2014-02-13 00:24:00 +01:00
|
|
|
/***
|
|
|
|
|
This file is part of systemd.
|
|
|
|
|
|
|
|
|
|
Copyright 2014 Lennart Poettering
|
|
|
|
|
|
|
|
|
|
systemd is free software; you can redistribute it and/or modify it
|
|
|
|
|
under the terms of the GNU Lesser General Public License as published by
|
|
|
|
|
the Free Software Foundation; either version 2.1 of the License, or
|
|
|
|
|
(at your option) any later version.
|
|
|
|
|
|
|
|
|
|
systemd is distributed in the hope that it will be useful, but
|
|
|
|
|
WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
|
|
|
Lesser General Public License for more details.
|
|
|
|
|
|
|
|
|
|
You should have received a copy of the GNU Lesser General Public License
|
|
|
|
|
along with systemd; If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
|
***/
|
|
|
|
|
|
2015-12-03 21:13:37 +01:00
|
|
|
#include <errno.h>
|
2014-02-13 00:24:00 +01:00
|
|
|
#include <seccomp.h>
|
2015-12-03 21:13:37 +01:00
|
|
|
#include <stddef.h>
|
2014-02-13 00:24:00 +01:00
|
|
|
|
2015-12-03 21:13:37 +01:00
|
|
|
#include "macro.h"
|
2015-11-16 22:09:36 +01:00
|
|
|
#include "seccomp-util.h"
|
2015-10-24 22:58:24 +02:00
|
|
|
#include "string-util.h"
|
2014-02-13 00:24:00 +01:00
|
|
|
|
|
|
|
|
const char* seccomp_arch_to_string(uint32_t c) {
|
|
|
|
|
|
|
|
|
|
if (c == SCMP_ARCH_NATIVE)
|
|
|
|
|
return "native";
|
|
|
|
|
if (c == SCMP_ARCH_X86)
|
|
|
|
|
return "x86";
|
|
|
|
|
if (c == SCMP_ARCH_X86_64)
|
|
|
|
|
return "x86-64";
|
|
|
|
|
if (c == SCMP_ARCH_X32)
|
|
|
|
|
return "x32";
|
|
|
|
|
if (c == SCMP_ARCH_ARM)
|
|
|
|
|
return "arm";
|
|
|
|
|
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int seccomp_arch_from_string(const char *n, uint32_t *ret) {
|
|
|
|
|
if (!n)
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
|
|
assert(ret);
|
|
|
|
|
|
|
|
|
|
if (streq(n, "native"))
|
|
|
|
|
*ret = SCMP_ARCH_NATIVE;
|
|
|
|
|
else if (streq(n, "x86"))
|
|
|
|
|
*ret = SCMP_ARCH_X86;
|
|
|
|
|
else if (streq(n, "x86-64"))
|
|
|
|
|
*ret = SCMP_ARCH_X86_64;
|
|
|
|
|
else if (streq(n, "x32"))
|
|
|
|
|
*ret = SCMP_ARCH_X32;
|
|
|
|
|
else if (streq(n, "arm"))
|
|
|
|
|
*ret = SCMP_ARCH_ARM;
|
|
|
|
|
else
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
2014-02-18 22:14:00 +01:00
|
|
|
|
|
|
|
|
int seccomp_add_secondary_archs(scmp_filter_ctx *c) {
|
|
|
|
|
|
|
|
|
|
#if defined(__i386__) || defined(__x86_64__)
|
|
|
|
|
int r;
|
|
|
|
|
|
|
|
|
|
/* Add in all possible secondary archs we are aware of that
|
|
|
|
|
* this kernel might support. */
|
|
|
|
|
|
|
|
|
|
r = seccomp_arch_add(c, SCMP_ARCH_X86);
|
|
|
|
|
if (r < 0 && r != -EEXIST)
|
|
|
|
|
return r;
|
|
|
|
|
|
|
|
|
|
r = seccomp_arch_add(c, SCMP_ARCH_X86_64);
|
|
|
|
|
if (r < 0 && r != -EEXIST)
|
|
|
|
|
return r;
|
|
|
|
|
|
|
|
|
|
r = seccomp_arch_add(c, SCMP_ARCH_X32);
|
|
|
|
|
if (r < 0 && r != -EEXIST)
|
|
|
|
|
return r;
|
|
|
|
|
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
}
|
2016-06-01 11:56:01 +02:00
|
|
|
|
|
|
|
|
const SystemCallFilterSet syscall_filter_sets[] = {
|
|
|
|
|
{
|
|
|
|
|
/* Clock */
|
|
|
|
|
.set_name = "@clock",
|
|
|
|
|
.value =
|
|
|
|
|
"adjtimex\0"
|
core: improve seccomp syscall grouping a bit
This adds three new seccomp syscall groups: @keyring for kernel keyring access,
@cpu-emulation for CPU emulation features, for exampe vm86() for dosemu and
suchlike, and @debug for ptrace() and related calls.
