]>
Commit | Line | Data |
---|---|---|
57183d11 LP |
1 | /*** |
2 | This file is part of systemd. | |
3 | ||
4 | Copyright 2014 Lennart Poettering | |
5 | ||
6 | systemd is free software; you can redistribute it and/or modify it | |
7 | under the terms of the GNU Lesser General Public License as published by | |
8 | the Free Software Foundation; either version 2.1 of the License, or | |
9 | (at your option) any later version. | |
10 | ||
11 | systemd is distributed in the hope that it will be useful, but | |
12 | WITHOUT ANY WARRANTY; without even the implied warranty of | |
13 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
14 | Lesser General Public License for more details. | |
15 | ||
16 | You should have received a copy of the GNU Lesser General Public License | |
17 | along with systemd; If not, see <http://www.gnu.org/licenses/>. | |
18 | ***/ | |
19 | ||
a8fbdf54 | 20 | #include <errno.h> |
469830d1 | 21 | #include <linux/seccomp.h> |
57183d11 | 22 | #include <seccomp.h> |
a8fbdf54 | 23 | #include <stddef.h> |
469830d1 | 24 | #include <sys/mman.h> |
d347d902 | 25 | #include <sys/prctl.h> |
469830d1 | 26 | #include <sys/shm.h> |
57183d11 | 27 | |
469830d1 | 28 | #include "af-list.h" |
add00535 | 29 | #include "alloc-util.h" |
a8fbdf54 | 30 | #include "macro.h" |
add00535 | 31 | #include "nsflags.h" |
78e864e5 | 32 | #include "process-util.h" |
cf0fbc49 | 33 | #include "seccomp-util.h" |
b16bd535 | 34 | #include "set.h" |
07630cea | 35 | #include "string-util.h" |
b16bd535 | 36 | #include "strv.h" |
8130926d | 37 | #include "util.h" |
469830d1 LP |
38 | #include "errno-list.h" |
39 | ||
40 | const uint32_t seccomp_local_archs[] = { | |
41 | ||
f2d9751c LP |
42 | /* Note: always list the native arch we are compiled as last, so that users can blacklist seccomp(), but our own calls to it still succeed */ |
43 | ||
44 | #if defined(__x86_64__) && defined(__ILP32__) | |
469830d1 LP |
45 | SCMP_ARCH_X86, |
46 | SCMP_ARCH_X86_64, | |
f2d9751c LP |
47 | SCMP_ARCH_X32, /* native */ |
48 | #elif defined(__x86_64__) && !defined(__ILP32__) | |
49 | SCMP_ARCH_X86, | |
469830d1 | 50 | SCMP_ARCH_X32, |
f2d9751c LP |
51 | SCMP_ARCH_X86_64, /* native */ |
52 | #elif defined(__i386__) | |
53 | SCMP_ARCH_X86, | |
54 | #elif defined(__aarch64__) | |
469830d1 | 55 | SCMP_ARCH_ARM, |
f2d9751c LP |
56 | SCMP_ARCH_AARCH64, /* native */ |
57 | #elif defined(__arm__) | |
58 | SCMP_ARCH_ARM, | |
59 | #elif defined(__mips__) && __BYTE_ORDER == __BIG_ENDIAN && _MIPS_SIM == _MIPS_SIM_ABI32 | |
60 | SCMP_ARCH_MIPSEL, | |
61 | SCMP_ARCH_MIPS, /* native */ | |
62 | #elif defined(__mips__) && __BYTE_ORDER == __LITTLE_ENDIAN && _MIPS_SIM == _MIPS_SIM_ABI32 | |
469830d1 | 63 | SCMP_ARCH_MIPS, |
f2d9751c LP |
64 | SCMP_ARCH_MIPSEL, /* native */ |
65 | #elif defined(__mips__) && __BYTE_ORDER == __BIG_ENDIAN && _MIPS_SIM == _MIPS_SIM_ABI64 | |
66 | SCMP_ARCH_MIPSEL, | |
67 | SCMP_ARCH_MIPS, | |
68 | SCMP_ARCH_MIPSEL64N32, | |
469830d1 | 69 | SCMP_ARCH_MIPS64N32, |
f2d9751c LP |
70 | SCMP_ARCH_MIPSEL64, |
71 | SCMP_ARCH_MIPS64, /* native */ | |
72 | #elif defined(__mips__) && __BYTE_ORDER == __LITTLE_ENDIAN && _MIPS_SIM == _MIPS_SIM_ABI64 | |
73 | SCMP_ARCH_MIPS, | |
469830d1 | 74 | SCMP_ARCH_MIPSEL, |
f2d9751c LP |
75 | SCMP_ARCH_MIPS64N32, |
76 | SCMP_ARCH_MIPSEL64N32, | |
77 | SCMP_ARCH_MIPS64, | |
78 | SCMP_ARCH_MIPSEL64, /* native */ | |
79 | #elif defined(__mips__) && __BYTE_ORDER == __BIG_ENDIAN && _MIPS_SIM == _MIPS_SIM_NABI32 | |
80 | SCMP_ARCH_MIPSEL, | |
81 | SCMP_ARCH_MIPS, | |
469830d1 | 82 | SCMP_ARCH_MIPSEL64, |
f2d9751c | 83 | SCMP_ARCH_MIPS64, |
469830d1 | 84 | SCMP_ARCH_MIPSEL64N32, |
f2d9751c LP |
85 | SCMP_ARCH_MIPS64N32, /* native */ |
86 | #elif defined(__mips__) && __BYTE_ORDER == __LITTLE_ENDIAN && _MIPS_SIM == _MIPS_SIM_NABI32 | |
87 | SCMP_ARCH_MIPS, | |
88 | SCMP_ARCH_MIPSEL, | |
89 | SCMP_ARCH_MIPS64, | |
90 | SCMP_ARCH_MIPSEL64, | |
91 | SCMP_ARCH_MIPS64N32, | |
92 | SCMP_ARCH_MIPSEL64N32, /* native */ | |
93 | #elif defined(__powerpc64__) && __BYTE_ORDER == __BIG_ENDIAN | |
469830d1 | 94 | SCMP_ARCH_PPC, |
469830d1 | 95 | SCMP_ARCH_PPC64LE, |
f2d9751c LP |
96 | SCMP_ARCH_PPC64, /* native */ |
97 | #elif defined(__powerpc64__) && __BYTE_ORDER == __LITTLE_ENDIAN | |
98 | SCMP_ARCH_PPC, | |
99 | SCMP_ARCH_PPC64, | |
100 | SCMP_ARCH_PPC64LE, /* native */ | |
101 | #elif defined(__powerpc__) | |
102 | SCMP_ARCH_PPC, | |
103 | #elif defined(__s390x__) | |
104 | SCMP_ARCH_S390, | |
105 | SCMP_ARCH_S390X, /* native */ | |
106 | #elif defined(__s390__) | |
469830d1 | 107 | SCMP_ARCH_S390, |
469830d1 LP |
108 | #endif |
109 | (uint32_t) -1 | |
110 | }; | |
57183d11 LP |
111 | |
112 | const char* seccomp_arch_to_string(uint32_t c) { | |
aa34055f ZJS |
113 | /* Maintain order used in <seccomp.h>. |
114 | * | |
115 | * Names used here should be the same as those used for ConditionArchitecture=, | |
116 | * except for "subarchitectures" like x32. */ | |
57183d11 | 117 | |
aa34055f ZJS |
118 | switch(c) { |
119 | case SCMP_ARCH_NATIVE: | |
57183d11 | 120 | return "native"; |
aa34055f | 121 | case SCMP_ARCH_X86: |
57183d11 | 122 | return "x86"; |
aa34055f | 123 | case SCMP_ARCH_X86_64: |
57183d11 | 124 | return "x86-64"; |
aa34055f | 125 | case SCMP_ARCH_X32: |
57183d11 | 126 | return "x32"; |
aa34055f | 127 | case SCMP_ARCH_ARM: |
57183d11 | 128 | return "arm"; |
aa34055f ZJS |
129 | case SCMP_ARCH_AARCH64: |
130 | return "arm64"; | |
131 | case SCMP_ARCH_MIPS: | |
132 | return "mips"; | |
133 | case SCMP_ARCH_MIPS64: | |
134 | return "mips64"; | |
135 | case SCMP_ARCH_MIPS64N32: | |
136 | return "mips64-n32"; | |
137 | case SCMP_ARCH_MIPSEL: | |
138 | return "mips-le"; | |
139 | case SCMP_ARCH_MIPSEL64: | |
140 | return "mips64-le"; | |
141 | case SCMP_ARCH_MIPSEL64N32: | |
142 | return "mips64-le-n32"; | |
143 | case SCMP_ARCH_PPC: | |
144 | return "ppc"; | |
145 | case SCMP_ARCH_PPC64: | |
146 | return "ppc64"; | |
147 | case SCMP_ARCH_PPC64LE: | |
148 | return "ppc64-le"; | |
149 | case SCMP_ARCH_S390: | |
6abfd303 | 150 | return "s390"; |
aa34055f | 151 | case SCMP_ARCH_S390X: |
6abfd303 | 152 | return "s390x"; |
aa34055f ZJS |
153 | default: |
154 | return NULL; | |
155 | } | |
57183d11 LP |
156 | } |
157 | ||
158 | int seccomp_arch_from_string(const char *n, uint32_t *ret) { | |
159 | if (!n) | |
160 | return -EINVAL; | |
161 | ||
162 | assert(ret); | |
163 | ||
164 | if (streq(n, "native")) | |
165 | *ret = SCMP_ARCH_NATIVE; | |
166 | else if (streq(n, "x86")) | |
167 | *ret = SCMP_ARCH_X86; | |
168 | else if (streq(n, "x86-64")) | |
169 | *ret = SCMP_ARCH_X86_64; | |
170 | else if (streq(n, "x32")) | |
171 | *ret = SCMP_ARCH_X32; | |
172 | else if (streq(n, "arm")) | |
173 | *ret = SCMP_ARCH_ARM; | |
aa34055f ZJS |
174 | else if (streq(n, "arm64")) |
175 | *ret = SCMP_ARCH_AARCH64; | |
176 | else if (streq(n, "mips")) | |
