| blob | 0aeb6e8d88a8968e4ae48b12a35c057e09d0e125 |
1 /* Generate a Secure Computing filter definition file.
3 Copyright (C) 2020-2024 Free Software Foundation, Inc.
5 This file is part of GNU Emacs.
7 GNU Emacs is free software: you can redistribute it and/or modify it
8 under the terms of the GNU General Public License as published by the
9 Free Software Foundation, either version 3 of the License, or (at your
10 option) any later version.
12 GNU Emacs is distributed in the hope that it will be useful, but
13 WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with GNU Emacs. If not, see
19 <https://www.gnu.org/licenses/>. */
21 /* This program creates a small Secure Computing filter usable for a
22 typical minimal Emacs sandbox. See the man page for `seccomp' for
23 details about Secure Computing filters. This program requires the
24 `libseccomp' library. However, the resulting filter file requires
25 only a Linux kernel supporting the Secure Computing extension.
27 Usage:
29 seccomp-filter out.bpf out.pfc out-exec.bpf out-exec.pfc
31 This writes the raw `struct sock_filter' array to out.bpf and a
32 human-readable representation to out.pfc. Additionally, it writes
33 variants of those files that can be used to sandbox Emacs before
34 'execve' to out-exec.bpf and out-exec.pfc. */
38 #include <assert.h>
39 #include <errno.h>
40 #include <limits.h>
41 #include <stdarg.h>
42 #include <stdlib.h>
43 #include <stdint.h>
44 #include <stdio.h>
45 #include <time.h>
47 #include <asm/prctl.h>
48 #include <sys/ioctl.h>
49 #include <sys/mman.h>
50 #include <sys/prctl.h>
51 #include <sys/types.h>
52 #include <sys/stat.h>
53 #include <linux/futex.h>
54 #include <linux/filter.h>
55 #include <linux/seccomp.h>
56 #include <fcntl.h>
57 #include <sched.h>
58 #include <seccomp.h>
59 #include <unistd.h>
61 #include <attribute.h>
63 #ifndef ARCH_CET_STATUS
64 #define ARCH_CET_STATUS 0x3001
65 #endif
69 {
76 else
77 {
81 }
84 }
86 /* This binary is trivial, so we use a single global filter context
87 object that we release using `atexit'. */
91 static void
93 {
95 }
97 /* Wrapper functions and macros for libseccomp functions. We exit
98 immediately upon any error to avoid error checking noise. */
100 static void
102 {
106 }
108 /* Like `seccomp_rule_add (ACTION, SYSCALL, ...)', except that you
109 don't have to specify the number of comparator arguments, and any
110 failure will exit the process. */
112 #define RULE(action, syscall, ...) \
113 do \
114 { \
115 const struct scmp_arg_cmp arg_array[] = {__VA_ARGS__}; \
116 enum { arg_cnt = sizeof arg_array / sizeof *arg_array }; \
117 int status = seccomp_rule_add_array (ctx, action, syscall, \
118 arg_cnt, arg_array); \
119 if (status < 0) \
121 #action, #syscall, arg_cnt, #__VA_ARGS__); \
122 } \
123 while (false)
125 static void
129 {
131 do
143 }
145 #define EXPORT_FILTER(file, function) \
146 export_filter (file, function, #function)
148 int
150 {
155 /* Any unhandled syscall should abort the Emacs process. */
161 /* We want to abort immediately if the architecture is unknown. */
174 /* Allow a clean exit. */
178 /* Allow `mmap' and friends. This is necessary for dynamic loading,
179 reading the portable dump file, and thread creation. We don't
180 allow pages to be both writable and executable. */
186 /* Only support known flags. MAP_DENYWRITE is ignored, but
187 some versions of the dynamic loader still use it. Also
188 allow allocating thread stacks. */
197 /* Only support known flags. MAP_DENYWRITE is ignored, but
198 some versions of the dynamic loader still use it. */
205 /* Don't allow making pages executable. */
209 /* Allow restartable sequences. The dynamic linker uses them. */
212 /* Futexes are used everywhere. */
216 /* Allow basic dynamic memory management. */
219 /* Allow some status inquiries. */
227 /* Allow operations on open file descriptors. File descriptors are
228 capabilities, and operating on them shouldn't cause security
229 issues. */
239 /* Allow read operations on the filesystem. If necessary, these
240 should be further restricted using mount namespaces. */
243 #ifdef __NR_faccessat2
245 #endif
256 /* Allow opening files, assuming they are only opened for
257 reading. */
272 /* Allow `tcgetpgrp'. */
277 /* Allow reading (but not setting) file flags. */
283 /* Allow reading random numbers from the kernel. */
286 /* Changing the umask is uncritical. */
289 /* Allow creation of pipes. */
293 /* Allow reading (but not changing) resource limits. */
299 /* Block changing resource limits, but don't crash. */
304 /* Emacs installs signal handlers, which is harmless. */
310 /* Allow reading the current time. */
316 /* Allow timer support. */
320 /* Allow thread creation. See the NOTES section in the manual page
321 for the `clone' function. */
324 /* Flags needed to create threads. See
325 create_thread in libc. */
331 /* glibc 2.34+ pthread_create uses clone3. */
336 /* Allow setting the process name for new threads. */
340 /* Allow some event handling functions used by glib. */
348 /* Don't allow creating sockets (network access would be extremely
349 dangerous), but also don't crash. */
355 /* When applying a Seccomp filter before executing the Emacs binary
356 (e.g. using the `bwrap' program), we need to allow further system
357 calls. Firstly, the wrapper binary will need to `execve' the
358 Emacs binary. Furthermore, the C library requires some system
359 calls at startup time to set up thread-local storage. */
370 /* We want to allow starting the Emacs binary itself with the
371 --seccomp flag, so we need to allow the `prctl' and `seccomp'
372 system calls. */
383 }