commit c3a280dc1210c679cf7324f76d8f023a3feb4750 Author: Yawning Angel <yawning@schwanenlied.me> Date: Thu Dec 29 02:18:02 2016 +0000 Bug 21093: Go back to using gosecco for seccomp rule compilation. This means that there is no longer a dependency on libseccomp at all, yay. --- .gitignore | 1 - ChangeLog | 1 + Makefile | 6 +- README.md | 1 - data/tor-amd64.seccomp | 38 + data/tor-common-amd64.seccomp | 125 +++ data/tor-obfs4-amd64.seccomp | 58 ++ data/torbrowser-amd64.seccomp | 210 +++++ src/cmd/gen-seccomp/main.go | 61 -- src/cmd/gen-seccomp/seccomp.go | 120 --- src/cmd/gen-seccomp/seccomp_firefox.go | 215 ------ src/cmd/gen-seccomp/seccomp_tor.go | 595 -------------- .../internal/sandbox/seccomp.go | 71 +- vendor/manifest | 6 - .../github.com/seccomp/libseccomp-golang/LICENSE | 22 - .../github.com/seccomp/libseccomp-golang/README | 26 - .../seccomp/libseccomp-golang/seccomp.go | 857 --------------------- .../seccomp/libseccomp-golang/seccomp_internal.go | 506 ------------ .../seccomp/libseccomp-golang/seccomp_test.go | 457 ----------- 19 files changed, 492 insertions(+), 2884 deletions(-) diff --git a/.gitignore b/.gitignore index 9334d77..659d2b0 100644 --- a/.gitignore +++ b/.gitignore @@ -2,7 +2,6 @@ bin/ pkg/ data/revision data/tbb_stub.so -data/*.bpf src/cmd/sandboxed-tor-browser/internal/data/bindata.go *.swp *~ diff --git a/ChangeLog b/ChangeLog index 8bcc45b..4f3a908 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,4 +1,5 @@ Changes in version 0.0.3 - UNRELEASED: + * Bug 21903: Go back to using gosecco for seccomp rule compilation. * Bug 20940: Deprecate x86 support. * Bug 20778: Check for updates in the background. * Bug 20851: If the incremental update fails, fall back to the complete diff --git a/Makefile b/Makefile index 67f6723..78c9a4c 100644 --- a/Makefile +++ b/Makefile @@ -9,9 +9,8 @@ sandboxed-tor-browser: static-assets gb build -tags $(GTK3TAG) cmd/sandboxed-tor-browser mv ./bin/sandboxed-tor-browser-$(GTK3TAG) ./bin/sandboxed-tor-browser -static-assets: go-bindata gen-seccomp tbb_stub +static-assets: go-bindata tbb_stub git rev-parse --short HEAD > data/revision - ./bin/gen-seccomp -o ./data ./bin/go-bindata -nometadata -pkg data -prefix data -o ./src/cmd/sandboxed-tor-browser/internal/data/bindata.go data/... tbb_stub: go-bindata @@ -20,9 +19,6 @@ tbb_stub: go-bindata go-bindata: gb build github.com/jteeuwen/go-bindata/go-bindata -gen-seccomp: - gb build cmd/gen-seccomp - clean: rm -f ./src/cmd/sandboxed-tor-browser/internal/data/bindata.go rm -f ./data/revision diff --git a/README.md b/README.md index badb125..675ee2f 100644 --- a/README.md +++ b/README.md @@ -29,7 +29,6 @@ Build time dependencies: * A C compiler * gb (https://getgb.io/ Yes I know it's behind fucking cloudflare) * Go (Tested with 1.7.x) - * libseccomp2 >= 2.2.1 * libnotify Things that the sandbox breaks: diff --git a/data/tor-amd64.seccomp b/data/tor-amd64.seccomp new file mode 100644 index 0000000..097052a --- /dev/null +++ b/data/tor-amd64.seccomp @@ -0,0 +1,38 @@ +# tor binary (x86_64) specific seccomp whitelist. +# +# This is based off of tor's src/common/sandbox.c + +# +# Extra constant definitions needed for filtering. +# + +FUTEX_WAIT=0 +FUTEX_WAKE=1 +FUTEX_FD=2 +FUTEX_REQUEUE=3 +FUTEX_CMP_REQUEUE=4 +FUTEX_WAKE_OP=5 +#FUTEX_LOCK_PI=6 +#FUTEX_UNLOCK_PI=7 +FUTEX_WAIT_BITSET=9 +FUTEX_PRIVATE_FLAG=128 +FUTEX_CLOCK_REALTIME=256 + +FUTEX_WAIT_PRIVATE=FUTEX_WAIT | FUTEX_PRIVATE_FLAG +FUTEX_WAKE_PRIVATE=FUTEX_WAKE | FUTEX_PRIVATE_FLAG +FUTEX_CMP_REQUEUE_PRIVATE=FUTEX_CMP_REQUEUE | FUTEX_PRIVATE_FLAG +FUTEX_WAKE_OP_PRIVATE=FUTEX_WAKE_OP | FUTEX_PRIVATE_FLAG +#FUTEX_LOCK_PI_PRIVATE=FUTEX_LOCK_PI | FUTEX_PRIVATE_FLAG +#FUTEX_UNLOCK_PI_PRIVATE=FUTEX_UNLOCK_PI | FUTEX_PRIVATE_FLAG +FUTEX_WAIT_BITSET_PRIVATE=FUTEX_WAIT_BITSET | FUTEX_PRIVATE_FLAG + +# +# System calls allowed with filtering. +# * mmap: Asan (arg2 == PROT_READ|PROT_WRITE && arg3 == MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_NORESERVE) +# (arg2 == PROT_NONE && arg3 == MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_NORESERVE) +# + +futex: arg1 == FUTEX_WAIT_BITSET_PRIVATE|FUTEX_CLOCK_REALTIME || arg1 == FUTEX_WAKE_PRIVATE || arg1 == FUTEX_WAIT_PRIVATE +mprotect: arg2 == PROT_READ || arg2 == PROT_NONE +mmap: (arg2 == PROT_READ && arg3 == MAP_PRIVATE) || (arg2 == PROT_NONE && arg3 == MAP_PRIVATE|MAP_ANONYMOUS|MAP_NORESERVE) || (arg2 == PROT_READ|PROT_WRITE && arg3 == MAP_PRIVATE|MAP_ANONYMOUS) || (arg2 == PROT_READ|PROT_WRITE && arg3 == MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK) || (arg2 == PROT_READ|PROT_WRITE && arg3 == MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE) || (arg2 == PROT_READ|PROT_WRITE && arg3 == MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS) || (arg2 == PROT_READ|PROT_EXEC && arg3 == MAP_PRIVATE|MAP_DENYWRITE) || (arg2 == PROT_READ|PROT_WRITE && arg3 == MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_NORESERVE) || (arg2 == PROT_NONE && arg3 == MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_NORESERVE) +setsockopt: arg1 == SOL_SOCKET && (arg2 == SO_REUSEADDR || arg2 == SO_SNDBUF || arg2 == SO_RCVBUF) diff --git a/data/tor-common-amd64.seccomp b/data/tor-common-amd64.seccomp new file mode 100644 index 0000000..59ce3e1 --- /dev/null +++ b/data/tor-common-amd64.seccomp @@ -0,0 +1,125 @@ +# tor binary (x86_64) common seccomp whitelist. +# +# This is based off of tor's src/common/sandbox.c and is the whitelist for +# calls that aren't affected by the presence of obfs4proxy. gosecco's compiler +# doesn't allow multiple rules for the same system call that aren't identical. + +# +# Extra constant definitions needed for filtering. +# + +MADV_FREE=8 +MREMAP_MAYMOVE=1 + +SIG_BLOCK=1 +SIG_SETMASK=2 + +PF_INET=AF_INET +PF_INET6=AF_INET6 +PF_LOCAL=AF_LOCAL +PF_UNIX=AF_UNIX +POLLIN=1 + +MASKED_CLOEXEC_NONBLOCK = 0xFFF7F7FF + +# +# System calls allowed unconditionally without argument filtering. +# + +access: 1 +brk: 1 +clock_gettime: 1 +close: 1 +clone: 1 +epoll_create: 1 +epoll_wait: 1 +eventfd2: 1 +pipe2: 1 +pipe: 1 +fstat: 1 +getdents: 1 +getdents64: 1 +getegid: 1 +geteuid: 1 +getgid: 1 +getrlimit: 1 +gettimeofday: 1 +gettid: 1 +getuid: 1 +lseek: 1 +mkdir: 1 +munmap: 1 +prlimit64: 1 +read: 1 +rt_sigreturn: 1 +sched_getaffinity: 1 +sched_yield: 1 +sendmsg: 1 +set_robust_list: 1 +setrlimit: 1 +sigaltstack: 1 +stat: 1 +uname: 1 +wait4: 1 +write: 1 +writev: 1 +exit_group: 1 +exit: 1 +getrandom: 1 +sysinfo: 1 +bind: 1 +listen: 1 +connect: 1 +getsockname: 1 +recvmsg: 1 +recvfrom: 1 +sendto: 1 +unlink: 1 + +# tor's sandbox filters these, but we can't because we are not in the tor +# daemon's process space. +chown: 1 +chmod: 1 +open: 1 +openat: 1 +rename: 1 + +# Calls made prior to tor's UseSeccomp being enabled. +arch_prctl: 1 +chdir: 1 +execve: 1 +getpid: 1 +kill: 1 +restart_syscall: 1 +set_tid_address: 1 +unshare: 1 +rt_sigaction: 1 + +# XXX: This is only required for ASAN builds, so this should be included at +# runtime. +readlink: 1 + +# +# System calls allowed with filtering. +# +# Note: +# * socket: +# * tor explicitly allows PF_FILE separately from PF_UNIX which is +# pointless/nonsensical under Linux. +# * Tor allows socket(PF_NETLINK, SOCK_RAW, 0) but will accept no. +# + +time: arg0 == 0 +madvise: arg2 == MADV_FREE +umask: arg0 == 022 +rt_sigprocmask: arg0 == SIG_BLOCK || arg0 == SIG_SETMASK +epoll_ctl: arg1 == EPOLL_CTL_ADD || arg1 == EPOLL_CTL_MOD || arg1 == EPOLL_CTL_DEL +prctl: (arg0 == PR_SET_DUMPABLE && arg1 == 0) || arg0 == PR_SET_PDEATHSIG +flock: arg1 == (LOCK_EX | LOCK_NB) || arg1 == LOCK_UN +mremap: arg3 == MREMAP_MAYMOVE +accept4: argL3 & MASKED_CLOEXEC_NONBLOCK == 0 && argH3 == 0 +poll: arg1 == POLLIN && arg2 == 10 +socket: argH1 == 0 && (arg0 == PF_INET && argL1 & MASKED_CLOEXEC_NONBLOCK == SOCK_STREAM && arg2 == IPPROTO_TCP) || (arg0 == PF_INET && argL1 & MASKED_CLOEXEC_NONBLOCK == SOCK_STREAM && arg2 == IPPROTO_IP) || (arg0 == PF_INET && argL1 & MASKED_CLOEXEC_NONBLOCK == SOCK_DGRAM && arg2 == IPPROTO_IP) || (arg0 == PF_INET && argL1 & MASKED_CLOEXEC_NONBLOCK == SOCK_DGRAM && arg2 == IPPROTO_UDP) || (arg0 == PF_INET6 && argL1 & MASKED_CLOEXEC_NONBLOCK == SOCK_STREAM && arg2 == IPPROTO_TCP) || (arg0 == PF_INET6 && argL1 & MASKED_CLOEXEC_NONBLOCK == SOCK_STREAM && arg2 == IPPROTO_IP) || (arg0 == PF_INET6 && argL1 & MASKED_CLOEXEC_NONBLOCK == SOCK_DGRAM && arg2 == IPPROTO_IP) || (arg0 == PF_INET6 && argL1 & MASKED_CLOEXEC_NONBLOCK == SOCK_DGRAM && arg2 == IPPROTO_UDP) || (arg0 == PF_UNIX && argL1 & MASKED_CLOEXEC_NONBLOCK == SOCK_STREAM && arg2 == 0) || (arg0 == PF_UNIX && argL1 & MASKED_CLOEXEC_NONBLOCK == SOCK_DGRAM && arg2 == 0) +getsockopt: arg1 == SOL_SOCKET && arg2 == SO_ERROR +socketpair: arg0 == PF_LOCAL && (arg1 == SOCK_STREAM || arg1 == SOCK_STREAM | SOCK_CLOEXEC) +fcntl: arg1 == F_GETFL || (arg1 == F_SETFL && (arg2 == O_RDWR|O_NONBLOCK || arg2 == O_RDONLY |O_NONBLOCK)) || arg1 == F_GETFD || (arg1 == F_SETFD && arg2 == FD_CLOEXEC) diff --git a/data/tor-obfs4-amd64.seccomp b/data/tor-obfs4-amd64.seccomp new file mode 100644 index 0000000..b7ac52d --- /dev/null +++ b/data/tor-obfs4-amd64.seccomp @@ -0,0 +1,58 @@ +# tor binary (x86_64) obfs4proxy seccomp whitelist. +# +# These are the rules that should apply to tor and obfs4proxy. Eventually, +# obfs4proxy should live in it's own container so this file should go away. + +# +# Extra constant definitions needed for filtering. +# + +FUTEX_WAIT=0 +FUTEX_WAKE=1 +FUTEX_FD=2 +FUTEX_REQUEUE=3 +FUTEX_CMP_REQUEUE=4 +FUTEX_WAKE_OP=5 +#FUTEX_LOCK_PI=6 +#FUTEX_UNLOCK_PI=7 +FUTEX_WAIT_BITSET=9 +FUTEX_PRIVATE_FLAG=128 +FUTEX_CLOCK_REALTIME=256 + +FUTEX_WAIT_PRIVATE=FUTEX_WAIT | FUTEX_PRIVATE_FLAG +FUTEX_WAKE_PRIVATE=FUTEX_WAKE | FUTEX_PRIVATE_FLAG +FUTEX_CMP_REQUEUE_PRIVATE=FUTEX_CMP_REQUEUE | FUTEX_PRIVATE_FLAG +FUTEX_WAKE_OP_PRIVATE=FUTEX_WAKE_OP | FUTEX_PRIVATE_FLAG +#FUTEX_LOCK_PI_PRIVATE=FUTEX_LOCK_PI | FUTEX_PRIVATE_FLAG +#FUTEX_UNLOCK_PI_PRIVATE=FUTEX_UNLOCK_PI | FUTEX_PRIVATE_FLAG +FUTEX_WAIT_BITSET_PRIVATE=FUTEX_WAIT_BITSET | FUTEX_PRIVATE_FLAG + + +# +# obfs4proxy specific system calls allowed unconditionally without argument +# filtering. +# + +mincore: 1 +dup2: 1 +select: 1 +mkdirat: 1 +fsync: 1 +getpeername: 1 +getppid: 1 + +# +# obfs4proxy specific system calls allowed with filtering. +# + +epoll_create1: arg0 == EPOLL_CLOEXEC + +# +# System calls allowed with filtering that obfs4proxy/tor want to allow +# different things for. +# + +futex: arg1 == FUTEX_WAIT_BITSET_PRIVATE|FUTEX_CLOCK_REALTIME || arg1 == FUTEX_WAKE_PRIVATE || arg1 == FUTEX_WAIT_PRIVATE || arg1 == FUTEX_WAKE || arg1 == FUTEX_WAIT +mprotect: arg2 == PROT_READ || arg2 == PROT_NONE || arg2 == PROT_READ|PROT_WRITE +mmap: (arg2 == PROT_READ && arg3 == MAP_PRIVATE) || (arg2 == PROT_NONE && arg3 == MAP_PRIVATE|MAP_ANONYMOUS|MAP_NORESERVE) || (arg2 == PROT_READ|PROT_WRITE && arg3 == MAP_PRIVATE|MAP_ANONYMOUS) || (arg2 == PROT_READ|PROT_WRITE && arg3 == MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK) || (arg2 == PROT_READ|PROT_WRITE && arg3 == MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE) || (arg2 == PROT_READ|PROT_WRITE && arg3 == MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS) || (arg2 == PROT_READ|PROT_EXEC && arg3 == MAP_PRIVATE|MAP_DENYWRITE) || (arg2 == PROT_READ|PROT_WRITE && arg3 == MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_NORESERVE) || (arg2 == PROT_NONE && arg3 == MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_NORESERVE) || (arg2 == PROT_NONE && arg3 == MAP_PRIVATE|MAP_ANONYMOUS) || (arg2 == PROT_NONE && arg3 == MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS) +setsockopt: (arg1 == SOL_SOCKET && (arg2 == SO_REUSEADDR || arg2 == SO_SNDBUF || arg2 == SO_RCVBUF || arg2 == SO_BROADCAST)) || (arg1 == SOL_TCP && arg2 == TCP_NODELAY) || (arg1 == SOL_IPV6 && arg2 == IPV6_V6ONLY) diff --git