]>
Commit | Line | Data |
---|---|---|
c93114cd TW |
1 | /* |
2 | * Copyright (C) 2023 Thomas Weißschuh <thomas@t-8ch.de> | |
3 | * | |
4 | * This program is free software; you can redistribute it and/or modify | |
5 | * it under the terms of the GNU General Public License as published by | |
6 | * the Free Software Foundation; either version 2 of the License, or | |
7 | * (at your option) any later version. | |
8 | * | |
9 | * This program is distributed in the hope that it would be useful, | |
10 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
11 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
12 | * GNU General Public License for more details. | |
13 | * | |
14 | * You should have received a copy of the GNU General Public License along | |
15 | * with this program; if not, write to the Free Software Foundation, Inc., | |
16 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | |
17 | */ | |
18 | ||
19 | #include <stddef.h> | |
20 | #include <stdbool.h> | |
21 | #include <getopt.h> | |
22 | ||
23 | #include <linux/unistd.h> | |
c93114cd TW |
24 | #include <linux/audit.h> |
25 | #include <sys/prctl.h> | |
6c1bd545 | 26 | #include <sys/syscall.h> |
65bf3c73 | 27 | #include <sys/ioctl.h> |
c93114cd TW |
28 | |
29 | #include "c.h" | |
30 | #include "exitcodes.h" | |
13d1cbce | 31 | #include "nls.h" |
afb669af | 32 | #include "bitops.h" |
29e3f737 | 33 | #include "audit-arch.h" |
358e3e43 TW |
34 | #include "list.h" |
35 | #include "xalloc.h" | |
36 | #include "strutils.h" | |
fd1786d3 | 37 | #include "seccomp.h" |
e6e606a9 | 38 | #include "all-io.h" |
c93114cd | 39 | |
afb669af | 40 | #define IS_LITTLE_ENDIAN (__BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__) |
7626054c | 41 | |
c93114cd | 42 | #define syscall_nr (offsetof(struct seccomp_data, nr)) |
9e8fb1f5 | 43 | #define syscall_arch (offsetof(struct seccomp_data, arch)) |
05a5e48c TW |
44 | #define _syscall_arg(n) (offsetof(struct seccomp_data, args[n])) |
45 | #define syscall_arg_lower32(n) (_syscall_arg(n) + 4 * !IS_LITTLE_ENDIAN) | |
46 | #define syscall_arg_upper32(n) (_syscall_arg(n) + 4 * IS_LITTLE_ENDIAN) | |
c93114cd TW |
47 | |
48 | struct syscall { | |
49 | const char *const name; | |
58fe2636 | 50 | long number; |
c93114cd TW |
51 | }; |
52 | ||
1078c4ae TW |
53 | /* When the alias arrays are empty the compiler emits -Wtype-limits warnings. |
54 | * Avoid those by going through this function. */ | |
55 | static inline bool lt(size_t a, size_t b) | |
56 | { | |
57 | return a < b; | |
58 | } | |
59 | ||
165fbfd4 | 60 | static const struct syscall syscalls[] = { |
69e542bd TW |
61 | #define UL_SYSCALL(name, nr) { name, nr }, |
62 | #include "syscalls.h" | |
63 | #undef UL_SYSCALL | |
c93114cd TW |
64 | }; |
65 | ||
ced129dc TW |
66 | static const struct syscall errnos[] = { |
67 | #define UL_ERRNO(name, nr) { name, nr }, | |
68 | #include "errnos.h" | |
69 | #undef UL_ERRNO | |
70 | }; | |
71 | ||
65bf3c73 TW |
72 | static const struct syscall ioctls[] = { |
73 | { "FIOCLEX", FIOCLEX }, | |
74 | }; | |
65bf3c73 | 75 | |
344ba205 TW |
76 | static void __attribute__((__noreturn__)) usage(void) |
77 | { | |
78 | FILE *out = stdout; | |
