[thirdparty/systemd.git] / src / shared / seccomp-util.c

/***
  This file is part of systemd.

  Copyright 2014 Lennart Poettering

  systemd is free software; you can redistribute it and/or modify it
  under the terms of the GNU Lesser General Public License as published by
  the Free Software Foundation; either version 2.1 of the License, or
  (at your option) any later version.

  systemd is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  Lesser General Public License for more details.

  You should have received a copy of the GNU Lesser General Public License
  along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/

#include <errno.h>
#include <seccomp.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <linux/seccomp.h>

#include "alloc-util.h"
#include "macro.h"
#include "nsflags.h"
#include "seccomp-util.h"
#include "string-util.h"
#include "util.h"

const char* seccomp_arch_to_string(uint32_t c) {
        /* Maintain order used in <seccomp.h>.
         *
         * Names used here should be the same as those used for ConditionArchitecture=,
         * except for "subarchitectures" like x32. */

        switch(c) {
        case SCMP_ARCH_NATIVE:
                return "native";
        case SCMP_ARCH_X86:
                return "x86";
        case SCMP_ARCH_X86_64:
                return "x86-64";
        case SCMP_ARCH_X32:
                return "x32";
        case SCMP_ARCH_ARM:
                return "arm";
        case SCMP_ARCH_AARCH64:
                return "arm64";
        case SCMP_ARCH_MIPS:
                return "mips";
        case SCMP_ARCH_MIPS64:
                return "mips64";
        case SCMP_ARCH_MIPS64N32:
                return "mips64-n32";
        case SCMP_ARCH_MIPSEL:
                return "mips-le";
        case SCMP_ARCH_MIPSEL64:
                return "mips64-le";
        case SCMP_ARCH_MIPSEL64N32:
                return "mips64-le-n32";
        case SCMP_ARCH_PPC:
                return "ppc";
        case SCMP_ARCH_PPC64:
                return "ppc64";
        case SCMP_ARCH_PPC64LE:
                return "ppc64-le";
        case SCMP_ARCH_S390:
                return "s390";
        case SCMP_ARCH_S390X:
                return "s390x";
        default:
                return NULL;
        }
}

int seccomp_arch_from_string(const char *n, uint32_t *ret) {
        if (!n)
                return -EINVAL;

        assert(ret);

        if (streq(n, "native"))
                *ret = SCMP_ARCH_NATIVE;
        else if (streq(n, "x86"))
                *ret = SCMP_ARCH_X86;
        else if (streq(n, "x86-64"))
                *ret = SCMP_ARCH_X86_64;
        else if (streq(n, "x32"))
                *ret = SCMP_ARCH_X32;
        else if (streq(n, "arm"))
                *ret = SCMP_ARCH_ARM;
        else if (streq(n, "arm64"))
                *ret = SCMP_ARCH_AARCH64;
        else if (streq(n, "mips"))
                *ret = SCMP_ARCH_MIPS;
        else if (streq(n, "mips64"))
                *ret = SCMP_ARCH_MIPS64;
        else if (streq(n, "mips64-n32"))
                *ret = SCMP_ARCH_MIPS64N32;
        else if (streq(n, "mips-le"))
                *ret = SCMP_ARCH_MIPSEL;
        else if (streq(n, "mips64-le"))
                *ret = SCMP_ARCH_MIPSEL64;
        else if (streq(n, "mips64-le-n32"))
                *ret = SCMP_ARCH_MIPSEL64N32;
        else if (streq(n, "ppc"))
                *ret = SCMP_ARCH_PPC;
        else if (streq(n, "ppc64"))
                *ret = SCMP_ARCH_PPC64;
        else if (streq(n, "ppc64-le"))
                *ret = SCMP_ARCH_PPC64LE;
        else if (streq(n, "s390"))
                *ret = SCMP_ARCH_S390;
        else if (streq(n, "s390x"))
                *ret = SCMP_ARCH_S390X;
        else
                return -EINVAL;

        return 0;
}

int seccomp_init_conservative(scmp_filter_ctx *ret, uint32_t default_action) {
        scmp_filter_ctx seccomp;
        int r;

        /* Much like seccomp_init(), but tries to be a bit more conservative in its defaults: all secondary archs are
         * added by default, and NNP is turned off. */

        seccomp = seccomp_init(default_action);
        if (!seccomp)
                return -ENOMEM;

        r = seccomp_add_secondary_archs(seccomp);
        if (r < 0)
                goto finish;

        r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
        if (r < 0)
                goto finish;

        *ret = seccomp;
        return 0;

finish:
        seccomp_release(seccomp);
        return r;
}

int seccomp_add_secondary_archs(scmp_filter_ctx ctx) {

        /* Add in all possible secondary archs we are aware of that
         * this kernel might support. */

        static const int seccomp_arches[] = {
#if defined(__i386__) || defined(__x86_64__)
                SCMP_ARCH_X86,
                SCMP_ARCH_X86_64,
                SCMP_ARCH_X32,

#elif defined(__arm__) || defined(__aarch64__)
                SCMP_ARCH_ARM,
                SCMP_ARCH_AARCH64,

#elif defined(__arm__) || defined(__aarch64__)
                SCMP_ARCH_ARM,
                SCMP_ARCH_AARCH64,

#elif defined(__mips__) || defined(__mips64__)
                SCMP_ARCH_MIPS,
                SCMP_ARCH_MIPS64,
                SCMP_ARCH_MIPS64N32,
                SCMP_ARCH_MIPSEL,
                SCMP_ARCH_MIPSEL64,
                SCMP_ARCH_MIPSEL64N32,

#elif defined(__powerpc__) || defined(__powerpc64__)
                SCMP_ARCH_PPC,
                SCMP_ARCH_PPC64,
                SCMP_ARCH_PPC64LE,