a/data/torbrowser-amd64.seccomp b/data/torbrowser-amd64.seccomp new file mode 100644 index 0000000..a2c2817 --- /dev/null +++ b/data/torbrowser-amd64.seccomp @@ -0,0 +1,210 @@ +# Tor Browser (x86_64) seccomp whitelist. +# +# This is based off of: +# https://github.com/subgraph/subgraph-oz-profiles/blob/master/torbrowser-laun... +# https://github.com/mozilla/gecko-dev/blob/master/security/sandbox/linux/Sand... + +# +# Extra constant definitions needed for filtering. +# + +FIONREAD = 0x541b +TCGETS = 0x5401 +TIOCGPGRP = 0x540f + +MADV_NORMAL=0 +MADV_DONTNEED=4 +MADV_FREE=8 + +FUTEX_WAIT=0 +FUTEX_WAKE=1 +FUTEX_FD=2 +FUTEX_REQUEUE=3 +FUTEX_CMP_REQUEUE=4 +FUTEX_WAKE_OP=5 +#FUTEX_LOCK_PI=6 +#FUTEX_UNLOCK_PI=7 +FUTEX_WAIT_BITSET=9 +FUTEX_PRIVATE_FLAG=128 +FUTEX_CLOCK_REALTIME=256 + +FUTEX_WAIT_PRIVATE=FUTEX_WAIT | FUTEX_PRIVATE_FLAG +FUTEX_WAKE_PRIVATE=FUTEX_WAKE | FUTEX_PRIVATE_FLAG +FUTEX_CMP_REQUEUE_PRIVATE=FUTEX_CMP_REQUEUE | FUTEX_PRIVATE_FLAG +FUTEX_WAKE_OP_PRIVATE=FUTEX_WAKE_OP | FUTEX_PRIVATE_FLAG +#FUTEX_LOCK_PI_PRIVATE=FUTEX_LOCK_PI | FUTEX_PRIVATE_FLAG +#FUTEX_UNLOCK_PI_PRIVATE=FUTEX_UNLOCK_PI | FUTEX_PRIVATE_FLAG +FUTEX_WAIT_BITSET_PRIVATE=FUTEX_WAIT_BITSET | FUTEX_PRIVATE_FLAG + +# +# System calls allowed unconditionally without argument filtering. +# + +clock_gettime: 1 +clock_getres: 1 +gettimeofday: 1 +nanosleep: 1 +sched_yield: 1 + +open: 1 +openat: 1 +pread64: 1 +read: 1 +recvfrom: 1 +pwrite64: 1 +sendto: 1 +write: 1 +writev: 1 +close: 1 + +access: 1 +creat: 1 +chmod: 1 +chdir: 1 +dup2: 1 +dup: 1 +fadvise64: 1 +fallocate: 1 +fcntl: 1 +fchmod: 1 +fchown: 1 +fchdir: 1 +fdatasync: 1 +fstat: 1 +fstatfs: 1 +ftruncate: 1 +fsync: 1 +getcwd: 1 +getdents: 1 +getdents64: 1 +link: 1 +lseek: 1 +lstat: 1 +mkdir: 1 +name_to_handle_at: 1 +newfstatat: 1 +pipe: 1 +pipe2: 1 +readahead: 1 +readlink: 1 +readlinkat: 1 +rename: 1 +rmdir: 1 +stat: 1 +splice: 1 +statfs: 1 +symlink: 1 +unlink: 1 +utime: 1 +utimes: 1 + +accept4: 1 +bind: 1 +connect: 1 +epoll_create: 1 +epoll_create1: 1 +epoll_ctl: 1 +epoll_wait: 1 +eventfd2: 1 +getsockname: 1 +getsockopt: 1 +getpeername: 1 +listen: 1 +poll: 1 +ppoll: 1 +recvmsg: 1 +socketpair: 1 +select: 1 +sendmsg: 1 +setsockopt: 1 +shutdown: 1 + +inotify_add_watch: 1 +inotify_init1: 1 +inotify_rm_watch: 1 + +brk: 1 +mincore: 1 +mmap: 1 +mprotect: 1 +mremap: 1 +munmap: 1 + +shmdt: 1 +shmat: 1 +shmctl: 1 +shmget: 1 + +alarm: 1 +execve: 1 +getrandom: 1 +getrlimit: 1 +getrusage: 1 +getpgrp: 1 +getppid: 1 +getpid: 1 +getpriority: 1 +getresgid: 1 +getresuid: 1 +gettid: 1 +getuid: 1 +geteuid: 1 +getgid: 1 +getegid: 1 +rt_sigaction: 1 +rt_sigprocmask: 1 +rt_sigreturn: 1 +rt_tgsigqueueinfo: 1 +sigaltstack: 1 + +arch_prctl: 1 +capset: 1 +capget: 1 +clone: 1 +exit: 1 +exit_group: 1 +kill: 1 +restart_syscall: 1 +seccomp: 1 +sched_getaffinity: 1 +sched_setscheduler: 1 +setpriority: 1 +set_robust_list: 1 +setsid: 1 +set_tid_address: 1 +setresuid: 1 +setresgid: 1 +sysinfo: 1 +tgkill: 1 +umask: 1 +uname: 1 +unshare: 1 +wait4: 1 + +# XXX: This is only required for ASAN builds, so this should be included at +# runtime. +setrlimit: 1 + +# +# System calls allowed with filtering. +# +# Note: Because we patch PulseAudio from tbb_stub.so, we can omit all PI futex +# calls. +# + +futex: arg1 == FUTEX_CMP_REQUEUE_PRIVATE || arg1 == FUTEX_WAIT || arg1 == FUTEX_WAIT_BITSET_PRIVATE|FUTEX_CLOCK_REALTIME || arg1 == FUTEX_WAIT_PRIVATE || arg1 == FUTEX_WAKE || arg1 == FUTEX_WAKE_OP_PRIVATE || arg1 == FUTEX_WAKE_PRIVATE || arg1 == FUTEX_WAIT_BITSET_PRIVATE +madvise: arg2 == MADV_NORMAL || arg2 == MADV_DONTNEED || arg2 == MADV_FREE +ioctl: arg1 == FIONREAD || arg1 == TCGETS || arg1 == TIOCGPGRP +prctl: arg0 == PR_SET_NAME || arg0 == PR_GET_NAME || arg0 == PR_GET_TIMERSLACK || arg0 == PR_SET_SECCOMP +socket: arg0 == AF_UNIX + +# Calls that other people think we should have but we deny: +# +# Firefox: +# * quotactl - gracefully deals with rejection. +# +# Subgraph (all probably python): +# * vfork +# * memfd_create +# * personality +# * mlock diff --git a/src/cmd/gen-seccomp/main.go b/src/cmd/gen-seccomp/main.go deleted file mode 100644 index 8216166..0000000 --- a/src/cmd/gen-seccomp/main.go +++ /dev/null @@ -1,61 +0,0 @@ -// gen-seccomp.go - Pre-generate seccomp rules. -// Copyright (C) 2016 Yawning Angel. -// -// This program is free software: you can redistribute it and/or modify -// it under the terms of the GNU Affero General Public License as -// published by the Free Software Foundation, either version 3 of the -// License, or (at your option) any later version. -// -// This program is distributed in the hope that it will be useful, -// but WITHOUT ANY WARRANTY; without even the implied warranty of -// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -// GNU Affero General Public License for more details. -// -// You should have received a copy of the GNU Affero General Public License -// along with this program. If not, see <http://www.gnu.org/licenses/>. - -package main - -import ( - "flag" - "log" - "os" - "path/filepath" -) - -func main() { - outFlag := flag.String("o", "", "output directory") - flag.Parse() - - outDir, err := filepath.Abs(*outFlag) - if err != nil { - log.Fatalf("failed to get absolute path: %v", err) - } - - // Tor Browser (amd64) - f, err := os.Create(filepath.Join(outDir, "tor-amd64.bpf")) - if err != nil { - log.Fatalf("failed to create output: %v", err) - } - if err = compileTorSeccompProfile(f, false); err != nil { - log.Fatalf("failed to create tor amd64 profile: %v", err) - } - - // Tor Browser + obfs4proxy (amd64) - f, err = os.Create(filepath.Join(outDir, "tor-obfs4-amd64.bpf")) - if err != nil { - log.Fatalf("failed to create output: %v", err) - } - if err = compileTorSeccompProfile(f, true); err != nil { - log.Fatalf("failed to create tor-obfs4 amd64 profile: %v", err) - } - - // Firefox (amd64) - f, err = os.Create(filepath.Join(outDir, "torbrowser-amd64.bpf")) - if err != nil { - log.Fatalf("failed to create output: %v", err) - } - if err = compileTorBrowserSeccompProfile(f); err != nil { - log.Fatalf("failed to create firefox amd64 profile: %v", err) - } -} diff --git a/src/cmd/gen-seccomp/seccomp.go b/src/cmd/gen-seccomp/seccomp.go deleted file mode 100644 index b016f4c..0000000 --- a/src/cmd/gen-seccomp/seccomp.go +++ /dev/null @@ -1,120 +0,0 @@ -// secomp.go - Sandbox seccomp rules. -// Copyright (C) 2016 Yawning Angel. -// -// This program is free software: you can redistribute it and/or modify -// it under the terms of the GNU Affero General Public License as -// published by the Free Software Foundation, either version 3 of the -// License, or (at your option) any later version. -// -// This program is distributed in the hope that it will be useful, -// but WITHOUT ANY WARRANTY; without even the implied warranty of -// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -// GNU Affero General Public License for more details. -// -// You should have received a copy of the GNU Affero General Public License -// along with this program. If not, see <http://www.gnu.org/licenses/>. - -package main - -import ( - "fmt" - - seccomp "github.com/seccomp/libseccomp-golang" -) - -const ( - madvNormal = 0 // MADV_NORMAL - madvDontneed = 4 // MADV_DONTNEED - madvFree = 8 // MADV_FREE - mremapMaymove = 1 - - sigBlock = 1 // SIG_BLOCK - sigSetmask = 2 // SIG_SETMASK - - futexWait = 0 - futexWake = 1 - futexFd = 2 - futexRequeue = 3 - futexCmpRequeue = 4 - futexWakeOp = 5 - futexLockPi = 6 - futexUnlockPi = 7 - futexTrylockPi = 8 - futexWaitBitset = 9 - futexWakeBitset = 10 - futexWaitRequeuePi = 11 - futexCmpRequeuePi = 12 - - futexPrivateFlag = 128 - futexClockRealtime = 256 - - futexWaitPrivate = futexWait | futexPrivateFlag - futexWakePrivate = futexWake | futexPrivateFlag - futexRequeuePrivate = futexRequeue | futexPrivateFlag - futexCmpRequeuePrivate = futexCmpRequeue | futexPrivateFlag - futexWakeOpPrivate = futexWakeOp | futexPrivateFlag - futexLockPiPrivate = futexLockPi | futexPrivateFlag - futexUnlockPiPrivate = futexUnlockPi | futexPrivateFlag - futexTrylockPiPrivate = futexTrylockPi | futexPrivateFlag - futexWaitBitsetPrivate = futexWaitBitset | futexPrivateFlag - futexWakeBitsetPrivate = futexWakeBitset | futexPrivateFlag - futexWaitRequeuePiPrivate = futexWaitRequeuePi | futexPrivateFlag - futexCmpRequeuePiPrivate = futexCmpRequeuePi | futexPrivateFlag - - pollIn = 1 - - fionread = 0x541b - tcgets = 0x5401 - tiocgpgrp = 0x540f -) - -func newWhitelist() (*seccomp.ScmpFilter, error) { - actENOSYS := seccomp.ActErrno.SetReturnCode(38) - f, err := seccomp.NewFilter(actENOSYS) - if err != nil { - return nil, err - } - - if err = f.AddArch(seccomp.ArchAMD64); err != nil { - f.Release() - return nil, err - } - if err = f.SetBadArchAction(seccomp.ActKill); err != nil { - return nil, err - } - - return f, nil -} - -func allowSyscalls(f *seccomp.ScmpFilter, calls []string) error { - for _, scallName := range calls { - scall, err := seccomp.GetSyscallFromName(scallName) - if err != nil { - return fmt.Errorf("seccomp: unknown system call: %v", scallName) - } - if err = f.AddRule(scall, seccomp.ActAllow); err != nil { - return err - } - } - return nil -} - -func allowCmpEq(f *seccomp.ScmpFilter, scallName string, arg uint, values ...uint64) error { - scall, err := seccomp.GetSyscallFromName(scallName) - if err != nil { - return fmt.Errorf("seccomp: unknown system call: %v", scallName) - } - - // Allow if the arg matches any of the values. Implemented as multiple - // rules. - for _, v := range values { - argIsEqual, err := seccomp.MakeCondition(arg, seccomp.CompareEqual, v) - if err != nil { - return err - } - if err = f.AddRuleConditional(scall, seccomp.ActAllow, []seccomp.ScmpCondition{argIsEqual}); err != nil { - return err - } - } - return nil -} diff --git a/src/cmd/gen-seccomp/seccomp_firefox.go b/src/cmd/gen-seccomp/seccomp_firefox.go deleted file mode 100644 index 427c5f9..0000000 --- a/src/cmd/gen-seccomp/seccomp_firefox.go +++ /dev/null @@ -1,215 +0,0 @@ -// secomp_firefox.go - Firefox sandbox seccomp rules. -// Copyright (C) 2016 Yawning Angel. -// -// This program is free software: you can redistribute it and/or modify -// it under the terms of the GNU Affero General Public License as -// published by the Free Software Foundation, either version 3 of the -// License, or (at your option) any later version. -// -// This program is distributed in the hope that it will be useful, -// but WITHOUT ANY WARRANTY; without even the implied warranty of -// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -// GNU Affero General Public License for more details. -// -// You should have received a copy of the GNU Affero General Public License -// along with this program. If not, see <http://www.gnu.org/licenses/>. - -package main - -import ( - "os" - "syscall" -) - -func compileTorBrowserSeccompProfile(fd *os.File) error { - defer fd.Close() - - f, err := newWhitelist() - if err != nil { - return err - } - defer f.Release() - - // TODO; Filter the arguments on more of these calls. - // - // Maybe draaw inspiration from: - // https://github.com/mozilla/gecko-dev/blob/master/security/sandbox/linux/Sand... - allowedNoArgs := []string{ - "clock_gettime", - "clock_getres", - "gettimeofday", - "nanosleep", - "sched_yield", - - "open", - "openat", - "pread64", - "read", - "recvfrom", - "pwrite64", - "sendto", - "write", - "writev", - "close", - - "access", - "creat", - "chmod", - "chdir", - "dup2", - "dup", - "fadvise64", - "fallocate", - "fcntl", - "fchmod", - "fchown", - "fchdir", - "fdatasync", - "fstat", - "fstatfs", - "ftruncate", - "fsync", - "getcwd", - "getdents", - "getdents64", - "link", - "lseek", - "lstat", - "mkdir", - "name_to_handle_at", - "newfstatat", - "pipe", - "pipe2", - "readahead", - "readlink", - "readlinkat", - "rename", - "rmdir", - "stat", - "splice", - "statfs", - "symlink", - "unlink", - "utime", - "utimes", - - "accept4", - "bind", - "connect", - "epoll_create", - "epoll_create1", - "epoll_ctl", - "epoll_wait", - "eventfd2", - "getsockname", - "getsockopt", - "getpeername", - "listen", - "poll", - "ppoll", - "recvmsg", - "socketpair", - "select", - "sendmsg", - "setsockopt", - "shutdown", - - "inotify_add_watch", - "inotify_init1", - "inotify_rm_watch", - - "brk", - "mincore", - "mmap", - "mprotect", - "mremap", - "munmap", - - "shmdt", - "shmat", - "shmctl", - "shmget", - - "alarm", - "execve", - "getrandom", - "getrlimit", - "getrusage", - "getpgrp", - "getppid", - "getpid", - "getpriority", - "getresgid", - "getresuid", - "gettid", - "getuid", - "geteuid", - "getgid", - "getegid", - "rt_sigaction", - "rt_sigprocmask", - "rt_sigreturn", - "sigaltstack", - - "arch_prctl", - "capset", - "capget", - "clone", - "exit", - "exit_group", - "kill", - "restart_syscall", - "seccomp", - "sched_getaffinity", - "sched_setscheduler", - "setpriority", - "set_robust_list", - "setsid", - "set_tid_address", - "setresuid", - "setresgid", - "sysinfo", - "tgkill", - "umask", - "uname", - "unshare", - "wait4", - - // ASAN explodes if this doesn't work. Sigh. - "setrlimit", - - // Firefox uses this, but will take no for an answer. - // "quotactl", - - // Subgraph's profile has these, but that's for Tor Browser Launcher. - // - // "vfork", - // "memfd_create", (PulseAudio? Won't work in our container.) - // "personality", - // "mlock", - } - if err = allowSyscalls(f, allowedNoArgs); err != nil { - return err - } - - // Because we patch PulseAudio's mutex creation, we can omit all PI futex - // calls. - if err = allowCmpEq(f, "futex", 1, futexWait, futexWaitPrivate, futexWakePrivate, futexCmpRequeuePrivate, futexWakeOpPrivate, futexWaitBitsetPrivate|futexClockRealtime, futexWake, futexWaitBitsetPrivate); err != nil { - return err - } - - if err = allowCmpEq(f, "madvise", 2, madvNormal, madvDontneed, madvFree); err != nil { - return err - } - if err = allowCmpEq(f, "ioctl", 1, fionread, tcgets, tiocgpgrp); err != nil { - return err - } - if err = allowCmpEq(f, "prctl", 0, syscall.PR_SET_NAME, syscall.PR_GET_NAME, syscall.PR_GET_TIMERSLACK, syscall.PR_SET_SECCOMP); err != nil { - return err - } - if err = allowCmpEq(f, "socket", 0, syscall.AF_UNIX); err != nil { - return err - } - - return f.ExportBPF(fd) -} diff --git a/src/cmd/gen-seccomp/seccomp_tor.go b/src/cmd/gen-seccomp/seccomp_tor.go deleted file mode 100644 index e6501e3..0000000 --- a/src/cmd/gen-seccomp/seccomp_tor.go +++ /dev/null @@ -1,595 +0,0 @@ -// secomp_tor.go - Sandbox tor seccomp rules. -// Copyright (C) 2016 Yawning Angel. -// -// This program is free software: you can redistribute it and/or modify -// it under the terms of the GNU Affero General Public License as -// published by the Free Software Foundation, either version 3 of the -// License, or (at your option) any later version. -// -// This program is distributed in the hope that it will be useful, -// but WITHOUT ANY WARRANTY; without even the implied warranty of -// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -// GNU Affero General Public License for more details. -// -// You should have received a copy of the GNU Affero General Public License -// along with this program. If not, see <http://www.gnu.org/licenses/>. - -package main - -import ( - "os" - "syscall" - - seccomp "github.com/seccomp/libseccomp-golang" -) - -var maskedCloexecNonblock = ^(uint64(syscall.SOCK_CLOEXEC | syscall.SOCK_NONBLOCK)) - -func compileTorSeccompProfile(fd *os.File, useBridges bool) error { - defer fd.Close() - - f, err := newWhitelist() - if err != nil { - return err - } - defer f.Release() - - allowedNoArgs := []string{ - "access", - "brk", - "clock_gettime", - "close", - "clone", - "epoll_create", - "epoll_wait", - "eventfd2", - "pipe2", - "pipe", - "fstat", - "getdents", - "getdents64", - "getegid", - "geteuid", - "getgid", - "getrlimit", - "gettimeofday", - "gettid", - "getuid", - "lseek", - "mkdir", - "munmap", - "prlimit64", - "read", - "rt_sigreturn", - "sched_getaffinity", - "sched_yield", - "sendmsg", - "set_robust_list", - "setrlimit", - "sigaltstack", - "stat", - "uname", - "wait4", - "write", - "writev", - "exit_group", - "exit", - "getrandom", - "sysinfo", - "bind", - "listen", - "connect", - "getsockname", - "recvmsg", - "recvfrom", - "sendto", - "unlink", - - // Calls that tor can filter, but I can't due to not being in - // the tor daemon's process space. - "chown", - "chmod", - "open", - "openat", - "rename", - - // Calls made prior to tor's UseSeccomp being installed. - "arch_prctl", - "chdir", - "execve", - "getpid", - "kill", - "restart_syscall", - "set_tid_address", - "unshare", - "rt_sigaction", // Tor filters this but libc does more. - - "readlink", // ASAN needs this. - } - if err = allowSyscalls(f, allowedNoArgs); err != nil { - return err - } - - if err = allowCmpEq(f, "time", 0, 0); err != nil { - return err - } - if err = allowCmpEq(f, "madvise", 2, madvFree); err != nil { - return err - } - if err = allowCmpEq(f, "umask", 0, 022); err != nil { - return err - } - if err = allowCmpEq(f, "rt_sigprocmask", 0, sigBlock, sigSetmask); err != nil { - return err - } - if err = allowCmpEq(f, "epoll_ctl", 1, syscall.EPOLL_CTL_ADD, syscall.EPOLL_CTL_MOD, syscall.EPOLL_CTL_DEL); err != nil { - return err - } - if err = torFilterPrctl(f); err != nil { - return err - } - if err = allowCmpEq(f, "mprotect", 2, syscall.PROT_READ, syscall.PROT_NONE); err != nil { - return err - } - if err = allowCmpEq(f, "flock", 1, syscall.LOCK_EX|syscall.LOCK_NB, syscall.LOCK_UN); err != nil { - return err - } - if err = allowCmpEq(f, "futex", 1, futexWaitBitsetPrivate|futexClockRealtime, futexWaitPrivate, futexWakePrivate); err != nil { - return err - } - if err = allowCmpEq(f, "mremap", 3, mremapMaymove); err != nil { - return err - } - if err = torFilterAccept4(f); err != nil { - return err - } - if err = torFilterPoll(f); err != nil { - return err - } - if err = torFilterSocket(f); err != nil { - return err - } - if err = torFilterSetsockopt(f); err != nil { - return err - } - if err = torFilterGetsockopt(f); err != nil { - return err - } - if err = torFilterSocketpair(f); err != nil { - return err - } - if err = torFilterMmap(f); err != nil { - return err - } - if err = torFilterFcntl(f); err != nil { - return err - } - - if useBridges { - // XXX: One day, all the PTs will live in their own containers. - // - // Till then, just whitelist the extra calls obfs4proxy needs. - obfsCalls := []string{ - "mincore", - "dup2", - "select", - "mkdirat", - "fsync", - "getpeername", - "getppid", - } - if err = allowSyscalls(f, obfsCalls); err != nil { - return err - } - - // `mmap` -> `arg2 == PROT_NONE && (arg3 == MAP_PRIVATE|MAP_ANONYMOUS || arg3 == MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS)` - if err = allowCmpEq(f, "epoll_create1", 0, syscall.EPOLL_CLOEXEC); err != nil { - return err - } - if err = allowCmpEq(f, "mprotect", 2, syscall.PROT_READ|syscall.PROT_WRITE); err != nil { - return err - } - if err = allowCmpEq(f, "futex", 1, futexWake, futexWait); err != nil { - return err - } - if err = obfsFilterSetsockopt(f); err != nil { - return err - } - if err = obfsFilterMmap(f); err != nil { - return err - } - } - - return f.ExportBPF(fd) -} - -func torFilterPrctl(f *seccomp.ScmpFilter) error { - scall, err := seccomp.GetSyscallFromName("prctl") - if err != nil { - return err - } - - isPrSetDumpable, err := seccomp.MakeCondition(0, seccomp.CompareEqual, syscall.PR_SET_DUMPABLE) - if err != nil { - return err - } - arg1IsZero, err := seccomp.MakeCondition(1, seccomp.CompareEqual, 0) - if err != nil { - return err - } - if err = f.AddRuleConditional(scall, seccomp.ActAllow, []seccomp.ScmpCondition{isPrSetDumpable, arg1IsZero}); err != nil { - return err - } - - isPrSetDeathsig, err := seccomp.MakeCondition(0, seccomp.CompareEqual, syscall.PR_SET_PDEATHSIG) - if err != nil { - return err - } - return f.AddRuleConditional(scall, seccomp.ActAllow, []seccomp.ScmpCondition{isPrSetDeathsig}) -} - -func torFilterAccept4(f *seccomp.ScmpFilter) error { - scall, err := seccomp.GetSyscallFromName("accept4") - if err != nil { - return err - } - - cond, err := seccomp.MakeCondition(3, seccomp.CompareMaskedEqual, maskedCloexecNonblock, 0) - if err != nil { - return nil - } - - return f.AddRuleConditional(scall, seccomp.ActAllow, []seccomp.ScmpCondition{cond}) -} - -func torFilterPoll(f *seccomp.ScmpFilter) error { - scall, err := seccomp.GetSyscallFromName("poll") - if err != nil { - return err - } - - isPollIn, err := seccomp.MakeCondition(1, seccomp.CompareEqual, pollIn) - if err != nil { - return err - } - timeoutIsTen, err := seccomp.MakeCondition(2, seccomp.CompareEqual, 10) - if err != nil { - return err - } - return f.AddRuleConditional(scall, seccomp.ActAllow, []seccomp.ScmpCondition{isPollIn, timeoutIsTen}) -} - -func torFilterSocket(f *seccomp.ScmpFilter) error { - scall, err := seccomp.GetSyscallFromName("socket") - if err != nil { - return err - } - - makeCondType := func(t uint64) (seccomp.ScmpCondition, error) { - return seccomp.MakeCondition(1, seccomp.CompareMaskedEqual, maskedCloexecNonblock, t) - } - - // tor allows PF_FILE, which is PF_LOCAL on Linux, not sure why. - - for _, d := range []uint64{syscall.AF_INET, syscall.AF_INET6} { - isDomain, err := seccomp.MakeCondition(0, seccomp.CompareEqual, d) - if err != nil { - return err - } - - for _, t := range []uint64{syscall.SOCK_STREAM, syscall.SOCK_DGRAM} { - protocols := []uint64{syscall.IPPROTO_IP, syscall.IPPROTO_UDP} - if t == syscall.SOCK_STREAM { - protocols = append(protocols, syscall.IPPROTO_TCP) - } - - isType, err := makeCondType(t) - if err != nil { - return err - } - - for _, p := range protocols { - isProtocol, err := seccomp.MakeCondition(2, seccomp.CompareEqual, p) - if err != nil { - return err - } - - if err = f.AddRuleConditional(scall, seccomp.ActAllow, []seccomp.ScmpCondition{isDomain, isType, isProtocol}); err != nil { - return err - } - } - } - } - - isAfLocal, err := seccomp.MakeCondition(0, seccomp.CompareEqual, syscall.AF_LOCAL) - if err != nil { - return err - } - for _, t := range []uint64{syscall.SOCK_STREAM, syscall.SOCK_DGRAM} { - isType, err := makeCondType(t) - if err != nil { - return err - } - isProtocol, err := seccomp.MakeCondition(2, seccomp.CompareEqual, 0) - if err != nil { - return err - } - if err = f.AddRuleConditional(scall, seccomp.ActAllow, []seccomp.ScmpCondition{isAfLocal, isType, isProtocol}); err != nil { - return err - } - } - - // tor allows socket(AF_NETLINK, SOCK_RAW, 0), which is used to check it's - // IP address, but will take "no". - - return nil -} - -func torFilterSetsockopt(f *seccomp.ScmpFilter) error { - scall, err := seccomp.GetSyscallFromName("setsockopt") - if err != nil { - return err - } - - isSolSocket, err := seccomp.MakeCondition(1, seccomp.CompareEqual, syscall.SOL_SOCKET) - if err != nil { - return err - } - - okOpts := []uint64{ - syscall.SO_REUSEADDR, - syscall.SO_SNDBUF, - syscall.SO_RCVBUF, - } - - for _, opt := range okOpts { - isOpt, err := seccomp.MakeCondition(2, seccomp.CompareEqual, opt) - if err != nil { - return err - } - if err = f.AddRuleConditional(scall, seccomp.ActAllow, []seccomp.ScmpCondition{isSolSocket, isOpt}); err != nil { - return err - } - } - - return nil -} - -func torFilterGetsockopt(f *seccomp.ScmpFilter) error { - scall, err := seccomp.GetSyscallFromName("getsockopt") - if err != nil { - return err - } - - isSolSocket, err := seccomp.MakeCondition(1, seccomp.CompareEqual, syscall.SOL_SOCKET) - if err != nil { - return err - } - optIsError, err := seccomp.MakeCondition(2, seccomp.CompareEqual, syscall.SO_ERROR) - if err != nil { - return err - } - return f.AddRuleConditional(scall, seccomp.ActAllow, []seccomp.ScmpCondition{isSolSocket, optIsError}) -} - -func