Commit | Line | Data |
---|---|---|
8befd5cc MG |
1 | /** |
2 | * Enhanced Seccomp Architecture/Machine Specific Code | |
3 | * | |
4 | * Copyright (c) 2012 Red Hat <pmoore@redhat.com> | |
5 | * Author: Paul Moore <paul@paul-moore.com> | |
6 | */ | |
7 | ||
8 | /* | |
9 | * This library is free software; you can redistribute it and/or modify it | |
10 | * under the terms of version 2.1 of the GNU Lesser General Public License as | |
11 | * published by the Free Software Foundation. | |
12 | * | |
13 | * This library is distributed in the hope that it will be useful, but WITHOUT | |
14 | * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or | |
15 | * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License | |
16 | * for more details. | |
17 | * | |
18 | * You should have received a copy of the GNU Lesser General Public License | |
19 | * along with this library; if not, see <http://www.gnu.org/licenses>. | |
20 | */ | |
21 | ||
22 | #include <elf.h> | |
23 | #include <errno.h> | |
24 | #include <stdlib.h> | |
25 | #include <string.h> | |
26 | #include <asm/bitsperlong.h> | |
27 | #include <linux/audit.h> | |
28 | #include <stdbool.h> | |
29 | ||
30 | #include <seccomp.h> | |
31 | ||
32 | #include "arch.h" | |
33 | #include "arch-x86.h" | |
34 | #include "arch-x86_64.h" | |
35 | #include "arch-x32.h" | |
36 | #include "arch-arm.h" | |
37 | #include "arch-aarch64.h" | |
38 | #include "arch-mips.h" | |
39 | #include "arch-mips64.h" | |
40 | #include "arch-mips64n32.h" | |
41 | #include "arch-ppc.h" | |
42 | #include "arch-ppc64.h" | |
43 | #include "arch-s390.h" | |
44 | #include "arch-s390x.h" | |
45 | #include "db.h" | |
46 | #include "system.h" | |
47 | ||
48 | #define default_arg_count_max 6 | |
49 | ||
50 | #define default_arg_offset(x) (offsetof(struct seccomp_data, args[x])) | |
51 | ||
52 | #if __i386__ | |
53 | const struct arch_def *arch_def_native = &arch_def_x86; | |
54 | #elif __x86_64__ | |
55 | #ifdef __ILP32__ | |
56 | const struct arch_def *arch_def_native = &arch_def_x32; | |
57 | #else | |
58 | const struct arch_def *arch_def_native = &arch_def_x86_64; | |
59 | #endif /* __ILP32__ */ | |
60 | #elif __arm__ | |
61 | const struct arch_def *arch_def_native = &arch_def_arm; | |
62 | #elif __aarch64__ | |
63 | const struct arch_def *arch_def_native = &arch_def_aarch64; | |
64 | #elif __mips__ && _MIPS_SIM == _MIPS_SIM_ABI32 | |
65 | #if __MIPSEB__ | |
66 | const struct arch_def *arch_def_native = &arch_def_mips; | |
67 | #elif __MIPSEL__ | |
68 | const struct arch_def *arch_def_native = &arch_def_mipsel; | |
69 | #endif /* _MIPS_SIM_ABI32 */ | |
70 | #elif __mips__ && _MIPS_SIM == _MIPS_SIM_ABI64 | |
71 | #if __MIPSEB__ | |
72 | const struct arch_def *arch_def_native = &arch_def_mips64; | |
73 | #elif __MIPSEL__ | |
74 | const struct arch_def *arch_def_native = &arch_def_mipsel64; | |
75 | #endif /* _MIPS_SIM_ABI64 */ | |
76 | #elif __mips__ && _MIPS_SIM == _MIPS_SIM_NABI32 | |
77 | #if __MIPSEB__ | |
78 | const struct arch_def *arch_def_native = &arch_def_mips64n32; | |
79 | #elif __MIPSEL__ | |
80 | const struct arch_def *arch_def_native = &arch_def_mipsel64n32; | |
81 | #endif /* _MIPS_SIM_NABI32 */ | |
82 | #elif __PPC64__ | |
83 | #ifdef __BIG_ENDIAN__ | |
84 | const struct arch_def *arch_def_native = &arch_def_ppc64; | |
85 | #else | |
86 | const struct arch_def *arch_def_native = &arch_def_ppc64le; | |
87 | #endif | |
88 | #elif __PPC__ | |