177 | *ret = SCMP_ARCH_MIPS; | |
178 | else if (streq(n, "mips64")) | |
179 | *ret = SCMP_ARCH_MIPS64; | |
180 | else if (streq(n, "mips64-n32")) | |
181 | *ret = SCMP_ARCH_MIPS64N32; | |
182 | else if (streq(n, "mips-le")) | |
183 | *ret = SCMP_ARCH_MIPSEL; | |
184 | else if (streq(n, "mips64-le")) | |
185 | *ret = SCMP_ARCH_MIPSEL64; | |
186 | else if (streq(n, "mips64-le-n32")) | |
187 | *ret = SCMP_ARCH_MIPSEL64N32; | |
188 | else if (streq(n, "ppc")) | |
189 | *ret = SCMP_ARCH_PPC; | |
190 | else if (streq(n, "ppc64")) | |
191 | *ret = SCMP_ARCH_PPC64; | |
192 | else if (streq(n, "ppc64-le")) | |
193 | *ret = SCMP_ARCH_PPC64LE; | |
6abfd303 HB |
194 | else if (streq(n, "s390")) |
195 | *ret = SCMP_ARCH_S390; | |
196 | else if (streq(n, "s390x")) | |
197 | *ret = SCMP_ARCH_S390X; | |
57183d11 LP |
198 | else |
199 | return -EINVAL; | |
200 | ||
201 | return 0; | |
202 | } | |
e9642be2 | 203 | |
469830d1 | 204 | int seccomp_init_for_arch(scmp_filter_ctx *ret, uint32_t arch, uint32_t default_action) { |
8d7b0c8f LP |
205 | scmp_filter_ctx seccomp; |
206 | int r; | |
207 | ||
469830d1 LP |
208 | /* Much like seccomp_init(), but initializes the filter for one specific architecture only, without affecting |
209 | * any others. Also, turns off the NNP fiddling. */ | |
8d7b0c8f LP |
210 | |
211 | seccomp = seccomp_init(default_action); | |
212 | if (!seccomp) | |
213 | return -ENOMEM; | |
214 | ||
469830d1 LP |
215 | if (arch != SCMP_ARCH_NATIVE && |
216 | arch != seccomp_arch_native()) { | |
217 | ||
1b52793d | 218 | r = seccomp_arch_remove(seccomp, seccomp_arch_native()); |
469830d1 LP |
219 | if (r < 0) |
220 | goto finish; | |
221 | ||
1b52793d | 222 | r = seccomp_arch_add(seccomp, arch); |
469830d1 LP |
223 | if (r < 0) |
224 | goto finish; | |
225 | ||
226 | assert(seccomp_arch_exist(seccomp, arch) >= 0); | |
227 | assert(seccomp_arch_exist(seccomp, SCMP_ARCH_NATIVE) == -EEXIST); | |
228 | assert(seccomp_arch_exist(seccomp, seccomp_arch_native()) == -EEXIST); | |
229 | } else { | |
230 | assert(seccomp_arch_exist(seccomp, SCMP_ARCH_NATIVE) >= 0); | |
231 | assert(seccomp_arch_exist(seccomp, seccomp_arch_native()) >= 0); | |
232 | } | |
233 | ||
234 | r = seccomp_attr_set(seccomp, SCMP_FLTATR_ACT_BADARCH, SCMP_ACT_ALLOW); | |
8d7b0c8f LP |
235 | if (r < 0) |
236 | goto finish; | |
237 | ||
238 | r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0); | |
239 | if (r < 0) | |
240 | goto finish; | |
241 | ||
242 | *ret = seccomp; | |
243 | return 0; | |
244 | ||
245 | finish: | |
246 | seccomp_release(seccomp); | |
247 | return r; | |
248 | } | |
249 | ||
d347d902 | 250 | static bool is_basic_seccomp_available(void) { |
4d5bd50a | 251 | return prctl(PR_GET_SECCOMP, 0, 0, 0, 0) >= 0; |
d347d902 FS |
252 | } |
253 | ||
254 | static bool is_seccomp_filter_available(void) { | |
4d5bd50a LP |
255 | return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0) < 0 && |
256 | errno == EFAULT; | |
d347d902 FS |
257 | } |
258 | ||
83f12b27 | 259 | bool is_seccomp_available(void) { |
83f12b27 | 260 | static int cached_enabled = -1; |
4d5bd50a | 261 | |
83f12b27 | 262 | if (cached_enabled < 0) |
4d5bd50a LP |
263 | cached_enabled = |
264 | is_basic_seccomp_available() && | |
265 | is_seccomp_filter_available(); | |
266 | ||
83f12b27 FS |
267 | return cached_enabled; |
268 | } | |
269 | ||
8130926d | 270 | const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = { |
40eb6a80 | 271 | [SYSCALL_FILTER_SET_DEFAULT] = { |
40eb6a80 | 272 | .name = "@default", |
d5efc18b | 273 | .help = "System calls that are always permitted", |
40eb6a80 ZJS |
274 | .value = |
275 | "clock_getres\0" | |
276 | "clock_gettime\0" | |
277 | "clock_nanosleep\0" | |
278 | "execve\0" | |
279 | "exit\0" | |
280 | "exit_group\0" | |
e41b0f42 LP |
281 | "futex\0" |
282 | "get_robust_list\0" | |
283 | "get_thread_area\0" | |
09d3020b DH |
284 | "getegid\0" |
285 | "getegid32\0" | |
286 | "geteuid\0" | |
287 | "geteuid32\0" | |
288 | "getgid\0" | |
289 | "getgid32\0" | |
290 | "getgroups\0" | |
291 | "getgroups32\0" | |
292 | "getpgid\0" | |
293 | "getpgrp\0" | |
294 | "getpid\0" | |
295 | "getppid\0" | |
296 | "getresgid\0" | |
297 | "getresgid32\0" | |
298 | "getresuid\0" | |
299 | "getresuid32\0" | |
40eb6a80 | 300 | "getrlimit\0" /* make sure processes can query stack size and such */ |
09d3020b DH |
301 | "getsid\0" |
302 | "gettid\0" | |
40eb6a80 | 303 | "gettimeofday\0" |
09d3020b DH |
304 | "getuid\0" |
305 | "getuid32\0" | |
e41b0f42 | 306 | "membarrier\0" |
40eb6a80 ZJS |
307 | "nanosleep\0" |
308 | "pause\0" | |
4c3a9176 | 309 | "prlimit64\0" |
e41b0f42 | 310 | "restart_syscall\0" |
40eb6a80 | 311 | "rt_sigreturn\0" |
8f44de08 | 312 | "sched_yield\0" |
e41b0f42 LP |
313 | "set_robust_list\0" |
314 | "set_thread_area\0" | |
315 | "set_tid_address\0" | |
40eb6a80 ZJS |
316 | "sigreturn\0" |
317 | "time\0" | |
4c3a9176 | 318 | "ugetrlimit\0" |
40eb6a80 | 319 | }, |
44898c53 LP |
320 | [SYSCALL_FILTER_SET_AIO] = { |
321 | .name = "@aio", | |
322 | .help = "Asynchronous IO", | |
323 | .value = | |
324 | "io_cancel\0" | |
325 | "io_destroy\0" | |
326 | "io_getevents\0" | |
327 | "io_setup\0" | |
328 | "io_submit\0" | |
329 | }, | |
133ddbbe | 330 | [SYSCALL_FILTER_SET_BASIC_IO] = { |
133ddbbe | 331 | .name = "@basic-io", |
d5efc18b | 332 | .help = "Basic IO", |
133ddbbe | 333 | .value = |
648a0ed0 | 334 | "_llseek\0" |
133ddbbe | 335 | "close\0" |
648a0ed0 | 336 | "dup\0" |
133ddbbe LP |
337 | "dup2\0" |
338 | "dup3\0" | |
133ddbbe LP |
339 | "lseek\0" |
340 | "pread64\0" | |
341 | "preadv\0" | |
44898c53 | 342 | "preadv2\0" |
133ddbbe LP |
343 | "pwrite64\0" |
344 | "pwritev\0" | |
44898c53 | 345 | "pwritev2\0" |
133ddbbe LP |
346 | "read\0" |
347 | "readv\0" | |
348 | "write\0" | |
349 | "writev\0" | |
350 | }, | |
44898c53 LP |
351 | [SYSCALL_FILTER_SET_CHOWN] = { |
352 | .name = "@chown", | |
353 | .help = "Change ownership of files and directories", | |
354 | .value = | |
355 | "chown\0" | |
356 | "chown32\0" | |
357 | "fchown\0" | |
358 | "fchown32\0" | |
359 | "fchownat\0" | |
360 | "lchown\0" | |
361 | "lchown32\0" | |
362 | }, | |
8130926d | 363 | [SYSCALL_FILTER_SET_CLOCK] = { |
8130926d | 364 | .name = "@clock", |
d5efc18b | 365 | .help = "Change the system time", |
201c1cc2 TM |
366 | .value = |
367 | "adjtimex\0" | |
1f9ac68b LP |
368 | "clock_adjtime\0" |
369 | "clock_settime\0" | |
201c1cc2 | 370 | "settimeofday\0" |
1f9ac68b | 371 | "stime\0" |
8130926d LP |
372 | }, |
373 | [SYSCALL_FILTER_SET_CPU_EMULATION] = { | |
8130926d | 374 | .name = "@cpu-emulation", |
d5efc18b | 375 | .help = "System calls for CPU emulation functionality", |
1f9ac68b LP |
376 | .value = |
377 | "modify_ldt\0" | |
378 | "subpage_prot\0" | |
379 | "switch_endian\0" | |
380 | "vm86\0" | |
381 | "vm86old\0" | |
8130926d LP |
382 | }, |
