[thirdparty/systemd.git] / src / shared / seccomp-util.h

/* SPDX-License-Identifier: LGPL-2.1-or-later */
#pragma once

#include <seccomp.h>
#include <stdbool.h>
#include <stdint.h>

#include "errno-list.h"
#include "parse-util.h"
#include "set.h"
#include "string-util.h"

const char* seccomp_arch_to_string(uint32_t c);
int seccomp_arch_from_string(const char *n, uint32_t *ret);

int seccomp_init_for_arch(scmp_filter_ctx *ret, uint32_t arch, uint32_t default_action);

bool is_seccomp_available(void);

typedef struct SyscallFilterSet {
        const char *name;
        const char *help;
        const char *value;
} SyscallFilterSet;

enum {
        /* Please leave DEFAULT first and KNOWN last, but sort the rest alphabetically */
        SYSCALL_FILTER_SET_DEFAULT,
        SYSCALL_FILTER_SET_AIO,
        SYSCALL_FILTER_SET_BASIC_IO,
        SYSCALL_FILTER_SET_CHOWN,
        SYSCALL_FILTER_SET_CLOCK,
        SYSCALL_FILTER_SET_CPU_EMULATION,
        SYSCALL_FILTER_SET_DEBUG,
        SYSCALL_FILTER_SET_FILE_SYSTEM,
        SYSCALL_FILTER_SET_IO_EVENT,
        SYSCALL_FILTER_SET_IPC,
        SYSCALL_FILTER_SET_KEYRING,
        SYSCALL_FILTER_SET_MEMLOCK,
        SYSCALL_FILTER_SET_MODULE,
        SYSCALL_FILTER_SET_MOUNT,
        SYSCALL_FILTER_SET_NETWORK_IO,
        SYSCALL_FILTER_SET_OBSOLETE,
        SYSCALL_FILTER_SET_PKEY,
        SYSCALL_FILTER_SET_PRIVILEGED,
        SYSCALL_FILTER_SET_PROCESS,
        SYSCALL_FILTER_SET_RAW_IO,
        SYSCALL_FILTER_SET_REBOOT,
        SYSCALL_FILTER_SET_RESOURCES,
        SYSCALL_FILTER_SET_SETUID,
        SYSCALL_FILTER_SET_SIGNAL,
        SYSCALL_FILTER_SET_SWAP,
        SYSCALL_FILTER_SET_SYNC,
        SYSCALL_FILTER_SET_SYSTEM_SERVICE,
        SYSCALL_FILTER_SET_TIMER,
        SYSCALL_FILTER_SET_KNOWN,
        _SYSCALL_FILTER_SET_MAX
};

extern const SyscallFilterSet syscall_filter_sets[];

const SyscallFilterSet *syscall_filter_set_find(const char *name);

int seccomp_filter_set_add(Hashmap *s, bool b, const SyscallFilterSet *set);

int seccomp_add_syscall_filter_item(
                scmp_filter_ctx *ctx,
                const char *name,
                uint32_t action,
                char **exclude,
                bool log_missing,
                char ***added);

int seccomp_load_syscall_filter_set(uint32_t default_action, const SyscallFilterSet *set, uint32_t action, bool log_missing);
int seccomp_load_syscall_filter_set_raw(uint32_t default_action, Hashmap* set, uint32_t action, bool log_missing);

typedef enum SeccompParseFlags {
        SECCOMP_PARSE_INVERT     = 1 << 0,
        SECCOMP_PARSE_ALLOW_LIST = 1 << 1,
        SECCOMP_PARSE_LOG        = 1 << 2,
        SECCOMP_PARSE_PERMISSIVE = 1 << 3,
} SeccompParseFlags;

int seccomp_parse_syscall_filter(
                const char *name,
                int errno_num,
                Hashmap *filter,
                SeccompParseFlags flags,
                const char *unit,
                const char *filename, unsigned line);

int seccomp_restrict_archs(Set *archs);
int seccomp_restrict_namespaces(unsigned long retain);
int seccomp_protect_sysctl(void);
int seccomp_protect_syslog(void);
int seccomp_restrict_address_families(Set *address_families, bool allow_list);
int seccomp_restrict_realtime(void);
int seccomp_memory_deny_write_execute(void);
int seccomp_lock_personality(unsigned long personality);
int seccomp_protect_hostname(void);
int seccomp_restrict_suid_sgid(void);

extern uint32_t seccomp_local_archs[];

#define SECCOMP_LOCAL_ARCH_END UINT32_MAX

/* Note: 0 is safe to use here because although SCMP_ARCH_NATIVE is 0, it would
 * never be in the seccomp_local_archs array anyway so we can use it as a
 * marker. */
#define SECCOMP_LOCAL_ARCH_BLOCKED 0

#define SECCOMP_FOREACH_LOCAL_ARCH(arch) \
        for (unsigned _i = ({ (arch) = seccomp_local_archs[0]; 0; });   \
             (arch) != SECCOMP_LOCAL_ARCH_END;                          \
             (arch) = seccomp_local_archs[++_i])                        \
                if ((arch) != SECCOMP_LOCAL_ARCH_BLOCKED)