79 | ||
80 | fputs(USAGE_HEADER, out); | |
81 | fprintf(out, _(" %s [options] -- <command>\n"), program_invocation_short_name); | |
82 | ||
83 | fputs(USAGE_OPTIONS, out); | |
84 | fputs(_(" -s, --syscall syscall to block\n"), out); | |
65bf3c73 | 85 | fputs(_(" -i, --ioctl ioctl to block\n"), out); |
7f104027 | 86 | fputs(_(" -l, --list list known syscalls\n"), out); |
90cb3825 | 87 | fputs(_(" -d, --dump[=<file>] dump seccomp bytecode\n"), out); |
344ba205 TW |
88 | |
89 | fputs(USAGE_SEPARATOR, out); | |
90 | fprintf(out, USAGE_HELP_OPTIONS(25)); | |
91 | ||
92 | fprintf(out, USAGE_MAN_TAIL("enosys(1)")); | |
93 | ||
94 | exit(EXIT_SUCCESS); | |
95 | } | |
96 | ||
358e3e43 TW |
97 | struct blocked_number { |
98 | struct list_head head; | |
99 | long number; | |
766a9bd6 | 100 | int ret; |
358e3e43 TW |
101 | }; |
102 | ||
ced129dc | 103 | static struct blocked_number *parse_block(const char *s, int ret, const struct syscall entities[], size_t n_entities) |
766a9bd6 TW |
104 | { |
105 | struct blocked_number *blocked; | |
ced129dc | 106 | const char *name, *error_name; |
766a9bd6 | 107 | long blocked_number; |
ced129dc | 108 | char *colon; |
766a9bd6 TW |
109 | bool found; |
110 | size_t i; | |
111 | ||
ced129dc TW |
112 | colon = strchr(s, ':'); |
113 | if (colon) { | |
114 | name = xstrndup(s, colon - s); | |
115 | error_name = colon + 1; | |
116 | ||
117 | found = 0; | |
118 | for (i = 0; i < ARRAY_SIZE(errnos); i++) { | |
119 | if (strcmp(error_name, errnos[i].name) == 0) { | |
120 | ret = errnos[i].number; | |
121 | found = 1; | |
122 | break; | |
123 | } | |
124 | } | |
125 | if (!found) | |
126 | ret = str2num_or_err( | |
127 | colon + 1, 10, _("Unknown errno"), 0, INT_MAX); | |
128 | } else { | |
129 | name = s; | |
130 | } | |
131 | ||
766a9bd6 | 132 | found = 0; |
ced129dc TW |
133 | for (i = 0; i < n_entities; i++) { |
134 | if (strcmp(name, entities[i].name) == 0) { | |
135 | blocked_number = entities[i].number; | |
766a9bd6 TW |
136 | found = 1; |
137 | break; | |
138 | } | |
139 | } | |
140 | if (!found) | |
141 | blocked_number = str2num_or_err( | |
ced129dc | 142 | name, 10, _("Unknown syscall"), 0, LONG_MAX); |
766a9bd6 TW |
143 | |
144 | blocked = xmalloc(sizeof(*blocked)); | |
145 | blocked->number = blocked_number; | |
146 | blocked->ret = ret; | |
147 | ||
148 | if (name != s) | |
149 | free((char *)name); | |
150 | ||
151 | return blocked; | |
152 | } | |
153 | ||
c93114cd TW |
154 | int main(int argc, char **argv) |
155 | { | |
2aeb519a | 156 | int c; |
c93114cd | 157 | size_t i; |
90cb3825 | 158 | FILE *dump = NULL; |
c93114cd | 159 | static const struct option longopts[] = { |
65bf3c73 TW |
160 | { "syscall", required_argument, NULL, 's' }, |
161 | { "ioctl", required_argument, NULL, 'i' }, | |
162 | { "list", no_argument, NULL, 'l' }, | |
163 | { "list-ioctl", no_argument, NULL, 'm' }, | |
90cb3825 | 164 | { "dump", optional_argument, NULL, 'd' }, |
65bf3c73 TW |
165 | { "version", no_argument, NULL, 'V' }, |
166 | { "help", no_argument, NULL, 'h' }, | |
c93114cd TW |
167 | { 0 } |
168 | }; | |
169 | ||
358e3e43 | 170 | struct blocked_number *blocked; |
65bf3c73 | 171 | struct list_head *loop_ctr; |