383 | [SYSCALL_FILTER_SET_DEBUG] = { | |
8130926d | 384 | .name = "@debug", |
d5efc18b | 385 | .help = "Debugging, performance monitoring and tracing functionality", |
1f9ac68b LP |
386 | .value = |
387 | "lookup_dcookie\0" | |
388 | "perf_event_open\0" | |
389 | "process_vm_readv\0" | |
390 | "process_vm_writev\0" | |
391 | "ptrace\0" | |
392 | "rtas\0" | |
8130926d | 393 | #ifdef __NR_s390_runtime_instr |
1f9ac68b | 394 | "s390_runtime_instr\0" |
8130926d | 395 | #endif |
1f9ac68b | 396 | "sys_debug_setcontext\0" |
8130926d | 397 | }, |
1a1b13c9 LP |
398 | [SYSCALL_FILTER_SET_FILE_SYSTEM] = { |
399 | .name = "@file-system", | |
400 | .help = "File system operations", | |
401 | .value = | |
402 | "access\0" | |
403 | "chdir\0" | |
404 | "chmod\0" | |
405 | "close\0" | |
406 | "creat\0" | |
407 | "faccessat\0" | |
408 | "fallocate\0" | |
409 | "fchdir\0" | |
410 | "fchmod\0" | |
411 | "fchmodat\0" | |
1a1b13c9 | 412 | "fcntl\0" |
ceaa6aa7 | 413 | "fcntl64\0" |
1a1b13c9 LP |
414 | "fgetxattr\0" |
415 | "flistxattr\0" | |
ceaa6aa7 | 416 | "fremovexattr\0" |
1a1b13c9 | 417 | "fsetxattr\0" |
1a1b13c9 | 418 | "fstat\0" |
ceaa6aa7 | 419 | "fstat64\0" |
1a1b13c9 | 420 | "fstatat64\0" |
1a1b13c9 | 421 | "fstatfs\0" |
ceaa6aa7 | 422 | "fstatfs64\0" |
1a1b13c9 | 423 | "ftruncate\0" |
ceaa6aa7 | 424 | "ftruncate64\0" |
1a1b13c9 LP |
425 | "futimesat\0" |
426 | "getcwd\0" | |
1a1b13c9 | 427 | "getdents\0" |
ceaa6aa7 | 428 | "getdents64\0" |
1a1b13c9 LP |
429 | "getxattr\0" |
430 | "inotify_add_watch\0" | |
ceaa6aa7 | 431 | "inotify_init\0" |
1a1b13c9 LP |
432 | "inotify_init1\0" |
433 | "inotify_rm_watch\0" | |
434 | "lgetxattr\0" | |
435 | "link\0" | |
436 | "linkat\0" | |
437 | "listxattr\0" | |
438 | "llistxattr\0" | |
439 | "lremovexattr\0" | |
440 | "lsetxattr\0" | |
1a1b13c9 | 441 | "lstat\0" |
ceaa6aa7 | 442 | "lstat64\0" |
1a1b13c9 LP |
443 | "mkdir\0" |
444 | "mkdirat\0" | |
445 | "mknod\0" | |
446 | "mknodat\0" | |
1a1b13c9 | 447 | "mmap\0" |
ceaa6aa7 | 448 | "mmap2\0" |
7961116e | 449 | "munmap\0" |
1a1b13c9 | 450 | "newfstatat\0" |
ceaa6aa7 LP |
451 | "oldfstat\0" |
452 | "oldlstat\0" | |
453 | "oldstat\0" | |
1a1b13c9 LP |
454 | "open\0" |
455 | "openat\0" | |
456 | "readlink\0" | |
457 | "readlinkat\0" | |
458 | "removexattr\0" | |
459 | "rename\0" | |
1a1b13c9 | 460 | "renameat\0" |
ceaa6aa7 | 461 | "renameat2\0" |
1a1b13c9 LP |
462 | "rmdir\0" |
463 | "setxattr\0" | |
1a1b13c9 | 464 | "stat\0" |
ceaa6aa7 | 465 | "stat64\0" |
1a1b13c9 | 466 | "statfs\0" |
ceaa6aa7 | 467 | "statfs64\0" |
8e6a7a8b | 468 | #ifdef __NR_statx |
a4135a74 | 469 | "statx\0" |
ceaa6aa7 | 470 | #endif |
1a1b13c9 LP |
471 | "symlink\0" |
472 | "symlinkat\0" | |
1a1b13c9 | 473 | "truncate\0" |
ceaa6aa7 | 474 | "truncate64\0" |
1a1b13c9 LP |
475 | "unlink\0" |
476 | "unlinkat\0" | |
ceaa6aa7 | 477 | "utime\0" |
1a1b13c9 LP |
478 | "utimensat\0" |
479 | "utimes\0" | |
480 | }, | |
8130926d | 481 | [SYSCALL_FILTER_SET_IO_EVENT] = { |
8130926d | 482 | .name = "@io-event", |
d5efc18b | 483 | .help = "Event loop system calls", |
201c1cc2 TM |
484 | .value = |
485 | "_newselect\0" | |
201c1cc2 | 486 | "epoll_create\0" |
215728ff | 487 | "epoll_create1\0" |
201c1cc2 TM |
488 | "epoll_ctl\0" |
489 | "epoll_ctl_old\0" | |
490 | "epoll_pwait\0" | |
491 | "epoll_wait\0" | |
492 | "epoll_wait_old\0" | |
201c1cc2 | 493 | "eventfd\0" |
215728ff | 494 | "eventfd2\0" |
201c1cc2 TM |
495 | "poll\0" |
496 | "ppoll\0" | |
497 | "pselect6\0" | |
498 | "select\0" | |
8130926d LP |
499 | }, |
500 | [SYSCALL_FILTER_SET_IPC] = { | |
8130926d | 501 | .name = "@ipc", |
d5efc18b ZJS |
502 | .help = "SysV IPC, POSIX Message Queues or other IPC", |
503 | .value = | |
504 | "ipc\0" | |
cd5bfd7e | 505 | "memfd_create\0" |
201c1cc2 TM |
506 | "mq_getsetattr\0" |
507 | "mq_notify\0" | |
508 | "mq_open\0" | |
509 | "mq_timedreceive\0" | |
510 | "mq_timedsend\0" | |
511 | "mq_unlink\0" | |
512 | "msgctl\0" | |
513 | "msgget\0" | |
514 | "msgrcv\0" | |
515 | "msgsnd\0" | |
cd5bfd7e | 516 | "pipe\0" |
215728ff | 517 | "pipe2\0" |
201c1cc2 TM |
518 | "process_vm_readv\0" |
519 | "process_vm_writev\0" | |
520 | "semctl\0" | |
521 | "semget\0" | |
522 | "semop\0" | |
523 | "semtimedop\0" | |
524 | "shmat\0" | |
525 | "shmctl\0" | |
526 | "shmdt\0" | |
527 | "shmget\0" | |
8130926d LP |
528 | }, |
529 | [SYSCALL_FILTER_SET_KEYRING] = { | |
8130926d | 530 | .name = "@keyring", |
d5efc18b | 531 | .help = "Kernel keyring access", |
1f9ac68b LP |
532 | .value = |
533 | "add_key\0" | |
534 | "keyctl\0" | |
535 | "request_key\0" | |
8130926d | 536 | }, |
cd0ddf6f LP |
537 | [SYSCALL_FILTER_SET_MEMLOCK] = { |
538 | .name = "@memlock", | |
539 | .help = "Memory locking control", | |
540 | .value = | |
541 | "mlock\0" | |
542 | "mlock2\0" | |
543 | "mlockall\0" | |
544 | "munlock\0" | |
545 | "munlockall\0" | |
546 | }, | |
8130926d | 547 | [SYSCALL_FILTER_SET_MODULE] = { |
8130926d | 548 | .name = "@module", |
d5efc18b | 549 | .help = "Loading and unloading of kernel modules", |
201c1cc2 | 550 | .value = |
201c1cc2 TM |
551 | "delete_module\0" |
552 | "finit_module\0" | |
553 | "init_module\0" | |
8130926d LP |
554 | }, |
555 | [SYSCALL_FILTER_SET_MOUNT] = { | |
8130926d | 556 | .name = "@mount", |
d5efc18b | 557 | .help = "Mounting and unmounting of file systems", |
201c1cc2 TM |
558 | .value = |
559 | "chroot\0" | |
560 | "mount\0" | |
201c1cc2 | 561 | "pivot_root\0" |
201c1cc2 | 562 | "umount\0" |
215728ff | 563 | "umount2\0" |
8130926d LP |
564 | }, |
565 | [SYSCALL_FILTER_SET_NETWORK_IO] = { | |
8130926d | 566 | .name = "@network-io", |
d5efc18b | 567 | .help = "Network or Unix socket IO, should not be needed if not network facing", |
201c1cc2 | 568 | .value = |
201c1cc2 | 569 | "accept\0" |
215728ff | 570 | "accept4\0" |
201c1cc2 TM |
571 | "bind\0" |
572 | "connect\0" | |
573 | "getpeername\0" | |
574 | "getsockname\0" | |
575 | "getsockopt\0" | |
576 | "listen\0" | |
577 | "recv\0" | |
578 | "recvfrom\0" | |
579 | "recvmmsg\0" | |
580 | "recvmsg\0" | |
581 | "send\0" | |
582 | "sendmmsg\0" | |
583 | "sendmsg\0" | |
584 | "sendto\0" | |
585 | "setsockopt\0" | |
586 | "shutdown\0" | |
587 | "socket\0" | |
588 | "socketcall\0" | |
589 | "socketpair\0" | |
8130926d LP |
590 | }, |
591 | [SYSCALL_FILTER_SET_OBSOLETE] = { | |
d5efc18b | 592 | /* some unknown even to libseccomp */ |
8130926d | 593 | .name = "@obsolete", |
d5efc18b | 594 | .help = "Unusual, obsolete or unimplemented system calls", |
201c1cc2 TM |
595 | .value = |
596 | "_sysctl\0" | |
597 | "afs_syscall\0" | |
802fa07a | 598 | "bdflush\0" |
201c1cc2 | 599 | "break\0" |
1f9ac68b | 600 | "create_module\0" |
201c1cc2 TM |
601 | "ftime\0" |
602 | "get_kernel_syms\0" | |
201c1cc2 TM |
603 | "getpmsg\0" |
604 | "gtty\0" | |
7e0c3b8f | 605 | "idle\0" |
201c1cc2 | 606 | "lock\0" |
201c1cc2 | 607 | "mpx\0" |
201c1cc2 TM |
608 | "prof\0" |