#elif defined(__s390__) || defined(__s390x__)
                SCMP_ARCH_S390,
                SCMP_ARCH_S390X,
#endif
        };

        unsigned i;
        int r;

        for (i = 0; i < ELEMENTSOF(seccomp_arches); i++) {
                r = seccomp_arch_add(ctx, seccomp_arches[i]);
                if (r < 0 && r != -EEXIST)
                        return r;
        }

        return 0;
}

static bool is_basic_seccomp_available(void) {
        int r;
        r = prctl(PR_GET_SECCOMP, 0, 0, 0, 0);
        return r >= 0;
}

static bool is_seccomp_filter_available(void) {
        int r;
        r = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0);
        return r < 0 && errno == EFAULT;
}

bool is_seccomp_available(void) {
        static int cached_enabled = -1;
        if (cached_enabled < 0)
                cached_enabled = is_basic_seccomp_available() && is_seccomp_filter_available();
        return cached_enabled;
}

const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
        [SYSCALL_FILTER_SET_DEFAULT] = {
                .name = "@default",
                .help = "System calls that are always permitted",
                .value =
                "clock_getres\0"
                "clock_gettime\0"
                "clock_nanosleep\0"
                "execve\0"
                "exit\0"
                "exit_group\0"
                "getrlimit\0"      /* make sure processes can query stack size and such */
                "gettimeofday\0"
                "nanosleep\0"
                "pause\0"
                "rt_sigreturn\0"
                "sigreturn\0"
                "time\0"
        },
        [SYSCALL_FILTER_SET_BASIC_IO] = {
                .name = "@basic-io",
                .help = "Basic IO",
                .value =
                "close\0"
                "dup2\0"
                "dup3\0"
                "dup\0"
                "lseek\0"
                "pread64\0"
                "preadv\0"
                "pwrite64\0"
                "pwritev\0"
                "read\0"
                "readv\0"
                "write\0"
                "writev\0"
        },
        [SYSCALL_FILTER_SET_CLOCK] = {
                .name = "@clock",
                .help = "Change the system time",
                .value =
                "adjtimex\0"
                "clock_adjtime\0"
                "clock_settime\0"
                "settimeofday\0"
                "stime\0"
        },
        [SYSCALL_FILTER_SET_CPU_EMULATION] = {
                .name = "@cpu-emulation",
                .help = "System calls for CPU emulation functionality",
                .value =
                "modify_ldt\0"
                "subpage_prot\0"
                "switch_endian\0"
                "vm86\0"
                "vm86old\0"
        },
        [SYSCALL_FILTER_SET_DEBUG] = {
                .name = "@debug",
                .help = "Debugging, performance monitoring and tracing functionality",
                .value =
                "lookup_dcookie\0"
                "perf_event_open\0"
                "process_vm_readv\0"
                "process_vm_writev\0"
                "ptrace\0"
                "rtas\0"
#ifdef __NR_s390_runtime_instr
                "s390_runtime_instr\0"
#endif
                "sys_debug_setcontext\0"
        },
        [SYSCALL_FILTER_SET_IO_EVENT] = {
                .name = "@io-event",
                .help = "Event loop system calls",
                .value =
                "_newselect\0"
                "epoll_create1\0"
                "epoll_create\0"
                "epoll_ctl\0"
                "epoll_ctl_old\0"
                "epoll_pwait\0"
                "epoll_wait\0"
                "epoll_wait_old\0"
                "eventfd2\0"
                "eventfd\0"
                "poll\0"
                "ppoll\0"
                "pselect6\0"
                "select\0"
        },
        [SYSCALL_FILTER_SET_IPC] = {
                .name = "@ipc",
                .help = "SysV IPC, POSIX Message Queues or other IPC",
                .value =
                "ipc\0"
                "memfd_create\0"
                "mq_getsetattr\0"
                "mq_notify\0"
                "mq_open\0"
                "mq_timedreceive\0"
                "mq_timedsend\0"
                "mq_unlink\0"
                "msgctl\0"
                "msgget\0"
                "msgrcv\0"
                "msgsnd\0"
                "pipe2\0"
                "pipe\0"
                "process_vm_readv\0"
                "process_vm_writev\0"
                "semctl\0"
                "semget\0"
                "semop\0"
                "semtimedop\0"
                "shmat\0"
                "shmctl\0"
                "shmdt\0"
                "shmget\0"
        },
        [SYSCALL_FILTER_SET_KEYRING] = {
                .name = "@keyring",
                .help = "Kernel keyring access",
                .value =
                "add_key\0"
                "keyctl\0"
                "request_key\0"
        },
        [SYSCALL_FILTER_SET_MODULE] = {
                .name = "@module",
                .help = "Loading and unloading of kernel modules",
                .value =
                "delete_module\0"
                "finit_module\0"
                "init_module\0"
        },
        [SYSCALL_FILTER_SET_MOUNT] = {
                .name = "@mount",
                .help = "Mounting and unmounting of file systems",
                .value =
                "chroot\0"
                "mount\0"
                "pivot_root\0"
                "umount2\0"
                "umount\0"
        },
        [SYSCALL_FILTER_SET_NETWORK_IO] = {
                .name = "@network-io",
                .help = "Network or Unix socket IO, should not be needed if not network facing",
                .value =
                "accept4\0"
                "accept\0"
                "bind\0"
                "connect\0"
                "getpeername\0"
                "getsockname\0"
                "getsockopt\0"
                "listen\0"
                "recv\0"
                "recvfrom\0"
                "recvmmsg\0"
                "recvmsg\0"
                "send\0"
                "sendmmsg\0"
                "sendmsg\0"
                "sendto\0"
                "setsockopt\0"
                "shutdown\0"
                "socket\0"
                "socketcall\0"
                "socketpair\0"
        },
        [SYSCALL_FILTER_SET_OBSOLETE] = {
                /* some unknown even to libseccomp */
                .name = "@obsolete",
                .help = "Unusual, obsolete or unimplemented system calls",
                .value =
                "_sysctl\0"
                "afs_syscall\0"
                "break\0"
                "create_module\0"
                "ftime\0"
                "get_kernel_syms\0"
                "getpmsg\0"
                "gtty\0"
                "lock\0"
                "mpx\0"
                "prof\0"
                "profil\0"
                "putpmsg\0"
                "query_module\0"
                "security\0"
                "sgetmask\0"
                "ssetmask\0"
                "stty\0"
                "sysfs\0"
                "tuxcall\0"
                "ulimit\0"
                "uselib\0"
                "ustat\0"
                "vserver\0"
        },
        [SYSCALL_FILTER_SET_PRIVILEGED] = {
                .name = "@privileged",
                .help = "All system calls which need super-user capabilities",
                .value =
                "@clock\0"
                "@module\0"
                "@raw-io\0"
                "acct\0"
                "bdflush\0"
                "bpf\0"
                "capset\0"
                "chown32\0"
                "chown\0"
                "chroot\0"
                "fchown32\0"
                "fchown\0"
                "fchownat\0"
                "kexec_file_load\0"
                "kexec_load\0"
                "lchown32\0"
                "lchown\0"
                "nfsservctl\0"
                "pivot_root\0"
                "quotactl\0"
                "reboot\0"
                "setdomainname\0"
                "setfsuid32\0"
                "setfsuid\0"
                "setgroups32\0"
                "setgroups\0"
                "sethostname\0"
                "setresuid32\0"
                "setresuid\0"
                "setreuid32\0"
                "setreuid\0"
                "setuid32\0"
                "setuid\0"
                "swapoff\0"
                "swapon\0"
                "_sysctl\0"
                "vhangup\0"
        },
        [SYSCALL_FILTER_SET_PROCESS] = {
                .name = "@process",
                .help = "Process control, execution, namespaceing operations",
                .value =
                "arch_prctl\0"
                "clone\0"
                "execveat\0"
                "fork\0"
                "kill\0"
                "prctl\0"
                "setns\0"
                "tgkill\0"
                "tkill\0"
                "unshare\0"
                "vfork\0"
        },
        [SYSCALL_FILTER_SET_RAW_IO] = {
                .name = "@raw-io",
                .help = "Raw I/O port access",
                .value =
                "ioperm\0"
                "iopl\0"
                "pciconfig_iobase\0"
                "pciconfig_read\0"
                "pciconfig_write\0"
#ifdef __NR_s390_pci_mmio_read
                "s390_pci_mmio_read\0"
#endif
#ifdef __NR_s390_pci_mmio_write
                "s390_pci_mmio_write\0"
#endif
        },
        [SYSCALL_FILTER_SET_RESOURCES] = {
                /* Alter resource settings */
                .name = "@resources",
                .value =
                "sched_setparam\0"
                "sched_setscheduler\0"
                "sched_setaffinity\0"
                "setpriority\0"
                "setrlimit\0"
                "set_mempolicy\0"
                "migrate_pages\0"
                "move_pages\0"
                "mbind\0"
                "sched_setattr\0"
                "prlimit64\0"
        },
};