torFilterSocketpair(f *seccomp.ScmpFilter) error { - scall, err := seccomp.GetSyscallFromName("socketpair") - if err != nil { - return err - } - - isPfLocal, err := seccomp.MakeCondition(0, seccomp.CompareEqual, syscall.AF_LOCAL) - if err != nil { - return err - } - - // XXX: src/common/compat.c:tor_socketpair looks like it uses SOCK_CLOEXEC, - // but according to strace, fcntl is used to actually set the flag (6.0.6). - okTypes := []uint64{ - syscall.SOCK_STREAM, - syscall.SOCK_STREAM | syscall.SOCK_CLOEXEC, - } - for _, t := range okTypes { - isType, err := seccomp.MakeCondition(1, seccomp.CompareEqual, t) - if err != nil { - return err - } - if err = f.AddRuleConditional(scall, seccomp.ActAllow, []seccomp.ScmpCondition{isPfLocal, isType}); err != nil { - return err - } - } - return nil -} - -func torFilterMmap(f *seccomp.ScmpFilter) error { - scall, err := seccomp.GetSyscallFromName("mmap") - if err != nil { - return err - } - - // (arg2 == PROT_READ && arg3 == MAP_PRIVATE) - isProtRead, err := seccomp.MakeCondition(2, seccomp.CompareEqual, syscall.PROT_READ) - if err != nil { - return err - } - isPrivate, err := seccomp.MakeCondition(3, seccomp.CompareEqual, syscall.MAP_PRIVATE) - if err != nil { - return err - } - if err = f.AddRuleConditional(scall, seccomp.ActAllow, []seccomp.ScmpCondition{isProtRead, isPrivate}); err != nil { - return err - } - - // (arg2 == PROT_NONE && arg3 == MAP_PRIVATE | MAP_ANONYMOUS | MAP_NORESERVE) - isProtNone, err := seccomp.MakeCondition(2, seccomp.CompareEqual, syscall.PROT_NONE) - if err != nil { - return err - } - isProtNoneFlags, err := seccomp.MakeCondition(3, seccomp.CompareEqual, syscall.MAP_PRIVATE|syscall.MAP_ANONYMOUS|syscall.MAP_NORESERVE) - if err != nil { - return err - } - if err = f.AddRuleConditional(scall, seccomp.ActAllow, []seccomp.ScmpCondition{isProtNone, isProtNoneFlags}); err != nil { - return err - } - - isProtReadWrite, err := seccomp.MakeCondition(2, seccomp.CompareEqual, syscall.PROT_READ|syscall.PROT_WRITE) - if err != nil { - return err - } - rwFlags := []uint64{ - syscall.MAP_PRIVATE | syscall.MAP_ANONYMOUS, - syscall.MAP_PRIVATE | syscall.MAP_ANONYMOUS | syscall.MAP_STACK, - syscall.MAP_PRIVATE | syscall.MAP_FIXED | syscall.MAP_DENYWRITE, - syscall.MAP_PRIVATE | syscall.MAP_FIXED | syscall.MAP_ANONYMOUS, - syscall.MAP_PRIVATE | syscall.MAP_DENYWRITE, - } - for _, flag := range rwFlags { - isFlag, err := seccomp.MakeCondition(3, seccomp.CompareEqual, flag) - if err != nil { - return err - } - if err = f.AddRuleConditional(scall, seccomp.ActAllow, []seccomp.ScmpCondition{isProtReadWrite, isFlag}); err != nil { - return err - } - } - - // (arg2 == PROT_READ | PROT_EXEC && arg3 == MAP_PRIVATE | MAP_DENYWRITE) - // This is needed for ld-linux.so. - isProtReadExec, err := seccomp.MakeCondition(2, seccomp.CompareEqual, syscall.PROT_READ|syscall.PROT_EXEC) - if err != nil { - return err - } - isProtReadExecFlags, err := seccomp.MakeCondition(3, seccomp.CompareEqual, syscall.MAP_PRIVATE|syscall.MAP_DENYWRITE) - if err != nil { - return err - } - if err = f.AddRuleConditional(scall, seccomp.ActAllow, []seccomp.ScmpCondition{isProtReadExec, isProtReadExecFlags}); err != nil { - return err - } - - return nil -} - -func torFilterFcntl(f *seccomp.ScmpFilter) error { - scall, err := seccomp.GetSyscallFromName("fcntl") - if err != nil { - return err - } - - isFGetfl, err := seccomp.MakeCondition(1, seccomp.CompareEqual, syscall.F_GETFL) - if err != nil { - return err - } - isFGetfd, err := seccomp.MakeCondition(1, seccomp.CompareEqual, syscall.F_GETFD) - if err != nil { - return err - } - - isFSetfl, err := seccomp.MakeCondition(1, seccomp.CompareEqual, syscall.F_SETFL) - if err != nil { - return err - } - isFSetflFlags, err := seccomp.MakeCondition(2, seccomp.CompareEqual, syscall.O_RDWR|syscall.O_NONBLOCK) - if err != nil { - return err - } - - isFSetfd, err := seccomp.MakeCondition(1, seccomp.CompareEqual, syscall.F_SETFD) - if err != nil { - return err - } - isFdCloexec, err := seccomp.MakeCondition(2, seccomp.CompareEqual, syscall.FD_CLOEXEC) - if err != nil { - return err - } - - if err = f.AddRuleConditional(scall, seccomp.ActAllow, []seccomp.ScmpCondition{isFGetfl}); err != nil { - return err - } - if err = f.AddRuleConditional(scall, seccomp.ActAllow, []seccomp.ScmpCondition{isFGetfd}); err != nil { - return err - } - - if err = f.AddRuleConditional(scall, seccomp.ActAllow, []seccomp.ScmpCondition{isFSetfl, isFSetflFlags}); err != nil { - return err - } - - if err = f.AddRuleConditional(scall, seccomp.ActAllow, []seccomp.ScmpCondition{isFSetfd, isFdCloexec}); err != nil { - return err - } - - return nil -} - -func obfsFilterSetsockopt(f *seccomp.ScmpFilter) error { - scall, err := seccomp.GetSyscallFromName("setsockopt") - if err != nil { - return err - } - - isSolTcp, err := seccomp.MakeCondition(1, seccomp.CompareEqual, syscall.SOL_TCP) - if err != nil { - return err - } - isTcpNodelay, err := seccomp.MakeCondition(2, seccomp.CompareEqual, syscall.TCP_NODELAY) - if err != nil { - return err - } - if err = f.AddRuleConditional(scall, seccomp.ActAllow, []seccomp.ScmpCondition{isSolTcp, isTcpNodelay}); err != nil { - return err - } - - isSolSocket, err := seccomp.MakeCondition(1, seccomp.CompareEqual, syscall.SOL_SOCKET) - if err != nil { - return err - } - isSoBroadcast, err := seccomp.MakeCondition(2, seccomp.CompareEqual, syscall.SO_BROADCAST) - if err != nil { - return err - } - if err = f.AddRuleConditional(scall, seccomp.ActAllow, []seccomp.ScmpCondition{isSolSocket, isSoBroadcast}); err != nil { - return err - } - - isSolIpv6, err := seccomp.MakeCondition(1, seccomp.CompareEqual, syscall.SOL_IPV6) - if err != nil { - return err - } - isIpv6Only, err := seccomp.MakeCondition(2, seccomp.CompareEqual, syscall.IPV6_V6ONLY) - if err != nil { - return err - } - if err = f.AddRuleConditional(scall, seccomp.ActAllow, []seccomp.ScmpCondition{isSolIpv6, isIpv6Only}); err != nil { - return err - } - - return nil -} - -// `mmap` -> `arg2 == PROT_NONE && (arg3 == MAP_PRIVATE|MAP_ANONYMOUS || arg3 == MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS)` -func obfsFilterMmap(f *seccomp.ScmpFilter) error { - scall, err := seccomp.GetSyscallFromName("mmap") - if err != nil { - return err - } - - isProtNone, err := seccomp.MakeCondition(2, seccomp.CompareEqual, syscall.PROT_NONE) - if err != nil { - return err - } - protNoneFlags := []uint64{ - syscall.MAP_PRIVATE | syscall.MAP_ANONYMOUS, - syscall.MAP_PRIVATE | syscall.MAP_FIXED | syscall.MAP_ANONYMOUS, - } - for _, flag := range protNoneFlags { - isFlag, err := seccomp.MakeCondition(3, seccomp.CompareEqual, flag) - if err != nil { - return err - } - if err = f.AddRuleConditional(scall, seccomp.ActAllow, []seccomp.ScmpCondition{isProtNone, isFlag}); err != nil { - return err - } - } - return nil -} diff --git a/src/cmd/sandboxed-tor-browser/internal/sandbox/seccomp.go b/src/cmd/sandboxed-tor-browser/internal/sandbox/seccomp.go index c88005e..9d5ec90 100644 --- a/src/cmd/sandboxed-tor-browser/internal/sandbox/seccomp.go +++ b/src/cmd/sandboxed-tor-browser/internal/sandbox/seccomp.go @@ -17,34 +17,81 @@ package sandbox import ( + "encoding/binary" + "fmt" "os" "runtime" + "github.com/twtiger/gosecco" + "github.com/twtiger/gosecco/parser" + "cmd/sandboxed-tor-browser/internal/data" ) func installTorSeccompProfile(fd *os.File, useBridges bool) error { - assetFile := "tor-" - if useBridges { - assetFile = assetFile + "obfs4-" - } - assetFile = assetFile + runtime.GOARCH + ".bpf" + commonAssetFile := "tor-common-" + runtime.GOARCH + ".seccomp" - bpf, err := data.Asset(assetFile) - if err != nil { - return err + assets := []string{commonAssetFile} + if useBridges { + assets = append(assets, "tor-obfs4-"+runtime.GOARCH+".seccomp") + } else { + assets = append(assets, "tor-"+runtime.GOARCH+".seccomp") } - return writeBuffer(fd, bpf) + return installSeccomp(fd, assets) } func installTorBrowserSeccompProfile(fd *os.File) error { - assetFile := "torbrowser-" + runtime.GOARCH + ".bpf" + assetFile := "torbrowser-" + runtime.GOARCH + ".seccomp" + + return installSeccomp(fd, []string{assetFile}) +} + +func installSeccomp(fd *os.File, ruleAssets []string) error { + defer fd.Close() - bpf, err := data.Asset(assetFile) + settings := gosecco.SeccompSettings{ + DefaultPositiveAction: "allow", + DefaultNegativeAction: "ENOSYS", + DefaultPolicyAction: "ENOSYS", + ActionOnX32: "kill", + ActionOnAuditFailure: "kill", + } + + if len(ruleAssets) == 0 { + return fmt.Errorf("installSeccomp() called with no rules") + } + + // Combine the rules into a single source. + var sources []parser.Source + for _, asset := range ruleAssets { + rules, err := data.Asset(asset) + if err != nil { + return err + } + source := &parser.StringSource{ + Name: asset, + Content: string(rules), + } + sources = append(sources, source) + } + + // Compile the combined source into bpf bytecode. + combined := parser.CombineSources(sources...) + bpf, err := gosecco.PrepareSource(combined, settings) if err != nil { return err } - return writeBuffer(fd, bpf) + // Install the bpf bytecode. + if size, limit := len(bpf), 0xffff; size > limit { + return fmt.Errorf("filter program too big: %d bpf instructions (limit = %d)", size, limit) + } + for _, rule := range bpf { + if err := binary.Write(fd, binary.LittleEndian, rule); err != nil { + return err + } + } + + return nil } diff --git a/vendor/manifest b/vendor/manifest index 04dfc33..a783eed 100644 --- a/vendor/manifest +++ b/vendor/manifest @@ -38,12 +38,6 @@ "branch": "master" }, { - "importpath": "github.com/seccomp/libseccomp-golang", - "repository": "https://github.com/seccomp/libseccomp-golang", - "revision": "32f571b70023028bd57d9288c20efbcb237f3ce0", - "branch": "master" - }, - { "importpath": "github.com/twtiger/gosecco", "repository": "https://github.com/twtiger/gosecco", "revision": "81110d334ed7a530d99ad620375855246f21d524", diff --git a/vendor/src/github.com/seccomp/libseccomp-golang/LICENSE b/vendor/src/github.com/seccomp/libseccomp-golang/LICENSE deleted file mode 100644 index 81cf60d..0000000 --- a/vendor/src/github.com/seccomp/libseccomp-golang/LICENSE +++ /dev/null @@ -1,22 +0,0 @@ -Copyright (c) 2015 Matthew Heon <mheon@redhat.com> -Copyright (c) 2015 Paul Moore <pmoore@redhat.com> -All rights reserved. - -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions are met: -- Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. -- Redistributions in binary form must reproduce the above copyright notice, - this list of conditions and the following disclaimer in the documentation - and/or other materials provided with the distribution. - -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND -ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED -WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE -FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER -CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, -OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. diff --git a/vendor/src/github.com/seccomp/libseccomp-golang/README b/vendor/src/github.com/seccomp/libseccomp-golang/README deleted file mode 100644 index 64cab69..0000000 --- a/vendor/src/github.com/seccomp/libseccomp-golang/README +++ /dev/null @@ -1,26 +0,0 @@ -libseccomp-golang: Go Language Bindings for the libseccomp Project -=============================================================================== -https://github.com/seccomp/libseccomp-golang -https://github.com/seccomp/libseccomp - -The libseccomp library provides an easy to use, platform independent, interface -to the Linux Kernel's syscall filtering mechanism. The libseccomp API is -designed to abstract away the underlying BPF based syscall filter language and -present a more conventional function-call based