/* EACCES: does not have the CAP_SYS_ADMIN or no_new_privs == 1
 * ENOMEM: out of memory, failed to allocate space for a libseccomp structure, or would exceed a defined constant
 * EFAULT: addresses passed as args (by libseccomp) are invalid */
#define ERRNO_IS_SECCOMP_FATAL(r)                                       \
        IN_SET(abs(r), EPERM, EACCES, ENOMEM, EFAULT)

DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(scmp_filter_ctx, seccomp_release, NULL);

int parse_syscall_archs(char **l, Set **ret_archs);

uint32_t scmp_act_kill_process(void);

/* This is a special value to be used where syscall filters otherwise expect errno numbers, will be
   replaced with real seccomp action. */
enum {
        SECCOMP_ERROR_NUMBER_KILL = INT_MAX - 1,
};

static inline bool seccomp_errno_or_action_is_valid(int n) {
        return n == SECCOMP_ERROR_NUMBER_KILL || errno_is_valid(n);
}

static inline int seccomp_parse_errno_or_action(const char *p) {
        if (streq_ptr(p, "kill"))
                return SECCOMP_ERROR_NUMBER_KILL;
        return parse_errno(p);
}

static inline const char *seccomp_errno_or_action_to_string(int num) {
        if (num == SECCOMP_ERROR_NUMBER_KILL)
                return "kill";
        return errno_to_name(num);
}