609 | "profil\0" | |
201c1cc2 TM |
610 | "putpmsg\0" |
611 | "query_module\0" | |
201c1cc2 TM |
612 | "security\0" |
613 | "sgetmask\0" | |
614 | "ssetmask\0" | |
615 | "stty\0" | |
1f9ac68b | 616 | "sysfs\0" |
201c1cc2 TM |
617 | "tuxcall\0" |
618 | "ulimit\0" | |
619 | "uselib\0" | |
1f9ac68b | 620 | "ustat\0" |
201c1cc2 | 621 | "vserver\0" |
8130926d LP |
622 | }, |
623 | [SYSCALL_FILTER_SET_PRIVILEGED] = { | |
8130926d | 624 | .name = "@privileged", |
d5efc18b | 625 | .help = "All system calls which need super-user capabilities", |
201c1cc2 | 626 | .value = |
44898c53 | 627 | "@chown\0" |
201c1cc2 TM |
628 | "@clock\0" |
629 | "@module\0" | |
630 | "@raw-io\0" | |
af0f047b LP |
631 | "@reboot\0" |
632 | "@swap\0" | |
215728ff | 633 | "_sysctl\0" |
201c1cc2 | 634 | "acct\0" |
201c1cc2 | 635 | "bpf\0" |
1f9ac68b | 636 | "capset\0" |
201c1cc2 | 637 | "chroot\0" |
201c1cc2 TM |
638 | "nfsservctl\0" |
639 | "pivot_root\0" | |
640 | "quotactl\0" | |
201c1cc2 | 641 | "setdomainname\0" |
201c1cc2 | 642 | "setfsuid\0" |
215728ff | 643 | "setfsuid32\0" |
201c1cc2 | 644 | "setgroups\0" |
215728ff | 645 | "setgroups32\0" |
201c1cc2 | 646 | "sethostname\0" |
201c1cc2 | 647 | "setresuid\0" |
215728ff | 648 | "setresuid32\0" |
201c1cc2 | 649 | "setreuid\0" |
215728ff | 650 | "setreuid32\0" |
201c1cc2 | 651 | "setuid\0" |
215728ff | 652 | "setuid32\0" |
201c1cc2 | 653 | "vhangup\0" |
8130926d LP |
654 | }, |
655 | [SYSCALL_FILTER_SET_PROCESS] = { | |
8130926d | 656 | .name = "@process", |
d5efc18b | 657 | .help = "Process control, execution, namespaceing operations", |
201c1cc2 TM |
658 | .value = |
659 | "arch_prctl\0" | |
09d3020b | 660 | "capget\0" /* Able to query arbitrary processes */ |
201c1cc2 | 661 | "clone\0" |
201c1cc2 TM |
662 | "execveat\0" |
663 | "fork\0" | |
b887d2eb | 664 | "getrusage\0" |
201c1cc2 TM |
665 | "kill\0" |
666 | "prctl\0" | |
b887d2eb LP |
667 | "rt_sigqueueinfo\0" |
668 | "rt_tgsigqueueinfo\0" | |
201c1cc2 TM |
669 | "setns\0" |
670 | "tgkill\0" | |
b887d2eb | 671 | "times\0" |
201c1cc2 TM |
672 | "tkill\0" |
673 | "unshare\0" | |
674 | "vfork\0" | |
b887d2eb LP |
675 | "wait4\0" |
676 | "waitid\0" | |
677 | "waitpid\0" | |
8130926d LP |
678 | }, |
679 | [SYSCALL_FILTER_SET_RAW_IO] = { | |
8130926d | 680 | .name = "@raw-io", |
d5efc18b | 681 | .help = "Raw I/O port access", |
201c1cc2 TM |
682 | .value = |
683 | "ioperm\0" | |
684 | "iopl\0" | |
1f9ac68b | 685 | "pciconfig_iobase\0" |
201c1cc2 TM |
686 | "pciconfig_read\0" |
687 | "pciconfig_write\0" | |
8130926d | 688 | #ifdef __NR_s390_pci_mmio_read |
201c1cc2 | 689 | "s390_pci_mmio_read\0" |
8130926d LP |
690 | #endif |
691 | #ifdef __NR_s390_pci_mmio_write | |
201c1cc2 | 692 | "s390_pci_mmio_write\0" |
8130926d LP |
693 | #endif |
694 | }, | |
bd2ab3f4 LP |
695 | [SYSCALL_FILTER_SET_REBOOT] = { |
696 | .name = "@reboot", | |
697 | .help = "Reboot and reboot preparation/kexec", | |
698 | .value = | |
bd2ab3f4 | 699 | "kexec_file_load\0" |
e59608fa | 700 | "kexec_load\0" |
bd2ab3f4 LP |
701 | "reboot\0" |
702 | }, | |
133ddbbe | 703 | [SYSCALL_FILTER_SET_RESOURCES] = { |
133ddbbe | 704 | .name = "@resources", |
58a8f68b | 705 | .help = "Alter resource settings", |
133ddbbe | 706 | .value = |
0963c053 LP |
707 | "ioprio_set\0" |
708 | "mbind\0" | |
709 | "migrate_pages\0" | |
710 | "move_pages\0" | |
711 | "nice\0" | |
0963c053 LP |
712 | "sched_setaffinity\0" |
713 | "sched_setattr\0" | |
133ddbbe LP |
714 | "sched_setparam\0" |
715 | "sched_setscheduler\0" | |
0963c053 | 716 | "set_mempolicy\0" |
133ddbbe LP |
717 | "setpriority\0" |
718 | "setrlimit\0" | |
133ddbbe | 719 | }, |
6eaaeee9 LP |
720 | [SYSCALL_FILTER_SET_SETUID] = { |
721 | .name = "@setuid", | |
722 | .help = "Operations for changing user/group credentials", | |
723 | .value = | |
6eaaeee9 | 724 | "setgid\0" |
215728ff | 725 | "setgid32\0" |
6eaaeee9 | 726 | "setgroups\0" |
215728ff | 727 | "setgroups32\0" |
6eaaeee9 | 728 | "setregid\0" |
215728ff | 729 | "setregid32\0" |
6eaaeee9 | 730 | "setresgid\0" |
215728ff | 731 | "setresgid32\0" |
6eaaeee9 | 732 | "setresuid\0" |
215728ff | 733 | "setresuid32\0" |
6eaaeee9 | 734 | "setreuid\0" |
215728ff | 735 | "setreuid32\0" |
6eaaeee9 | 736 | "setuid\0" |
215728ff | 737 | "setuid32\0" |
6eaaeee9 | 738 | }, |
cd0ddf6f LP |
739 | [SYSCALL_FILTER_SET_SIGNAL] = { |
740 | .name = "@signal", | |
741 | .help = "Process signal handling", | |
742 | .value = | |
743 | "rt_sigaction\0" | |
744 | "rt_sigpending\0" | |
745 | "rt_sigprocmask\0" | |
746 | "rt_sigsuspend\0" | |
747 | "rt_sigtimedwait\0" | |
748 | "sigaction\0" | |
749 | "sigaltstack\0" | |
750 | "signal\0" | |
751 | "signalfd\0" | |
752 | "signalfd4\0" | |
753 | "sigpending\0" | |
754 | "sigprocmask\0" | |
755 | "sigsuspend\0" | |
756 | }, | |
bd2ab3f4 LP |
757 | [SYSCALL_FILTER_SET_SWAP] = { |
758 | .name = "@swap", | |
759 | .help = "Enable/disable swap devices", | |
760 | .value = | |
761 | "swapoff\0" | |
762 | "swapon\0" | |
763 | }, | |
44898c53 LP |
764 | [SYSCALL_FILTER_SET_SYNC] = { |
765 | .name = "@sync", | |
766 | .help = "Synchronize files and memory to storage", | |
767 | .value = | |
768 | "fdatasync\0" | |
769 | "fsync\0" | |
770 | "msync\0" | |
771 | "sync\0" | |
772 | "sync_file_range\0" | |
773 | "syncfs\0" | |
774 | }, | |
cd0ddf6f LP |
775 | [SYSCALL_FILTER_SET_TIMER] = { |
776 | .name = "@timer", | |
777 | .help = "Schedule operations by time", | |
778 | .value = | |
779 | "alarm\0" | |
780 | "getitimer\0" | |
781 | "setitimer\0" | |
782 | "timer_create\0" | |
783 | "timer_delete\0" | |
784 | "timer_getoverrun\0" | |
785 | "timer_gettime\0" | |
786 | "timer_settime\0" | |
787 | "timerfd_create\0" | |
788 | "timerfd_gettime\0" | |
789 | "timerfd_settime\0" | |
790 | "times\0" | |
791 | }, | |
201c1cc2 | 792 | }; |
8130926d LP |
793 | |
794 | const SyscallFilterSet *syscall_filter_set_find(const char *name) { | |
795 | unsigned i; | |
796 | ||
797 | if (isempty(name) || name[0] != '@') | |
798 | return NULL; | |
799 | ||
800 | for (i = 0; i < _SYSCALL_FILTER_SET_MAX; i++) | |
801 | if (streq(syscall_filter_sets[i].name, name)) | |
802 | return syscall_filter_sets + i; | |
803 | ||
804 | return NULL; | |
805 | } | |
806 | ||
960e4569 | 807 | static int seccomp_add_syscall_filter_set(scmp_filter_ctx seccomp, const SyscallFilterSet *set, uint32_t action, char **exclude); |
69b1b241 | 808 | |
960e4569 | 809 | int seccomp_add_syscall_filter_item(scmp_filter_ctx *seccomp, const char *name, uint32_t action, char **exclude) { |
69b1b241 LP |
810 | int r; |
811 | ||
812 | assert(seccomp); | |
813 | assert(name); | |
814 | ||
960e4569 LP |
815 | if (strv_contains(exclude, name)) |
816 | return 0; | |
817 | ||
69b1b241 LP |
818 | if (name[0] == '@') { |
819 | const SyscallFilterSet *other; | |
820 | ||
821 | other = syscall_filter_set_find(name); | |
cff7bff8 LP |
