qemu-seccomp.c

   1 /*
   2  * QEMU seccomp mode 2 support with libseccomp
   3  *
   4  * Copyright IBM, Corp. 2012
   5  *
   6  * Authors:
   7  *  Eduardo Otubo    <eotubo@br.ibm.com>
   8  *
   9  * This work is licensed under the terms of the GNU GPL, version 2.  See
  10  * the COPYING file in the top-level directory.
  11  *
  12  * Contributions after 2012-01-13 are licensed under the terms of the
  13  * GNU GPL, version 2 or (at your option) any later version.
  14  */
  15 #include "qemu/osdep.h"
  16 #include <seccomp.h>
  17 #include "sysemu/seccomp.h"
  18
  19 /* For some architectures (notably ARM) cacheflush is not supported until
  20  * libseccomp 2.2.3, but configure enforces that we are using a more recent
  21  * version on those hosts, so it is OK for this check to be less strict.
  22  */
  23 #if SCMP_VER_MAJOR >= 3
  24   #define HAVE_CACHEFLUSH
  25 #elif SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR >= 2
  26   #define HAVE_CACHEFLUSH
  27 #endif
  28
  29 struct QemuSeccompSyscall {
  30     int32_t num;
  31     uint8_t set;
  32 };
  33
  34 static const struct QemuSeccompSyscall blacklist[] = {
  35     /* default set of syscalls to blacklist */
  36     { SCMP_SYS(reboot),                 QEMU_SECCOMP_SET_DEFAULT },
  37     { SCMP_SYS(swapon),                 QEMU_SECCOMP_SET_DEFAULT },
  38     { SCMP_SYS(swapoff),                QEMU_SECCOMP_SET_DEFAULT },
  39     { SCMP_SYS(syslog),                 QEMU_SECCOMP_SET_DEFAULT },
  40     { SCMP_SYS(mount),                  QEMU_SECCOMP_SET_DEFAULT },
  41     { SCMP_SYS(umount),                 QEMU_SECCOMP_SET_DEFAULT },
  42     { SCMP_SYS(kexec_load),             QEMU_SECCOMP_SET_DEFAULT },
  43     { SCMP_SYS(afs_syscall),            QEMU_SECCOMP_SET_DEFAULT },
  44     { SCMP_SYS(break),                  QEMU_SECCOMP_SET_DEFAULT },
  45     { SCMP_SYS(ftime),                  QEMU_SECCOMP_SET_DEFAULT },
  46     { SCMP_SYS(getpmsg),                QEMU_SECCOMP_SET_DEFAULT },
  47     { SCMP_SYS(gtty),                   QEMU_SECCOMP_SET_DEFAULT },
  48     { SCMP_SYS(lock),                   QEMU_SECCOMP_SET_DEFAULT },
  49     { SCMP_SYS(mpx),                    QEMU_SECCOMP_SET_DEFAULT },
  50     { SCMP_SYS(prof),                   QEMU_SECCOMP_SET_DEFAULT },
  51     { SCMP_SYS(profil),                 QEMU_SECCOMP_SET_DEFAULT },
  52     { SCMP_SYS(putpmsg),                QEMU_SECCOMP_SET_DEFAULT },
  53     { SCMP_SYS(security),               QEMU_SECCOMP_SET_DEFAULT },
  54     { SCMP_SYS(stty),                   QEMU_SECCOMP_SET_DEFAULT },
  55     { SCMP_SYS(tuxcall),                QEMU_SECCOMP_SET_DEFAULT },
  56     { SCMP_SYS(ulimit),                 QEMU_SECCOMP_SET_DEFAULT },
  57     { SCMP_SYS(vserver),                QEMU_SECCOMP_SET_DEFAULT },
  58     /* obsolete */
  59     { SCMP_SYS(readdir),                QEMU_SECCOMP_SET_OBSOLETE },
  60     { SCMP_SYS(_sysctl),                QEMU_SECCOMP_SET_OBSOLETE },
  61     { SCMP_SYS(bdflush),                QEMU_SECCOMP_SET_OBSOLETE },
  62     { SCMP_SYS(create_module),          QEMU_SECCOMP_SET_OBSOLETE },