89 | const struct arch_def *arch_def_native = &arch_def_ppc; | |
90 | #elif __s390x__ /* s390x must be checked before s390 */ | |
91 | const struct arch_def *arch_def_native = &arch_def_s390x; | |
92 | #elif __s390__ | |
93 | const struct arch_def *arch_def_native = &arch_def_s390; | |
94 | #else | |
95 | #error the arch code needs to know about your machine type | |
96 | #endif /* machine type guess */ | |
97 | ||
98 | /** | |
99 | * Validate the architecture token | |
100 | * @param arch the architecture token | |
101 | * | |
102 | * Verify the given architecture token; return zero if valid, -EINVAL if not. | |
103 | * | |
104 | */ | |
105 | int arch_valid(uint32_t arch) | |
106 | { | |
107 | return (arch_def_lookup(arch) ? 0 : -EINVAL); | |
108 | } | |
109 | ||
110 | /** | |
111 | * Lookup the architecture definition | |
112 | * @param token the architecure token | |
113 | * | |
114 | * Return the matching architecture definition, returns NULL on failure. | |
115 | * | |
116 | */ | |
117 | const struct arch_def *arch_def_lookup(uint32_t token) | |
118 | { | |
119 | switch (token) { | |
120 | case SCMP_ARCH_X86: | |
121 | return &arch_def_x86; | |
122 | case SCMP_ARCH_X86_64: | |
123 | return &arch_def_x86_64; | |
124 | case SCMP_ARCH_X32: | |
125 | return &arch_def_x32; | |
126 | case SCMP_ARCH_ARM: | |
127 | return &arch_def_arm; | |
128 | case SCMP_ARCH_AARCH64: | |
129 | return &arch_def_aarch64; | |
130 | case SCMP_ARCH_MIPS: | |
131 | return &arch_def_mips; | |
132 | case SCMP_ARCH_MIPSEL: | |
133 | return &arch_def_mipsel; | |
134 | case SCMP_ARCH_MIPS64: | |
135 | return &arch_def_mips64; | |
136 | case SCMP_ARCH_MIPSEL64: | |
137 | return &arch_def_mipsel64; | |
138 | case SCMP_ARCH_MIPS64N32: | |
139 | return &arch_def_mips64n32; | |
140 | case SCMP_ARCH_MIPSEL64N32: | |
141 | return &arch_def_mipsel64n32; | |
142 | case SCMP_ARCH_PPC: | |
143 | return &arch_def_ppc; | |
144 | case SCMP_ARCH_PPC64: | |
145 | return &arch_def_ppc64; | |
146 | case SCMP_ARCH_PPC64LE: | |
147 | return &arch_def_ppc64le; | |
148 | case SCMP_ARCH_S390: | |
149 | return &arch_def_s390; | |
150 | case SCMP_ARCH_S390X: | |
151 | return &arch_def_s390x; | |
152 | } | |
153 | ||
154 | return NULL; | |
155 | } | |
156 | ||
157 | /** | |
158 | * Lookup the architecture definition by name | |
159 | * @param arch_name the architecure name | |
160 | * | |
161 | * Return the matching architecture definition, returns NULL on failure. | |
162 | * | |
163 | */ | |
164 | const struct arch_def *arch_def_lookup_name(const char *arch_name) | |
165 | { | |
166 | if (strcmp(arch_name, "x86") == 0) | |
167 | return &arch_def_x86; | |
168 | else if (strcmp(arch_name, "x86_64") == 0) | |
169 | return &arch_def_x86_64; | |
170 | else if (strcmp(arch_name, "x32") == 0) | |
171 | return &arch_def_x32; | |
172 | else if (strcmp(arch_name, "arm") == 0) | |
173 | return &arch_def_arm; | |
174 | else if (strcmp(arch_name, "aarch64") == 0) | |
175 | return &arch_def_aarch64; | |
176 | else if (strcmp(arch_name, "mips") == 0) | |
177 | return &arch_def_mips; | |
178 | else if (strcmp(arch_name, "mipsel") == 0) | |
179 | return &arch_def_mipsel; | |
180 | else if (strcmp(arch_name, "mips64") == 0) | |
181 | return &arch_def_mips64; | |
182 | else if (strcmp(arch_name, "mipsel64") == 0) | |
183 | return &arch_def_mipsel64; | |
184 | else if (strcmp(arch_name, "mips64n32") == 0) | |
185 | return &arch_def_mips64n32; | |