int parse_syscall_and_errno(const char *in, char **name, int *error);
Commit	Line	Data
db9ecf05	1	/* SPDX-License-Identifier: LGPL-2.1-or-later */
57183d11 LP	2	#pragma once
57183d11 LP	3
a60e9f7f	4	#include <seccomp.h>
f6281133	5	#include <stdbool.h>
a8fbdf54	6	#include <stdint.h>
57183d11	7
005bfaf1 TM	8	#include "errno-list.h"
005bfaf1 TM	9	#include "parse-util.h"
469830d1	10	#include "set.h"
005bfaf1	11	#include "string-util.h"
469830d1	12
57183d11 LP	13	const char* seccomp_arch_to_string(uint32_t c);
57183d11 LP	14	int seccomp_arch_from_string(const char n, uint32_t ret);
e9642be2	15
469830d1	16	int seccomp_init_for_arch(scmp_filter_ctx *ret, uint32_t arch, uint32_t default_action);
201c1cc2	17
83f12b27 FS	18	bool is_seccomp_available(void);
83f12b27 FS	19
8130926d LP	20	typedef struct SyscallFilterSet {
8130926d LP	21	const char *name;
d5efc18b	22	const char *help;
201c1cc2	23	const char *value;
8130926d LP	24	} SyscallFilterSet;
	25
	26	enum {
95aac012	27	/* Please leave DEFAULT first and KNOWN last, but sort the rest alphabetically */
40eb6a80	28	SYSCALL_FILTER_SET_DEFAULT,
44898c53	29	SYSCALL_FILTER_SET_AIO,
133ddbbe	30	SYSCALL_FILTER_SET_BASIC_IO,
44898c53	31	SYSCALL_FILTER_SET_CHOWN,
8130926d LP	32	SYSCALL_FILTER_SET_CLOCK,
	33	SYSCALL_FILTER_SET_CPU_EMULATION,
	34	SYSCALL_FILTER_SET_DEBUG,
1a1b13c9	35	SYSCALL_FILTER_SET_FILE_SYSTEM,
8130926d LP	36	SYSCALL_FILTER_SET_IO_EVENT,
	37	SYSCALL_FILTER_SET_IPC,
	38	SYSCALL_FILTER_SET_KEYRING,
cd0ddf6f	39	SYSCALL_FILTER_SET_MEMLOCK,
8130926d LP	40	SYSCALL_FILTER_SET_MODULE,
	41	SYSCALL_FILTER_SET_MOUNT,
	42	SYSCALL_FILTER_SET_NETWORK_IO,
	43	SYSCALL_FILTER_SET_OBSOLETE,
9493b168	44	SYSCALL_FILTER_SET_PKEY,
8130926d LP	45	SYSCALL_FILTER_SET_PRIVILEGED,
	46	SYSCALL_FILTER_SET_PROCESS,
	47	SYSCALL_FILTER_SET_RAW_IO,
bd2ab3f4	48	SYSCALL_FILTER_SET_REBOOT,
133ddbbe	49	SYSCALL_FILTER_SET_RESOURCES,
6eaaeee9	50	SYSCALL_FILTER_SET_SETUID,
cd0ddf6f	51	SYSCALL_FILTER_SET_SIGNAL,
bd2ab3f4	52	SYSCALL_FILTER_SET_SWAP,
44898c53	53	SYSCALL_FILTER_SET_SYNC,
70526841	54	SYSCALL_FILTER_SET_SYSTEM_SERVICE,
cd0ddf6f	55	SYSCALL_FILTER_SET_TIMER,
95aac012	56	SYSCALL_FILTER_SET_KNOWN,
8130926d LP	57	_SYSCALL_FILTER_SET_MAX
	58	};
	59
	60	extern const SyscallFilterSet syscall_filter_sets[];
	61
	62	const SyscallFilterSet syscall_filter_set_find(const char name);
	63
8cfa775f	64	int seccomp_filter_set_add(Hashmap s, bool b, const SyscallFilterSet set);
165a31c0	65
000c0520 ZJS	66	int seccomp_add_syscall_filter_item(
	67	scmp_filter_ctx *ctx,
	68	const char *name,
	69	uint32_t action,
	70	char **exclude,
	71	bool log_missing,
	72	char ***added);
69b1b241	73
b54f36c6 ZJS	74	int seccomp_load_syscall_filter_set(uint32_t default_action, const SyscallFilterSet *set, uint32_t action, bool log_missing);
b54f36c6 ZJS	75	int seccomp_load_syscall_filter_set_raw(uint32_t default_action, Hashmap* set, uint32_t action, bool log_missing);
add00535	76
13d92c63	77	typedef enum SeccompParseFlags {
ef31828d	78	SECCOMP_PARSE_INVERT = 1 << 0,
6b000af4	79	SECCOMP_PARSE_ALLOW_LIST = 1 << 1,
ef31828d LP	80	SECCOMP_PARSE_LOG = 1 << 2,
ef31828d LP	81	SECCOMP_PARSE_PERMISSIVE = 1 << 3,
13d92c63 LP	82	} SeccompParseFlags;
13d92c63 LP	83
58f6ab44 ZJS	84	int seccomp_parse_syscall_filter(
	85	const char *name,
	86	int errno_num,
	87	Hashmap *filter,
	88	SeccompParseFlags flags,
	89	const char *unit,
	90	const char *filename, unsigned line);
898748d8	91
469830d1	92	int seccomp_restrict_archs(Set *archs);
add00535	93	int seccomp_restrict_namespaces(unsigned long retain);
469830d1	94	int seccomp_protect_sysctl(void);
620dbdd2	95	int seccomp_protect_syslog(void);
6b000af4	96	int seccomp_restrict_address_families(Set *address_families, bool allow_list);
469830d1 LP	97	int seccomp_restrict_realtime(void);
469830d1 LP	98	int seccomp_memory_deny_write_execute(void);
78e864e5	99	int seccomp_lock_personality(unsigned long personality);
aecd5ac6	100	int seccomp_protect_hostname(void);
3c27973b	101	int seccomp_restrict_suid_sgid(void);
469830d1	102
65976868 GDF	103	extern uint32_t seccomp_local_archs[];
	104
	105	#define SECCOMP_LOCAL_ARCH_END UINT32_MAX
	106
	107	/* Note: 0 is safe to use here because although SCMP_ARCH_NATIVE is 0, it would
	108	* never be in the seccomp_local_archs array anyway so we can use it as a
	109	* marker. */
	110	#define SECCOMP_LOCAL_ARCH_BLOCKED 0
469830d1 LP	111
	112	#define SECCOMP_FOREACH_LOCAL_ARCH(arch) \
	113	for (unsigned _i = ({ (arch) = seccomp_local_archs[0]; 0; }); \
65976868 GDF	114	(arch) != SECCOMP_LOCAL_ARCH_END; \
	115	(arch) = seccomp_local_archs[++_i]) \
	116	if ((arch) != SECCOMP_LOCAL_ARCH_BLOCKED)
469830d1	117
7bc5e0b1 AZ	118	/* EACCES: does not have the CAP_SYS_ADMIN or no_new_privs == 1
	119	* ENOMEM: out of memory, failed to allocate space for a libseccomp structure, or would exceed a defined constant
	120	* EFAULT: addresses passed as args (by libseccomp) are invalid */
	121	#define ERRNO_IS_SECCOMP_FATAL(r) \
	122	IN_SET(abs(r), EPERM, EACCES, ENOMEM, EFAULT)
	123
fd421c4a	124	DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(scmp_filter_ctx, seccomp_release, NULL);
b16bd535	125
de7fef4b	126	int parse_syscall_archs(char l, Set ret_archs);
915fb324 LP	127
915fb324 LP	128	uint32_t scmp_act_kill_process(void);
005bfaf1 TM	129
	130	/* This is a special value to be used where syscall filters otherwise expect errno numbers, will be
	131	replaced with real seccomp action. */
	132	enum {
	133	SECCOMP_ERROR_NUMBER_KILL = INT_MAX - 1,
	134	};
	135
	136	static inline bool seccomp_errno_or_action_is_valid(int n) {
	137	return n == SECCOMP_ERROR_NUMBER_KILL \|\| errno_is_valid(n);
	138	}
	139
	140	static inline int seccomp_parse_errno_or_action(const char *p) {
	141	if (streq_ptr(p, "kill"))
	142	return SECCOMP_ERROR_NUMBER_KILL;
	143	return parse_errno(p);
	144	}
	145
	146	static inline const char *seccomp_errno_or_action_to_string(int num) {
	147	if (num == SECCOMP_ERROR_NUMBER_KILL)
	148	return "kill";
	149	return errno_to_name(num);
	150	}
22eadc28 YW	151
22eadc28 YW	152	int parse_syscall_and_errno(const char in, char name, int error);