Also, the @clock group is updated with more syscalls that alter the system
clock. capset() is added to @privileged, and pciconfig_iobase() is added to
@raw-io.
Finally, @obsolete is a cleaned up. A number of syscalls that never existed on
Linux and have no number assigned on any architecture are removed, as they only
exist in the man pages and other operating sytems, but not in code at all.
create_module() is moved from @module to @obsolete, as it is an obsolete system
call. mem_getpolicy() is removed from the @obsolete list, as it is not
obsolete, but simply a NUMA API.
2016-06-10 17:43:38 +02:00
|
|
|
"clock_adjtime\0"
|
|
|
|
|
"clock_settime\0"
|
2016-06-01 11:56:01 +02:00
|
|
|
"settimeofday\0"
|
core: improve seccomp syscall grouping a bit
This adds three new seccomp syscall groups: @keyring for kernel keyring access,
@cpu-emulation for CPU emulation features, for exampe vm86() for dosemu and
suchlike, and @debug for ptrace() and related calls.
Also, the @clock group is updated with more syscalls that alter the system
clock. capset() is added to @privileged, and pciconfig_iobase() is added to
@raw-io.
Finally, @obsolete is a cleaned up. A number of syscalls that never existed on
Linux and have no number assigned on any architecture are removed, as they only
exist in the man pages and other operating sytems, but not in code at all.
create_module() is moved from @module to @obsolete, as it is an obsolete system
call. mem_getpolicy() is removed from the @obsolete list, as it is not
obsolete, but simply a NUMA API.
2016-06-10 17:43:38 +02:00
|
|
|
"stime\0"
|
|
|
|
|
}, {
|
|
|
|
|
/* CPU emulation calls */
|
|
|
|
|
.set_name = "@cpu-emulation",
|
|
|
|
|
.value =
|
|
|
|
|
"modify_ldt\0"
|
|
|
|
|
"subpage_prot\0"
|
|
|
|
|
"switch_endian\0"
|
|
|
|
|
"vm86\0"
|
|
|
|
|
"vm86old\0"
|
|
|
|
|
}, {
|
|
|
|
|
/* Debugging/Performance Monitoring/Tracing */
|
|
|
|
|
.set_name = "@debug",
|
|
|
|
|
.value =
|
|
|
|
|
"lookup_dcookie\0"
|
|
|
|
|
"perf_event_open\0"
|
|
|
|
|
"process_vm_readv\0"
|
|
|
|
|
"process_vm_writev\0"
|
|
|
|
|
"ptrace\0"
|
|
|
|
|
"rtas\0"
|
|
|
|
|
"s390_runtime_instr\0"
|
|
|
|
|
"sys_debug_setcontext\0"
|
2016-06-01 11:56:01 +02:00
|
|
|
}, {
|
|
|
|
|
/* Default list */
|
|
|
|
|
.set_name = "@default",
|
|
|
|
|
.value =
|
|
|
|
|
"execve\0"
|
|
|
|
|
"exit\0"
|
|
|
|
|
"exit_group\0"
|
|
|
|
|
"rt_sigreturn\0"
|
|
|
|
|
"sigreturn\0"
|
|
|
|
|
}, {
|
|
|
|
|
/* Event loop use */
|
|
|
|
|
.set_name = "@io-event",
|
|
|
|
|
.value =
|
|
|
|
|
"_newselect\0"
|
|
|
|
|
"epoll_create1\0"
|
|
|
|
|
"epoll_create\0"
|
|
|
|
|
"epoll_ctl\0"
|
|
|
|
|
"epoll_ctl_old\0"
|
|
|
|
|
"epoll_pwait\0"
|
|
|
|
|
"epoll_wait\0"
|
|
|
|
|
"epoll_wait_old\0"
|
|
|
|
|
"eventfd2\0"
|
|
|
|
|
"eventfd\0"
|
|
|
|
|
"poll\0"
|
|
|
|
|
"ppoll\0"
|
|
|
|
|
"pselect6\0"
|
|
|
|
|
"select\0"
|
|
|
|
|
}, {
|
|
|
|
|
/* Message queues, SYSV IPC or other IPC: unusual */
|
|
|
|
|
.set_name = "@ipc",
|
|
|
|
|
.value = "ipc\0"
|
|
|
|
|
"mq_getsetattr\0"