186 | else if (strcmp(arch_name, "mipsel64n32") == 0) | |
187 | return &arch_def_mipsel64n32; | |
188 | else if (strcmp(arch_name, "ppc") == 0) | |
189 | return &arch_def_ppc; | |
190 | else if (strcmp(arch_name, "ppc64") == 0) | |
191 | return &arch_def_ppc64; | |
192 | else if (strcmp(arch_name, "ppc64le") == 0) | |
193 | return &arch_def_ppc64le; | |
194 | else if (strcmp(arch_name, "s390") == 0) | |
195 | return &arch_def_s390; | |
196 | else if (strcmp(arch_name, "s390x") == 0) | |
197 | return &arch_def_s390x; | |
198 | ||
199 | return NULL; | |
200 | } | |
201 | ||
202 | /** | |
203 | * Determine the maximum number of syscall arguments | |
204 | * @param arch the architecture definition | |
205 | * | |
206 | * Determine the maximum number of syscall arguments for the given architecture. | |
207 | * Returns the number of arguments on success, negative values on failure. | |
208 | * | |
209 | */ | |
210 | int arch_arg_count_max(const struct arch_def *arch) | |
211 | { | |
212 | return (arch_valid(arch->token) == 0 ? default_arg_count_max : -EDOM); | |
213 | } | |
214 | ||
215 | /** | |
216 | * Determine the argument offset for the lower 32 bits | |
217 | * @param arch the architecture definition | |
218 | * @param arg the argument number | |
219 | * | |
220 | * Determine the correct offset for the low 32 bits of the given argument based | |
221 | * on the architecture definition. Returns the offset on success, negative | |
222 | * values on failure. | |
223 | * | |
224 | */ | |
225 | int arch_arg_offset_lo(const struct arch_def *arch, unsigned int arg) | |
226 | { | |
227 | if (arch_valid(arch->token) < 0) | |
228 | return -EDOM; | |
229 | ||
230 | switch (arch->endian) { | |
231 | case ARCH_ENDIAN_LITTLE: | |
232 | return default_arg_offset(arg); | |
233 | break; | |
234 | case ARCH_ENDIAN_BIG: | |
235 | return default_arg_offset(arg) + 4; | |
236 | break; | |
237 | default: | |
238 | return -EDOM; | |
239 | } | |
240 | } | |
241 | ||
242 | /** | |
243 | * Determine the argument offset for the high 32 bits | |
244 | * @param arch the architecture definition | |
245 | * @param arg the argument number | |
246 | * | |
247 | * Determine the correct offset for the high 32 bits of the given argument | |
248 | * based on the architecture definition. Returns the offset on success, | |
249 | * negative values on failure. | |
250 | * | |
251 | */ | |
252 | int arch_arg_offset_hi(const struct arch_def *arch, unsigned int arg) | |
253 | { | |
254 | if (arch_valid(arch->token) < 0 || arch->size != ARCH_SIZE_64) | |
255 | return -EDOM; | |
256 | ||
257 | switch (arch->endian) { | |
258 | case ARCH_ENDIAN_LITTLE: | |
259 | return default_arg_offset(arg) + 4; | |
260 | break; | |
261 | case ARCH_ENDIAN_BIG: | |
262 | return default_arg_offset(arg); | |
263 | break; | |
264 | default: | |
265 | return -EDOM; | |
266 | } | |
267 | } | |
268 | ||
269 | /** | |
270 | * Determine the argument offset | |
271 | * @param arch the architecture definition | |
272 | * @param arg the argument number | |
273 | * | |
274 | * Determine the correct offset for the given argument based on the | |
275 | * architecture definition. Returns the offset on success, negative values on | |
276 | * failure. | |
277 | * | |
278 | */ | |
279 | int arch_arg_offset(const struct arch_def *arch, unsigned int arg) | |
280 | { | |
281 | return arch_arg_offset_lo(arch, arg); | |
282 | } | |
283 | ||
284 | /** | |
