--- /dev/null
+/**
+ * Seccomp System Interfaces
+ *
+ * Copyright (c) 2014 Red Hat <pmoore@redhat.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <stdlib.h>
+#include <errno.h>
+#include <sys/prctl.h>
+
+#define _GNU_SOURCE
+#include <unistd.h>
+
+#include <seccomp.h>
+
+#include "arch.h"
+#include "db.h"
+#include "gen_bpf.h"
+#include "system.h"
+
+/* NOTE: the seccomp syscall whitelist is currently disabled for testing
+ * purposes, but unless we can verify all of the supported ABIs before
+ * our next release we may have to enable the whitelist */
+#define SYSCALL_WHITELIST_ENABLE 0
+
+static int _nr_seccomp = -1;
+static int _support_seccomp_syscall = -1;
+
+/**
+ * Check to see if the seccomp() syscall is supported
+ *
+ * This function attempts to see if the system supports the seccomp() syscall.
+ * Unfortunately, there are a few reasons why this check may fail, including
+ * a previously loaded seccomp filter, so it is hard to say for certain.
+ * Return one if the syscall is supported, zero otherwise.
+ *
+ */
+int sys_chk_seccomp_syscall(void)
+{
+ int rc;
+ int nr_seccomp;
+
+ /* NOTE: it is reasonably safe to assume that we should be able to call
+ * seccomp() when the caller first starts, but we can't rely on
+ * it later so we need to cache our findings for use later */
+ if (_support_seccomp_syscall >= 0)
+ return _support_seccomp_syscall;
+
+#if SYSCALL_WHITELIST_ENABLE
+ /* architecture whitelist */
+ switch (arch_def_native->token) {
+ case SCMP_ARCH_X86_64:
+ case SCMP_ARCH_ARM:
+ case SCMP_ARCH_AARCH64:
+ case SCMP_ARCH_PPC64:
+ case SCMP_ARCH_PPC64LE:
+ case SCMP_ARCH_S390:
+ case SCMP_ARCH_S390X:
+ break;
+ default:
+ goto unsupported;
+ }
+#endif
+
+ nr_seccomp = arch_syscall_resolve_name(arch_def_native, "seccomp");
+ if (nr_seccomp < 0)
+ goto unsupported;
+
+ /* this is an invalid call because the second argument is non-zero, but
+ * depending on the errno value of ENOSYS or EINVAL we can guess if the
+ * seccomp() syscal is supported or not */
+ rc = syscall(nr_seccomp, SECCOMP_SET_MODE_STRICT, 1, NULL);
+ if (rc < 0 && errno == EINVAL)
+ goto supported;
+
+unsupported:
+ _support_seccomp_syscall = 0;
+ return 0;
+supported:
+ _nr_seccomp = nr_seccomp;
+ _support_seccomp_syscall = 1;
+ return 1;
+}
+
+/**
+ * Check to see if a seccomp() flag is supported
+ * @param flag the seccomp() flag
+ *
+ * This function checks to see if a seccomp() flag is supported by the system.
+ * If the flag is supported one is returned, zero if unsupported, negative
+ * values on error.
+ *
+ */
+int sys_chk_seccomp_flag(int flag)
+{
+ switch (flag) {
+ case SECCOMP_FILTER_FLAG_TSYNC:
+ return sys_chk_seccomp_syscall();
+ }
+
+ return -EOPNOTSUPP;
+}
+
+/**
+ * Loads the filter into the kernel
+ * @param col the filter collection
+ *
+ * This function loads the given seccomp filter context into the kernel. If
+ * the filter was loaded correctly, the kernel will be enforcing the filter
+ * when this function returns. Returns zero on success, negative values on
+ * error.
+ *
+ */
+int sys_filter_load(const struct db_filter_col *col)
+{
+ int rc;
+ struct bpf_program *prgm = NULL;
+
+ prgm = gen_bpf_generate(col);
+ if (prgm == NULL)
+ return -ENOMEM;
+
+ /* attempt to set NO_NEW_PRIVS */
+ if (col->attr.nnp_enable) {
+ rc = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
+ if (rc < 0)
+ goto filter_load_out;
+ }
+
+ /* load the filter into the kernel */
+ if (sys_chk_seccomp_syscall() == 1) {
+ int flgs = 0;
+ if (col->attr.tsync_enable)
+ flgs = SECCOMP_FILTER_FLAG_TSYNC;
+ rc = syscall(_nr_seccomp, SECCOMP_SET_MODE_FILTER, flgs, prgm);
+ if (rc > 0 && col->attr.tsync_enable)
+ /* always return -ESRCH if we fail to sync threads */
+ errno = ESRCH;
+ } else
+ rc = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, prgm);
+
+filter_load_out:
+ /* cleanup and return */
+ gen_bpf_release(prgm);
+ if (rc < 0)
+ return -errno;
+ return 0;
+}
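Review bot: In sys_filter_load the TSYNC failure path still reports success: seccomp(SECCOMP_SET_MODE_FILTER) with SECCOMP_FILTER_FLAG_TSYNC reports a thread that could not be synchronized as a positive return value without installing the filter, the new code only sets `errno = ESRCH` on that path, and the final `if (rc < 0) return -errno; return 0;` then maps the positive rc to 0. A caller would go on believing the filter is being enforced, so the branch should also turn rc into a failure, e.g. `if (rc > 0 && col->attr.tsync_enable) { errno = ESRCH; rc = -1; }`, which also makes the "always return -ESRCH" comment true. Separately, `#define _GNU_SOURCE` appears after `#include <stdlib.h>` has already pulled in the libc feature headers, so it no longer influences which declarations the system headers expose and may clash with a build-system definition; it belongs before the first system include or on the compiler command line.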