const SyscallFilterSet *syscall_filter_set_find(const char *name) {
        unsigned i;

        if (isempty(name) || name[0] != '@')
                return NULL;

        for (i = 0; i < _SYSCALL_FILTER_SET_MAX; i++)
                if (streq(syscall_filter_sets[i].name, name))
                        return syscall_filter_sets + i;

        return NULL;
}

int seccomp_add_syscall_filter_set(scmp_filter_ctx seccomp, const SyscallFilterSet *set, uint32_t action) {
        const char *sys;
        int r;

        assert(seccomp);
        assert(set);

        NULSTR_FOREACH(sys, set->value) {
                int id;

                if (sys[0] == '@') {
                        const SyscallFilterSet *other;

                        other = syscall_filter_set_find(sys);
                        if (!other)
                                return -EINVAL;

                        r = seccomp_add_syscall_filter_set(seccomp, other, action);
                } else {
                        id = seccomp_syscall_resolve_name(sys);
                        if (id == __NR_SCMP_ERROR)
                                return -EINVAL;

                        r = seccomp_rule_add(seccomp, action, id, 0);
                }
                if (r < 0)
                        return r;
        }

        return 0;
}

int seccomp_load_filter_set(uint32_t default_action, const SyscallFilterSet *set, uint32_t action) {
        scmp_filter_ctx seccomp;
        int r;

        assert(set);

        /* The one-stop solution: allocate a seccomp object, add a filter to it, and apply it */

        r = seccomp_init_conservative(&seccomp, default_action);
        if (r < 0)
                return r;

        r = seccomp_add_syscall_filter_set(seccomp, set, action);
        if (r < 0)
                goto finish;

        r = seccomp_load(seccomp);

finish:
        seccomp_release(seccomp);
        return r;
}

int seccomp_restrict_namespaces(unsigned long retain) {
        scmp_filter_ctx seccomp;
        unsigned i;
        int r;

        if (log_get_max_level() >= LOG_DEBUG) {
                _cleanup_free_ char *s = NULL;

                (void) namespace_flag_to_string_many(retain, &s);
                log_debug("Restricting namespace to: %s.", strna(s));
        }