|
|
|
|
|
"mq_notify\0"
|
|
|
|
|
"mq_open\0"
|
|
|
|
|
"mq_timedreceive\0"
|
|
|
|
|
"mq_timedsend\0"
|
|
|
|
|
"mq_unlink\0"
|
|
|
|
|
"msgctl\0"
|
|
|
|
|
"msgget\0"
|
|
|
|
|
"msgrcv\0"
|
|
|
|
|
"msgsnd\0"
|
|
|
|
|
"process_vm_readv\0"
|
|
|
|
|
"process_vm_writev\0"
|
|
|
|
|
"semctl\0"
|
|
|
|
|
"semget\0"
|
|
|
|
|
"semop\0"
|
|
|
|
|
"semtimedop\0"
|
|
|
|
|
"shmat\0"
|
|
|
|
|
"shmctl\0"
|
|
|
|
|
"shmdt\0"
|
|
|
|
|
"shmget\0"
|
core: improve seccomp syscall grouping a bit
This adds three new seccomp syscall groups: @keyring for kernel keyring access,
@cpu-emulation for CPU emulation features, for exampe vm86() for dosemu and
suchlike, and @debug for ptrace() and related calls.
Also, the @clock group is updated with more syscalls that alter the system
clock. capset() is added to @privileged, and pciconfig_iobase() is added to
@raw-io.
Finally, @obsolete is a cleaned up. A number of syscalls that never existed on
Linux and have no number assigned on any architecture are removed, as they only
exist in the man pages and other operating sytems, but not in code at all.
create_module() is moved from @module to @obsolete, as it is an obsolete system
call. mem_getpolicy() is removed from the @obsolete list, as it is not
obsolete, but simply a NUMA API.
2016-06-10 17:43:38 +02:00
|
|
|
}, {
|
|
|
|
|
/* Keyring */
|
|
|
|
|
.set_name = "@keyring",
|
|
|
|
|
.value =
|
|
|
|
|
"add_key\0"
|
|
|
|
|
"keyctl\0"
|
|
|
|
|
"request_key\0"
|
2016-06-01 11:56:01 +02:00
|
|
|
}, {
|
|
|
|
|
/* Kernel module control */
|
|
|
|
|
.set_name = "@module",
|
|
|
|
|
.value =
|
|
|
|
|
"delete_module\0"
|
|
|
|
|
"finit_module\0"
|
|
|
|
|
"init_module\0"
|
|
|
|
|
}, {
|
|
|
|
|
/* Mounting */
|
|
|
|
|
.set_name = "@mount",
|
|
|
|
|
.value =
|
|
|
|
|
"chroot\0"
|
|
|
|
|
"mount\0"
|
|
|
|
|
"oldumount\0"
|
|
|
|
|
"pivot_root\0"
|
|
|
|
|
"umount2\0"
|
|
|
|
|
"umount\0"
|
|
|
|
|
}, {
|
|
|
|
|
/* Network or Unix socket IO, should not be needed if not network facing */
|
|
|
|
|
.set_name = "@network-io",
|
|
|
|
|
.value =
|
|
|
|
|
"accept4\0"
|
|
|
|
|
"accept\0"
|
|
|
|
|
"bind\0"
|
|
|
|
|
"connect\0"
|
|
|
|
|
"getpeername\0"
|
|
|
|
|
"getsockname\0"
|
|
|
|
|
"getsockopt\0"
|
|
|
|
|
"listen\0"
|
|
|
|
|
"recv\0"
|
|
|
|
|
"recvfrom\0"
|
|
|
|
|
"recvmmsg\0"
|
|
|
|
|
"recvmsg\0"
|
|
|
|
|
"send\0"
|
|
|
|
|
"sendmmsg\0"
|
|
|
|
|
"sendmsg\0"
|
|
|
|
|
"sendto\0"
|
|
|
|
|
"setsockopt\0"
|
|
|
|
|
"shutdown\0"
|
|
|
|
|
"socket\0"
|
|
|
|
|
"socketcall\0"
|
|
|
|
|
"socketpair\0"
|
|
|
|
|
}, {
|
|
|
|
|
/* Unusual, obsolete or unimplemented, some unknown even to libseccomp */
|
|
|
|
|
.set_name = "@obsolete",
|
|
|
|
|
.value =
|
|
|
|
|
"_sysctl\0"
|
|
|
|
|
"afs_syscall\0"
|
|
|
|
|
"break\0"
|
core: improve seccomp syscall grouping a bit
This adds three new seccomp syscall groups: @keyring for kernel keyring access,
@cpu-emulation for CPU emulation features, for exampe vm86() for dosemu and
suchlike, and @debug for ptrace() and related calls.
