/* See LICENSE file for license and copyright information */

#include "seccomp-filters.h"

#ifdef WITH_SECCOMP
#include <girara/log.h>
#include <seccomp.h> /* libseccomp */
#include <sys/prctl.h> /* prctl */
#include <sys/socket.h>
#include <fcntl.h>
#include <stdlib.h>
#include <errno.h>
#include <girara/utils.h>

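/* Add a single-syscall rule to the filter context `ctx` that must be in scope
 * at the expansion site; on failure jump to the enclosing function's `out:`
 * cleanup label. Wrapped in do { } while (0) so the expansion behaves like
 * one statement (safe as the body of an unbraced if/else, and the trailing
 * `;` at the call site is consumed). */
#define DENY_RULE(call)  do { if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(call), 0) < 0) goto out; } while (0)
#define ALLOW_RULE(call) do { if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(call), 0) < 0) goto out; } while (0)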

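/**
 * Install the "basic" seccomp filter: every syscall is allowed except a
 * blacklist of calls the viewer never needs (module loading, mount/umount,
 * ptrace, kexec, key management, ...), which terminate the caller with
 * SCMP_ACT_KILL.
 *
 * Before the filter is built the process is hardened with
 * PR_SET_NO_NEW_PRIVS and made non-dumpable.
 *
 * @return 0 on success, -1 if a prctl call, a rule addition or the final
 *         seccomp_load fails. Every failure is reported via girara_error and
 *         the filter context is released before returning.
 */
int
seccomp_enable_basic_filter(void)
{
  /* Once set, execve can no longer grant additional privileges (setuid/setgid
   * bits, file capabilities); the flag is inherited by child processes. */
  if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
    girara_error("prctl SET_NO_NEW_PRIVS");
    return -1;
  }

  /* A non-dumpable process cannot be ptrace-attached by other unprivileged
   * processes, so the filter cannot be sidestepped that way (and no core
   * dumps are written). */
  if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0)) {
    girara_error("prctl PR_SET_DUMPABLE");
    return -1;
  }

  /* Default action is ALLOW; the DENY_RULE list below is the blacklist. */
  scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_ALLOW);
  if (ctx == NULL) {
    girara_error("seccomp_init failed");
    return -1;
  }

  /* NOTE(review): SCMP_ACT_KILL terminates only the offending thread. Where
   * the libseccomp/kernel in use provide SCMP_ACT_KILL_PROCESS, that is the
   * stronger choice for a multi-threaded GTK process — confirm availability
   * before switching. */
  DENY_RULE(_sysctl);
  DENY_RULE(acct);
  DENY_RULE(add_key);
  DENY_RULE(adjtimex);
  DENY_RULE(chroot);
  DENY_RULE(clock_adjtime);
  DENY_RULE(create_module);
  DENY_RULE(delete_module);
  DENY_RULE(fanotify_init);
  DENY_RULE(finit_module);
  DENY_RULE(get_kernel_syms);
  DENY_RULE(get_mempolicy);
  DENY_RULE(init_module);
  DENY_RULE(io_cancel);
  DENY_RULE(io_destroy);
  DENY_RULE(io_getevents);
  DENY_RULE(io_setup);
  DENY_RULE(io_submit);
  DENY_RULE(ioperm);
  DENY_RULE(iopl);
  DENY_RULE(ioprio_set);
  DENY_RULE(kcmp);
  DENY_RULE(kexec_file_load);
  DENY_RULE(kexec_load);
  DENY_RULE(keyctl);
  DENY_RULE(lookup_dcookie);
  DENY_RULE(mbind);
  DENY_RULE(nfsservctl);
  DENY_RULE(migrate_pages);
  DENY_RULE(modify_ldt);
  DENY_RULE(mount);
  DENY_RULE(move_pages);
  DENY_RULE(name_to_handle_at);
  DENY_RULE(open_by_handle_at);
  DENY_RULE(perf_event_open);
  DENY_RULE(pivot_root);
  DENY_RULE(process_vm_readv);
  DENY_RULE(process_vm_writev);
  DENY_RULE(ptrace);
  DENY_RULE(reboot);
  DENY_RULE(remap_file_pages);
  DENY_RULE(request_key);
  DENY_RULE(set_mempolicy);
  DENY_RULE(swapoff);
  DENY_RULE(swapon);
  DENY_RULE(sysfs);
  DENY_RULE(syslog);
  DENY_RULE(tuxcall);
  DENY_RULE(umount2);
  DENY_RULE(uselib);
  DENY_RULE(vmsplice);

  /* TODO: check for additional syscalls to blacklist */
  /* DENY_RULE (execve); */

  /* Hand the filter to the kernel. The context is only a build artefact and
   * is released whether or not loading succeeded. */
  if (seccomp_load(ctx) < 0) {
    girara_error("seccomp_load failed");
    seccomp_release(ctx);
    return -1;
  }
  seccomp_release(ctx);
  return 0;

out:
  /* reached from DENY_RULE when seccomp_rule_add failed */
  girara_error("seccomp_rule_add failed");
  seccomp_release(ctx);
  return -1;
}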

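/**
 * Install the "strict" seccomp filter: the default action is SCMP_ACT_KILL,
 * so from now on the process may only use the syscalls whitelisted below.
 * ioctl, prctl, open and openat are allowed only for specific argument
 * values; open/openat for writing fail with EACCES rather than killing the
 * process.
 *
 * Before the filter is built the process is hardened with
 * PR_SET_NO_NEW_PRIVS and made non-dumpable.
 *
 * @return 0 on success, -1 if a prctl call, a rule addition or the final
 *         seccomp_load fails. Every failure is reported via girara_error and
 *         the filter context is released before returning.
 */
int
seccomp_enable_strict_filter(void)
{
  /* Once set, execve can no longer grant additional privileges (setuid/setgid
   * bits, file capabilities); the flag is inherited by child processes. */
  if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
    girara_error("prctl SET_NO_NEW_PRIVS");
    return -1;
  }

  /* A non-dumpable process cannot be ptrace-attached by other unprivileged
   * processes, so the filter cannot be sidestepped that way. */
  if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0)) {
    girara_error("prctl PR_SET_DUMPABLE");
    return -1;
  }

  /* Default action is KILL: anything not whitelisted below terminates the
   * calling thread.
   * NOTE(review): SCMP_ACT_KILL terminates only the offending thread. Where
   * the libseccomp/kernel in use provide SCMP_ACT_KILL_PROCESS, that is the
   * stronger choice for a multi-threaded GTK process — confirm availability
   * before switching. */
  scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_KILL);
  if (ctx == NULL) {
    girara_error("seccomp_init failed");
    return -1;
  }

  /* --- syscalls allowed regardless of their arguments --- */
  ALLOW_RULE(access);
  /* ALLOW_RULE (arch_prctl); */
  ALLOW_RULE(bind);
  ALLOW_RULE(brk);
  ALLOW_RULE(clock_getres);
  ALLOW_RULE(clone); /* TODO: investigate; the clone flags are not restricted */
  ALLOW_RULE(close);
  /* ALLOW_RULE (connect); */
  ALLOW_RULE(eventfd2);
  ALLOW_RULE(exit);
  ALLOW_RULE(exit_group);
  ALLOW_RULE(fadvise64);
  ALLOW_RULE(fallocate);
  ALLOW_RULE(fcntl);  /* TODO: build detailed filter (draft rules below) */
  ALLOW_RULE(fstat);
  ALLOW_RULE(fstatfs);
  ALLOW_RULE(ftruncate);
  ALLOW_RULE(futex);
  ALLOW_RULE(getdents);
  ALLOW_RULE(getdents64);
  ALLOW_RULE(getegid);
  ALLOW_RULE(geteuid);
  ALLOW_RULE(getgid);
  ALLOW_RULE(getuid);
  ALLOW_RULE(getpid);
  /* ALLOW_RULE (getpeername); */
  ALLOW_RULE(getresgid);
  ALLOW_RULE(getresuid);
  ALLOW_RULE(getrlimit);
  ALLOW_RULE(getpeername);
  /* ALLOW_RULE (getsockname); */
  /* ALLOW_RULE (getsockopt);   needed for access to x11 socket in network namespace (without abstract sockets) */
  ALLOW_RULE(inotify_add_watch);
  ALLOW_RULE(inotify_init1);
  ALLOW_RULE(inotify_rm_watch);
  /* ALLOW_RULE (ioctl);  restricted by file descriptor below */
  ALLOW_RULE(lseek);
  ALLOW_RULE(lstat);
  ALLOW_RULE(madvise);
  ALLOW_RULE(memfd_create);
  ALLOW_RULE(mkdir); /* needed for first run only */
  ALLOW_RULE(mmap);
  ALLOW_RULE(mprotect);
  ALLOW_RULE(mremap);
  ALLOW_RULE(munmap);
  /* ALLOW_RULE (open);    restricted by flags below (zathura needs to open for writing) TODO: avoid needing this somehow */
  /* ALLOW_RULE (openat);  restricted by flags below */
  ALLOW_RULE(pipe);
  ALLOW_RULE(poll);
  ALLOW_RULE(pwrite64); /* TODO: build detailed filter */
  ALLOW_RULE(pread64);
  /* ALLOW_RULE (prlimit64); */
  /* ALLOW_RULE (prctl);   restricted by option below */
  ALLOW_RULE(read);
  ALLOW_RULE(readlink);
  ALLOW_RULE(recvfrom);
  ALLOW_RULE(recvmsg);
  ALLOW_RULE(restart_syscall);
  ALLOW_RULE(rt_sigaction);
  ALLOW_RULE(rt_sigprocmask);
  ALLOW_RULE(sendmsg);
  ALLOW_RULE(sendto);
  ALLOW_RULE(select);
  ALLOW_RULE(set_robust_list);
  /* ALLOW_RULE (set_tid_address); */
  /* ALLOW_RULE (setsockopt); */
  ALLOW_RULE(shmat);
  ALLOW_RULE(shmctl);
  ALLOW_RULE(shmdt);
  ALLOW_RULE(shmget);
  ALLOW_RULE(shutdown);
  ALLOW_RULE(stat);
  ALLOW_RULE(statfs);
  /* ALLOW_RULE (socket); */
  ALLOW_RULE(sysinfo);
  ALLOW_RULE(uname);
  ALLOW_RULE(unlink);
  ALLOW_RULE(write);  /* unrestricted: zathura needs to write files; per-fd rules are still experimental (see below) */
  ALLOW_RULE(writev);
  ALLOW_RULE(wait4);  /* trying to open links should not crash the app */

  /* --- syscalls allowed only for specific arguments --- */

  /* ioctl: only on file descriptors 1 and 2 (stdout/stderr). The check is on
   * the fd number, not on what it refers to. */
  if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(ioctl), 1,
          SCMP_CMP(0, SCMP_CMP_EQ, 1)) < 0) {
    goto out;
  }
  if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(ioctl), 1,
          SCMP_CMP(0, SCMP_CMP_EQ, 2)) < 0) {
    goto out;
  }

  /* prctl: only PR_SET_NAME and PR_SET_PDEATHSIG (argument 0). GTK appears
   * to need these — content does not load without them.
   * TODO: build detailed filter for prctl */
  if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(prctl), 1,
          SCMP_CMP(0, SCMP_CMP_EQ, PR_SET_NAME)) < 0) {
    goto out;
  }

  if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(prctl), 1,
          SCMP_CMP(0, SCMP_CMP_EQ, PR_SET_PDEATHSIG)) < 0) {
    goto out;
  }

  /* open: allowed only when neither O_WRONLY nor O_RDWR is set in the flags
   * (argument 1); opens for writing fail with EACCES so callers see an
   * ordinary error instead of the process being killed.
   * NOTE(review): the mask covers the access mode only. O_CREAT or O_TRUNC
   * combined with O_RDONLY are not caught and may still create or truncate
   * a file — check whether zathura relies on that before tightening. */
  if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 1,
                        SCMP_CMP(1, SCMP_CMP_MASKED_EQ, O_WRONLY | O_RDWR, 0)) < 0) {
    goto out;
  }

  if (seccomp_rule_add(ctx, SCMP_ACT_ERRNO (EACCES), SCMP_SYS(open), 1,
                        SCMP_CMP(1, SCMP_CMP_MASKED_EQ, O_WRONLY, O_WRONLY)) < 0) {
    goto out;
  }

  if (seccomp_rule_add(ctx, SCMP_ACT_ERRNO (EACCES), SCMP_SYS(open), 1,
                        SCMP_CMP(1, SCMP_CMP_MASKED_EQ, O_RDWR, O_RDWR)) < 0) {
    goto out;
  }

  /* openat: same policy as open; the flags are argument 2 here. */
  if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 1,
                        SCMP_CMP(2, SCMP_CMP_MASKED_EQ, O_WRONLY | O_RDWR, 0)) < 0) {
    goto out;
  }

  if (seccomp_rule_add(ctx, SCMP_ACT_ERRNO (EACCES), SCMP_SYS(openat), 1,
                        SCMP_CMP(2, SCMP_CMP_MASKED_EQ, O_WRONLY, O_WRONLY)) < 0) {
    goto out;
  }

  if (seccomp_rule_add(ctx, SCMP_ACT_ERRNO (EACCES), SCMP_SYS(openat), 1,
                        SCMP_CMP(2, SCMP_CMP_MASKED_EQ, O_RDWR, O_RDWR)) < 0) {
    goto out;
  }

  /* allowed for debugging: */

  /* ALLOW_RULE (prctl); */
  /* ALLOW_RULE (ioctl); */

  /* TODO: test fcntl rules (would replace the unconditional ALLOW_RULE(fcntl) above) */
  /* if (seccomp_rule_add (ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl), 1, */
  /*        SCMP_CMP(0, SCMP_CMP_EQ, F_GETFL)) < 0) */
  /*  goto out; */

  /* if (seccomp_rule_add (ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl), 1, */
  /*        SCMP_CMP(0, SCMP_CMP_EQ, F_SETFL)) < 0) */
  /*  goto out; */

  /* if (seccomp_rule_add (ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl), 1, */
  /*        SCMP_CMP(0, SCMP_CMP_EQ, F_SETFD)) < 0) */
  /*  goto out; */

  /* if (seccomp_rule_add (ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl), 1, */
  /*        SCMP_CMP(0, SCMP_CMP_EQ, F_GETFD)) < 0) */
  /*  goto out; */

  /* if (seccomp_rule_add (ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl), 1, */
  /*        SCMP_CMP(0, SCMP_CMP_EQ, F_SETLK)) < 0) */
  /*  goto out; */

  /* when zathura is run on wayland, with X11 server available but blocked, unset the DISPLAY variable */
  /* otherwise it will try to connect to X11 using inet socket protocol */

  /*  ------------ experimental filters --------------- */

  /* /\* this filter is susceptible to TOCTOU race conditions, providing limited use *\/ */
  /* /\* allow opening only specified files identified by their file descriptors*\/ */

  /*  this requires either a list of all files to open (A LOT!!!) */
  /*  or needs to be applied only after initialisation, right before parsing */
  /*  if(seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 1, */
  /*       SCMP_CMP(SCMP_CMP_EQ, fd)) < 0) /\* or < 1 ??? *\/ */
  /*      goto out; */

  /* /\* restricting write access *\/ */

  /* /\* allow stdin *\/ */
  /*  if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1, */
  /*                          SCMP_CMP(0, SCMP_CMP_EQ, 0)) < 0 ) */
  /*      goto out; */

  /* /\* allow stdout *\/ */
  /*  if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1, */
  /*                              SCMP_CMP(0, SCMP_CMP_EQ, 1)) < 0 ) */
  /*      goto out; */

  /* /\* allow stderr *\/ */
  /* if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1, */
  /*                              SCMP_CMP(0, SCMP_CMP_EQ, 2)) < 0 ) */
  /*     goto out; */

  /* /\* restrict writev (write a vector) access *\/ */
  /*  this does not seem reliable but it surprisingly is. investigate more */
  /* if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(writev), 1, */
  /*                             SCMP_CMP(0, SCMP_CMP_EQ, 3)) < 0 ) */
  /*     goto out; */

  /* test if repeating this after some time or denying it works */

  /*  first attempt to filter poll requests */
  /*  if (seccomp_rule_add (ctx, SCMP_ACT_ALLOW, SCMP_SYS(poll), 1, */
  /*                          SCMP_CMP(0, SCMP_CMP_MASKED_EQ, POLLIN | POLL, 0)) < 0) */
  /*    goto out; */

  /* /\* restrict fcntl calls *\/ */
  /*  this syscall sets the file descriptor to read write */
  /* if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl), 1, */
  /*                             SCMP_CMP(0, SCMP_CMP_EQ, 3)) < 0 ) */
  /*     goto out; */
  /*  fcntl(3, F_GETFL)                       = 0x2 (flags O_RDWR) */
  /*  fcntl(3, F_SETFL, O_RDWR|O_NONBLOCK)    = 0 */
  /*  fcntl(3, F_SETFD, FD_CLOEXEC)           = 0 */

  /*  ------------------ end of experimental filters ------------------ */

  /* Hand the filter to the kernel. The context is only a build artefact and
   * is released whether or not loading succeeded. */
  if (seccomp_load(ctx) < 0) {
    girara_error("seccomp_load failed");
    seccomp_release(ctx);
    return -1;
  }
  seccomp_release(ctx);
  return 0;

out:
  /* reached when any seccomp_rule_add above failed */
  girara_error("seccomp_rule_add failed");
  seccomp_release(ctx);
  return -1;
}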

#endif /* WITH_SECCOMP */