        /* NOOP? */
        if ((retain & NAMESPACE_FLAGS_ALL) == NAMESPACE_FLAGS_ALL)
                return 0;

        r = seccomp_init_conservative(&seccomp, SCMP_ACT_ALLOW);
        if (r < 0)
                return r;

        if ((retain & NAMESPACE_FLAGS_ALL) == 0)
                /* If every single kind of namespace shall be prohibited, then let's block the whole setns() syscall
                 * altogether. */
                r = seccomp_rule_add(
                                seccomp,
                                SCMP_ACT_ERRNO(EPERM),
                                SCMP_SYS(setns),
                                0);
        else
                /* Otherwise, block only the invocations with the appropriate flags in the loop below, but also the
                 * special invocation with a zero flags argument, right here. */
                r = seccomp_rule_add(
                                seccomp,
                                SCMP_ACT_ERRNO(EPERM),
                                SCMP_SYS(setns),
                                1,
                                SCMP_A1(SCMP_CMP_EQ, 0));
        if (r < 0)
                goto finish;

        for (i = 0; namespace_flag_map[i].name; i++) {
                unsigned long f;

                f = namespace_flag_map[i].flag;
                if ((retain & f) == f) {
                        log_debug("Permitting %s.", namespace_flag_map[i].name);
                        continue;
                }

                log_debug("Blocking %s.", namespace_flag_map[i].name);

                r = seccomp_rule_add(
                                seccomp,
                                SCMP_ACT_ERRNO(EPERM),
                                SCMP_SYS(unshare),
                                1,
                                SCMP_A0(SCMP_CMP_MASKED_EQ, f, f));
                if (r < 0)
                        goto finish;

                r = seccomp_rule_add(
                                seccomp,
                                SCMP_ACT_ERRNO(EPERM),
                                SCMP_SYS(clone),
                                1,
                                SCMP_A0(SCMP_CMP_MASKED_EQ, f, f));
                if (r < 0)
                        goto finish;

                if ((retain & NAMESPACE_FLAGS_ALL) != 0) {
                        r = seccomp_rule_add(
                                        seccomp,
                                        SCMP_ACT_ERRNO(EPERM),
                                        SCMP_SYS(setns),
                                        1,
                                        SCMP_A1(SCMP_CMP_MASKED_EQ, f, f));
                        if (r < 0)
                                goto finish;
                }
        }

        r = seccomp_load(seccomp);