285 | * Resolve a syscall name to a number | |
286 | * @param arch the architecture definition | |
287 | * @param name the syscall name | |
288 | * | |
289 | * Resolve the given syscall name to the syscall number based on the given | |
290 | * architecture. Returns the syscall number on success, including negative | |
291 | * pseudo syscall numbers; returns __NR_SCMP_ERROR on failure. | |
292 | * | |
293 | */ | |
294 | int arch_syscall_resolve_name(const struct arch_def *arch, const char *name) | |
295 | { | |
296 | if (arch->syscall_resolve_name) | |
297 | return (*arch->syscall_resolve_name)(name); | |
298 | ||
299 | return __NR_SCMP_ERROR; | |
300 | } | |
301 | ||
302 | /** | |
303 | * Resolve a syscall number to a name | |
304 | * @param arch the architecture definition | |
305 | * @param num the syscall number | |
306 | * | |
307 | * Resolve the given syscall number to the syscall name based on the given | |
308 | * architecture. Returns a pointer to the syscall name string on success, | |
309 | * including pseudo syscall names; returns NULL on failure. | |
310 | * | |
311 | */ | |
312 | const char *arch_syscall_resolve_num(const struct arch_def *arch, int num) | |
313 | { | |
314 | if (arch->syscall_resolve_num) | |
315 | return (*arch->syscall_resolve_num)(num); | |
316 | ||
317 | return NULL; | |
318 | } | |
319 | ||
320 | /** | |
321 | * Translate the syscall number | |
322 | * @param arch the architecture definition | |
323 | * @param syscall the syscall number | |
324 | * | |
325 | * Translate the syscall number, in the context of the native architecure, to | |
326 | * the provided architecure. Returns zero on success, negative values on | |
327 | * failure. | |
328 | * | |
329 | */ | |
330 | int arch_syscall_translate(const struct arch_def *arch, int *syscall) | |
331 | { | |
332 | int sc_num; | |
333 | const char *sc_name; | |
334 | ||
335 | if (arch->token != arch_def_native->token) { | |
336 | sc_name = arch_syscall_resolve_num(arch_def_native, *syscall); | |
337 | if (sc_name == NULL) | |
338 | return -EFAULT; | |
339 | ||
340 | sc_num = arch_syscall_resolve_name(arch, sc_name); | |
341 | if (sc_num == __NR_SCMP_ERROR) | |
342 | return -EFAULT; | |
343 | ||
344 | *syscall = sc_num; | |
345 | } | |
346 | ||
347 | return 0; | |
348 | } | |
349 | ||
350 | /** | |
351 | * Rewrite a syscall value to match the architecture | |
352 | * @param arch the architecture definition | |
353 | * @param syscall the syscall number | |
354 | * | |
355 | * Syscalls can vary across different architectures so this function rewrites | |
356 | * the syscall into the correct value for the specified architecture. Returns | |
357 | * zero on success, -EDOM if the syscall is not defined for @arch, and negative | |
358 | * values on failure. | |
359 | * | |
360 | */ | |
361 | int arch_syscall_rewrite(const struct arch_def *arch, int *syscall) | |
362 | { | |
363 | int sys = *syscall; | |
364 | ||
365 | if (sys >= 0) { | |
366 | /* we shouldn't be here - no rewrite needed */ | |
367 | return 0; | |
368 | } else if (sys < 0 && sys > -100) { | |
369 | /* reserved values */ | |
370 | return -EINVAL; | |
371 | } else if (sys <= -100 && sys > -10000) { | |
372 | /* rewritable syscalls */ | |
373 | if (arch->syscall_rewrite) | |
374 | (*arch->syscall_rewrite)(syscall); | |
375 | } | |
376 | ||
377 | /* syscalls not defined on this architecture */ | |
378 | if ((*syscall) < 0) | |
379 | return -EDOM; | |
380 | return 0; | |