filtering interface that should -be familiar to, and easily adopted by, application developers. - -The libseccomp-golang library provides a Go based interface to the libseccomp -library. - -* Online Resources - -The library source repository currently lives on GitHub at the following URLs: - - -> https://github.com/seccomp/libseccomp-golang - -> https://github.com/seccomp/libseccomp - -The project mailing list is currently hosted on Google Groups at the URL below, -please note that a Google account is not required to subscribe to the mailing -list. - - -> https://groups.google.com/d/forum/libseccomp diff --git a/vendor/src/github.com/seccomp/libseccomp-golang/seccomp.go b/vendor/src/github.com/seccomp/libseccomp-golang/seccomp.go deleted file mode 100644 index b2c010f..0000000 --- a/vendor/src/github.com/seccomp/libseccomp-golang/seccomp.go +++ /dev/null @@ -1,857 +0,0 @@ -// +build linux - -// Public API specification for libseccomp Go bindings -// Contains public API for the bindings - -// Package seccomp provides bindings for libseccomp, a library wrapping the Linux -// seccomp syscall. Seccomp enables an application to restrict system call use -// for itself and its children. -package seccomp - -import ( - "fmt" - "os" - "runtime" - "strings" - "sync" - "syscall" - "unsafe" -) - -// C wrapping code - -// #cgo pkg-config: libseccomp -// #include <stdlib.h> -// #include <seccomp.h> -import "C" - -// Exported types - -// ScmpArch represents a CPU architecture. Seccomp can restrict syscalls on a -// per-architecture basis. -type ScmpArch uint - -// ScmpAction represents an action to be taken on a filter rule match in -// libseccomp -type ScmpAction uint - -// ScmpCompareOp represents a comparison operator which can be used in a filter -// rule -type ScmpCompareOp uint - -// ScmpCondition represents a rule in a libseccomp filter context -type ScmpCondition struct { - Argument uint `json:"argument,omitempty"` - Op ScmpCompareOp `json:"operator,omitempty"` - Operand1 uint64 `json:"operand_one,omitempty"` - Operand2 uint64 `json:"operand_two,omitempty"` -} - -// ScmpSyscall represents a Linux System Call -type ScmpSyscall int32 - -// Exported Constants - -const ( - // Valid architectures recognized by libseccomp - // ARM64 and all MIPS architectures are unsupported by versions of the - // library before v2.2 and will return errors if used - - // ArchInvalid is a placeholder to ensure uninitialized ScmpArch - // variables are invalid - ArchInvalid ScmpArch = iota - // ArchNative is the native architecture of the kernel - ArchNative ScmpArch = iota - // ArchX86 represents 32-bit x86 syscalls - ArchX86 ScmpArch = iota - // ArchAMD64 represents 64-bit x86-64 syscalls - ArchAMD64 ScmpArch = iota - // ArchX32 represents 64-bit x86-64 syscalls (32-bit pointers) - ArchX32 ScmpArch = iota - // ArchARM represents 32-bit ARM syscalls - ArchARM ScmpArch = iota - // ArchARM64 represents 64-bit ARM syscalls - ArchARM64 ScmpArch = iota - // ArchMIPS represents 32-bit MIPS syscalls - ArchMIPS ScmpArch = iota - // ArchMIPS64 represents 64-bit MIPS syscalls - ArchMIPS64 ScmpArch = iota - // ArchMIPS64N32 represents 64-bit MIPS syscalls (32-bit pointers) - ArchMIPS64N32 ScmpArch = iota - // ArchMIPSEL represents 32-bit MIPS syscalls (little endian) - ArchMIPSEL ScmpArch = iota - // ArchMIPSEL64 represents 64-bit MIPS syscalls (little endian) - ArchMIPSEL64 ScmpArch = iota - // ArchMIPSEL64N32 represents 64-bit MIPS syscalls (little endian, - // 32-bit pointers) - ArchMIPSEL64N32 ScmpArch = iota - // ArchPPC represents 32-bit POWERPC syscalls - ArchPPC ScmpArch = iota - // ArchPPC64 represents 64-bit POWER syscalls (big endian) - ArchPPC64 ScmpArch = iota - // ArchPPC64LE represents 64-bit POWER syscalls (little endian) - ArchPPC64LE ScmpArch = iota - // ArchS390 represents 31-bit System z/390 syscalls - ArchS390 ScmpArch = iota - // ArchS390X represents 64-bit System z/390 syscalls - ArchS390X ScmpArch = iota -) - -const ( - // Supported actions on filter match - - // ActInvalid is a placeholder to ensure uninitialized ScmpAction - // variables are invalid - ActInvalid ScmpAction = iota - // ActKill kills the process - ActKill ScmpAction = iota - // ActTrap throws SIGSYS - ActTrap ScmpAction = iota - // ActErrno causes the syscall to return a negative error code. This - // code can be set with the SetReturnCode method - ActErrno ScmpAction = iota - // ActTrace causes the syscall to notify tracing processes with the - // given error code. This code can be set with the SetReturnCode method - ActTrace ScmpAction = iota - // ActAllow permits the syscall to continue execution - ActAllow ScmpAction = iota -) - -const ( - // These are comparison operators used in conditional seccomp rules - // They are used to compare the value of a single argument of a syscall - // against a user-defined constant - - // CompareInvalid is a placeholder to ensure uninitialized ScmpCompareOp - // variables are invalid - CompareInvalid ScmpCompareOp = iota - // CompareNotEqual returns true if the argument is not equal to the - // given value - CompareNotEqual ScmpCompareOp = iota - // CompareLess returns true if the argument is less than the given value - CompareLess ScmpCompareOp = iota - // CompareLessOrEqual returns true if the argument is less than or equal - // to the given value - CompareLessOrEqual ScmpCompareOp = iota - // CompareEqual returns true if the argument is equal to the given value - CompareEqual ScmpCompareOp = iota - // CompareGreaterEqual returns true if the argument is greater than or - // equal to the given value - CompareGreaterEqual ScmpCompareOp = iota - // CompareGreater returns true if the argument is greater than the given - // value - CompareGreater ScmpCompareOp = iota - // CompareMaskedEqual returns true if the argument is equal to the given - // value, when masked (bitwise &) against the second given value - CompareMaskedEqual ScmpCompareOp = iota -) - -// Helpers for types - -// GetArchFromString returns an ScmpArch constant from a string representing an -// architecture -func GetArchFromString(arch string) (ScmpArch, error) { - switch strings.ToLower(arch) { - case "x86": - return ArchX86, nil - case "amd64", "x86-64", "x86_64", "x64": - return ArchAMD64, nil - case "x32": - return ArchX32, nil - case "arm": - return ArchARM, nil - case "arm64", "aarch64": - return ArchARM64, nil - case "mips": - return ArchMIPS, nil - case "mips64": - return ArchMIPS64, nil - case "mips64n32": - return ArchMIPS64N32, nil - case "mipsel": - return ArchMIPSEL, nil - case "mipsel64": - return ArchMIPSEL64, nil - case "mipsel64n32": - return ArchMIPSEL64N32, nil - case "ppc": - return ArchPPC, nil - case "ppc64": - return ArchPPC64, nil - case "ppc64le": - return ArchPPC64LE, nil - case "s390": - return ArchS390, nil - case "s390x": - return ArchS390X, nil - default: - return ArchInvalid, fmt.Errorf("cannot convert unrecognized string %s", arch) - } -} - -// String returns a string representation of an architecture constant -func (a ScmpArch) String() string { - switch a { - case ArchX86: - return "x86" - case ArchAMD64: - return "amd64" - case ArchX32: - return "x32" - case ArchARM: - return "arm" - case ArchARM64: - return "arm64" - case ArchMIPS: - return "mips" - case ArchMIPS64: - return "mips64" - case ArchMIPS64N32: - return "mips64n32" - case ArchMIPSEL: - return "mipsel" - case ArchMIPSEL64: - return "mipsel64" - case ArchMIPSEL64N32: - return "mipsel64n32" - case ArchPPC: - return "ppc" - case ArchPPC64: - return "ppc64" - case ArchPPC64LE: - return "ppc64le" - case ArchS390: - return "s390" - case ArchS390X: - return "s390x" - case ArchNative: - return "native" - case ArchInvalid: - return "Invalid architecture" - default: - return "Unknown architecture" - } -} - -// String returns a string representation of a comparison operator constant -func (a ScmpCompareOp) String() string { - switch a { - case CompareNotEqual: - return "Not equal" - case CompareLess: - return "Less than" - case CompareLessOrEqual: - return "Less than or equal to" - case CompareEqual: - return "Equal" - case CompareGreaterEqual: - return "Greater than or equal to" - case CompareGreater: - return "Greater than" - case CompareMaskedEqual: - return "Masked equality" - case CompareInvalid: - return "Invalid comparison operator" - default: - return "Unrecognized comparison operator" - } -} - -// String returns a string representation of a seccomp match action -func (a ScmpAction) String() string { - switch a & 0xFFFF { - case ActKill: - return "Action: Kill Process" - case ActTrap: - return "Action: Send SIGSYS" - case ActErrno: - return fmt.Sprintf("Action: Return error code %d", (a >> 16)) - case ActTrace: - return fmt.Sprintf("Action: Notify tracing processes with code %d", - (a >> 16)) - case ActAllow: - return "Action: Allow system call" - default: - return "Unrecognized Action" - } -} - -// SetReturnCode adds a return code to a supporting ScmpAction, clearing any -// existing code Only valid on ActErrno and ActTrace. Takes no action otherwise. -// Accepts 16-bit return code as argument. -// Returns a valid ScmpAction of the original type with the new error code set. -func (a ScmpAction) SetReturnCode(code int16) ScmpAction { - aTmp := a & 0x0000FFFF - if aTmp == ActErrno || aTmp == ActTrace { - return (aTmp | (ScmpAction(code)&0xFFFF)<<16) - } - return a -} - -// GetReturnCode returns the return code of an ScmpAction -func (a ScmpAction) GetReturnCode() int16 { - return int16(a >> 16) -} - -// General utility functions - -// GetLibraryVersion returns the version of the library the bindings are built -// against. -// The version is formatted as follows: Major.Minor.Micro -func GetLibraryVersion() (major, minor, micro int) { - return verMajor, verMinor, verMicro -} - -// Syscall functions - -// GetName retrieves the name of a syscall from its number. -// Acts on any syscall number. -// Returns either a string containing the name of the syscall, or an error. -func (s ScmpSyscall) GetName() (string, error) { - return s.GetNameByArch(ArchNative) -} - -// GetNameByArch retrieves the name of a syscall from its number for a given -// architecture. -// Acts on any syscall number. -// Accepts a valid architecture constant. -// Returns either a string containing the name of the syscall, or an error. -// if the syscall is unrecognized or an issue occurred. -func (s ScmpSyscall) GetNameByArch(arch ScmpArch) (string, error) { - if err := sanitizeArch(arch); err != nil { - return "", err - } - - cString := C.seccomp_syscall_resolve_num_arch(arch.toNative(), C.int(s)) - if cString == nil { - return "", fmt.Errorf("could not resolve syscall name") - } - defer C.free(unsafe.Pointer(cString)) - - finalStr := C.GoString(cString) - return finalStr, nil -} - -// GetSyscallFromName returns the number of a syscall by name on the kernel's -// native architecture. -// Accepts a string containing the name of a syscall. -// Returns the number of the syscall, or an error if no syscall with that name -// was found. -func GetSyscallFromName(name string) (ScmpSyscall, error) { - cString := C.CString(name) - defer C.free(unsafe.Pointer(cString)) - - result := C.seccomp_syscall_resolve_name(cString) - if result == scmpError { - return 0, fmt.Errorf("could not resolve name to syscall") - } - - return ScmpSyscall(result), nil -} - -// GetSyscallFromNameByArch returns the number of a syscall by name for a given -// architecture's ABI. -// Accepts the name of a syscall and an architecture constant. -// Returns the number of the syscall, or an error if an invalid architecture is -// passed or a syscall with that name was not found. -func GetSyscallFromNameByArch(name string, arch ScmpArch) (ScmpSyscall, error) { - if err := sanitizeArch(arch); err != nil { - return 0, err - } - - cString := C.CString(name) - defer C.free(unsafe.Pointer(cString)) - - result := C.seccomp_syscall_resolve_name_arch(arch.toNative(), cString) - if result == scmpError { - return 0, fmt.Errorf("could not resolve name to syscall") - } - - return ScmpSyscall(result), nil -} - -// MakeCondition creates and returns a new condition to attach to a filter rule. -// Associated rules will only match if this condition is true. -// Accepts the number the argument we are checking, and a comparison operator -// and value to compare to. -// The rule will match if argument $arg (zero-indexed) of the syscall is -// $COMPARE_OP the provided comparison value. -// Some comparison operators accept two values. Masked equals, for example, -// will mask $arg of the syscall with the second value provided (via bitwise -// AND) and then compare against the first value provided. -// For example, in the less than or equal case, if the syscall argument was -// 0 and the value provided was 1, the condition would match, as 0 is less -// than or equal to 1. -// Return either an error on bad argument or a valid ScmpCondition struct. -func MakeCondition(arg uint, comparison ScmpCompareOp, values ...uint64) (ScmpCondition, error) { - var condStruct ScmpCondition - - if comparison == CompareInvalid { - return condStruct, fmt.Errorf("invalid comparison operator") - } else if arg > 5 { - return condStruct, fmt.Errorf("syscalls only have up to 6 arguments") - } else if len(values) > 2 { - return condStruct, fmt.Errorf("conditions can have at most 2 arguments") - } else if len(values) == 0 { - return condStruct, fmt.Errorf("must provide at least one value to compare against") - } - - condStruct.Argument = arg - condStruct.Op = comparison - condStruct.Operand1 = values[0] - if len(values) == 2 { - condStruct.Operand2 = values[1] - } else { - condStruct.Operand2 = 0 // Unused - } - - return condStruct, nil -} - -// Utility Functions - -// GetNativeArch returns architecture token representing the native kernel -// architecture -func GetNativeArch() (ScmpArch, error) { - arch := C.seccomp_arch_native() - - return archFromNative(arch) -} - -// Public Filter API - -// ScmpFilter represents a filter context in libseccomp. -// A filter context is initially empty. Rules can be added to it, and it can -// then be loaded into the kernel. -type ScmpFilter struct { - filterCtx C.scmp_filter_ctx - valid bool - lock sync.Mutex -} - -// NewFilter creates and returns a new filter context. -// Accepts a default action to be taken for syscalls which match no rules in -// the filter. -// Returns a reference to a valid filter context, or nil and an error if the -// filter context could not be created or an invalid default action was given. -func NewFilter(defaultAction ScmpAction) (*ScmpFilter, error) { - if err := sanitizeAction(defaultAction); err != nil { - return nil, err - } - - fPtr := C.seccomp_init(defaultAction.toNative()) - if fPtr == nil { - return nil, fmt.Errorf("could not create filter") - } - - filter := new(ScmpFilter) - filter.filterCtx = fPtr - filter.valid = true - runtime.SetFinalizer(filter, filterFinalizer) - - return filter, nil -} - -// IsValid determines whether a filter context is valid to use. -// Some operations (Release and Merge) render filter contexts invalid and -// consequently prevent further use. -func (f *ScmpFilter) IsValid() bool { - f.lock.Lock() - defer f.lock.Unlock() - - return f.valid -} - -// Reset resets a filter context, removing all its existing state. -// Accepts a new default action to be taken for syscalls which do not match. -// Returns an error if the filter or action provided are invalid. -func (f *ScmpFilter) Reset(defaultAction ScmpAction) error { - f.lock.Lock() - defer f.lock.Unlock() - - if err := sanitizeAction(defaultAction); err != nil { - return err - } else if !f.valid { - return errBadFilter - } - - retCode := C.seccomp_reset(f.filterCtx, defaultAction.toNative()) - if retCode != 0 { - return syscall.Errno(-1 * retCode) - } - - return nil -} - -// Release releases a filter context, freeing its memory. Should be called after -// loading into the kernel, when the filter is no longer needed. -// After calling this function, the given filter is no longer valid and cannot -// be used. -// Release() will be invoked automatically when a filter context is garbage -// collected, but can also be called manually to free memory. -func (f *ScmpFilter) Release() { - f.lock.Lock() - defer f.lock.Unlock() - - if !f.valid { - return - } - - f.valid = false - C.seccomp_release(f.filterCtx) -} - -// Merge merges two filter contexts. -// The source filter src will be released as part of the process, and will no -// longer be usable or valid after this call. -// To be merged, filters must NOT share any architectures, and all their -// attributes (Default Action, Bad Arch Action, No New Privs and TSync bools) -// must match. -// The filter src will be merged into the filter this is called on. -// The architectures of the src filter not present in the destination, and all -// associated rules, will be added to the destination. -// Returns an error if merging the filters failed. -func (f *ScmpFilter) Merge(src *ScmpFilter) error { - f.lock.Lock() - defer f.lock.Unlock() - - src.lock.Lock() - defer src.lock.Unlock() - - if !src.valid || !f.valid { - return fmt.Errorf("one or more of the filter contexts is invalid or uninitialized") - } - - // Merge the filters - retCode := C.seccomp_merge(f.filterCtx, src.filterCtx) - if syscall.Errno(-1*retCode) == syscall.EINVAL { - return fmt.Errorf("filters could not be merged due to a mismatch in attributes or invalid filter") - } else if retCode != 0 { - return syscall.Errno(-1 * retCode) - } - - src.valid = false - - return nil -} - -// IsArchPresent checks if an architecture is present in a filter. -// If a filter contains an architecture, it uses its default action for -// syscalls which do not match rules in it, and its rules can match syscalls -// for that ABI. -// If a filter does not contain an architecture, all syscalls made to that -// kernel ABI will fail with the filter's default Bad Architecture Action -// (by default, killing the process). -// Accepts an architecture constant. -// Returns true if the architecture is present in the filter, false otherwise, -// and an error on an invalid filter context, architecture constant, or an -// issue with the call to libseccomp. -func (f *ScmpFilter) IsArchPresent(arch ScmpArch) (bool, error) { - f.lock.Lock() - defer f.lock.Unlock() - - if err := sanitizeArch(arch); err != nil { - return false, err - } else if !f.valid { - return false, errBadFilter - } - - retCode := C.seccomp_arch_exist(f.filterCtx, arch.toNative()) - if syscall.Errno(-1*retCode) == syscall.EEXIST { - // -EEXIST is "arch not present" - return false, nil - } else if retCode != 0 { - return false, syscall.Errno(-1 * retCode) - } - - return true, nil -} - -// AddArch adds an architecture to the filter. -// Accepts an architecture constant. -// Returns an error on invalid filter context or architecture token, or an -// issue with the call to libseccomp. -func (f *ScmpFilter) AddArch(arch ScmpArch) error { - f.lock.Lock() - defer f.lock.Unlock() - - if err := sanitizeArch(arch); err != nil { - return err - } else if !f.valid { - return errBadFilter - } - - // Libseccomp returns -EEXIST if the specified architecture is already - // present. Succeed silently in this case, as it's not fatal, and the - // architecture is present already. - retCode := C.seccomp_arch_add(f.filterCtx, arch.toNative()) - if retCode != 0 && syscall.Errno(-1*retCode) != syscall.EEXIST { - return syscall.Errno(-1 * retCode) - } - - return nil -} - -// RemoveArch removes an architecture from the filter. -// Accepts an architecture constant. -// Returns an error on invalid filter context or architecture token, or an -// issue with the call to libseccomp. -func (f *ScmpFilter) RemoveArch(arch ScmpArch) error { - f.lock.Lock() - defer f.lock.Unlock() - - if err := sanitizeArch(arch); err != nil { - return err - } else if !f.valid { - return errBadFilter - } - - // Similar to AddArch, -EEXIST is returned if the arch is not present - // Succeed silently in that case, this is not fatal and the architecture - // is not present in the filter after RemoveArch - retCode := C.seccomp_arch_remove(f.filterCtx, arch.toNative()) - if retCode != 0 && syscall.Errno(-1*retCode) != syscall.EEXIST { - return syscall.Errno(-1 * retCode) - } - - return nil -} - -// Load loads a filter context into the kernel. -// Returns an error if the filter context is invalid or the syscall failed. -func (f *ScmpFilter) Load() error { - f.lock.Lock() - defer f.lock.Unlock() - - if !f.valid { - return errBadFilter - } - - if retCode := C.seccomp_load(f.filterCtx); retCode != 0 { - return syscall.Errno(-1 * retCode) - } - - return nil -} - -// GetDefaultAction returns the default action taken on a syscall which does not -// match a rule in the filter, or an error if an issue was encountered -// retrieving the value. -func (f *ScmpFilter) GetDefaultAction() (ScmpAction, error) { - action, err := f.getFilterAttr(filterAttrActDefault) - if err != nil { - return 0x0, err - } - - return actionFromNative(action) -} - -// GetBadArchAction returns the default action taken on a syscall for an -// architecture not in the filter, or an error if an issue was encountered -// retrieving the value. -func (f *ScmpFilter) GetBadArchAction() (ScmpAction, error) { - action, err := f.getFilterAttr(filterAttrActBadArch) - if err != nil { - return 0x0, err - } - - return actionFromNative(action) -} - -// GetNoNewPrivsBit returns the current state the No New Privileges bit will be set -// to on the filter being loaded, or an error if an issue was encountered -// retrieving the value. -// The No New Privileges bit tells the kernel that new processes run with exec() -// cannot gain more privileges than the process that ran exec(). -// For example, a process with No New Privileges set would be unable to exec -// setuid/setgid executables. -func (f *ScmpFilter) GetNoNewPrivsBit() (bool, error) { - noNewPrivs, err := f.getFilterAttr(filterAttrNNP) - if err != nil { - return false, err - } - - if noNewPrivs == 0 { - return false, nil - } - - return true, nil -} - -// GetTsyncBit returns whether Thread Synchronization will be enabled on the -// filter being loaded, or an error if an issue was encountered retrieving the -// value. -// Thread Sync ensures that all members of the thread group of the calling -// process will share the same Seccomp filter set. -// Tsync is a fairly recent addition to the Linux kernel and older kernels -// lack support. If the running kernel does not support Tsync and it is -// requested in a filter, Libseccomp will not enable TSync support and will -// proceed as normal. -// This function is unavailable before v2.2 of libseccomp and will return an -// error. -func (f *ScmpFilter) GetTsyncBit() (bool, error) { - tSync, err := f.getFilterAttr(filterAttrTsync) - if err != nil { - return false, err - } - - if tSync == 0 { - return false, nil - } - - return true, nil -} - -// SetBadArchAction sets the default action taken on a syscall for an -// architecture not in the filter, or an error if an issue was encountered -// setting the value. -func (f *ScmpFilter) SetBadArchAction(action ScmpAction) error { - if err := sanitizeAction(action); err != nil { - return err - } - - return f.setFilterAttr(filterAttrActBadArch, action.toNative()) -} - -// SetNoNewPrivsBit sets the state of the No New Privileges bit, which will be -// applied on filter load, or an error if an issue was encountered setting the -// value. -// Filters with No New Privileges set to 0 can only be loaded if the process -// has the CAP_SYS_ADMIN capability. -func (f *ScmpFilter) SetNoNewPrivsBit(state bool) error { - var toSet C.uint32_t = 0x0 - - if state { - toSet = 0x1 - } - - return f.setFilterAttr(filterAttrNNP, toSet) -} - -// SetTsync sets whether Thread Synchronization will be enabled on the filter -// being loaded. Returns an error if setting Tsync failed, or the filter is -// invalid. -// Thread Sync ensures that all members of the thread group of the calling -// process will share the same Seccomp filter set. -// Tsync is a fairly recent addition to the Linux kernel and older kernels -// lack support. If the running kernel does not support Tsync and it is -// requested in a filter, Libseccomp will not enable TSync support and will -// proceed as normal. -// This function is unavailable before v2.2 of libseccomp and will return an -// error. -func (f *ScmpFilter) SetTsync(enable bool) error { - var toSet C.uint32_t = 0x0 - - if enable { - toSet = 0x1 - } - - return f.setFilterAttr(filterAttrTsync, toSet) -} - -// SetSyscallPriority sets a syscall's priority. -// This provides a hint to the filter generator in libseccomp about the -// importance of this syscall. High-priority syscalls are placed -// first in the filter code, and incur less overhead (at the expense of -// lower-priority syscalls). -func (f *ScmpFilter) SetSyscallPriority(call ScmpSyscall, priority uint8) error { - f.lock.Lock() - defer f.lock.Unlock() - - if !f.valid { - return errBadFilter - } - - if retCode := C.seccomp_syscall_priority(f.filterCtx, C.int(call), - C.uint8_t(priority)); retCode != 0 { - return syscall.Errno(-1 * retCode) - } - - return nil -} - -// AddRule adds a single rule for an unconditional action on a syscall. -// Accepts the number of the syscall and the action to be taken on the call -// being made. -// Returns an error if an issue was encountered adding the rule. -func (f *ScmpFilter) AddRule(call ScmpSyscall, action ScmpAction) error { - return f.addRuleGeneric(call, action, false, nil) -} - -// AddRuleExact adds a single rule for an unconditional action on a syscall. -// Accepts the number of the syscall and the action to be taken on the call -// being made. -// No modifications will be made to the rule, and it will fail to add if it -// cannot be applied to the current architecture without modification. -// The rule will function exactly as described, but it may not function identically -// (or be able to be applied to) all architectures. -// Returns an error if an issue was encountered adding the rule. -func (f *ScmpFilter) AddRuleExact(call ScmpSyscall, action ScmpAction) error { - return f.addRuleGeneric(call, action, true, nil) -} - -// AddRuleConditional adds a single rule for a conditional action on a syscall. -// Returns an error if an issue was encountered adding the rule. -// All conditions must match for the rule to match. -// There is a bug in library versions below v2.2.1 which can, in some cases, -// cause conditions to be lost when more than one are used. Consequently, -// AddRuleConditional is disabled on library versions lower than v2.2.1 -func (f *ScmpFilter) AddRuleConditional(call ScmpSyscall, action ScmpAction, conds []ScmpCondition) error { - return f.addRuleGeneric(call, action, false, conds) -} - -// AddRuleConditionalExact adds a single rule for a conditional action on a -// syscall. -// No modifications will be made to the rule, and it will fail to add if it -// cannot be applied to the current architecture without modification. -// The rule will function exactly as described, but it may not function identically -// (or be able to be applied to) all architectures. -// Returns an error if an issue was encountered adding the rule. -// There is a bug in library versions below v2.2.1 which can, in some cases, -// cause conditions to be lost when more than one are used. Consequently, -// AddRuleConditionalExact is disabled on library versions lower than v2.2.1 -func (f *ScmpFilter) AddRuleConditionalExact(call ScmpSyscall, action ScmpAction, conds []ScmpCondition) error { - return f.addRuleGeneric(call, action, true, conds) -} - -// ExportPFC output PFC-formatted, human-readable dump of a filter context's -// rules to a file. -// Accepts file to write to (must be open for writing). -// Returns an error if writing to the file fails. -func (f *ScmpFilter) ExportPFC(file *os.File) error { - f.lock.Lock() - defer f.lock.Unlock() - - fd := file.Fd() - - if !f.valid { - return errBadFilter - } - - if retCode := C.seccomp_export_pfc(f.filterCtx, C.int(fd)); retCode != 0 { - return syscall.Errno(-1 * retCode) - } - - return nil -} - -// ExportBPF outputs Berkeley Packet Filter-formatted, kernel-readable dump of a -// filter context's rules to a file. -// Accepts file to write to (must be open for writing). -// Returns an error if writing to the file fails. -func (f *ScmpFilter) ExportBPF(file *os.File) error { - f.lock.Lock() - defer f.lock.Unlock() - - fd := file.Fd() - - if !f.valid { - return errBadFilter - } - - if retCode := C.seccomp_export_bpf(f.filterCtx, C.int(fd)); retCode != 0 { - return syscall.Errno(-1 * retCode) - } - - return nil -} diff --git a/vendor/src/github.com/seccomp/libseccomp-golang/seccomp_internal.go b/vendor/src/github.com/seccomp/libseccomp-golang/seccomp_internal.go deleted file mode 100644 index ab67a3d..0000000 --- a/vendor/src/github.com/seccomp/libseccomp-golang/seccomp_internal.go +++ /dev/null @@ -1,506 +0,0 @@ -// +build linux - -// Internal functions for libseccomp Go bindings -// No exported functions - -package seccomp - -import ( - "fmt" - "os" - "syscall" -) - -// Unexported C wrapping code - provides the C-Golang interface -// Get the seccomp header in scope -// Need stdlib.h for free() on cstrings - -// #cgo pkg-config: libseccomp -/* -#include <stdlib.h> -#include <seccomp.h> - -#if SCMP_VER_MAJOR < 2 -#error Minimum supported version of Libseccomp is v2.1.0 -#elif SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR < 1 -#error Minimum supported version of Libseccomp is v2.1.0 -#endif - -#define ARCH_BAD ~0 - -const uint32_t C_ARCH_BAD = ARCH_BAD; - -#ifndef SCMP_ARCH_AARCH64 -#define SCMP_ARCH_AARCH64 ARCH_BAD -#endif - -#ifndef SCMP_ARCH_MIPS -#define SCMP_ARCH_MIPS ARCH_BAD -#endif - -#ifndef SCMP_ARCH_MIPS64 -#define SCMP_ARCH_MIPS64 ARCH_BAD -#endif - -#ifndef SCMP_ARCH_MIPS64N32 -#define SCMP_ARCH_MIPS64N32 ARCH_BAD -#endif - -#ifndef SCMP_ARCH_MIPSEL -#define SCMP_ARCH_MIPSEL ARCH_BAD -#endif - -#ifndef SCMP_ARCH_MIPSEL64 -#define SCMP_ARCH_MIPSEL64 ARCH_BAD -#endif - -#ifndef SCMP_ARCH_MIPSEL64N32 -#define SCMP_ARCH_MIPSEL64N32 ARCH_BAD -#endif - -#ifndef SCMP_ARCH_PPC -#define SCMP_ARCH_PPC ARCH_BAD -#endif - -#ifndef SCMP_ARCH_PPC64 -#define SCMP_ARCH_PPC64 ARCH_BAD -#endif - -#ifndef SCMP_ARCH_PPC64LE -#define SCMP_ARCH_PPC64LE ARCH_BAD -#endif - -#ifndef SCMP_ARCH_S390 -#define SCMP_ARCH_S390 ARCH_BAD -#endif - -#ifndef SCMP_ARCH_S390X -#define SCMP_ARCH_S390X ARCH_BAD -#endif - -const uint32_t C_ARCH_NATIVE = SCMP_ARCH_NATIVE; -const uint32_t C_ARCH_X86 = SCMP_ARCH_X86; -const uint32_t C_ARCH_X86_64 = SCMP_ARCH_X86_64; -const uint32_t C_ARCH_X32 = SCMP_ARCH_X32; -const uint32_t C_ARCH_ARM = SCMP_ARCH_ARM; -const uint32_t C_ARCH_AARCH64 = SCMP_ARCH_AARCH64; -const uint32_t C_ARCH_MIPS = SCMP_ARCH_MIPS; -const uint32_t C_ARCH_MIPS64 = SCMP_ARCH_MIPS64; -const uint32_t C_ARCH_MIPS64N32 = SCMP_ARCH_MIPS64N32; -const uint32_t C_ARCH_MIPSEL = SCMP_ARCH_MIPSEL; -const uint32_t C_ARCH_MIPSEL64 = SCMP_ARCH_MIPSEL64; -const uint32_t C_ARCH_MIPSEL64N32 = SCMP_ARCH_MIPSEL64N32; -const uint32_t C_ARCH_PPC = SCMP_ARCH_PPC; -const uint32_t C_ARCH_PPC64 = SCMP_ARCH_PPC64; -const uint32_t C_ARCH_PPC64LE = SCMP_ARCH_PPC64LE; -const uint32_t C_ARCH_S390 = SCMP_ARCH_S390; -const uint32_t C_ARCH_S390X = SCMP_ARCH_S390X; - -const uint32_t C_ACT_KILL = SCMP_ACT_KILL; -const uint32_t C_ACT_TRAP = SCMP_ACT_TRAP; -const uint32_t C_ACT_ERRNO = SCMP_ACT_ERRNO(0); -const uint32_t C_ACT_TRACE = SCMP_ACT_TRACE(0); -const uint32_t C_ACT_ALLOW = SCMP_ACT_ALLOW; - -// If TSync is not supported, make sure it doesn't map to a supported filter attribute -// Don't worry about major version < 2, the minimum version checks should catch that case -#if SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR < 2 -#define SCMP_FLTATR_CTL_TSYNC _SCMP_CMP_MIN -#endif - -const uint32_t C_ATTRIBUTE_DEFAULT = (uint32_t)SCMP_FLTATR_ACT_DEFAULT; -const uint32_t C_ATTRIBUTE_BADARCH = (uint32_t)SCMP_FLTATR_ACT_BADARCH; -const uint32_t C_ATTRIBUTE_NNP = (uint32_t)SCMP_FLTATR_CTL_NNP; -const uint32_t C_ATTRIBUTE_TSYNC = (uint32_t)SCMP_FLTATR_CTL_TSYNC; - -const int C_CMP_NE = (int)SCMP_CMP_NE; -const int C_CMP_LT = (int)SCMP_CMP_LT; -const int C_CMP_LE = (int)SCMP_CMP_LE; -const int C_CMP_EQ = (int)SCMP_CMP_EQ; -const int C_CMP_GE = (int)SCMP_CMP_GE; -const int C_CMP_GT = (int)SCMP_CMP_GT; -const int C_CMP_MASKED_EQ = (int)SCMP_CMP_MASKED_EQ; - -const int C_VERSION_MAJOR = SCMP_VER_MAJOR; -const int C_VERSION_MINOR = SCMP_VER_MINOR; -const int C_VERSION_MICRO = SCMP_VER_MICRO; - -typedef struct scmp_arg_cmp* scmp_cast_t; - -// Wrapper to create an scmp_arg_cmp struct -void* -make_struct_arg_cmp( - unsigned int arg, - int compare, - uint64_t a, - uint64_t b - ) -{ - struct scmp_arg_cmp *s = malloc(sizeof(struct scmp_arg_cmp)); - - s->arg = arg; - s->op = compare; - s->datum_a = a; - s->datum_b = b; - - return s; -} -*/ -import "C" - -// Nonexported types -type scmpFilterAttr uint32 - -// Nonexported constants - -const ( - filterAttrActDefault scmpFilterAttr = iota - filterAttrActBadArch scmpFilterAttr = iota - filterAttrNNP scmpFilterAttr = iota - filterAttrTsync scmpFilterAttr = iota -) - -const ( - // An error return from certain libseccomp functions - scmpError C.int = -1 - // Comparison boundaries to check for architecture validity - archStart ScmpArch = ArchNative - archEnd ScmpArch = ArchS390X - // Comparison boundaries to check for action validity - actionStart ScmpAction = ActKill - actionEnd ScmpAction = ActAllow - // Comparison boundaries to check for comparison operator validity - compareOpStart ScmpCompareOp = CompareNotEqual - compareOpEnd ScmpCompareOp = CompareMaskedEqual -) - -var ( - // Error thrown on bad filter context - errBadFilter = fmt.Errorf("filter is invalid or uninitialized") - // Constants representing library major, minor, and micro versions - verMajor = int(C.C_VERSION_MAJOR) - verMinor = int(C.C_VERSION_MINOR) - verMicro = int(C.C_VERSION_MICRO) -) - -// Nonexported functions - -// Check if library version is greater than or equal to the given one -func checkVersionAbove(major, minor, micro int) bool { - return (verMajor > major) || - (verMajor == major && verMinor > minor) || - (verMajor == major && verMinor == minor && verMicro >= micro) -} - -// Init function: Verify library version is appropriate -func init() { - if !checkVersionAbove(2, 1, 0) { - fmt.Fprintf(os.Stderr, "Libseccomp version too low: minimum supported is 2.1.0, detected %d.%d.