finish:
        seccomp_release(seccomp);
        return r;
}
Commit	Line	Data
57183d11 LP	1	/***
	2	This file is part of systemd.
	3
	4	Copyright 2014 Lennart Poettering
	5
	6	systemd is free software; you can redistribute it and/or modify it
	7	under the terms of the GNU Lesser General Public License as published by
	8	the Free Software Foundation; either version 2.1 of the License, or
	9	(at your option) any later version.
	10
	11	systemd is distributed in the hope that it will be useful, but
	12	WITHOUT ANY WARRANTY; without even the implied warranty of
	13	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	14	Lesser General Public License for more details.
	15
	16	You should have received a copy of the GNU Lesser General Public License
	17	along with systemd; If not, see <http://www.gnu.org/licenses/>.
	18	***/
	19
a8fbdf54	20	#include <errno.h>
57183d11	21	#include <seccomp.h>
a8fbdf54	22	#include <stddef.h>
d347d902 FS	23	#include <sys/prctl.h>
d347d902 FS	24	#include <linux/seccomp.h>
57183d11	25
add00535	26	#include "alloc-util.h"
a8fbdf54	27	#include "macro.h"
add00535	28	#include "nsflags.h"
cf0fbc49	29	#include "seccomp-util.h"
07630cea	30	#include "string-util.h"
8130926d	31	#include "util.h"
57183d11 LP	32
57183d11 LP	33	const char* seccomp_arch_to_string(uint32_t c) {
aa34055f ZJS	34	/* Maintain order used in <seccomp.h>.
	35	*
	36	* Names used here should be the same as those used for ConditionArchitecture=,
	37	* except for "subarchitectures" like x32. */
57183d11	38
aa34055f ZJS	39	switch(c) {
aa34055f ZJS	40	case SCMP_ARCH_NATIVE:
57183d11	41	return "native";
aa34055f	42	case SCMP_ARCH_X86:
57183d11	43	return "x86";
aa34055f	44	case SCMP_ARCH_X86_64:
57183d11	45	return "x86-64";
aa34055f	46	case SCMP_ARCH_X32:
57183d11	47	return "x32";
aa34055f	48	case SCMP_ARCH_ARM:
57183d11	49	return "arm";
aa34055f ZJS	50	case SCMP_ARCH_AARCH64:
	51	return "arm64";
	52	case SCMP_ARCH_MIPS:
	53	return "mips";
	54	case SCMP_ARCH_MIPS64:
	55	return "mips64";
	56	case SCMP_ARCH_MIPS64N32:
	57	return "mips64-n32";
	58	case SCMP_ARCH_MIPSEL:
	59	return "mips-le";
	60	case SCMP_ARCH_MIPSEL64:
	61	return "mips64-le";
	62	case SCMP_ARCH_MIPSEL64N32:
	63	return "mips64-le-n32";
	64	case SCMP_ARCH_PPC:
	65	return "ppc";
	66	case SCMP_ARCH_PPC64:
	67	return "ppc64";
	68	case SCMP_ARCH_PPC64LE:
	69	return "ppc64-le";
	70	case SCMP_ARCH_S390:
6abfd303	71	return "s390";
aa34055f	72	case SCMP_ARCH_S390X:
6abfd303	73	return "s390x";
aa34055f ZJS	74	default:
	75	return NULL;
	76	}
57183d11 LP	77	}
	78
	79	int seccomp_arch_from_string(const char n, uint32_t ret) {
	80	if (!n)
	81	return -EINVAL;
	82
	83	assert(ret);
	84
	85	if (streq(n, "native"))
	86	*ret = SCMP_ARCH_NATIVE;
	87	else if (streq(n, "x86"))
	88	*ret = SCMP_ARCH_X86;
	89	else if (streq(n, "x86-64"))
	90	*ret = SCMP_ARCH_X86_64;
	91	else if (streq(n, "x32"))
	92	*ret = SCMP_ARCH_X32;
	93	else if (streq(n, "arm"))
	94	*ret = SCMP_ARCH_ARM;
aa34055f ZJS	95	else if (streq(n, "arm64"))
	96	*ret = SCMP_ARCH_AARCH64;
	97	else if (streq(n, "mips"))
	98	*ret = SCMP_ARCH_MIPS;
	99	else if (streq(n, "mips64"))
	100	*ret = SCMP_ARCH_MIPS64;
	101	else if (streq(n, "mips64-n32"))
	102	*ret = SCMP_ARCH_MIPS64N32;
	103	else if (streq(n, "mips-le"))
	104	*ret = SCMP_ARCH_MIPSEL;
	105	else if (streq(n, "mips64-le"))
	106	*ret = SCMP_ARCH_MIPSEL64;
	107	else if (streq(n, "mips64-le-n32"))
	108	*ret = SCMP_ARCH_MIPSEL64N32;
	109	else if (streq(n, "ppc"))
	110	*ret = SCMP_ARCH_PPC;
	111	else if (streq(n, "ppc64"))
	112	*ret = SCMP_ARCH_PPC64;
	113	else if (streq(n, "ppc64-le"))
	114	*ret = SCMP_ARCH_PPC64LE;
6abfd303 HB	115	else if (streq(n, "s390"))
	116	*ret = SCMP_ARCH_S390;
	117	else if (streq(n, "s390x"))
	118	*ret = SCMP_ARCH_S390X;
57183d11 LP	119	else
	120	return -EINVAL;
	121
	122	return 0;
	123	}
e9642be2	124
8d7b0c8f LP	125	int seccomp_init_conservative(scmp_filter_ctx *ret, uint32_t default_action) {
	126	scmp_filter_ctx seccomp;
	127	int r;
	128
	129	/* Much like seccomp_init(), but tries to be a bit more conservative in its defaults: all secondary archs are
	130	* added by default, and NNP is turned off. */
	131
	132	seccomp = seccomp_init(default_action);
	133	if (!seccomp)
	134	return -ENOMEM;
	135
	136	r = seccomp_add_secondary_archs(seccomp);
	137	if (r < 0)
	138	goto finish;
	139
	140	r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
	141	if (r < 0)
	142	goto finish;
	143
	144	*ret = seccomp;
	145	return 0;
	146
	147	finish:
