Commit | Line | Data |
---|---|---|
8ac270d1 WD |
1 | /* |
2 | * Seccomp filter example for x86 (32-bit and 64-bit) with BPF macros | |
3 | * | |
4 | * Copyright (c) 2012 The Chromium OS Authors <chromium-os-dev@chromium.org> | |
5 | * Author: Will Drewry <wad@chromium.org> | |
6 | * | |
7 | * The code may be used by anyone for any purpose, | |
8 | * and can serve as a starting point for developing | |
9 | * applications using prctl(PR_SET_SECCOMP, 2, ...). | |
10 | */ | |
11 | #define __USE_GNU 1 | |
12 | #define _GNU_SOURCE 1 | |
13 | ||
14 | #include <linux/types.h> | |
15 | #include <linux/filter.h> | |
16 | #include <linux/seccomp.h> | |
17 | #include <linux/unistd.h> | |
18 | #include <signal.h> | |
19 | #include <stdio.h> | |
20 | #include <stddef.h> | |
21 | #include <string.h> | |
22 | #include <sys/prctl.h> | |
23 | #include <unistd.h> | |
24 | ||
25 | #define syscall_arg(_n) (offsetof(struct seccomp_data, args[_n])) | |
26 | #define syscall_nr (offsetof(struct seccomp_data, nr)) | |
27 | ||
28 | #if defined(__i386__) | |
29 | #define REG_RESULT REG_EAX | |
30 | #define REG_SYSCALL REG_EAX | |
31 | #define REG_ARG0 REG_EBX | |
32 | #define REG_ARG1 REG_ECX | |
33 | #define REG_ARG2 REG_EDX | |
34 | #define REG_ARG3 REG_ESI | |
35 | #define REG_ARG4 REG_EDI | |
36 | #define REG_ARG5 REG_EBP | |
37 | #elif defined(__x86_64__) | |
38 | #define REG_RESULT REG_RAX | |
39 | #define REG_SYSCALL REG_RAX | |
40 | #define REG_ARG0 REG_RDI | |
41 | #define REG_ARG1 REG_RSI | |
42 | #define REG_ARG2 REG_RDX | |
43 | #define REG_ARG3 REG_R10 | |
44 | #define REG_ARG4 REG_R8 | |
45 | #define REG_ARG5 REG_R9 | |
46 | #else | |
47 | #error Unsupported platform | |
48 | #endif | |
49 | ||
50 | #ifndef PR_SET_NO_NEW_PRIVS | |
51 | #define PR_SET_NO_NEW_PRIVS 38 | |
52 | #endif | |
53 | ||
54 | #ifndef SYS_SECCOMP | |
55 | #define SYS_SECCOMP 1 | |
56 | #endif | |
57 | ||
58 | static void emulator(int nr, siginfo_t *info, void *void_context) | |
59 | { | |
60 | ucontext_t *ctx = (ucontext_t *)(void_context); | |
61 | int syscall; | |
62 | char *buf; | |
63 | ssize_t bytes; | |
64 | size_t len; | |
65 | if (info->si_code != SYS_SECCOMP) | |
66 | return; | |
67 | if (!ctx) | |
68 | return; | |
69 | syscall = ctx->uc_mcontext.gregs[REG_SYSCALL]; | |
70 | buf = (char *) ctx->uc_mcontext.gregs[REG_ARG1]; | |
71 | len = (size_t) ctx->uc_mcontext.gregs[REG_ARG2]; | |
72 | ||
73 | if (syscall != __NR_write) | |
74 | return; | |
75 | if (ctx->uc_mcontext.gregs[REG_ARG0] != STDERR_FILENO) | |
76 | return; | |
77 | /* Redirect stderr messages to stdout. Doesn't handle EINTR, etc */ | |
78 | ctx->uc_mcontext.gregs[REG_RESULT] = -1; | |
79 | if (write(STDOUT_FILENO, "[ERR] ", 6) > 0) { | |
80 | bytes = write(STDOUT_FILENO, buf, len); | |
81 | ctx->uc_mcontext.gregs[REG_RESULT] = bytes; | |
82 | } | |
83 | return; | |
84 | } | |
85 | ||
86 | static int install_emulator(void) | |
87 | { | |
88 | struct sigaction act; | |
89 | sigset_t mask; | |
90 | memset(&act, 0, sizeof(act)); | |
91 | sigemptyset(&mask); | |
92 | sigaddset(&mask, SIGSYS); | |
93 | ||
94 | act.sa_sigaction = &emulator; | |
95 | act.sa_flags = SA_SIGINFO; | |
96 | if (sigaction(SIGSYS, &act, NULL) < 0) { | |
97 | perror("sigaction"); | |
