
seccomp.c (12519B)



      1 /*
      2  * Copyright (c) 2019-2022 Joris Vink <joris@coders.se>
      3  *
      4  * Permission to use, copy, modify, and distribute this software for any
      5  * purpose with or without fee is hereby granted, provided that the above
      6  * copyright notice and this permission notice appear in all copies.
      7  *
      8  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
      9  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
     10  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
     11  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
     12  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
     13  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
     14  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
     15  */
     16 
     17 #include <sys/param.h>
     18 #include <sys/mman.h>
     19 #include <sys/epoll.h>
     20 #include <sys/ptrace.h>
     21 #include <sys/prctl.h>
     22 #include <sys/user.h>
     23 #include <sys/syscall.h>
     24 
     25 #include <linux/ptrace.h>
     26 #include <linux/seccomp.h>
     27 #include <linux/filter.h>
     28 #include <linux/audit.h>
     29 
     30 #include <stddef.h>
     31 #include <sched.h>
     32 
     33 #include "kore.h"
     34 #include "seccomp.h"
     35 #include "platform.h"
     36 
     37 #if defined(KORE_USE_PYTHON)
     38 #include "python_api.h"
     39 #endif
     40 
     41 #if !defined(SECCOMP_KILL_POLICY)
     42 #define SECCOMP_KILL_POLICY		SECCOMP_RET_KILL
     43 #endif
     44 
/*
 * The bare minimum to be able to run kore. These are added last and can
 * be overwritten by a filter program that is added beforehand.
 *
 * A BPF program returns at the first rule that matches, so the order of
 * the entries below is significant: the flag-based DENY rules for
 * mmap/mmap2/mprotect must stay ahead of the unconditional ALLOW rules
 * for those same calls. The SYS_* / __NR_* guards only emit a rule on
 * ABIs that actually expose that system call number.
 */
static struct sock_filter filter_kore[] = {
	/* Deny these, but with EACCES instead of dying. */
	KORE_SYSCALL_DENY(ioctl, EACCES),

	/* File related. */
#if defined(SYS_open)
	KORE_SYSCALL_ALLOW(open),
#endif
	KORE_SYSCALL_ALLOW(read),
#if defined(SYS_stat)
	KORE_SYSCALL_ALLOW(stat),
#endif
#if defined(SYS_stat64)
	KORE_SYSCALL_ALLOW(stat64),
#endif
#if defined(SYS_lstat)
	KORE_SYSCALL_ALLOW(lstat),
#endif
	KORE_SYSCALL_ALLOW(fstat),
#if defined(SYS_fstat64)
	KORE_SYSCALL_ALLOW(fstat64),
#endif
#if defined(SYS_newfstatat)
	KORE_SYSCALL_ALLOW(newfstatat),
#endif
	KORE_SYSCALL_ALLOW(write),
	KORE_SYSCALL_ALLOW(fcntl),
#if defined(SYS_fcntl64)
	KORE_SYSCALL_ALLOW(fcntl64),
#endif
	KORE_SYSCALL_ALLOW(lseek),
#if defined(SYS__llseek)
	KORE_SYSCALL_ALLOW(_llseek),
#endif
	KORE_SYSCALL_ALLOW(close),
	KORE_SYSCALL_ALLOW(openat),
#if defined(SYS_access)
	KORE_SYSCALL_ALLOW(access),
#endif
	KORE_SYSCALL_ALLOW(writev),
	KORE_SYSCALL_ALLOW(getcwd),
#if defined(SYS_unlink)
	KORE_SYSCALL_ALLOW(unlink),
#endif
#if defined(SYS_readlink)
	KORE_SYSCALL_ALLOW(readlink),
#endif
#if defined(SYS_readlinkat)
	KORE_SYSCALL_ALLOW(readlinkat),
#endif

	/* Process related. */
	KORE_SYSCALL_ALLOW(exit),
	KORE_SYSCALL_ALLOW(kill),
	KORE_SYSCALL_ALLOW(getpid),
	KORE_SYSCALL_ALLOW(getuid),
	KORE_SYSCALL_ALLOW(geteuid),
	KORE_SYSCALL_ALLOW(exit_group),
	KORE_SYSCALL_ALLOW(nanosleep),
#if defined(SYS_clock_nanosleep)
	KORE_SYSCALL_ALLOW(clock_nanosleep),
#endif
#if defined(SYS_sigreturn)
	KORE_SYSCALL_ALLOW(sigreturn),
#endif

	/* Memory related. */
	KORE_SYSCALL_ALLOW(brk),
	KORE_SYSCALL_ALLOW(munmap),

	/*
	 * Deny mmap/mprotect calls with PROT_EXEC/PROT_WRITE protection.
	 * Argument index 2 is 'prot' for both calls. These rules come before
	 * the plain ALLOW entries below so a flagged call is rejected with
	 * EINVAL instead of being allowed through.
	 */
#if defined(SYS_mmap)
	KORE_SYSCALL_DENY_WITH_FLAG(mmap, 2, PROT_EXEC | PROT_WRITE, EINVAL),
#endif
#if defined(SYS_mmap2)
	KORE_SYSCALL_DENY_WITH_FLAG(mmap2, 2, PROT_EXEC | PROT_WRITE, EINVAL),
#endif
	KORE_SYSCALL_DENY_WITH_FLAG(mprotect, 2, PROT_EXEC, EINVAL),

	/* Everything not caught by the DENY_WITH_FLAG rules above. */
#if defined(SYS_mmap)
	KORE_SYSCALL_ALLOW(mmap),
#endif
#if defined(SYS_mmap2)
	KORE_SYSCALL_ALLOW(mmap2),
#endif
	KORE_SYSCALL_ALLOW(madvise),
	KORE_SYSCALL_ALLOW(mprotect),

	/* Net related. */
#if defined(SYS_poll)
	KORE_SYSCALL_ALLOW(poll),
#endif
	KORE_SYSCALL_ALLOW(ppoll),
#if defined(SYS_send)
	KORE_SYSCALL_ALLOW(send),
#endif
	KORE_SYSCALL_ALLOW(sendto),
	KORE_SYSCALL_ALLOW(accept),
	KORE_SYSCALL_ALLOW(sendfile),
#if defined(SYS_recv)
	KORE_SYSCALL_ALLOW(recv),
#endif
	KORE_SYSCALL_ALLOW(recvfrom),
	KORE_SYSCALL_ALLOW(epoll_ctl),
	KORE_SYSCALL_ALLOW(setsockopt),
#if defined(SYS_epoll_wait)
	KORE_SYSCALL_ALLOW(epoll_wait),
#endif
	KORE_SYSCALL_ALLOW(epoll_pwait),

	/* Signal related. */
	KORE_SYSCALL_ALLOW(sigaltstack),
	KORE_SYSCALL_ALLOW(rt_sigreturn),
	KORE_SYSCALL_ALLOW(rt_sigaction),
	KORE_SYSCALL_ALLOW(rt_sigprocmask),

	/* "Other" without clear category. */
	KORE_SYSCALL_ALLOW(futex),
#if defined(SYS_clock_gettime)
	KORE_SYSCALL_ALLOW(clock_gettime),
#endif

	/* Only present on kernels/ABIs that provide getrandom(2). */
#if defined(__NR_getrandom)
	KORE_SYSCALL_ALLOW(getrandom),
#endif
};
    175 
/*
 * bpf program prologue. Emitted first by kore_seccomp_enable(): it pins
 * the program to the ABI it was built for and leaves the system call
 * number in the accumulator for every rule that follows.
 */
static struct sock_filter filter_prologue[] = {
	/* Load arch member into accumulator (A) (arch is __u32). */
	KORE_BPF_LOAD(arch, 0),

	/*
	 * Compare accumulator against constant, if false jump over kill.
	 * A mismatching architecture is always killed with SECCOMP_RET_KILL,
	 * regardless of SECCOMP_KILL_POLICY: a filter written for one ABI
	 * must never be evaluated against another ABI's syscall numbers.
	 */
	KORE_BPF_CMP(SECCOMP_AUDIT_ARCH, 1, 0),
	KORE_BPF_RET(SECCOMP_RET_KILL),

	/* Load the system call number into the accumulator. */
	KORE_BPF_LOAD(nr, 0),
};
    188 
/*
 * bpf program epilogue. Emitted last, so it is only reached by system
 * calls that no earlier rule returned on. The default action is
 * SECCOMP_KILL_POLICY; kore_seccomp_enable() rewrites element 0's .k to
 * SECCOMP_RET_TRACE when kore_seccomp_tracing is set.
 */
static struct sock_filter filter_epilogue[] = {
	/* Return hit if no system calls matched our list. */
	BPF_STMT(BPF_RET+BPF_K, SECCOMP_KILL_POLICY)
};
    194 
    195 static struct sock_filter	*seccomp_filter_update(struct sock_filter *,
    196 				    const char *, size_t);
    197 
    198 #define filter_prologue_len	KORE_FILTER_LEN(filter_prologue)
    199 #define filter_epilogue_len	KORE_FILTER_LEN(filter_epilogue)
    200 
    201 static void	seccomp_register_violation(pid_t);
    202 
/* One registered BPF program, kept on the 'filters' list. */
struct filter {
	char			*name;		/* unique name, kore_strdup()'d copy */
	struct sock_filter	*prog;		/* instruction array; not freed by this file */
	size_t			instructions;	/* number of entries in prog */
	TAILQ_ENTRY(filter)	list;
};
    209 
/* All registered filter programs, in the order they are emitted. */
static TAILQ_HEAD(, filter)	filters;

/*
 * Insertion point used while an application hook runs: when non-NULL,
 * kore_seccomp_filter() inserts new programs before this entry instead
 * of appending, so hook-supplied rules precede the built-in ones.
 */
static struct filter		*ufilter = NULL;

/*
 * If enabled will instruct the parent process to ptrace its children and
 * log any seccomp SECCOMP_RET_TRACE rule.
 */
int	kore_seccomp_tracing = 0;
    218 
/* Reset the filter list; must run before any kore_seccomp_filter() call. */
void
kore_seccomp_init(void)
{
	TAILQ_INIT(&filters);
}
    224 
/*
 * Discard every registered filter. Only the bookkeeping is released
 * (the struct filter and its copied name); the sock_filter array each
 * entry points at is not freed here.
 */
void
kore_seccomp_drop(void)
{
	struct filter		*f;

	for (;;) {
		f = TAILQ_FIRST(&filters);
		if (f == NULL)
			break;

		if (kore_quiet == 0) {
			kore_log(LOG_INFO,
			    "seccomp filter '%s' dropped", f->name);
		}

		TAILQ_REMOVE(&filters, f, list);
		kore_free(f->name);
		kore_free(f);
	}

	TAILQ_INIT(&filters);
}
    242 
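/*
 * Build the complete BPF program (prologue, every registered filter in
 * list order, epilogue) and install it with PR_SET_SECCOMP.
 *
 * Application hooks (the Python "koreapp.seccomp" hook and the C
 * "kore_seccomp_hook" runtime call) run first so their filters are placed
 * in front of the built-in worker filter and take precedence over it.
 * Any failure to install the program is fatal.
 */
void
kore_seccomp_enable(void)
{
	struct sock_filter		*sf;
	struct sock_fprog		prog;
	struct kore_runtime_call	*rcall;
	struct filter			*filter;
	size_t				prog_len, off, i;

	/*
	 * If kore_seccomp_tracing is turned on, set the default policy to
	 * SECCOMP_RET_TRACE so we can log the system calls.
	 */
	if (kore_seccomp_tracing) {
		filter_epilogue[0].k = SECCOMP_RET_TRACE;
		kore_log(LOG_NOTICE, "seccomp tracing enabled");
	}

#if defined(KORE_USE_PYTHON)
	/* With ufilter set, kore_seccomp_filter() inserts ahead of it. */
	ufilter = TAILQ_FIRST(&filters);
	kore_python_seccomp_hook("koreapp.seccomp");
	ufilter = NULL;
#endif

	/* Allow application to add its own filters. */
	if ((rcall = kore_runtime_getcall("kore_seccomp_hook")) != NULL) {
		ufilter = TAILQ_FIRST(&filters);
		kore_runtime_execute(rcall);
		kore_free(rcall);
		ufilter = NULL;
	}

	if (worker->id != KORE_WORKER_KEYMGR) {
		/*
		 * Add worker required syscalls. Registration only fails when
		 * a filter named "worker" already exists; say so instead of
		 * silently running without the built-in rules.
		 */
		if (kore_seccomp_filter("worker", filter_kore,
		    KORE_FILTER_LEN(filter_kore)) == KORE_RESULT_ERROR) {
			kore_log(LOG_NOTICE,
			    "seccomp filter 'worker' already registered");
		}
	}

	/* Start with the prologue. */
	prog_len = filter_prologue_len;

	/* Now account for all enabled filters. */
	TAILQ_FOREACH(filter, &filters, list)
		prog_len += filter->instructions;

	/* Finally add the epilogue. */
	prog_len += filter_epilogue_len;

	/*
	 * sock_fprog.len is an unsigned short and the kernel rejects
	 * programs longer than BPF_MAXINSNS; refuse up front rather than
	 * silently truncating the instruction count.
	 */
	if (prog_len > BPF_MAXINSNS) {
		fatalx("seccomp program too large (%zu instructions, max %d)",
		    prog_len, BPF_MAXINSNS);
	}

	/* Build the entire bpf program now. */
	if ((sf = calloc(prog_len, sizeof(*sf))) == NULL)
		fatalx("calloc");

	off = 0;
	for (i = 0; i < filter_prologue_len; i++)
		sf[off++] = filter_prologue[i];

	TAILQ_FOREACH(filter, &filters, list) {
		for (i = 0; i < filter->instructions; i++)
			sf[off++] = filter->prog[i];
	}

	for (i = 0; i < filter_epilogue_len; i++)
		sf[off++] = filter_epilogue[i];

	/* Lock and load it. */
	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
		fatalx("prctl: %s", errno_s);

	prog.filter = sf;
	prog.len = (unsigned short)prog_len;

	if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == -1)
		fatalx("prctl: %s", errno_s);

	/* The kernel keeps its own copy of the program; ours is done. */
	free(sf);

#if defined(KORE_USE_PYTHON)
	kore_python_seccomp_cleanup();
#endif
}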
    321 
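/*
 * Register a BPF program under a unique name. The program is not copied:
 * 'prog' must stay valid at least until kore_seccomp_enable() has built
 * the combined program, and it is never freed by this file.
 *
 * Returns KORE_RESULT_ERROR when name or prog is NULL or a filter with
 * the same name already exists, KORE_RESULT_OK otherwise.
 */
int
kore_seccomp_filter(const char *name, void *prog, size_t len)
{
	struct filter		*filter;

	/* A NULL program would be dereferenced when the program is built. */
	if (name == NULL || prog == NULL)
		return (KORE_RESULT_ERROR);

	TAILQ_FOREACH(filter, &filters, list) {
		if (!strcmp(filter->name, name))
			return (KORE_RESULT_ERROR);
	}

	filter = kore_calloc(1, sizeof(*filter));
	filter->prog = prog;
	filter->instructions = len;
	filter->name = kore_strdup(name);

	/*
	 * While an application hook runs, ufilter points at the first
	 * pre-existing filter so hook-supplied programs land in front of
	 * it and take precedence; otherwise append.
	 */
	if (ufilter != NULL)
		TAILQ_INSERT_BEFORE(ufilter, filter, list);
	else
		TAILQ_INSERT_TAIL(&filters, filter, list);

	return (KORE_RESULT_OK);
}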
    346 
/*
 * Child-side half of seccomp tracing: when enabled, ask to be traced by
 * the parent and stop the process worker->pid (the worker itself, as far
 * as this file shows) with SIGSTOP so the parent can attach its ptrace
 * options before execution continues. Both calls are fatal on error.
 */
void
kore_seccomp_traceme(void)
{
	if (!kore_seccomp_tracing)
		return;

	if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1)
		fatalx("ptrace: %s", errno_s);

	if (kill(worker->pid, SIGSTOP) == -1)
		fatalx("kill: %s", errno_s);
}
    358 
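/*
 * Parent-side handling of a traced child that waitpid() reported with
 * 'status'. Returns KORE_RESULT_OK when the stop was handled and the
 * child resumed, KORE_RESULT_ERROR when tracing is off or the status
 * is not a stop (e.g. the child exited) so the caller deals with it.
 */
int
kore_seccomp_trace(pid_t pid, int status)
{
	int	evt, sig;

	if (kore_seccomp_tracing == 0)
		return (KORE_RESULT_ERROR);

	if (!WIFSTOPPED(status))
		return (KORE_RESULT_ERROR);

	sig = WSTOPSIG(status);

	if (sig == SIGSTOP) {
		/*
		 * Stop raised by kore_seccomp_traceme(): attach the options
		 * that turn SECCOMP_RET_TRACE hits (and new clones or forks)
		 * into ptrace stops, then let the child run.
		 */
		if (ptrace(PTRACE_SETOPTIONS, pid, NULL,
		    (void *)(long)(PTRACE_O_TRACESECCOMP | PTRACE_O_TRACECLONE |
		    PTRACE_O_TRACEFORK)) == -1)
			fatal("ptrace: %s", errno_s);
		if (ptrace(PTRACE_CONT, pid, NULL, NULL) == -1)
			fatal("ptrace: %s", errno_s);
		return (KORE_RESULT_OK);
	}

	if (sig == SIGTRAP) {
		/* status >> 8 carries SIGTRAP | (PTRACE_EVENT_xxx << 8). */
		evt = status >> 8;
		if (evt == (SIGTRAP | (PTRACE_EVENT_SECCOMP << 8)))
			seccomp_register_violation(pid);
		if (ptrace(PTRACE_CONT, pid, NULL, NULL) == -1)
			fatal("ptrace: %s", errno_s);
		return (KORE_RESULT_OK);
	}

	/*
	 * Any other stop is a real signal: resume and deliver it. ptrace()
	 * is variadic and reads 'data' as a pointer, so hand the signal
	 * number over as one rather than as a bare int.
	 */
	if (ptrace(PTRACE_CONT, pid, NULL, (void *)(long)sig) == -1)
		fatal("ptrace: %s", errno_s);

	return (KORE_RESULT_OK);
}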
    394 
/*
 * Map a system call name onto its number using kore_syscall_map.
 * Returns -1 when the name is not in the table.
 */
int
kore_seccomp_syscall_resolve(const char *name)
{
	int	idx = 0;

	while (kore_syscall_map[idx].name != NULL) {
		if (strcmp(kore_syscall_map[idx].name, name) == 0)
			return (kore_syscall_map[idx].nr);
		idx++;
	}

	return (-1);
}
    407 
/*
 * Map a system call number back onto its name using kore_syscall_map.
 * Returns the literal "unknown" when the number is not in the table.
 */
const char *
kore_seccomp_syscall_name(long sysnr)
{
	int	idx = 0;

	while (kore_syscall_map[idx].name != NULL) {
		if (kore_syscall_map[idx].nr == sysnr)
			return (kore_syscall_map[idx].name);
		idx++;
	}

	return ("unknown");
}
    420 
/*
 * Build a program that applies 'action' to the system call called 'name':
 * the rule itself followed by KORE_BPF_GUARD. The template is written
 * against 'exit' and the real syscall number is patched in by
 * seccomp_filter_update(). Returns a kore_calloc()'d array, or NULL when
 * 'name' is not a known system call.
 */
struct sock_filter *
kore_seccomp_syscall_filter(const char *name, int action)
{
	struct sock_filter	tmpl[] = {
		KORE_SYSCALL_FILTER(exit, action),
		KORE_BPF_GUARD
	};
	const size_t		count = KORE_FILTER_LEN(tmpl);

	return (seccomp_filter_update(tmpl, name, count));
}
    431 
/*
 * Like kore_seccomp_syscall_filter(), but the rule only matches when
 * syscall argument 'arg' equals 'value'. The template is written against
 * 'exit'; seccomp_filter_update() patches in the number of 'name'.
 * Returns a kore_calloc()'d array, or NULL for an unknown system call.
 */
struct sock_filter *
kore_seccomp_syscall_arg(const char *name, int action, int arg, int value)
{
	struct sock_filter	tmpl[] = {
		KORE_SYSCALL_ARG(exit, arg, value, action),
		KORE_BPF_GUARD
	};
	const size_t		count = KORE_FILTER_LEN(tmpl);

	return (seccomp_filter_update(tmpl, name, count));
}
    442 
/*
 * Like kore_seccomp_syscall_filter(), but built from KORE_SYSCALL_MASK so
 * syscall argument 'arg' is tested against 'value' as a mask (the exact
 * test is defined by that macro). The template is written against 'exit';
 * seccomp_filter_update() patches in the number of 'name'. Returns a
 * kore_calloc()'d array, or NULL for an unknown system call.
 */
struct sock_filter *
kore_seccomp_syscall_mask(const char *name, int action, int arg, int value)
{
	struct sock_filter	tmpl[] = {
		KORE_SYSCALL_MASK(exit, arg, value, action),
		KORE_BPF_GUARD
	};
	const size_t		count = KORE_FILTER_LEN(tmpl);

	return (seccomp_filter_update(tmpl, name, count));
}
    453 
/*
 * Like kore_seccomp_syscall_filter(), but built from KORE_SYSCALL_WITH_FLAG
 * so the rule keys on flag bits 'value' in syscall argument 'arg' (the
 * exact test is defined by that macro). The template is written against
 * 'exit'; seccomp_filter_update() patches in the number of 'name'. Returns
 * a kore_calloc()'d array, or NULL for an unknown system call.
 */
struct sock_filter *
kore_seccomp_syscall_flag(const char *name, int action, int arg, int value)
{
	struct sock_filter	tmpl[] = {
		KORE_SYSCALL_WITH_FLAG(exit, arg, value, action),
		KORE_BPF_GUARD
	};
	const size_t		count = KORE_FILTER_LEN(tmpl);

	return (seccomp_filter_update(tmpl, name, count));
}
    464 
/*
 * Log a SECCOMP_RET_TRACE hit for traced child 'pid': read its registers,
 * pick out the system call number for the build architecture and report
 * it together with the worker's name (or "<child>" when the pid is not
 * one of our workers). Called from kore_seccomp_trace() in the parent.
 */
static void
seccomp_register_violation(pid_t pid)
{
	int				idx;
	struct kore_worker		*kw;
	struct iovec			iov;
#if defined(__arm__)
	struct pt_regs			regs;
#else
	struct user_regs_struct		regs;
#endif
	long				sysnr;
	const char			*name;

	iov.iov_base = &regs;
	iov.iov_len = sizeof(regs);

	/* Register set 1 is NT_PRSTATUS, the general-purpose registers. */
	if (ptrace(PTRACE_GETREGSET, pid, 1, &iov) == -1)
		fatal("ptrace: %s", errno_s);

	/* The register holding the syscall number differs per ABI. */
#if SECCOMP_AUDIT_ARCH == AUDIT_ARCH_X86_64
	sysnr = regs.orig_rax;
#elif SECCOMP_AUDIT_ARCH == AUDIT_ARCH_AARCH64
	sysnr = regs.regs[8];
#elif SECCOMP_AUDIT_ARCH == AUDIT_ARCH_ARM
	sysnr = regs.uregs[7];
#else
#error "platform not supported"
#endif

	/* Resolve the pid to a worker name for the log line, if it is one. */
	name = NULL;
	for (idx = 0; idx < worker_count; idx++) {
		kw = kore_worker_data(idx);	/* assumed non-NULL for idx < worker_count */
		if (kw->pid == pid) {
			name = kore_worker_name(kw->id);
			break;
		}
	}

	if (name == NULL)
		name = "<child>";

	kore_log(LOG_INFO, "seccomp violation, %s pid=%d, syscall=%ld:%s",
	    name, pid, sysnr, kore_seccomp_syscall_name(sysnr));
}
    510 
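/*
 * Copy the 'elm'-instruction template 'filter' into a fresh kore_calloc()'d
 * array and patch instruction 0 with the number of system call 'name'.
 * Returns NULL when the name is unknown or the template is empty; the
 * returned array is owned by the caller.
 */
static struct sock_filter *
seccomp_filter_update(struct sock_filter *filter, const char *name, size_t elm)
{
	int			nr;
	struct sock_filter	*result;

	/* An empty template has no instruction 0 to patch. */
	if (elm == 0)
		return (NULL);

	if ((nr = kore_seccomp_syscall_resolve(name)) == -1)
		return (NULL);

	result = kore_calloc(elm, sizeof(*result));
	memcpy(result, filter, elm * sizeof(*result));

	/* Update the syscall number to the one specified. */
	result[0].k = nr;

	return (result);
}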