	148	seccomp_release(seccomp);
	149	return r;
	150	}
	151
aa34055f	152	int seccomp_add_secondary_archs(scmp_filter_ctx ctx) {
e9642be2 LP	153
	154	/* Add in all possible secondary archs we are aware of that
	155	* this kernel might support. */
	156
aa34055f ZJS	157	static const int seccomp_arches[] = {
	158	#if defined(__i386__) \|\| defined(__x86_64__)
	159	SCMP_ARCH_X86,
	160	SCMP_ARCH_X86_64,
	161	SCMP_ARCH_X32,
	162
	163	#elif defined(__arm__) \|\| defined(__aarch64__)
	164	SCMP_ARCH_ARM,
	165	SCMP_ARCH_AARCH64,
	166
	167	#elif defined(__arm__) \|\| defined(__aarch64__)
	168	SCMP_ARCH_ARM,
	169	SCMP_ARCH_AARCH64,
	170
	171	#elif defined(__mips__) \|\| defined(__mips64__)
	172	SCMP_ARCH_MIPS,
	173	SCMP_ARCH_MIPS64,
	174	SCMP_ARCH_MIPS64N32,
	175	SCMP_ARCH_MIPSEL,
	176	SCMP_ARCH_MIPSEL64,
	177	SCMP_ARCH_MIPSEL64N32,
	178
	179	#elif defined(__powerpc__) \|\| defined(__powerpc64__)
	180	SCMP_ARCH_PPC,
	181	SCMP_ARCH_PPC64,
	182	SCMP_ARCH_PPC64LE,
e9642be2	183
6abfd303	184	#elif defined(__s390__) \|\| defined(__s390x__)
aa34055f ZJS	185	SCMP_ARCH_S390,
	186	SCMP_ARCH_S390X,
	187	#endif
	188	};
6abfd303	189
aa34055f ZJS	190	unsigned i;
aa34055f ZJS	191	int r;
6abfd303	192
aa34055f ZJS	193	for (i = 0; i < ELEMENTSOF(seccomp_arches); i++) {
	194	r = seccomp_arch_add(ctx, seccomp_arches[i]);
	195	if (r < 0 && r != -EEXIST)
	196	return r;
	197	}
e9642be2 LP	198
e9642be2 LP	199	return 0;
e9642be2	200	}
201c1cc2	201
d347d902 FS	202	static bool is_basic_seccomp_available(void) {
	203	int r;
	204	r = prctl(PR_GET_SECCOMP, 0, 0, 0, 0);
	205	return r >= 0;
	206	}
	207
	208	static bool is_seccomp_filter_available(void) {
	209	int r;
	210	r = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0);
	211	return r < 0 && errno == EFAULT;
	212	}
	213
83f12b27	214	bool is_seccomp_available(void) {
83f12b27 FS	215	static int cached_enabled = -1;
83f12b27 FS	216	if (cached_enabled < 0)
d347d902	217	cached_enabled = is_basic_seccomp_available() && is_seccomp_filter_available();
83f12b27 FS	218	return cached_enabled;
	219	}
	220
8130926d	221	const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
40eb6a80	222	[SYSCALL_FILTER_SET_DEFAULT] = {
40eb6a80	223	.name = "@default",
d5efc18b	224	.help = "System calls that are always permitted",
40eb6a80 ZJS	225	.value =
	226	"clock_getres\0"
	227	"clock_gettime\0"
	228	"clock_nanosleep\0"
	229	"execve\0"
	230	"exit\0"
	231	"exit_group\0"
	232	"getrlimit\0" /* make sure processes can query stack size and such */
	233	"gettimeofday\0"
	234	"nanosleep\0"
	235	"pause\0"
	236	"rt_sigreturn\0"
	237	"sigreturn\0"
	238	"time\0"
	239	},
133ddbbe	240	[SYSCALL_FILTER_SET_BASIC_IO] = {
133ddbbe	241	.name = "@basic-io",
d5efc18b	242	.help = "Basic IO",
133ddbbe LP	243	.value =
	244	"close\0"
	245	"dup2\0"
	246	"dup3\0"
	247	"dup\0"
	248	"lseek\0"
	249	"pread64\0"
	250	"preadv\0"
	251	"pwrite64\0"
	252	"pwritev\0"
	253	"read\0"
	254	"readv\0"
	255	"write\0"
	256	"writev\0"
	257	},
8130926d	258	[SYSCALL_FILTER_SET_CLOCK] = {
8130926d	259	.name = "@clock",
d5efc18b	260	.help = "Change the system time",
201c1cc2 TM	261	.value =
201c1cc2 TM	262	"adjtimex\0"
1f9ac68b LP	263	"clock_adjtime\0"
1f9ac68b LP	264	"clock_settime\0"
201c1cc2	265	"settimeofday\0"
1f9ac68b	266	"stime\0"
8130926d LP	267	},
8130926d LP	268	[SYSCALL_FILTER_SET_CPU_EMULATION] = {
8130926d	269	.name = "@cpu-emulation",
d5efc18b	270	.help = "System calls for CPU emulation functionality",
1f9ac68b LP	271	.value =
	272	"modify_ldt\0"
	273	"subpage_prot\0"
	274	"switch_endian\0"
	275	"vm86\0"
	276	"vm86old\0"
8130926d LP	277	},
8130926d LP	278	[SYSCALL_FILTER_SET_DEBUG] = {
8130926d	279	.name = "@debug",
d5efc18b	280	.help = "Debugging, performance monitoring and tracing functionality",
1f9ac68b LP	281	.value =
	282	"lookup_dcookie\0"
	283	"perf_event_open\0"
	284	"process_vm_readv\0"
	285	"process_vm_writev\0"
	286	"ptrace\0"
	287	"rtas\0"
8130926d	288	#ifdef __NR_s390_runtime_instr
1f9ac68b	289	"s390_runtime_instr\0"
8130926d	290	#endif
1f9ac68b	291	"sys_debug_setcontext\0"
8130926d	292	},
8130926d	293	[SYSCALL_FILTER_SET_IO_EVENT] = {
8130926d	294	.name = "@io-event",
d5efc18b	295	.help = "Event loop system calls",
201c1cc2 TM	296	.value =
	297	"_newselect\0"
	298	"epoll_create1\0"
	299	"epoll_create\0"
	300	"epoll_ctl\0"
	301	"epoll_ctl_old\0"
	302	"epoll_pwait\0"
	303	"epoll_wait\0"
	304	"epoll_wait_old\0"
	305	"eventfd2\0"
	306	"eventfd\0"
	307	"poll\0"
	308	"ppoll\0"
	309	"pselect6\0"
	310	"select\0"
8130926d LP	311	},