822 | if (!other) { |
823 | log_debug("Filter set %s is not known!", name); | |
69b1b241 | 824 | return -EINVAL; |
cff7bff8 | 825 | } |
69b1b241 | 826 | |
960e4569 | 827 | r = seccomp_add_syscall_filter_set(seccomp, other, action, exclude); |
69b1b241 LP |
828 | if (r < 0) |
829 | return r; | |
830 | } else { | |
831 | int id; | |
832 | ||
833 | id = seccomp_syscall_resolve_name(name); | |
cff7bff8 | 834 | if (id == __NR_SCMP_ERROR) { |
ff217dc3 LP |
835 | log_debug("System call %s is not known, ignoring.", name); |
836 | return 0; | |
cff7bff8 | 837 | } |
69b1b241 LP |
838 | |
839 | r = seccomp_rule_add_exact(seccomp, action, id, 0); | |
840 | if (r < 0) | |
841 | /* If the system call is not known on this architecture, then that's fine, let's ignore it */ | |
842 | log_debug_errno(r, "Failed to add rule for system call %s() / %d, ignoring: %m", name, id); | |
843 | } | |
844 | ||
845 | return 0; | |
846 | } | |
847 | ||
469830d1 LP |
848 | static int seccomp_add_syscall_filter_set( |
849 | scmp_filter_ctx seccomp, | |
469830d1 | 850 | const SyscallFilterSet *set, |
960e4569 LP |
851 | uint32_t action, |
852 | char **exclude) { | |
469830d1 | 853 | |
8130926d LP |
854 | const char *sys; |
855 | int r; | |
856 | ||
857 | assert(seccomp); | |
858 | assert(set); | |
859 | ||
860 | NULSTR_FOREACH(sys, set->value) { | |
960e4569 | 861 | r = seccomp_add_syscall_filter_item(seccomp, sys, action, exclude); |
69b1b241 LP |
862 | if (r < 0) |
863 | return r; | |
469830d1 LP |
864 | } |
865 | ||
866 | return 0; | |
867 | } | |
868 | ||
869 | int seccomp_load_syscall_filter_set(uint32_t default_action, const SyscallFilterSet *set, uint32_t action) { | |
870 | uint32_t arch; | |
871 | int r; | |
872 | ||
873 | assert(set); | |
874 | ||
875 | /* The one-stop solution: allocate a seccomp object, add the specified filter to it, and apply it. Once for | |
876 | * earch local arch. */ | |
877 | ||
878 | SECCOMP_FOREACH_LOCAL_ARCH(arch) { | |
879 | _cleanup_(seccomp_releasep) scmp_filter_ctx seccomp = NULL; | |
880 | ||
881 | log_debug("Operating on architecture: %s", seccomp_arch_to_string(arch)); | |
882 | ||
883 | r = seccomp_init_for_arch(&seccomp, arch, default_action); | |
8130926d LP |
884 | if (r < 0) |
885 | return r; | |
469830d1 | 886 | |
960e4569 | 887 | r = seccomp_add_syscall_filter_set(seccomp, set, action, NULL); |
469830d1 LP |
888 | if (r < 0) { |
889 | log_debug_errno(r, "Failed to add filter set, ignoring: %m"); | |
890 | continue; | |
891 | } | |
892 | ||
893 | r = seccomp_load(seccomp); | |
894 | if (IN_SET(r, -EPERM, -EACCES)) | |
895 | return r; | |
896 | if (r < 0) | |
897 | log_debug_errno(r, "Failed to install filter set for architecture %s, skipping: %m", seccomp_arch_to_string(arch)); | |
8130926d LP |
898 | } |
899 | ||
900 | return 0; | |
901 | } | |
a3be2849 | 902 | |
8cfa775f | 903 | int seccomp_load_syscall_filter_set_raw(uint32_t default_action, Hashmap* set, uint32_t action) { |
469830d1 | 904 | uint32_t arch; |
a3be2849 LP |
905 | int r; |
906 | ||
469830d1 LP |
907 | /* Similar to seccomp_load_syscall_filter_set(), but takes a raw Set* of syscalls, instead of a |
908 | * SyscallFilterSet* table. */ | |
a3be2849 | 909 | |
8cfa775f | 910 | if (hashmap_isempty(set) && default_action == SCMP_ACT_ALLOW) |
469830d1 | 911 | return 0; |
a3be2849 | 912 | |
469830d1 LP |
913 | SECCOMP_FOREACH_LOCAL_ARCH(arch) { |
914 | _cleanup_(seccomp_releasep) scmp_filter_ctx seccomp = NULL; | |
915 | Iterator i; | |
8cfa775f | 916 | void *id, *val; |
a3be2849 | 917 | |
469830d1 | 918 | log_debug("Operating on architecture: %s", seccomp_arch_to_string(arch)); |
a3be2849 | 919 | |
469830d1 LP |
920 | r = seccomp_init_for_arch(&seccomp, arch, default_action); |
921 | if (r < 0) | |
922 | return r; | |
a3be2849 | 923 | |
8cfa775f YW |
924 | HASHMAP_FOREACH_KEY(val, id, set, i) { |
925 | uint32_t a = action; | |
926 | int e = PTR_TO_INT(val); | |
927 | ||
928 | if (action != SCMP_ACT_ALLOW && e >= 0) | |
929 | a = SCMP_ACT_ERRNO(e); | |
930 | ||
931 | r = seccomp_rule_add_exact(seccomp, a, PTR_TO_INT(id) - 1, 0); | |
469830d1 LP |
932 | if (r < 0) { |
933 | /* If the system call is not known on this architecture, then that's fine, let's ignore it */ | |
934 | _cleanup_free_ char *n = NULL; | |
935 | ||
936 | n = seccomp_syscall_resolve_num_arch(arch, PTR_TO_INT(id) - 1); | |
e7854c46 | 937 | log_debug_errno(r, "Failed to add rule for system call %s() / %d, ignoring: %m", strna(n), PTR_TO_INT(id) - 1); |
469830d1 LP |
938 | } |
939 | } | |
940 | ||
941 | r = seccomp_load(seccomp); | |
942 | if (IN_SET(r, -EPERM, -EACCES)) | |
943 | return r; | |
944 | if (r < 0) | |
945 | log_debug_errno(r, "Failed to install filter set for architecture %s, skipping: %m", seccomp_arch_to_string(arch)); | |
946 | } | |
947 | ||
948 | return 0; | |
add00535 LP |
949 | } |
950 | ||
951 | int seccomp_restrict_namespaces(unsigned long retain) { | |
469830d1 | 952 | uint32_t arch; |
add00535 LP |
953 | int r; |
954 | ||
955 | if (log_get_max_level() >= LOG_DEBUG) { | |
956 | _cleanup_free_ char *s = NULL; | |
957 | ||
958 | (void) namespace_flag_to_string_many(retain, &s); | |
959 | log_debug("Restricting namespace to: %s.", strna(s)); | |
960 | } | |
961 | ||
962 | /* NOOP? */ | |
963 | if ((retain & NAMESPACE_FLAGS_ALL) == NAMESPACE_FLAGS_ALL) | |
964 | return 0; | |
965 | ||
469830d1 LP |
966 | SECCOMP_FOREACH_LOCAL_ARCH(arch) { |
967 | _cleanup_(seccomp_releasep) scmp_filter_ctx seccomp = NULL; | |
968 | unsigned i; | |
add00535 | 969 | |
469830d1 LP |
970 | log_debug("Operating on architecture: %s", seccomp_arch_to_string(arch)); |
971 | ||
972 | r = seccomp_init_for_arch(&seccomp, arch, SCMP_ACT_ALLOW); | |
973 | if (r < 0) | |
974 | return r; | |
975 | ||
976 | if ((retain & NAMESPACE_FLAGS_ALL) == 0) | |
977 | /* If every single kind of namespace shall be prohibited, then let's block the whole setns() syscall | |
978 | * altogether. */ | |
979 | r = seccomp_rule_add_exact( | |
980 | seccomp, | |
981 | SCMP_ACT_ERRNO(EPERM), | |
982 | SCMP_SYS(setns), | |
983 | 0); | |
984 | else | |
985 | /* Otherwise, block only the invocations with the appropriate flags in the loop below, but also the | |
986 | * special invocation with a zero flags argument, right here. */ | |
987 | r = seccomp_rule_add_exact( | |
988 | seccomp, | |
989 | SCMP_ACT_ERRNO(EPERM), | |
990 | SCMP_SYS(setns), | |
991 | 1, | |
992 | SCMP_A1(SCMP_CMP_EQ, 0)); | |
993 | if (r < 0) { | |
994 | log_debug_errno(r, "Failed to add setns() rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch)); | |
995 | continue; | |
996 | } | |
997 | ||
998 | for (i = 0; namespace_flag_map[i].name; i++) { | |
999 | unsigned long f; | |
1000 | ||
1001 | f = namespace_flag_map[i].flag; | |
1002 | if ((retain & f) == f) { | |
1003 | log_debug("Permitting %s.", namespace_flag_map[i].name); | |