Also, the @clock group is updated with more syscalls that alter the system
clock. capset() is added to @privileged, and pciconfig_iobase() is added to
@raw-io.
Finally, @obsolete is a cleaned up. A number of syscalls that never existed on
Linux and have no number assigned on any architecture are removed, as they only
exist in the man pages and other operating sytems, but not in code at all.
create_module() is moved from @module to @obsolete, as it is an obsolete system
call. mem_getpolicy() is removed from the @obsolete list, as it is not
obsolete, but simply a NUMA API.
2016-06-10 17:43:38 +02:00
|
|
|
"create_module\0"
|
2016-06-01 11:56:01 +02:00
|
|
|
"ftime\0"
|
|
|
|
|
"get_kernel_syms\0"
|
|
|
|
|
"getpmsg\0"
|
|
|
|
|
"gtty\0"
|
|
|
|
|
"lock\0"
|
|
|
|
|
"mpx\0"
|
|
|
|
|
"prof\0"
|
|
|
|
|
"profil\0"
|
|
|
|
|
"putpmsg\0"
|
|
|
|
|
"query_module\0"
|
|
|
|
|
"security\0"
|
|
|
|
|
"sgetmask\0"
|
|
|
|
|
"ssetmask\0"
|
|
|
|
|
"stty\0"
|
core: improve seccomp syscall grouping a bit
This adds three new seccomp syscall groups: @keyring for kernel keyring access,
@cpu-emulation for CPU emulation features, for exampe vm86() for dosemu and
suchlike, and @debug for ptrace() and related calls.
Also, the @clock group is updated with more syscalls that alter the system
clock. capset() is added to @privileged, and pciconfig_iobase() is added to
@raw-io.
Finally, @obsolete is a cleaned up. A number of syscalls that never existed on
Linux and have no number assigned on any architecture are removed, as they only
exist in the man pages and other operating sytems, but not in code at all.
create_module() is moved from @module to @obsolete, as it is an obsolete system
call. mem_getpolicy() is removed from the @obsolete list, as it is not
obsolete, but simply a NUMA API.
2016-06-10 17:43:38 +02:00
|
|
|
"sysfs\0"
|
2016-06-01 11:56:01 +02:00
|
|
|
"tuxcall\0"
|
|
|
|
|
"ulimit\0"
|
|
|
|
|
"uselib\0"
|
core: improve seccomp syscall grouping a bit
This adds three new seccomp syscall groups: @keyring for kernel keyring access,
@cpu-emulation for CPU emulation features, for exampe vm86() for dosemu and
suchlike, and @debug for ptrace() and related calls.
Also, the @clock group is updated with more syscalls that alter the system
clock. capset() is added to @privileged, and pciconfig_iobase() is added to
@raw-io.
Finally, @obsolete is a cleaned up. A number of syscalls that never existed on
Linux and have no number assigned on any architecture are removed, as they only
exist in the man pages and other operating sytems, but not in code at all.
create_module() is moved from @module to @obsolete, as it is an obsolete system
call. mem_getpolicy() is removed from the @obsolete list, as it is not
obsolete, but simply a NUMA API.
2016-06-10 17:43:38 +02:00
|
|
|
"ustat\0"
|
2016-06-01 11:56:01 +02:00
|
|
|
"vserver\0"
|
|
|
|
|
}, {
|
|
|
|
|
/* Nice grab-bag of all system calls which need superuser capabilities */
|
|
|
|
|
.set_name = "@privileged",
|
|
|
|
|
.value =
|
|
|
|
|
"@clock\0"
|
|
|
|
|
"@module\0"
|
|
|
|
|
"@raw-io\0"
|
|
|
|
|
"acct\0"
|
|
|
|
|
"bdflush\0"
|
|
|
|
|
"bpf\0"
|
core: improve seccomp syscall grouping a bit
This adds three new seccomp syscall groups: @keyring for kernel keyring access,
@cpu-emulation for CPU emulation features, for exampe vm86() for dosemu and
suchlike, and @debug for ptrace() and related calls.