8130926d LP	312	[SYSCALL_FILTER_SET_IPC] = {
8130926d	313	.name = "@ipc",
d5efc18b ZJS	314	.help = "SysV IPC, POSIX Message Queues or other IPC",
	315	.value =
	316	"ipc\0"
cd5bfd7e	317	"memfd_create\0"
201c1cc2 TM	318	"mq_getsetattr\0"
	319	"mq_notify\0"
	320	"mq_open\0"
	321	"mq_timedreceive\0"
	322	"mq_timedsend\0"
	323	"mq_unlink\0"
	324	"msgctl\0"
	325	"msgget\0"
	326	"msgrcv\0"
	327	"msgsnd\0"
cd5bfd7e LP	328	"pipe2\0"
cd5bfd7e LP	329	"pipe\0"
201c1cc2 TM	330	"process_vm_readv\0"
	331	"process_vm_writev\0"
	332	"semctl\0"
	333	"semget\0"
	334	"semop\0"
	335	"semtimedop\0"
	336	"shmat\0"
	337	"shmctl\0"
	338	"shmdt\0"
	339	"shmget\0"
8130926d LP	340	},
8130926d LP	341	[SYSCALL_FILTER_SET_KEYRING] = {
8130926d	342	.name = "@keyring",
d5efc18b	343	.help = "Kernel keyring access",
1f9ac68b LP	344	.value =
	345	"add_key\0"
	346	"keyctl\0"
	347	"request_key\0"
8130926d LP	348	},
8130926d LP	349	[SYSCALL_FILTER_SET_MODULE] = {
8130926d	350	.name = "@module",
d5efc18b	351	.help = "Loading and unloading of kernel modules",
201c1cc2	352	.value =
201c1cc2 TM	353	"delete_module\0"
	354	"finit_module\0"
	355	"init_module\0"
8130926d LP	356	},
8130926d LP	357	[SYSCALL_FILTER_SET_MOUNT] = {
8130926d	358	.name = "@mount",
d5efc18b	359	.help = "Mounting and unmounting of file systems",
201c1cc2 TM	360	.value =
	361	"chroot\0"
	362	"mount\0"
201c1cc2 TM	363	"pivot_root\0"
	364	"umount2\0"
	365	"umount\0"
8130926d LP	366	},
8130926d LP	367	[SYSCALL_FILTER_SET_NETWORK_IO] = {
8130926d	368	.name = "@network-io",
d5efc18b	369	.help = "Network or Unix socket IO, should not be needed if not network facing",
201c1cc2 TM	370	.value =
	371	"accept4\0"
	372	"accept\0"
	373	"bind\0"
	374	"connect\0"
	375	"getpeername\0"
	376	"getsockname\0"
	377	"getsockopt\0"
	378	"listen\0"
	379	"recv\0"
	380	"recvfrom\0"
	381	"recvmmsg\0"
	382	"recvmsg\0"
	383	"send\0"
	384	"sendmmsg\0"
	385	"sendmsg\0"
	386	"sendto\0"
	387	"setsockopt\0"
	388	"shutdown\0"
	389	"socket\0"
	390	"socketcall\0"
	391	"socketpair\0"
8130926d LP	392	},
8130926d LP	393	[SYSCALL_FILTER_SET_OBSOLETE] = {
d5efc18b	394	/* some unknown even to libseccomp */
8130926d	395	.name = "@obsolete",
d5efc18b	396	.help = "Unusual, obsolete or unimplemented system calls",
201c1cc2 TM	397	.value =
	398	"_sysctl\0"
	399	"afs_syscall\0"
	400	"break\0"
1f9ac68b	401	"create_module\0"
201c1cc2 TM	402	"ftime\0"
201c1cc2 TM	403	"get_kernel_syms\0"
201c1cc2 TM	404	"getpmsg\0"
201c1cc2 TM	405	"gtty\0"
201c1cc2	406	"lock\0"
201c1cc2	407	"mpx\0"
201c1cc2 TM	408	"prof\0"
201c1cc2 TM	409	"profil\0"
201c1cc2 TM	410	"putpmsg\0"
201c1cc2 TM	411	"query_module\0"
201c1cc2 TM	412	"security\0"
	413	"sgetmask\0"
	414	"ssetmask\0"
	415	"stty\0"
1f9ac68b	416	"sysfs\0"
201c1cc2 TM	417	"tuxcall\0"
	418	"ulimit\0"
	419	"uselib\0"
1f9ac68b	420	"ustat\0"
201c1cc2	421	"vserver\0"
8130926d LP	422	},
8130926d LP	423	[SYSCALL_FILTER_SET_PRIVILEGED] = {
8130926d	424	.name = "@privileged",
d5efc18b	425	.help = "All system calls which need super-user capabilities",
201c1cc2 TM	426	.value =
	427	"@clock\0"
	428	"@module\0"
	429	"@raw-io\0"
	430	"acct\0"
	431	"bdflush\0"
	432	"bpf\0"
1f9ac68b	433	"capset\0"
201c1cc2 TM	434	"chown32\0"
	435	"chown\0"
	436	"chroot\0"
	437	"fchown32\0"
	438	"fchown\0"
	439	"fchownat\0"
	440	"kexec_file_load\0"
	441	"kexec_load\0"
	442	"lchown32\0"
	443	"lchown\0"
	444	"nfsservctl\0"
	445	"pivot_root\0"
	446	"quotactl\0"
	447	"reboot\0"
	448	"setdomainname\0"
	449	"setfsuid32\0"
	450	"setfsuid\0"
	451	"setgroups32\0"
	452	"setgroups\0"
	453	"sethostname\0"
	454	"setresuid32\0"
	455	"setresuid\0"
	456	"setreuid32\0"
	457	"setreuid\0"
	458	"setuid32\0"
	459	"setuid\0"
201c1cc2 TM	460	"swapoff\0"
201c1cc2 TM	461	"swapon\0"
60f547cf	462	"_sysctl\0"
201c1cc2	463	"vhangup\0"
8130926d LP	464	},
8130926d LP	465	[SYSCALL_FILTER_SET_PROCESS] = {
8130926d	466	.name = "@process",
d5efc18b	467	.help = "Process control, execution, namespaceing operations",
201c1cc2 TM	468	.value =
	469	"arch_prctl\0"
	470	"clone\0"
201c1cc2 TM	471	"execveat\0"
	472	"fork\0"
	473	"kill\0"
	474	"prctl\0"
	475	"setns\0"
	476	"tgkill\0"
	477	"tkill\0"
	478	"unshare\0"
	479	"vfork\0"
8130926d LP	480	},
8130926d LP	481	[SYSCALL_FILTER_SET_RAW_IO] = {
8130926d	482	.name = "@raw-io",
d5efc18b	483	.help = "Raw I/O port access",
201c1cc2 TM	484	.value =
	485	"ioperm\0"
	486	"iopl\0"
1f9ac68b	487	"pciconfig_iobase\0"
201c1cc2 TM	488	"pciconfig_read\0"
201c1cc2 TM	489	"pciconfig_write\0"