358e3e43 | 172 | struct list_head blocked_syscalls; |
8edbb62b | 173 | bool blocking_execve = false; |
358e3e43 | 174 | INIT_LIST_HEAD(&blocked_syscalls); |
65bf3c73 TW |
175 | struct list_head blocked_ioctls; |
176 | INIT_LIST_HEAD(&blocked_ioctls); | |
c93114cd | 177 | |
d191a7be TW |
178 | setlocale(LC_ALL, ""); |
179 | bindtextdomain(PACKAGE, LOCALEDIR); | |
180 | textdomain(PACKAGE); | |
181 | ||
90cb3825 | 182 | while ((c = getopt_long (argc, argv, "+Vhs:i:lmd::", longopts, NULL)) != -1) { |
c93114cd TW |
183 | switch (c) { |
184 | case 's': | |
766a9bd6 | 185 | blocked = parse_block(optarg, ENOSYS, syscalls, ARRAY_SIZE(syscalls)); |
358e3e43 | 186 | list_add(&blocked->head, &blocked_syscalls); |
766a9bd6 | 187 | if (blocked->number == __NR_execve) |
8edbb62b | 188 | blocking_execve = true; |
358e3e43 | 189 | |
65bf3c73 TW |
190 | break; |
191 | case 'i': | |
766a9bd6 | 192 | blocked = parse_block(optarg, ENOTTY, ioctls, ARRAY_SIZE(ioctls)); |
65bf3c73 TW |
193 | list_add(&blocked->head, &blocked_ioctls); |
194 | ||
c93114cd | 195 | break; |
7f104027 | 196 | case 'l': |
1078c4ae | 197 | for (i = 0; lt(i, ARRAY_SIZE(syscalls)); i++) |
e9e52c79 | 198 | printf("%5ld %s\n", syscalls[i].number, syscalls[i].name); |
7f104027 | 199 | return EXIT_SUCCESS; |
65bf3c73 | 200 | case 'm': |
1078c4ae | 201 | for (i = 0; lt(i, ARRAY_SIZE(ioctls)); i++) |
65bf3c73 TW |
202 | printf("%5ld %s\n", ioctls[i].number, ioctls[i].name); |
203 | return EXIT_SUCCESS; | |
e6e606a9 | 204 | case 'd': |
90cb3825 TW |
205 | if (optarg) { |
206 | dump = fopen(optarg, "w"); | |
207 | if (!dump) | |
208 | err(EXIT_FAILURE, _("Could not open %s"), optarg); | |
209 | } else { | |
210 | dump = stdout; | |
211 | } | |
e6e606a9 | 212 | break; |
344ba205 TW |
213 | case 'V': |
214 | print_version(EXIT_SUCCESS); | |
215 | case 'h': | |
216 | usage(); | |
c93114cd | 217 | default: |
344ba205 | 218 | errtryhelp(EXIT_FAILURE); |
c93114cd TW |
219 | } |
220 | } | |
221 | ||
e6e606a9 | 222 | if (!dump && optind >= argc) |
344ba205 | 223 | errtryhelp(EXIT_FAILURE); |
c93114cd | 224 | |
3085fabe TW |
225 | struct sock_filter filter[BPF_MAXINSNS]; |
226 | struct sock_filter *f = filter; | |
227 | ||
228 | #define INSTR(_instruction) \ | |
229 | if (f == &filter[ARRAY_SIZE(filter)]) \ | |
230 | errx(EXIT_FAILURE, _("filter too big")); \ | |
231 | *f++ = (struct sock_filter) _instruction | |
232 | ||
233 | INSTR(BPF_STMT(BPF_LD | BPF_W | BPF_ABS, syscall_arch)); | |
234 | INSTR(BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SECCOMP_ARCH_NATIVE, 1, 0)); | |
235 | INSTR(BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRAP)); | |
236 | ||
237 | /* Blocking "execve" normally would also block our own call to | |
238 | * it and the end of main. To distinguish between our execve | |
239 | * and the execve to be blocked, compare the environ pointer. | |
240 | * | |
241 | * See https://lore.kernel.org/all/CAAnLoWnS74dK9Wq4EQ-uzQ0qCRfSK-dLqh+HCais-5qwDjrVzg@mail.gmail.com/ | |
242 | */ | |
8edbb62b TW |
243 | if (blocking_execve) { |
244 | INSTR(BPF_STMT(BPF_LD | BPF_W | BPF_ABS, syscall_nr)); | |
245 | INSTR(BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_execve, 0, 5)); | |