Also, the @clock group is updated with more syscalls that alter the system
clock. capset() is added to @privileged, and pciconfig_iobase() is added to
@raw-io.
Finally, @obsolete is a cleaned up. A number of syscalls that never existed on
Linux and have no number assigned on any architecture are removed, as they only
exist in the man pages and other operating sytems, but not in code at all.
create_module() is moved from @module to @obsolete, as it is an obsolete system
call. mem_getpolicy() is removed from the @obsolete list, as it is not
obsolete, but simply a NUMA API.
2016-06-10 17:43:38 +02:00
|
|
|
"capset\0"
|
2016-06-01 11:56:01 +02:00
|
|
|
"chown32\0"
|
|
|
|
|
"chown\0"
|
|
|
|
|
"chroot\0"
|
|
|
|
|
"fchown32\0"
|
|
|
|
|
"fchown\0"
|
|
|
|
|
"fchownat\0"
|
|
|
|
|
"kexec_file_load\0"
|
|
|
|
|
"kexec_load\0"
|
|
|
|
|
"lchown32\0"
|
|
|
|
|
"lchown\0"
|
|
|
|
|
"nfsservctl\0"
|
|
|
|
|
"pivot_root\0"
|
|
|
|
|
"quotactl\0"
|
|
|
|
|
"reboot\0"
|
|
|
|
|
"setdomainname\0"
|
|
|
|
|
"setfsuid32\0"
|
|
|
|
|
"setfsuid\0"
|
|
|
|
|
"setgroups32\0"
|
|
|
|
|
"setgroups\0"
|
|
|
|
|
"sethostname\0"
|
|
|
|
|
"setresuid32\0"
|
|
|
|
|
"setresuid\0"
|
|
|
|
|
"setreuid32\0"
|
|
|
|
|
"setreuid\0"
|
|
|
|
|
"setuid32\0"
|
|
|
|
|
"setuid\0"
|
|
|
|
|
"swapoff\0"
|
|
|
|
|
"swapon\0"
|
|
|
|
|
"sysctl\0"
|
|
|
|
|
"vhangup\0"
|
|
|
|
|
}, {
|
|
|
|
|
/* Process control, execution, namespaces */
|
|
|
|
|
.set_name = "@process",
|
|
|
|
|
.value =
|
|
|
|
|
"arch_prctl\0"
|
|
|
|
|
"clone\0"
|
|
|
|
|
"execve\0"
|
|
|
|
|
"execveat\0"
|
|
|
|
|
"fork\0"
|
|
|
|
|
"kill\0"
|
|
|
|
|
"prctl\0"
|
|
|
|
|
"setns\0"
|
|
|
|
|
"tgkill\0"
|
|
|
|
|
"tkill\0"
|
|
|
|
|
"unshare\0"
|
|
|
|
|
"vfork\0"
|
|
|
|
|
}, {
|
|
|
|
|
/* Raw I/O ports */
|
|
|
|
|
.set_name = "@raw-io",
|
|
|
|
|
.value =
|
|
|
|
|
"ioperm\0"
|
|
|
|
|
"iopl\0"
|
core: improve seccomp syscall grouping a bit
This adds three new seccomp syscall groups: @keyring for kernel keyring access,
@cpu-emulation for CPU emulation features, for exampe vm86() for dosemu and
suchlike, and @debug for ptrace() and related calls.
Also, the @clock group is updated with more syscalls that alter the system
clock. capset() is added to @privileged, and pciconfig_iobase() is added to
@raw-io.
Finally, @obsolete is a cleaned up. A number of syscalls that never existed on
Linux and have no number assigned on any architecture are removed, as they only
exist in the man pages and other operating sytems, but not in code at all.
create_module() is moved from @module to @obsolete, as it is an obsolete system
call. mem_getpolicy() is removed from the @obsolete list, as it is not
obsolete, but simply a NUMA API.
2016-06-10 17:43:38 +02:00
|
|
|
"pciconfig_iobase\0"
|
2016-06-01 11:56:01 +02:00
|
|
|
"pciconfig_read\0"
|
|
|
|
|
"pciconfig_write\0"
|
|
|
|
|
"s390_pci_mmio_read\0"
|
|
|
|
|
"s390_pci_mmio_write\0"
|
|
|
|
|
}, {
|
|
|
|
|
.set_name = NULL,
|
|
|
|
|
.value = NULL
|
|
|
|
|
}
|
|
|
|
|
};
|
