qemu-seccomp.c

   1 /*
   2  * QEMU seccomp mode 2 support with libseccomp
   3  *
   4  * Copyright IBM, Corp. 2012
   5  *
   6  * Authors:
   7  *  Eduardo Otubo    <eotubo@br.ibm.com>
   8  *
   9  * This work is licensed under the terms of the GNU GPL, version 2.  See
  10  * the COPYING file in the top-level directory.
  11  *
  12  * Contributions after 2012-01-13 are licensed under the terms of the
  13  * GNU GPL, version 2 or (at your option) any later version.
  14  */
  15 #include <stdio.h>
  16 #include <seccomp.h>
  17 #include "qemu-seccomp.h"
  18
  19 struct QemuSeccompSyscall {
  20     int32_t num;
  21     uint8_t priority;
  22 };
  23
  24 static const struct QemuSeccompSyscall seccomp_whitelist[] = {
  25     { SCMP_SYS(timer_settime), 255 },
  26     { SCMP_SYS(timer_gettime), 254 },
  27     { SCMP_SYS(futex), 253 },
  28     { SCMP_SYS(select), 252 },
  29     { SCMP_SYS(recvfrom), 251 },
  30     { SCMP_SYS(sendto), 250 },
  31     { SCMP_SYS(read), 249 },
  32     { SCMP_SYS(brk), 248 },
  33     { SCMP_SYS(clone), 247 },
  34     { SCMP_SYS(mmap), 247 },
  35     { SCMP_SYS(mprotect), 246 },
  36     { SCMP_SYS(execve), 245 },
  37     { SCMP_SYS(open), 245 },
  38     { SCMP_SYS(ioctl), 245 },
  39     { SCMP_SYS(recvmsg), 245 },
  40     { SCMP_SYS(sendmsg), 245 },
  41     { SCMP_SYS(accept), 245 },
  42     { SCMP_SYS(connect), 245 },
  43     { SCMP_SYS(gettimeofday), 245 },
  44     { SCMP_SYS(readlink), 245 },
  45     { SCMP_SYS(access), 245 },
  46     { SCMP_SYS(prctl), 245 },
  47     { SCMP_SYS(signalfd), 245 },
  48 #if defined(__i386__)
  49     { SCMP_SYS(fcntl64), 245 },
  50     { SCMP_SYS(fstat64), 245 },
  51     { SCMP_SYS(stat64), 245 },
  52     { SCMP_SYS(getgid32), 245 },
  53     { SCMP_SYS(getegid32), 245 },
  54     { SCMP_SYS(getuid32), 245 },
  55     { SCMP_SYS(geteuid32), 245 },
  56     { SCMP_SYS(sigreturn), 245 },
  57     { SCMP_SYS(_newselect), 245 },
  58     { SCMP_SYS(_llseek), 245 },
  59     { SCMP_SYS(mmap2), 245},
  60     { SCMP_SYS(sigprocmask), 245 },
  61 #elif defined(__x86_64__)
  62     { SCMP_SYS(sched_getparam), 245},
  63     { SCMP_SYS(sched_getscheduler), 245},
  64     { SCMP_SYS(fstat), 245},
  65     { SCMP_SYS(clock_getres), 245},
  66     { SCMP_SYS(sched_get_priority_min), 245},
  67     { SCMP_SYS(sched_get_priority_max), 245},
  68     { SCMP_SYS(stat), 245},
  69     { SCMP_SYS(socket), 245},
  70     { SCMP_SYS(setsockopt), 245},
  71     { SCMP_SYS(uname), 245},
  72     { SCMP_SYS(semget), 245},
  73 #endif
  74     { SCMP_SYS(eventfd2), 245 },
  75     { SCMP_SYS(dup), 245 },
  76     { SCMP_SYS(gettid), 245 },
  77     { SCMP_SYS(timer_create), 245 },
  78     { SCMP_SYS(exit), 245 },
  79     { SCMP_SYS(clock_gettime), 245 },
  80     { SCMP_SYS(time), 245 },
  81     { SCMP_SYS(restart_syscall), 245 },
  82     { SCMP_SYS(pwrite64), 245 },
  83     { SCMP_SYS(chown), 245 },
  84     { SCMP_SYS(openat), 245 },
  85     { SCMP_SYS(getdents), 245 },
  86     { SCMP_SYS(timer_delete), 245 },
  87     { SCMP_SYS(exit_group), 245 },
  88     { SCMP_SYS(rt_sigreturn), 245 },
  89     { SCMP_SYS(sync), 245 },
  90     { SCMP_SYS(pread64), 245 },
  91     { SCMP_SYS(madvise), 245 },
  92     { SCMP_SYS(set_robust_list), 245 },
  93     { SCMP_SYS(lseek), 245 },
  94     { SCMP_SYS(pselect6), 245 },
  95     { SCMP_SYS(fork), 245 },
  96     { SCMP_SYS(bind), 245 },
  97     { SCMP_SYS(listen), 245 },
  98     { SCMP_SYS(eventfd), 245 },
  99     { SCMP_SYS(rt_sigprocmask), 245 },
 100     { SCMP_SYS(write), 244 },
 101     { SCMP_SYS(fcntl), 243 },
 102     { SCMP_SYS(tgkill), 242 },
 103     { SCMP_SYS(rt_sigaction), 242 },
 104     { SCMP_SYS(pipe2), 242 },
 105     { SCMP_SYS(munmap), 242 },
 106     { SCMP_SYS(mremap), 242 },
 107     { SCMP_SYS(getsockname), 242 },
 108     { SCMP_SYS(getpeername), 242 },
 109     { SCMP_SYS(fdatasync), 242 },
 110     { SCMP_SYS(close), 242 }
 111 };
 112
 113 int seccomp_start(void)
 114 {
 115     int rc = 0;
 116     unsigned int i = 0;
 117     scmp_filter_ctx ctx;
 118
 119     ctx = seccomp_init(SCMP_ACT_KILL);
 120     if (ctx == NULL) {
 121         goto seccomp_return;
 122     }
 123
 124     for (i = 0; i < ARRAY_SIZE(seccomp_whitelist); i++) {
 125         rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, seccomp_whitelist[i].num, 0);
 126         if (rc < 0) {
 127             goto seccomp_return;
 128         }
 129         rc = seccomp_syscall_priority(ctx, seccomp_whitelist[i].num,
 130                                       seccomp_whitelist[i].priority);
 131         if (rc < 0) {
 132             goto seccomp_return;
 133         }
 134     }
 135
 136     rc = seccomp_load(ctx);
 137
 138   seccomp_return:
 139     seccomp_release(ctx);
 140     return rc;
 141 }