1004 | continue; | |
1005 | } | |
1006 | ||
1007 | log_debug("Blocking %s.", namespace_flag_map[i].name); | |
1008 | ||
1009 | r = seccomp_rule_add_exact( | |
1010 | seccomp, | |
1011 | SCMP_ACT_ERRNO(EPERM), | |
1012 | SCMP_SYS(unshare), | |
1013 | 1, | |
1014 | SCMP_A0(SCMP_CMP_MASKED_EQ, f, f)); | |
1015 | if (r < 0) { | |
1016 | log_debug_errno(r, "Failed to add unshare() rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch)); | |
1017 | break; | |
1018 | } | |
1019 | ||
511ceb1f ZJS |
1020 | /* On s390/s390x the first two parameters to clone are switched */ |
1021 | if (!IN_SET(arch, SCMP_ARCH_S390, SCMP_ARCH_S390X)) | |
ae9d60ce LP |
1022 | r = seccomp_rule_add_exact( |
1023 | seccomp, | |
1024 | SCMP_ACT_ERRNO(EPERM), | |
1025 | SCMP_SYS(clone), | |
1026 | 1, | |
1027 | SCMP_A0(SCMP_CMP_MASKED_EQ, f, f)); | |
1028 | else | |
1029 | r = seccomp_rule_add_exact( | |
1030 | seccomp, | |
1031 | SCMP_ACT_ERRNO(EPERM), | |
1032 | SCMP_SYS(clone), | |
1033 | 1, | |
1034 | SCMP_A1(SCMP_CMP_MASKED_EQ, f, f)); | |
469830d1 LP |
1035 | if (r < 0) { |
1036 | log_debug_errno(r, "Failed to add clone() rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch)); | |
1037 | break; | |
1038 | } | |
1039 | ||
1040 | if ((retain & NAMESPACE_FLAGS_ALL) != 0) { | |
1041 | r = seccomp_rule_add_exact( | |
1042 | seccomp, | |
1043 | SCMP_ACT_ERRNO(EPERM), | |
1044 | SCMP_SYS(setns), | |
1045 | 1, | |
1046 | SCMP_A1(SCMP_CMP_MASKED_EQ, f, f)); | |
1047 | if (r < 0) { | |
1048 | log_debug_errno(r, "Failed to add setns() rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch)); | |
1049 | break; | |
1050 | } | |
1051 | } | |
1052 | } | |
1053 | if (r < 0) | |
1054 | continue; | |
1055 | ||
1056 | r = seccomp_load(seccomp); | |
1057 | if (IN_SET(r, -EPERM, -EACCES)) | |
1058 | return r; | |
1059 | if (r < 0) | |
1060 | log_debug_errno(r, "Failed to install namespace restriction rules for architecture %s, skipping: %m", seccomp_arch_to_string(arch)); | |
1061 | } | |
1062 | ||
1063 | return 0; | |
1064 | } | |
1065 | ||
1066 | int seccomp_protect_sysctl(void) { | |
1067 | uint32_t arch; | |
1068 | int r; | |
1069 | ||
1070 | SECCOMP_FOREACH_LOCAL_ARCH(arch) { | |
1071 | _cleanup_(seccomp_releasep) scmp_filter_ctx seccomp = NULL; | |
1072 | ||
1073 | log_debug("Operating on architecture: %s", seccomp_arch_to_string(arch)); | |
1074 | ||
2e64e8f4 ZJS |
1075 | if (IN_SET(arch, SCMP_ARCH_X32, SCMP_ARCH_AARCH64)) |
1076 | /* No _sysctl syscall */ | |
1077 | continue; | |
1078 | ||
469830d1 LP |
1079 | r = seccomp_init_for_arch(&seccomp, arch, SCMP_ACT_ALLOW); |
1080 | if (r < 0) | |
1081 | return r; | |
1082 | ||
1083 | r = seccomp_rule_add_exact( | |
add00535 LP |
1084 | seccomp, |
1085 | SCMP_ACT_ERRNO(EPERM), | |
469830d1 | 1086 | SCMP_SYS(_sysctl), |
add00535 | 1087 | 0); |
469830d1 LP |
1088 | if (r < 0) { |
1089 | log_debug_errno(r, "Failed to add _sysctl() rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch)); | |
1090 | continue; | |
1091 | } | |
1092 | ||
1093 | r = seccomp_load(seccomp); | |
1094 | if (IN_SET(r, -EPERM, -EACCES)) | |
1095 | return r; | |
1096 | if (r < 0) | |
1097 | log_debug_errno(r, "Failed to install sysctl protection rules for architecture %s, skipping: %m", seccomp_arch_to_string(arch)); | |
1098 | } | |
1099 | ||
1100 | return 0; | |
1101 | } | |
1102 | ||
1103 | int seccomp_restrict_address_families(Set *address_families, bool whitelist) { | |
1104 | uint32_t arch; | |
1105 | int r; | |
1106 | ||
1107 | SECCOMP_FOREACH_LOCAL_ARCH(arch) { | |
1108 | _cleanup_(seccomp_releasep) scmp_filter_ctx seccomp = NULL; | |
9606bc4b | 1109 | bool supported; |
469830d1 LP |
1110 | Iterator i; |
1111 | ||
1112 | log_debug("Operating on architecture: %s", seccomp_arch_to_string(arch)); | |
1113 | ||
9606bc4b LP |
1114 | switch (arch) { |
1115 | ||
1116 | case SCMP_ARCH_X86_64: | |
1117 | case SCMP_ARCH_X32: | |
1118 | case SCMP_ARCH_ARM: | |
1119 | case SCMP_ARCH_AARCH64: | |
da1921a5 ZJS |
1120 | case SCMP_ARCH_PPC64: |
1121 | case SCMP_ARCH_PPC64LE: | |
9606bc4b LP |
1122 | /* These we know we support (i.e. are the ones that do not use socketcall()) */ |
1123 | supported = true; | |
1124 | break; | |
1125 | ||
9606bc4b LP |
1126 | case SCMP_ARCH_S390: |
1127 | case SCMP_ARCH_S390X: | |
1128 | case SCMP_ARCH_PPC: | |
da1921a5 | 1129 | case SCMP_ARCH_X86: |
9606bc4b LP |
1130 | default: |
1131 | /* These we either know we don't support (i.e. are the ones that do use socketcall()), or we | |
1132 | * don't know */ | |
1133 | supported = false; | |
1134 | break; | |
1135 | } | |
1136 | ||
1137 | if (!supported) | |
1138 | continue; | |
1139 | ||
469830d1 LP |
1140 | r = seccomp_init_for_arch(&seccomp, arch, SCMP_ACT_ALLOW); |
1141 | if (r < 0) | |
1142 | return r; | |
1143 | ||
1144 | if (whitelist) { | |
1145 | int af, first = 0, last = 0; | |
1146 | void *afp; | |
1147 | ||
1148 | /* If this is a whitelist, we first block the address families that are out of range and then | |
1149 | * everything that is not in the set. First, we find the lowest and highest address family in | |
1150 | * the set. */ | |
1151 | ||
1152 | SET_FOREACH(afp, address_families, i) { | |
1153 | af = PTR_TO_INT(afp); | |
1154 | ||
1155 | if (af <= 0 || af >= af_max()) | |
1156 | continue; | |
1157 | ||
1158 | if (first == 0 || af < first) | |
1159 | first = af; | |
1160 | ||
1161 | if (last == 0 || af > last) | |
1162 | last = af; | |
1163 | } | |
1164 | ||
1165 | assert((first == 0) == (last == 0)); | |
1166 | ||
1167 | if (first == 0) { | |
1168 | ||
1169 | /* No entries in the valid range, block everything */ | |
1170 | r = seccomp_rule_add_exact( | |
1171 | seccomp, | |
1172 | SCMP_ACT_ERRNO(EAFNOSUPPORT), | |
1173 | SCMP_SYS(socket), | |
1174 | 0); | |
1175 | if (r < 0) { | |
1176 | log_debug_errno(r, "Failed to add socket() rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch)); | |
1177 | continue; | |
1178 | } | |
1179 | ||
1180 | } else { | |
1181 | ||
1182 | /* Block everything below the first entry */ | |
1183 | r = seccomp_rule_add_exact( | |
1184 | seccomp, | |
1185 | SCMP_ACT_ERRNO(EAFNOSUPPORT), | |
1186 | SCMP_SYS(socket), | |
1187 | 1, | |
1188 | SCMP_A0(SCMP_CMP_LT, first)); | |
1189 | if (r < 0) { | |
1190 | log_debug_errno(r, "Failed to add socket() rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch)); | |
1191 | continue; | |
1192 | } | |
1193 | ||
1194 | /* Block everything above the last entry */ | |
1195 | r = seccomp_rule_add_exact( | |
1196 | seccomp, | |
1197 | SCMP_ACT_ERRNO(EAFNOSUPPORT), | |
1198 | SCMP_SYS(socket), | |
1199 | 1, | |
1200 | SCMP_A0(SCMP_CMP_GT, last)); | |
1201 | if (r < 0) { | |
1202 | log_debug_errno(r, "Failed to add socket() rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch)); | |
1203 | continue; | |
1204 | } | |
1205 | ||