381 | } | |
382 | ||
383 | /** | |
384 | * Add a new rule to the specified filter | |
385 | * @param col the filter collection | |
386 | * @param db the seccomp filter db | |
387 | * @param strict the strict flag | |
388 | * @param action the filter action | |
389 | * @param syscall the syscall number | |
390 | * @param chain_len the number of argument filters in the argument filter chain | |
391 | * @param chain the argument filter chain | |
392 | * | |
393 | * This function adds a new argument/comparison/value to the seccomp filter for | |
394 | * a syscall; multiple arguments can be specified and they will be chained | |
395 | * together (essentially AND'd together) in the filter. When the strict flag | |
396 | * is true the function will fail if the exact rule can not be added to the | |
397 | * filter, if the strict flag is false the function will not fail if the | |
398 | * function needs to adjust the rule due to architecture specifics. Returns | |
399 | * zero on success, negative values on failure. | |
400 | * | |
401 | */ | |
402 | int arch_filter_rule_add(struct db_filter_col *col, struct db_filter *db, | |
403 | bool strict, uint32_t action, int syscall, | |
404 | unsigned int chain_len, struct db_api_arg *chain) | |
405 | { | |
406 | int rc; | |
407 | size_t chain_size = sizeof(*chain) * chain_len; | |
408 | struct db_api_rule_list *rule, *rule_tail; | |
409 | ||
410 | /* ensure we aren't using any reserved syscall values */ | |
411 | if (syscall < 0 && syscall > -100) | |
412 | return -EINVAL; | |
413 | ||
414 | /* translate the syscall */ | |
415 | rc = arch_syscall_translate(db->arch, &syscall); | |
416 | if (rc < 0) | |
417 | return rc; | |
418 | ||
419 | /* copy of the chain for each filter in the collection */ | |
420 | rule = malloc(sizeof(*rule)); | |
421 | if (rule == NULL) | |
422 | return -ENOMEM; | |
423 | rule->args = malloc(chain_size); | |
424 | if (rule->args == NULL) { | |
425 | free(rule); | |
426 | return -ENOMEM; | |
427 | } | |
428 | rule->action = action; | |
429 | rule->syscall = syscall; | |
430 | rule->args_cnt = chain_len; | |
431 | memcpy(rule->args, chain, chain_size); | |
432 | rule->prev = NULL; | |
433 | rule->next = NULL; | |
434 | ||
435 | /* add the new rule to the existing filter */ | |
436 | if (db->arch->rule_add == NULL) { | |
437 | /* negative syscalls require a db->arch->rule_add() function */ | |
438 | if (syscall < 0 && strict) { | |
439 | rc = -EDOM; | |
440 | goto rule_add_failure; | |
441 | } | |
442 | rc = db_rule_add(db, rule); | |
443 | } else | |
444 | rc = (db->arch->rule_add)(col, db, strict, rule); | |
445 | if (rc == 0) { | |
446 | /* insert the chain to the end of the filter's rule list */ | |
447 | rule_tail = rule; | |
448 | while (rule_tail->next) | |
449 | rule_tail = rule_tail->next; | |
450 | if (db->rules != NULL) { | |
451 | rule->prev = db->rules->prev; | |
452 | rule_tail->next = db->rules; | |
453 | db->rules->prev->next = rule; | |
454 | db->rules->prev = rule_tail; | |
455 | } else { | |
456 | rule->prev = rule_tail; | |
457 | rule_tail->next = rule; | |
458 | db->rules = rule; | |
459 | } | |
460 | } else | |
461 | goto rule_add_failure; | |
462 | ||
463 | return 0; | |
464 | ||
465 | rule_add_failure: | |
466 | do { | |
467 | rule_tail = rule; | |
468 | rule = rule->next; | |
469 | free(rule_tail->args); | |
470 | free(rule_tail); | |
471 | } while (rule); | |
472 | return rc; | |
473 | } |