98 | return -1; | |
99 | } | |
100 | if (sigprocmask(SIG_UNBLOCK, &mask, NULL)) { | |
101 | perror("sigprocmask"); | |
102 | return -1; | |
103 | } | |
104 | return 0; | |
105 | } | |
106 | ||
107 | static int install_filter(void) | |
108 | { | |
109 | struct sock_filter filter[] = { | |
110 | /* Grab the system call number */ | |
111 | BPF_STMT(BPF_LD+BPF_W+BPF_ABS, syscall_nr), | |
112 | /* Jump table for the allowed syscalls */ | |
113 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_rt_sigreturn, 0, 1), | |
114 | BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW), | |
115 | #ifdef __NR_sigreturn | |
116 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_sigreturn, 0, 1), | |
117 | BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW), | |
118 | #endif | |
119 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_exit_group, 0, 1), | |
120 | BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW), | |
121 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_exit, 0, 1), | |
122 | BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW), | |
123 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_read, 1, 0), | |
124 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_write, 3, 2), | |
125 | ||
126 | /* Check that read is only using stdin. */ | |
127 | BPF_STMT(BPF_LD+BPF_W+BPF_ABS, syscall_arg(0)), | |
128 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, STDIN_FILENO, 4, 0), | |
129 | BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL), | |
130 | ||
131 | /* Check that write is only using stdout */ | |
132 | BPF_STMT(BPF_LD+BPF_W+BPF_ABS, syscall_arg(0)), | |
133 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, STDOUT_FILENO, 1, 0), | |
134 | /* Trap attempts to write to stderr */ | |
135 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, STDERR_FILENO, 1, 2), | |
136 | ||
137 | BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW), | |
138 | BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_TRAP), | |
139 | BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL), | |
140 | }; | |
141 | struct sock_fprog prog = { | |
142 | .len = (unsigned short)(sizeof(filter)/sizeof(filter[0])), | |
143 | .filter = filter, | |
144 | }; | |
145 | ||
146 | if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { | |
147 | perror("prctl(NO_NEW_PRIVS)"); | |
148 | return 1; | |
149 | } | |
150 | ||
151 | ||
152 | if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) { | |
153 | perror("prctl"); | |
154 | return 1; | |
155 | } | |
156 | return 0; | |
157 | } | |
158 | ||
159 | #define payload(_c) (_c), sizeof((_c)) | |
160 | int main(int argc, char **argv) | |
161 | { | |
162 | char buf[4096]; | |
163 | ssize_t bytes = 0; | |
164 | if (install_emulator()) | |
165 | return 1; | |
166 | if (install_filter()) | |
167 | return 1; | |
168 | syscall(__NR_write, STDOUT_FILENO, | |
169 | payload("OHAI! WHAT IS YOUR NAME? ")); | |
170 | bytes = syscall(__NR_read, STDIN_FILENO, buf, sizeof(buf)); | |
171 | syscall(__NR_write, STDOUT_FILENO, payload("HELLO, ")); | |
172 | syscall(__NR_write, STDOUT_FILENO, buf, bytes); | |
173 | syscall(__NR_write, STDERR_FILENO, | |
174 | payload("Error message going to STDERR\n")); | |
175 | return 0; | |
176 | } |