1206 | /* Block everything between the first and last entry */ | |
1207 | for (af = 1; af < af_max(); af++) { | |
1208 | ||
1209 | if (set_contains(address_families, INT_TO_PTR(af))) | |
1210 | continue; | |
1211 | ||
1212 | r = seccomp_rule_add_exact( | |
1213 | seccomp, | |
1214 | SCMP_ACT_ERRNO(EAFNOSUPPORT), | |
1215 | SCMP_SYS(socket), | |
1216 | 1, | |
1217 | SCMP_A0(SCMP_CMP_EQ, af)); | |
1218 | if (r < 0) | |
1219 | break; | |
1220 | } | |
469830d1 LP |
1221 | if (r < 0) { |
1222 | log_debug_errno(r, "Failed to add socket() rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch)); | |
1223 | continue; | |
1224 | } | |
1225 | } | |
1226 | ||
1227 | } else { | |
1228 | void *af; | |
1229 | ||
1230 | /* If this is a blacklist, then generate one rule for | |
1231 | * each address family that are then combined in OR | |
1232 | * checks. */ | |
1233 | ||
1234 | SET_FOREACH(af, address_families, i) { | |
1235 | ||
1236 | r = seccomp_rule_add_exact( | |
1237 | seccomp, | |
1238 | SCMP_ACT_ERRNO(EAFNOSUPPORT), | |
1239 | SCMP_SYS(socket), | |
1240 | 1, | |
1241 | SCMP_A0(SCMP_CMP_EQ, PTR_TO_INT(af))); | |
1242 | if (r < 0) | |
1243 | break; | |
1244 | } | |
469830d1 LP |
1245 | if (r < 0) { |
1246 | log_debug_errno(r, "Failed to add socket() rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch)); | |
1247 | continue; | |
1248 | } | |
1249 | } | |
1250 | ||
1251 | r = seccomp_load(seccomp); | |
1252 | if (IN_SET(r, -EPERM, -EACCES)) | |
1253 | return r; | |
1254 | if (r < 0) | |
1255 | log_debug_errno(r, "Failed to install socket family rules for architecture %s, skipping: %m", seccomp_arch_to_string(arch)); | |
1256 | } | |
1257 | ||
1258 | return 0; | |
1259 | } | |
1260 | ||
1261 | int seccomp_restrict_realtime(void) { | |
1262 | static const int permitted_policies[] = { | |
1263 | SCHED_OTHER, | |
1264 | SCHED_BATCH, | |
1265 | SCHED_IDLE, | |
1266 | }; | |
1267 | ||
1268 | int r, max_policy = 0; | |
1269 | uint32_t arch; | |
1270 | unsigned i; | |
1271 | ||
1272 | /* Determine the highest policy constant we want to allow */ | |
1273 | for (i = 0; i < ELEMENTSOF(permitted_policies); i++) | |
1274 | if (permitted_policies[i] > max_policy) | |
1275 | max_policy = permitted_policies[i]; | |
1276 | ||
1277 | SECCOMP_FOREACH_LOCAL_ARCH(arch) { | |
1278 | _cleanup_(seccomp_releasep) scmp_filter_ctx seccomp = NULL; | |
1279 | int p; | |
1280 | ||
1281 | log_debug("Operating on architecture: %s", seccomp_arch_to_string(arch)); | |
1282 | ||
1283 | r = seccomp_init_for_arch(&seccomp, arch, SCMP_ACT_ALLOW); | |
1284 | if (r < 0) | |
1285 | return r; | |
1286 | ||
1287 | /* Go through all policies with lower values than that, and block them -- unless they appear in the | |
1288 | * whitelist. */ | |
1289 | for (p = 0; p < max_policy; p++) { | |
1290 | bool good = false; | |
1291 | ||
1292 | /* Check if this is in the whitelist. */ | |
1293 | for (i = 0; i < ELEMENTSOF(permitted_policies); i++) | |
1294 | if (permitted_policies[i] == p) { | |
1295 | good = true; | |
1296 | break; | |
1297 | } | |
1298 | ||
1299 | if (good) | |
1300 | continue; | |
1301 | ||
1302 | /* Deny this policy */ | |
1303 | r = seccomp_rule_add_exact( | |
1304 | seccomp, | |
1305 | SCMP_ACT_ERRNO(EPERM), | |
1306 | SCMP_SYS(sched_setscheduler), | |
1307 | 1, | |
1308 | SCMP_A1(SCMP_CMP_EQ, p)); | |
1309 | if (r < 0) { | |
1310 | log_debug_errno(r, "Failed to add scheduler rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch)); | |
1311 | continue; | |
1312 | } | |
1313 | } | |
1314 | ||
1315 | /* Blacklist all other policies, i.e. the ones with higher values. Note that all comparisons are | |
1316 | * unsigned here, hence no need no check for < 0 values. */ | |
1317 | r = seccomp_rule_add_exact( | |
add00535 LP |
1318 | seccomp, |
1319 | SCMP_ACT_ERRNO(EPERM), | |
469830d1 | 1320 | SCMP_SYS(sched_setscheduler), |
add00535 | 1321 | 1, |
469830d1 LP |
1322 | SCMP_A1(SCMP_CMP_GT, max_policy)); |
1323 | if (r < 0) { | |
1324 | log_debug_errno(r, "Failed to add scheduler rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch)); | |
1325 | continue; | |
1326 | } | |
add00535 | 1327 | |
469830d1 LP |
1328 | r = seccomp_load(seccomp); |
1329 | if (IN_SET(r, -EPERM, -EACCES)) | |
1330 | return r; | |
1331 | if (r < 0) | |
1332 | log_debug_errno(r, "Failed to install realtime protection rules for architecture %s, skipping: %m", seccomp_arch_to_string(arch)); | |
1333 | } | |
1334 | ||
1335 | return 0; | |
1336 | } | |
1337 | ||
6dc66688 ZJS |
1338 | static int add_seccomp_syscall_filter(scmp_filter_ctx seccomp, |
1339 | uint32_t arch, | |
1340 | int nr, | |
1341 | unsigned int arg_cnt, | |
1342 | const struct scmp_arg_cmp arg) { | |
1343 | int r; | |
1344 | ||
1345 | r = seccomp_rule_add_exact(seccomp, SCMP_ACT_ERRNO(EPERM), nr, arg_cnt, arg); | |
1346 | if (r < 0) { | |
1347 | _cleanup_free_ char *n = NULL; | |
1348 | ||
1349 | n = seccomp_syscall_resolve_num_arch(arch, nr); | |
1350 | log_debug_errno(r, "Failed to add %s() rule for architecture %s, skipping: %m", | |
1351 | strna(n), | |
1352 | seccomp_arch_to_string(arch)); | |
1353 | } | |
1354 | ||
1355 | return r; | |
1356 | } | |
1357 | ||
2a8d6e63 | 1358 | /* For known architectures, check that syscalls are indeed defined or not. */ |
4278d1f5 | 1359 | #if defined(__x86_64__) || defined(__arm__) || defined(__aarch64__) |
2a8d6e63 ZJS |
1360 | assert_cc(SCMP_SYS(shmget) > 0); |
1361 | assert_cc(SCMP_SYS(shmat) > 0); | |
1362 | assert_cc(SCMP_SYS(shmdt) > 0); | |
1363 | #elif defined(__i386__) || defined(__powerpc64__) | |
1364 | assert_cc(SCMP_SYS(shmget) < 0); | |
1365 | assert_cc(SCMP_SYS(shmat) < 0); | |
1366 | assert_cc(SCMP_SYS(shmdt) < 0); | |
1367 | #endif | |
6dc66688 | 1368 | |
469830d1 | 1369 | int seccomp_memory_deny_write_execute(void) { |
8a50cf69 | 1370 | |
469830d1 LP |
1371 | uint32_t arch; |
1372 | int r; | |
1373 | ||
1374 | SECCOMP_FOREACH_LOCAL_ARCH(arch) { | |
1375 | _cleanup_(seccomp_releasep) scmp_filter_ctx seccomp = NULL; | |
8a50cf69 | 1376 | int filter_syscall = 0, block_syscall = 0, shmat_syscall = 0; |
add00535 | 1377 | |
469830d1 LP |
1378 | log_debug("Operating on architecture: %s", seccomp_arch_to_string(arch)); |
1379 | ||
8a50cf69 LP |
1380 | switch (arch) { |
1381 | ||
1382 | case SCMP_ARCH_X86: | |
1383 | filter_syscall = SCMP_SYS(mmap2); | |
1384 | block_syscall = SCMP_SYS(mmap); | |
2a8d6e63 ZJS |
1385 | break; |
1386 | ||
1387 | case SCMP_ARCH_PPC64: | |
1388 | case SCMP_ARCH_PPC64LE: | |
1389 | filter_syscall = SCMP_SYS(mmap); | |
1390 | ||
1391 | /* Note that shmat() isn't available, and the call is multiplexed through ipc(). | |
1392 | * We ignore that here, which means there's still a way to get writable/executable | |
1393 | * memory, if an IPC key is mapped like this. That's a pity, but no total loss. */ | |
8a50cf69 | 1394 | |
8a50cf69 LP |
1395 | break; |
1396 | ||