8130926d	490	#ifdef __NR_s390_pci_mmio_read
201c1cc2	491	"s390_pci_mmio_read\0"
8130926d LP	492	#endif
8130926d LP	493	#ifdef __NR_s390_pci_mmio_write
201c1cc2	494	"s390_pci_mmio_write\0"
8130926d LP	495	#endif
8130926d LP	496	},
133ddbbe LP	497	[SYSCALL_FILTER_SET_RESOURCES] = {
	498	/* Alter resource settings */
	499	.name = "@resources",
	500	.value =
	501	"sched_setparam\0"
	502	"sched_setscheduler\0"
	503	"sched_setaffinity\0"
	504	"setpriority\0"
	505	"setrlimit\0"
	506	"set_mempolicy\0"
	507	"migrate_pages\0"
	508	"move_pages\0"
	509	"mbind\0"
	510	"sched_setattr\0"
	511	"prlimit64\0"
	512	},
201c1cc2	513	};
8130926d LP	514
	515	const SyscallFilterSet syscall_filter_set_find(const char name) {
	516	unsigned i;
	517
	518	if (isempty(name) \|\| name[0] != '@')
	519	return NULL;
	520
	521	for (i = 0; i < _SYSCALL_FILTER_SET_MAX; i++)
	522	if (streq(syscall_filter_sets[i].name, name))
	523	return syscall_filter_sets + i;
	524
	525	return NULL;
	526	}
	527
	528	int seccomp_add_syscall_filter_set(scmp_filter_ctx seccomp, const SyscallFilterSet *set, uint32_t action) {
	529	const char *sys;
	530	int r;
	531
	532	assert(seccomp);
	533	assert(set);
	534
	535	NULSTR_FOREACH(sys, set->value) {
	536	int id;
	537
	538	if (sys[0] == '@') {
	539	const SyscallFilterSet *other;
	540
	541	other = syscall_filter_set_find(sys);
	542	if (!other)
	543	return -EINVAL;
	544
	545	r = seccomp_add_syscall_filter_set(seccomp, other, action);
	546	} else {
	547	id = seccomp_syscall_resolve_name(sys);
	548	if (id == __NR_SCMP_ERROR)
	549	return -EINVAL;
	550
	551	r = seccomp_rule_add(seccomp, action, id, 0);
	552	}
	553	if (r < 0)
	554	return r;
	555	}
	556
	557	return 0;
	558	}
a3be2849 LP	559
	560	int seccomp_load_filter_set(uint32_t default_action, const SyscallFilterSet *set, uint32_t action) {
	561	scmp_filter_ctx seccomp;
	562	int r;
	563
	564	assert(set);
	565
	566	/* The one-stop solution: allocate a seccomp object, add a filter to it, and apply it */
	567
	568	r = seccomp_init_conservative(&seccomp, default_action);
	569	if (r < 0)
	570	return r;
	571
	572	r = seccomp_add_syscall_filter_set(seccomp, set, action);
	573	if (r < 0)
	574	goto finish;
	575
	576	r = seccomp_load(seccomp);
	577
	578	finish:
	579	seccomp_release(seccomp);
	580	return r;
add00535 LP	581	}
	582
	583	int seccomp_restrict_namespaces(unsigned long retain) {
	584	scmp_filter_ctx seccomp;
	585	unsigned i;
	586	int r;
	587
	588	if (log_get_max_level() >= LOG_DEBUG) {
	589	_cleanup_free_ char *s = NULL;
	590
	591	(void) namespace_flag_to_string_many(retain, &s);
	592	log_debug("Restricting namespace to: %s.", strna(s));
	593	}
	594
	595	/* NOOP? */
	596	if ((retain & NAMESPACE_FLAGS_ALL) == NAMESPACE_FLAGS_ALL)
	597	return 0;
	598
	599	r = seccomp_init_conservative(&seccomp, SCMP_ACT_ALLOW);
	600	if (r < 0)
	601	return r;
	602
	603	if ((retain & NAMESPACE_FLAGS_ALL) == 0)
	604	/* If every single kind of namespace shall be prohibited, then let's block the whole setns() syscall
	605	* altogether. */
	606	r = seccomp_rule_add(
	607	seccomp,
	608	SCMP_ACT_ERRNO(EPERM),
	609	SCMP_SYS(setns),
	610	0);
	611	else
	612	/* Otherwise, block only the invocations with the appropriate flags in the loop below, but also the
	613	* special invocation with a zero flags argument, right here. */
	614	r = seccomp_rule_add(
	615	seccomp,
	616	SCMP_ACT_ERRNO(EPERM),
	617	SCMP_SYS(setns),
	618	1,
	619	SCMP_A1(SCMP_CMP_EQ, 0));
	620	if (r < 0)
	621	goto finish;
	622
	623	for (i = 0; namespace_flag_map[i].name; i++) {
	624	unsigned long f;
	625
	626	f = namespace_flag_map[i].flag;
	627	if ((retain & f) == f) {
	628	log_debug("Permitting %s.", namespace_flag_map[i].name);
	629	continue;
	630	}
a3be2849	631
add00535 LP	632	log_debug("Blocking %s.", namespace_flag_map[i].name);
	633
	634	r = seccomp_rule_add(
	635	seccomp,
	636	SCMP_ACT_ERRNO(EPERM),
	637	SCMP_SYS(unshare),
	638	1,
	639	SCMP_A0(SCMP_CMP_MASKED_EQ, f, f));
	640	if (r < 0)
	641	goto finish;
	642
	643	r = seccomp_rule_add(
	644	seccomp,
	645	SCMP_ACT_ERRNO(EPERM),
	646	SCMP_SYS(clone),
	647	1,
	648	SCMP_A0(SCMP_CMP_MASKED_EQ, f, f));
	649	if (r < 0)
	650	goto finish;
	651
	652	if ((retain & NAMESPACE_FLAGS_ALL) != 0) {
	653	r = seccomp_rule_add(
	654	seccomp,
	655	SCMP_ACT_ERRNO(EPERM),
	656	SCMP_SYS(setns),
	657	1,
	658	SCMP_A1(SCMP_CMP_MASKED_EQ, f, f));
	659	if (r < 0)
	660	goto finish;
	661	}
	662	}
	663
	664	r = seccomp_load(seccomp);
	665
	666	finish:
	667	seccomp_release(seccomp);
	668	return r;
a3be2849	669	}