246 | INSTR(BPF_STMT(BPF_LD | BPF_W | BPF_ABS, syscall_arg_lower32(2))); | |
247 | INSTR(BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (uint64_t)(uintptr_t) environ, 0, 3)); | |
248 | INSTR(BPF_STMT(BPF_LD | BPF_W | BPF_ABS, syscall_arg_upper32(2))); | |
249 | INSTR(BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (uint64_t)(uintptr_t) environ >> 32, 0, 1)); | |
250 | INSTR(BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)); | |
251 | } | |
3085fabe TW |
252 | |
253 | INSTR(BPF_STMT(BPF_LD | BPF_W | BPF_ABS, syscall_nr)); | |
c93114cd | 254 | |
358e3e43 TW |
255 | list_for_each(loop_ctr, &blocked_syscalls) { |
256 | blocked = list_entry(loop_ctr, struct blocked_number, head); | |
3085fabe | 257 | |
358e3e43 | 258 | INSTR(BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, blocked->number, 0, 1)); |
766a9bd6 | 259 | INSTR(BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | blocked->ret)); |
c93114cd TW |
260 | } |
261 | ||
ce0c5edc TW |
262 | if (!list_empty(&blocked_ioctls)) { |
263 | INSTR(BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_ioctl, 1, 0)); | |
264 | INSTR(BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)); | |
265 | ||
266 | list_for_each(loop_ctr, &blocked_ioctls) { | |
267 | blocked = list_entry(loop_ctr, struct blocked_number, head); | |
268 | ||
269 | INSTR(BPF_STMT(BPF_LD | BPF_W | BPF_ABS, syscall_arg_lower32(1))); | |
270 | INSTR(BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (uint64_t) blocked->number, 0, 3)); | |
271 | INSTR(BPF_STMT(BPF_LD | BPF_W | BPF_ABS, syscall_arg_upper32(1))); | |
272 | INSTR(BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (uint64_t) blocked->number >> 32, 0, 1)); | |
766a9bd6 | 273 | INSTR(BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | blocked->ret)); |
ce0c5edc | 274 | } |
65bf3c73 TW |
275 | } |
276 | ||
3085fabe TW |
277 | INSTR(BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)); |
278 | ||
e6e606a9 | 279 | if (dump) { |
90cb3825 | 280 | if (fwrite_all(filter, (f - filter) * sizeof(filter[0]), 1, dump)) |
e6e606a9 TW |
281 | err(EXIT_FAILURE, _("Could not dump seccomp filter")); |
282 | return EXIT_SUCCESS; | |
283 | } | |
284 | ||
c93114cd | 285 | struct sock_fprog prog = { |
3085fabe | 286 | .len = f - filter, |
c93114cd TW |
287 | .filter = filter, |
288 | }; | |
289 | ||
f080b635 TW |
290 | /* *SET* below will return EINVAL when either the filter is invalid or |
291 | * seccomp is not supported. To distinguish those cases do a *GET* here | |
292 | */ | |
293 | if (prctl(PR_GET_SECCOMP) == -1 && errno == EINVAL) | |
13d1cbce | 294 | err(EXIT_NOTSUPP, _("Seccomp non-functional")); |
f080b635 | 295 | |
c93114cd | 296 | if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) |
a3fdbe0c | 297 | err_nosys(EXIT_FAILURE, _("Could not run prctl(PR_SET_NO_NEW_PRIVS)")); |
c93114cd | 298 | |
fd1786d3 | 299 | if (ul_set_seccomp_filter_spec_allow(&prog)) |
ced82526 | 300 | err_nosys(EXIT_FAILURE, _("Could not seccomp filter")); |
c93114cd TW |
301 | |
302 | if (execvp(argv[optind], argv + optind)) | |
13d1cbce | 303 | err(EXIT_NOTSUPP, _("Could not exec")); |
c93114cd | 304 | } |