4278d1f5 ZJS |
1397 | case SCMP_ARCH_ARM: |
1398 | filter_syscall = SCMP_SYS(mmap2); /* arm has only mmap2 */ | |
1399 | shmat_syscall = SCMP_SYS(shmat); | |
1400 | break; | |
1401 | ||
8a50cf69 LP |
1402 | case SCMP_ARCH_X86_64: |
1403 | case SCMP_ARCH_X32: | |
79873bc8 ZJS |
1404 | case SCMP_ARCH_AARCH64: |
1405 | filter_syscall = SCMP_SYS(mmap); /* amd64, x32, and arm64 have only mmap */ | |
8a50cf69 LP |
1406 | shmat_syscall = SCMP_SYS(shmat); |
1407 | break; | |
1408 | ||
1409 | /* Please add more definitions here, if you port systemd to other architectures! */ | |
1410 | ||
4278d1f5 | 1411 | #if !defined(__i386__) && !defined(__x86_64__) && !defined(__powerpc64__) && !defined(__arm__) && !defined(__aarch64__) |
8a50cf69 LP |
1412 | #warning "Consider adding the right mmap() syscall definitions here!" |
1413 | #endif | |
1414 | } | |
1415 | ||
1416 | /* Can't filter mmap() on this arch, then skip it */ | |
1417 | if (filter_syscall == 0) | |
1418 | continue; | |
1419 | ||
469830d1 LP |
1420 | r = seccomp_init_for_arch(&seccomp, arch, SCMP_ACT_ALLOW); |
1421 | if (r < 0) | |
1422 | return r; | |
1423 | ||
6dc66688 ZJS |
1424 | r = add_seccomp_syscall_filter(seccomp, arch, filter_syscall, |
1425 | 1, | |
1426 | SCMP_A2(SCMP_CMP_MASKED_EQ, PROT_EXEC|PROT_WRITE, PROT_EXEC|PROT_WRITE)); | |
1427 | if (r < 0) | |
1428 | continue; | |
8a50cf69 LP |
1429 | |
1430 | if (block_syscall != 0) { | |
6dc66688 ZJS |
1431 | r = add_seccomp_syscall_filter(seccomp, arch, block_syscall, 0, (const struct scmp_arg_cmp){} ); |
1432 | if (r < 0) | |
8a50cf69 | 1433 | continue; |
add00535 | 1434 | } |
a3be2849 | 1435 | |
6dc66688 ZJS |
1436 | r = add_seccomp_syscall_filter(seccomp, arch, SCMP_SYS(mprotect), |
1437 | 1, | |
1438 | SCMP_A2(SCMP_CMP_MASKED_EQ, PROT_EXEC, PROT_EXEC)); | |
1439 | if (r < 0) | |
469830d1 | 1440 | continue; |
add00535 | 1441 | |
8a50cf69 | 1442 | if (shmat_syscall != 0) { |
6dc66688 ZJS |
1443 | r = add_seccomp_syscall_filter(seccomp, arch, SCMP_SYS(shmat), |
1444 | 1, | |
1445 | SCMP_A2(SCMP_CMP_MASKED_EQ, SHM_EXEC, SHM_EXEC)); | |
1446 | if (r < 0) | |
8a50cf69 | 1447 | continue; |
469830d1 LP |
1448 | } |
1449 | ||
1450 | r = seccomp_load(seccomp); | |
1451 | if (IN_SET(r, -EPERM, -EACCES)) | |
1452 | return r; | |
add00535 | 1453 | if (r < 0) |
469830d1 LP |
1454 | log_debug_errno(r, "Failed to install MemoryDenyWriteExecute= rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch)); |
1455 | } | |
add00535 | 1456 | |
469830d1 LP |
1457 | return 0; |
1458 | } | |
1459 | ||
1460 | int seccomp_restrict_archs(Set *archs) { | |
1461 | _cleanup_(seccomp_releasep) scmp_filter_ctx seccomp = NULL; | |
1462 | Iterator i; | |
1463 | void *id; | |
1464 | int r; | |
1465 | ||
1466 | /* This installs a filter with no rules, but that restricts the system call architectures to the specified | |
1467 | * list. */ | |
1468 | ||
1469 | seccomp = seccomp_init(SCMP_ACT_ALLOW); | |
1470 | if (!seccomp) | |
1471 | return -ENOMEM; | |
1472 | ||
1473 | SET_FOREACH(id, archs, i) { | |
1474 | r = seccomp_arch_add(seccomp, PTR_TO_UINT32(id) - 1); | |
1475 | if (r == -EEXIST) | |
1476 | continue; | |
1477 | if (r < 0) | |
1478 | return r; | |
add00535 LP |
1479 | } |
1480 | ||
469830d1 LP |
1481 | r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0); |
1482 | if (r < 0) | |
1483 | return r; | |
add00535 | 1484 | |
1c6af69b LP |
1485 | r = seccomp_load(seccomp); |
1486 | if (IN_SET(r, -EPERM, -EACCES)) | |
1487 | return r; | |
1488 | if (r < 0) | |
1489 | log_debug_errno(r, "Failed to restrict system call architectures, skipping: %m"); | |
1490 | ||
1491 | return 0; | |
a3be2849 | 1492 | } |
b16bd535 YW |
1493 | |
1494 | int parse_syscall_archs(char **l, Set **archs) { | |
1495 | _cleanup_set_free_ Set *_archs; | |
1496 | char **s; | |
1497 | int r; | |
1498 | ||
1499 | assert(l); | |
1500 | assert(archs); | |
1501 | ||
1502 | r = set_ensure_allocated(&_archs, NULL); | |
1503 | if (r < 0) | |
1504 | return r; | |
1505 | ||
1506 | STRV_FOREACH(s, l) { | |
1507 | uint32_t a; | |
1508 | ||
1509 | r = seccomp_arch_from_string(*s, &a); | |
1510 | if (r < 0) | |
1511 | return -EINVAL; | |
1512 | ||
1513 | r = set_put(_archs, UINT32_TO_PTR(a + 1)); | |
1514 | if (r < 0) | |
1515 | return -ENOMEM; | |
1516 | } | |
1517 | ||
1518 | *archs = _archs; | |
1519 | _archs = NULL; | |
1520 | ||
1521 | return 0; | |
1522 | } | |
165a31c0 | 1523 | |
8cfa775f | 1524 | int seccomp_filter_set_add(Hashmap *filter, bool add, const SyscallFilterSet *set) { |
165a31c0 LP |
1525 | const char *i; |
1526 | int r; | |
1527 | ||
1528 | assert(set); | |
1529 | ||
1530 | NULSTR_FOREACH(i, set->value) { | |
1531 | ||
1532 | if (i[0] == '@') { | |
1533 | const SyscallFilterSet *more; | |
1534 | ||
1535 | more = syscall_filter_set_find(i); | |
1536 | if (!more) | |
1537 | return -ENXIO; | |
1538 | ||
165a31c0 LP |
1539 | r = seccomp_filter_set_add(filter, add, more); |
1540 | if (r < 0) | |
1541 | return r; | |
1542 | } else { | |
1543 | int id; | |
1544 | ||
1545 | id = seccomp_syscall_resolve_name(i); | |
ff217dc3 LP |
1546 | if (id == __NR_SCMP_ERROR) { |
1547 | log_debug("Couldn't resolve system call, ignoring: %s", i); | |
1548 | continue; | |
1549 | } | |
165a31c0 LP |
1550 | |
1551 | if (add) { | |
8cfa775f | 1552 | r = hashmap_put(filter, INT_TO_PTR(id + 1), INT_TO_PTR(-1)); |
165a31c0 LP |
1553 | if (r < 0) |
1554 | return r; | |
1555 | } else | |
8cfa775f | 1556 | (void) hashmap_remove(filter, INT_TO_PTR(id + 1)); |
165a31c0 LP |
1557 | } |
1558 | } | |
1559 | ||
1560 | return 0; | |
1561 | } | |
78e864e5 TM |
1562 | |
1563 | int seccomp_lock_personality(unsigned long personality) { | |
72eafe71 | 1564 | uint32_t arch; |
78e864e5 TM |
1565 | int r; |
1566 | ||
72eafe71 LP |
1567 | if (personality >= PERSONALITY_INVALID) |
1568 | return -EINVAL; | |
78e864e5 | 1569 | |
72eafe71 LP |
1570 | SECCOMP_FOREACH_LOCAL_ARCH(arch) { |
1571 | _cleanup_(seccomp_releasep) scmp_filter_ctx seccomp = NULL; | |
78e864e5 | 1572 | |
72eafe71 LP |
1573 | r = seccomp_init_for_arch(&seccomp, arch, SCMP_ACT_ALLOW); |
1574 | if (r < 0) | |
1575 | return r; | |
1576 | ||
1577 | r = seccomp_rule_add_exact( | |
1578 | seccomp, | |
1579 | SCMP_ACT_ERRNO(EPERM), | |
1580 | SCMP_SYS(personality), | |
1581 | 1, | |
1582 | SCMP_A0(SCMP_CMP_NE, personality)); | |
448ac526 LP |
1583 | if (r < 0) { |
1584 | log_debug_errno(r, "Failed to add scheduler rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch)); | |
1585 | continue; | |
1586 | } | |
72eafe71 LP |
1587 | |
1588 | r = seccomp_load(seccomp); | |
1589 | if (IN_SET(r, -EPERM, -EACCES)) | |
1590 | return r; | |
1591 | if (r < 0) | |
1592 | log_debug_errno(r, "Failed to enable personality lock for architecture %s, skipping: %m", seccomp_arch_to_string(arch)); | |
1593 | } | |
1594 | ||
1595 | return 0; | |
78e864e5 | 1596 | } |