479 iov.iov_base = ®s;
480 iov.iov_len = sizeof(regs);
481
482 if (ptrace(PTRACE_GETREGSET, pid, 1, &iov) == -1)
483 fatal("ptrace: %s", errno_s);
484
485 #if SECCOMP_AUDIT_ARCH == AUDIT_ARCH_X86_64
486 sysnr = regs.orig_rax;
487 #elif SECCOMP_AUDIT_ARCH == AUDIT_ARCH_AARCH64
488 sysnr = regs.regs[8];
489 #elif SECCOMP_AUDIT_ARCH == AUDIT_ARCH_ARM
490 sysnr = regs.uregs[7];
491 #else
492 #error "platform not supported"
493 #endif
494
495 name = NULL;
496 for (idx = 0; idx < worker_count; idx++) {
497 kw = kore_worker_data(idx);
498 if (kw->pid == pid) {
499 name = kore_worker_name(kw->id);
500 break;
501 }
502 }
503
504 if (name == NULL)
505 name = "<child>";
506
507 kore_log(LOG_INFO, "seccomp violation, %s pid=%d, syscall=%ld:%s",
508 name, pid, sysnr, kore_seccomp_syscall_name(sysnr));
509 }
510
511 static struct sock_filter *
512 seccomp_filter_update(struct sock_filter *filter, const char *name, size_t elm)
513 {
514 int nr;
515 struct sock_filter *result;
516
517 if ((nr = kore_seccomp_syscall_resolve(name)) == -1)
518 return (NULL);
519
520 result = kore_calloc(elm, sizeof(struct sock_filter));
521 memcpy(result, filter, elm * sizeof(struct sock_filter));
522
523 /* Update the syscall number to the one specified. */
524 result[0].k = nr;
525
526 return (result);
527 }