  63     { SCMP_SYS(get_kernel_syms),        QEMU_SECCOMP_SET_OBSOLETE },
  64     { SCMP_SYS(query_module),           QEMU_SECCOMP_SET_OBSOLETE },
  65     { SCMP_SYS(sgetmask),               QEMU_SECCOMP_SET_OBSOLETE },
  66     { SCMP_SYS(ssetmask),               QEMU_SECCOMP_SET_OBSOLETE },
  67     { SCMP_SYS(sysfs),                  QEMU_SECCOMP_SET_OBSOLETE },
  68     { SCMP_SYS(uselib),                 QEMU_SECCOMP_SET_OBSOLETE },
  69     { SCMP_SYS(ustat),                  QEMU_SECCOMP_SET_OBSOLETE },
  70     /* privileged */
  71     { SCMP_SYS(setuid),                 QEMU_SECCOMP_SET_PRIVILEGED },
  72     { SCMP_SYS(setgid),                 QEMU_SECCOMP_SET_PRIVILEGED },
  73     { SCMP_SYS(setpgid),                QEMU_SECCOMP_SET_PRIVILEGED },
  74     { SCMP_SYS(setsid),                 QEMU_SECCOMP_SET_PRIVILEGED },
  75     { SCMP_SYS(setreuid),               QEMU_SECCOMP_SET_PRIVILEGED },
  76     { SCMP_SYS(setregid),               QEMU_SECCOMP_SET_PRIVILEGED },
  77     { SCMP_SYS(setresuid),              QEMU_SECCOMP_SET_PRIVILEGED },
  78     { SCMP_SYS(setresgid),              QEMU_SECCOMP_SET_PRIVILEGED },
  79     { SCMP_SYS(setfsuid),               QEMU_SECCOMP_SET_PRIVILEGED },
  80     { SCMP_SYS(setfsgid),               QEMU_SECCOMP_SET_PRIVILEGED },
  81     /* spawn */
  82     { SCMP_SYS(fork),                   QEMU_SECCOMP_SET_SPAWN },
  83     { SCMP_SYS(vfork),                  QEMU_SECCOMP_SET_SPAWN },
  84     { SCMP_SYS(execve),                 QEMU_SECCOMP_SET_SPAWN },
  85     /* resource control */
  86     { SCMP_SYS(getpriority),            QEMU_SECCOMP_SET_RESOURCECTL },
  87     { SCMP_SYS(setpriority),            QEMU_SECCOMP_SET_RESOURCECTL },
  88     { SCMP_SYS(sched_setparam),         QEMU_SECCOMP_SET_RESOURCECTL },
  89     { SCMP_SYS(sched_getparam),         QEMU_SECCOMP_SET_RESOURCECTL },
  90     { SCMP_SYS(sched_setscheduler),     QEMU_SECCOMP_SET_RESOURCECTL },
  91     { SCMP_SYS(sched_getscheduler),     QEMU_SECCOMP_SET_RESOURCECTL },
  92     { SCMP_SYS(sched_setaffinity),      QEMU_SECCOMP_SET_RESOURCECTL },
  93     { SCMP_SYS(sched_getaffinity),      QEMU_SECCOMP_SET_RESOURCECTL },
  94     { SCMP_SYS(sched_get_priority_max), QEMU_SECCOMP_SET_RESOURCECTL },
  95     { SCMP_SYS(sched_get_priority_min), QEMU_SECCOMP_SET_RESOURCECTL },
  96 };
  97
  98
  99 int seccomp_start(uint32_t seccomp_opts)
 100 {
 101     int rc = 0;
 102     unsigned int i = 0;
 103     scmp_filter_ctx ctx;
 104
 105     ctx = seccomp_init(SCMP_ACT_ALLOW);
 106     if (ctx == NULL) {
 107         rc = -1;
 108         goto seccomp_return;
 109     }
 110
 111     for (i = 0; i < ARRAY_SIZE(blacklist); i++) {
 112         if (!(seccomp_opts & blacklist[i].set)) {
 113             continue;
 114         }
 115
 116         rc = seccomp_rule_add(ctx, SCMP_ACT_KILL, blacklist[i].num, 0);
 117         if (rc < 0) {
 118             goto seccomp_return;
 119         }
 120     }
 121
 122     rc = seccomp_load(ctx);
 123
 124   seccomp_return:
 125     seccomp_release(ctx);
 126     return rc;
 127 }