/* -*- Mode: C; tab-width: 8; c-basic-offset: 8; indent-tabs-mode: t; -*- */
/*
* seccomp example for x86 (32-bit and 64-bit) with BPF macros
*
* Copyright (c) 2012 The Chromium OS Authors <[email protected]>
* Authors:
* Will Drewry <[email protected]>
* Kees Cook <[email protected]>
*
* The code may be used by anyone for any purpose, and can serve as a
* starting point for developing applications using mode 2 seccomp.
*/
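#ifndef _SECCOMP_BPF_H_
#define _SECCOMP_BPF_H_
/*
 * Helper macros for building seccomp mode-2 (SECCOMP_MODE_FILTER) BPF
 * programs on x86.  Each macro expands to one or more struct sock_filter
 * initialisers; list them in order inside a struct sock_filter array.
 * The program should start with VALIDATE_ARCHITECTURE and EXAMINE_SYSCALL,
 * followed by ALLOW_/KILL_/TRACE_SYSCALL rules, and end with a
 * *_PROCESS default action.  An unprivileged task has to set
 * PR_SET_NO_NEW_PRIVS before a filter can be installed.
 */
/* Must precede the first libc include to take effect. */
#define _GNU_SOURCE 1
#include <stdio.h>
#include <stddef.h>
#include <stdlib.h>
#include <errno.h>
#include <signal.h>
#include <string.h>
#include <unistd.h>
#include <asm/unistd.h>
#include <sys/user.h>
#include <sys/prctl.h>
#ifndef PR_SET_NO_NEW_PRIVS
# define PR_SET_NO_NEW_PRIVS 38
#endif
#include <linux/unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#ifdef HAVE_LINUX_SECCOMP_H
# include <linux/seccomp.h>
#endif
/*
 * Fallbacks for kernel headers that predate <linux/seccomp.h>.  The values
 * and the struct layout mirror the kernel UAPI definitions; the struct is
 * the data the filter reads via BPF_LD+BPF_ABS at the offsets below.
 */
#ifndef SECCOMP_MODE_FILTER
# define SECCOMP_MODE_FILTER 2 /* uses user-supplied filter. */
# define SECCOMP_RET_KILL 0x00000000U /* kill the task immediately */
# define SECCOMP_RET_TRAP 0x00030000U /* disallow and force a SIGSYS */
# define SECCOMP_RET_ALLOW 0x7fff0000U /* allow */
# define SECCOMP_RET_TRACE 0x7ff00000U /* trace */
struct seccomp_data {
	int nr;			/* syscall number, in the arch's own table */
	__u32 arch;		/* AUDIT_ARCH_* the syscall was made on */
	__u64 instruction_pointer;	/* 64-bit; BPF_W reads only its low word */
	__u64 args[6];		/* 64-bit; BPF_W reads only the low word */
};
#endif
/* si_code of the SIGSYS delivered for SECCOMP_RET_TRAP. */
#ifndef SYS_SECCOMP
# define SYS_SECCOMP 1
#endif
/*
 * Offsets into struct seccomp_data, for use as the k operand of
 * BPF_LD+BPF_W+BPF_ABS.  NOTE: these are lowercase macro names, so an
 * including file cannot use `syscall_nr`, `arch_nr`, `inst_ptr` or
 * `args(` as ordinary identifiers.
 */
#define syscall_nr (offsetof(struct seccomp_data, nr))
#define arch_nr (offsetof(struct seccomp_data, arch))
#define inst_ptr (offsetof(struct seccomp_data, instruction_pointer))
#define args(i) (offsetof(struct seccomp_data, args[i]))
/*
 * Per-arch register holding the syscall number (for SIGSYS handlers) and
 * the audit arch value the filter must see.  On other platforms ARCH_NR
 * is 0, which no real syscall reports, so VALIDATE_ARCHITECTURE fails
 * closed there.
 */
#if defined(__i386__)
# define REG_SYSCALL REG_EAX
# define ARCH_NR AUDIT_ARCH_I386
#elif defined(__x86_64__)
# define REG_SYSCALL REG_RAX
# define ARCH_NR AUDIT_ARCH_X86_64
#else
# warning "Platform does not support seccomp filter yet"
# define REG_SYSCALL 0
# define ARCH_NR 0
#endif
/*
 * Kill the task unless the syscall was made on the arch this header was
 * compiled for.  Syscall numbers differ between i386 and x86_64, so a
 * filter that compares __NR_* values without this check matches the wrong
 * calls when a syscall arrives through the other arch's entry point.
 * Put this first in the program.
 *
 * logic is:
 *	if arch == ARCH_NR goto continue;
 *	kill;
 *	continue;
 */
#define VALIDATE_ARCHITECTURE \
	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, arch_nr), \
	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_NR, 1, 0), \
	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)
/* Load the syscall number into the accumulator for the *_SYSCALL rules. */
#define EXAMINE_SYSCALL \
	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, syscall_nr)
/**
 * Allow the syscall when the instruction pointer equals callsite, otherwise
 * fall through to the next rule.  (Rules after this one reload the
 * accumulator themselves only if they need to; EXAMINE_SYSCALL must be
 * repeated before any further *_SYSCALL rule, since this macro overwrites
 * the accumulator with inst_ptr.)
 *
 * logic is:
 *	if ip == callsite goto allow;
 *	continue;
 *	allow;
 *	continue;
 *
 * BPF_W loads 32 bits while instruction_pointer is 64-bit, so only the low
 * word is compared.  The value is whatever the calling task's registers
 * held at the syscall, so treat it as a way to locate call sites rather
 * than as a trust boundary on its own.
 */
#define ALLOW_SYSCALLS_FROM_CALLSITE(callsite) \
	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, inst_ptr), \
	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, callsite, 0, 1), \
	ALLOW_PROCESS
/* If the accumulator holds __NR_<name>, return ALLOW; else fall through. */
#define ALLOW_SYSCALL(name) \
	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_##name, 0, 1), \
	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
/* If the accumulator holds __NR_<name>, return KILL; else fall through. */
#define KILL_SYSCALL(name) \
	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_##name, 0, 1), \
	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)
/**
 * Handle the multiplexed socketcall(2) entry point: inspect the operation
 * in args[0]; the blocking operations SYS_RECV and SYS_ACCEPT are traced,
 * every other operation is allowed.  Any other syscall falls through.
 *
 * SYS_RECV/SYS_ACCEPT are not provided by the headers included above (they
 * live in <linux/net.h>), and __NR_socketcall is only present in the
 * 32-bit table, so this macro is usable in i386 filters only.  Like the
 * rule above, it overwrites the accumulator (with args[0]).
 *
 * logic is:
 *	if !socketcall goto continue;
 *	grab the operation from arg0
 *	if (op is blocking) goto trace;
 *	allow;
 *	trace;
 *	continue filtering;
 */
#define ALLOW_SOCKETCALL \
	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_socketcall, 0, 5), \
	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, args(0)), \
	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_RECV, 2, 0), \
	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_ACCEPT, 1, 0), \
	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW), \
	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_TRACE)
/* If the accumulator holds __NR_<name>, return TRACE; else fall through. */
#define TRACE_SYSCALL(name) \
	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_##name, 0, 1), \
	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_TRACE)
/* Unconditional default actions; one of these should end every program. */
#define KILL_PROCESS \
	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)
#define ALLOW_PROCESS \
	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
#define TRACE_PROCESS \
	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_TRACE)
#endif /* _SECCOMP_BPF_H_ */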