%d", C.C_VERSION_MAJOR, C.C_VERSION_MINOR, C.C_VERSION_MICRO) - os.Exit(-1) - } -} - -// Filter helpers - -// Filter finalizer - ensure that kernel context for filters is freed -func filterFinalizer(f *ScmpFilter) { - f.Release() -} - -// Get a raw filter attribute -func (f *ScmpFilter) getFilterAttr(attr scmpFilterAttr) (C.uint32_t, error) { - f.lock.Lock() - defer f.lock.Unlock() - - if !f.valid { - return 0x0, errBadFilter - } - - if !checkVersionAbove(2, 2, 0) && attr == filterAttrTsync { - return 0x0, fmt.Errorf("the thread synchronization attribute is not supported in this version of the library") - } - - var attribute C.uint32_t - - retCode := C.seccomp_attr_get(f.filterCtx, attr.toNative(), &attribute) - if retCode != 0 { - return 0x0, syscall.Errno(-1 * retCode) - } - - return attribute, nil -} - -// Set a raw filter attribute -func (f *ScmpFilter) setFilterAttr(attr scmpFilterAttr, value C.uint32_t) error { - f.lock.Lock() - defer f.lock.Unlock() - - if !f.valid { - return errBadFilter - } - - if !checkVersionAbove(2, 2, 0) && attr == filterAttrTsync { - return fmt.Errorf("the thread synchronization attribute is not supported in this version of the library") - } - - retCode := C.seccomp_attr_set(f.filterCtx, attr.toNative(), value) - if retCode != 0 { - return syscall.Errno(-1 * retCode) - } - - return nil -} - -// DOES NOT LOCK OR CHECK VALIDITY -// Assumes caller has already done this -// Wrapper for seccomp_rule_add_... functions -func (f *ScmpFilter) addRuleWrapper(call ScmpSyscall, action ScmpAction, exact bool, cond C.scmp_cast_t) error { - var length C.uint - if cond != nil { - length = 1 - } else { - length = 0 - } - - var retCode C.int - if exact { - retCode = C.seccomp_rule_add_exact_array(f.filterCtx, action.toNative(), C.int(call), length, cond) - } else { - retCode = C.seccomp_rule_add_array(f.filterCtx, action.toNative(), C.int(call), length, cond) - } - - if syscall.Errno(-1*retCode) == syscall.EFAULT { - return fmt.Errorf("unrecognized syscall") - } else if syscall.Errno(-1*retCode) == syscall.EPERM { - return fmt.Errorf("requested action matches default action of filter") - } else if retCode != 0 { - return syscall.Errno(-1 * retCode) - } - - return nil -} - -// Generic add function for filter rules -func (f *ScmpFilter) addRuleGeneric(call ScmpSyscall, action ScmpAction, exact bool, conds []ScmpCondition) error { - f.lock.Lock() - defer f.lock.Unlock() - - if !f.valid { - return errBadFilter - } - - if len(conds) == 0 { - if err := f.addRuleWrapper(call, action, exact, nil); err != nil { - return err - } - } else { - // We don't support conditional filtering in library version v2.1 - if !checkVersionAbove(2, 2, 1) { - return fmt.Errorf("conditional filtering requires libseccomp version >= 2.2.1") - } - - for _, cond := range conds { - cmpStruct := C.make_struct_arg_cmp(C.uint(cond.Argument), cond.Op.toNative(), C.uint64_t(cond.Operand1), C.uint64_t(cond.Operand2)) - defer C.free(cmpStruct) - - if err := f.addRuleWrapper(call, action, exact, C.scmp_cast_t(cmpStruct)); err != nil { - return err - } - } - } - - return nil -} - -// Generic Helpers - -// Helper - Sanitize Arch token input -func sanitizeArch(in ScmpArch) error { - if in < archStart || in > archEnd { - return fmt.Errorf("unrecognized architecture") - } - - if in.toNative() == C.C_ARCH_BAD { - return fmt.Errorf("architecture is not supported on this version of the library") - } - - return nil -} - -func sanitizeAction(in ScmpAction) error { - inTmp := in & 0x0000FFFF - if inTmp < actionStart || inTmp > actionEnd { - return fmt.Errorf("unrecognized action") - } - - if inTmp != ActTrace && inTmp != ActErrno && (in&0xFFFF0000) != 0 { - return fmt.Errorf("highest 16 bits must be zeroed except for Trace and Errno") - } - - return nil -} - -func sanitizeCompareOp(in ScmpCompareOp) error { - if in < compareOpStart || in > compareOpEnd { - return fmt.Errorf("unrecognized comparison operator") - } - - return nil -} - -func archFromNative(a C.uint32_t) (ScmpArch, error) { - switch a { - case C.C_ARCH_X86: - return ArchX86, nil - case C.C_ARCH_X86_64: - return ArchAMD64, nil - case C.C_ARCH_X32: - return ArchX32, nil - case C.C_ARCH_ARM: - return ArchARM, nil - case C.C_ARCH_NATIVE: - return ArchNative, nil - case C.C_ARCH_AARCH64: - return ArchARM64, nil - case C.C_ARCH_MIPS: - return ArchMIPS, nil - case C.C_ARCH_MIPS64: - return ArchMIPS64, nil - case C.C_ARCH_MIPS64N32: - return ArchMIPS64N32, nil - case C.C_ARCH_MIPSEL: - return ArchMIPSEL, nil - case C.C_ARCH_MIPSEL64: - return ArchMIPSEL64, nil - case C.C_ARCH_MIPSEL64N32: - return ArchMIPSEL64N32, nil - case C.C_ARCH_PPC: - return ArchPPC, nil - case C.C_ARCH_PPC64: - return ArchPPC64, nil - case C.C_ARCH_PPC64LE: - return ArchPPC64LE, nil - case C.C_ARCH_S390: - return ArchS390, nil - case C.C_ARCH_S390X: - return ArchS390X, nil - default: - return 0x0, fmt.Errorf("unrecognized architecture") - } -} - -// Only use with sanitized arches, no error handling -func (a ScmpArch) toNative() C.uint32_t { - switch a { - case ArchX86: - return C.C_ARCH_X86 - case ArchAMD64: - return C.C_ARCH_X86_64 - case ArchX32: - return C.C_ARCH_X32 - case ArchARM: - return C.C_ARCH_ARM - case ArchARM64: - return C.C_ARCH_AARCH64 - case ArchMIPS: - return C.C_ARCH_MIPS - case ArchMIPS64: - return C.C_ARCH_MIPS64 - case ArchMIPS64N32: - return C.C_ARCH_MIPS64N32 - case ArchMIPSEL: - return C.C_ARCH_MIPSEL - case ArchMIPSEL64: - return C.C_ARCH_MIPSEL64 - case ArchMIPSEL64N32: - return C.C_ARCH_MIPSEL64N32 - case ArchPPC: - return C.C_ARCH_PPC - case ArchPPC64: - return C.C_ARCH_PPC64 - case ArchPPC64LE: - return C.C_ARCH_PPC64LE - case ArchS390: - return C.C_ARCH_S390 - case ArchS390X: - return C.C_ARCH_S390X - case ArchNative: - return C.C_ARCH_NATIVE - default: - return 0x0 - } -} - -// Only use with sanitized ops, no error handling -func (a ScmpCompareOp) toNative() C.int { - switch a { - case CompareNotEqual: - return C.C_CMP_NE - case CompareLess: - return C.C_CMP_LT - case CompareLessOrEqual: - return C.C_CMP_LE - case CompareEqual: - return C.C_CMP_EQ - case CompareGreaterEqual: - return C.C_CMP_GE - case CompareGreater: - return C.C_CMP_GT - case CompareMaskedEqual: - return C.C_CMP_MASKED_EQ - default: - return 0x0 - } -} - -func actionFromNative(a C.uint32_t) (ScmpAction, error) { - aTmp := a & 0xFFFF - switch a & 0xFFFF0000 { - case C.C_ACT_KILL: - return ActKill, nil - case C.C_ACT_TRAP: - return ActTrap, nil - case C.C_ACT_ERRNO: - return ActErrno.SetReturnCode(int16(aTmp)), nil - case C.C_ACT_TRACE: - return ActTrace.SetReturnCode(int16(aTmp)), nil - case C.C_ACT_ALLOW: - return ActAllow, nil - default: - return 0x0, fmt.Errorf("unrecognized action") - } -} - -// Only use with sanitized actions, no error handling -func (a ScmpAction) toNative() C.uint32_t { - switch a & 0xFFFF { - case ActKill: - return C.C_ACT_KILL - case ActTrap: - return C.C_ACT_TRAP - case ActErrno: - return C.C_ACT_ERRNO | (C.uint32_t(a) >> 16) - case ActTrace: - return C.C_ACT_TRACE | (C.uint32_t(a) >> 16) - case ActAllow: - return C.C_ACT_ALLOW - default: - return 0x0 - } -} - -// Internal only, assumes safe attribute -func (a scmpFilterAttr) toNative() uint32 { - switch a { - case filterAttrActDefault: - return uint32(C.C_ATTRIBUTE_DEFAULT) - case filterAttrActBadArch: - return uint32(C.C_ATTRIBUTE_BADARCH) - case filterAttrNNP: - return uint32(C.C_ATTRIBUTE_NNP) - case filterAttrTsync: - return uint32(C.C_ATTRIBUTE_TSYNC) - default: - return 0x0 - } -} diff --git a/vendor/src/github.com/seccomp/libseccomp-golang/seccomp_test.go b/vendor/src/github.com/seccomp/libseccomp-golang/seccomp_test.go deleted file mode 100644 index b3a49d2..0000000 --- a/vendor/src/github.com/seccomp/libseccomp-golang/seccomp_test.go +++ /dev/null @@ -1,457 +0,0 @@ -// +build linux - -// Tests for public API of libseccomp Go bindings - -package seccomp - -import ( - "fmt" - "syscall" - "testing" -) - -// Type Function Tests - -func TestActionSetReturnCode(t *testing.T) { - if ActInvalid.SetReturnCode(0x0010) != ActInvalid { - t.Errorf("Able to set a return code on invalid action!") - } - - codeSet := ActErrno.SetReturnCode(0x0001) - if codeSet == ActErrno || codeSet.GetReturnCode() != 0x0001 { - t.Errorf("Could not set return code on ActErrno") - } -} - -func TestSyscallGetName(t *testing.T) { - call1 := ScmpSyscall(0x1) - callFail := ScmpSyscall(0x999) - - name, err := call1.GetName() - if err != nil { - t.Errorf("Error getting syscall name for number 0x1") - } else if len(name) == 0 { - t.Errorf("Empty name returned for syscall 0x1") - } - fmt.Printf("Got name of syscall 0x1 on native arch as %s\n", name) - - _, err = callFail.GetName() - if err == nil { - t.Errorf("Getting nonexistant syscall should error!") - } -} - -func TestSyscallGetNameByArch(t *testing.T) { - call1 := ScmpSyscall(0x1) - callInvalid := ScmpSyscall(0x999) - archGood := ArchAMD64 - archBad := ArchInvalid - - name, err := call1.GetNameByArch(archGood) - if err != nil { - t.Errorf("Error getting syscall name for number 0x1 and arch AMD64") - } else if name != "write" { - t.Errorf("Got incorrect name for syscall 0x1 - expected write, got %s", name) - } - - _, err = call1.GetNameByArch(archBad) - if err == nil { - t.Errorf("Bad architecture GetNameByArch() should error!") - } - - _, err = callInvalid.GetNameByArch(archGood) - if err == nil { - t.Errorf("Bad syscall GetNameByArch() should error!") - } - - _, err = callInvalid.GetNameByArch(archBad) - if err == nil { - t.Errorf("Bad syscall and bad arch GetNameByArch() should error!") - } -} - -func TestGetSyscallFromName(t *testing.T) { - name1 := "write" - nameInval := "NOTASYSCALL" - - syscall, err := GetSyscallFromName(name1) - if err != nil { - t.Errorf("Error getting syscall number of write: %s", err) - } - fmt.Printf("Got syscall number of write on native arch as %d\n", syscall) - - _, err = GetSyscallFromName(nameInval) - if err == nil { - t.Errorf("Getting an invalid syscall should error!") - } -} - -func TestGetSyscallFromNameByArch(t *testing.T) { - name1 := "write" - nameInval := "NOTASYSCALL" - arch1 := ArchAMD64 - archInval := ArchInvalid - - syscall, err := GetSyscallFromNameByArch(name1, arch1) - if err != nil { - t.Errorf("Error getting syscall number of write on AMD64: %s", err) - } - fmt.Printf("Got syscall number of write on AMD64 as %d\n", syscall) - - _, err = GetSyscallFromNameByArch(nameInval, arch1) - if err == nil { - t.Errorf("Getting invalid syscall with valid arch should error") - } - - _, err = GetSyscallFromNameByArch(name1, archInval) - if err == nil { - t.Errorf("Getting valid syscall for invalid arch should error") - } - - _, err = GetSyscallFromNameByArch(nameInval, archInval) - if err == nil { - t.Errorf("Getting invalid syscall for invalid arch should error") - } -} - -func TestMakeCondition(t *testing.T) { - condition, err := MakeCondition(3, CompareNotEqual, 0x10) - if err != nil { - t.Errorf("Error making condition struct: %s", err) - } else if condition.Argument != 3 || condition.Operand1 != 0x10 || - condition.Operand2 != 0 || condition.Op != CompareNotEqual { - t.Errorf("Condition struct was filled incorrectly") - } - - condition, err = MakeCondition(3, CompareMaskedEqual, 0x10, 0x20) - if err != nil { - t.Errorf("Error making condition struct: %s", err) - } else if condition.Argument != 3 || condition.Operand1 != 0x10 || - condition.Operand2 != 0x20 || condition.Op != CompareMaskedEqual { - t.Errorf("Condition struct was filled incorrectly") - } - - _, err = MakeCondition(7, CompareNotEqual, 0x10) - if err == nil { - t.Errorf("Condition struct with bad syscall argument number should error") - } - - _, err = MakeCondition(3, CompareInvalid, 0x10) - if err == nil { - t.Errorf("Condition struct with bad comparison operator should error") - } - - _, err = MakeCondition(3, CompareMaskedEqual, 0x10, 0x20, 0x30) - if err == nil { - t.Errorf("MakeCondition with more than 2 arguments should fail") - } - - _, err = MakeCondition(3, CompareMaskedEqual) - if err == nil { - t.Errorf("MakeCondition with no arguments should fail") - } -} - -// Utility Function Tests - -func TestGetNativeArch(t *testing.T) { - arch, err := GetNativeArch() - if err != nil { - t.Errorf("GetNativeArch should not error!") - } - fmt.Printf("Got native arch of system as %s\n", arch.String()) -} - -// Filter Tests - -func TestFilterCreateRelease(t *testing.T) { - _, err := NewFilter(ActInvalid) - if err == nil { - t.Errorf("Can create filter with invalid action") - } - - filter, err := NewFilter(ActKill) - if err != nil { - t.Errorf("Error creating filter: %s", err) - } - - if !filter.IsValid() { - t.Errorf("Filter created by NewFilter was not valid") - } - - filter.Release() - - if filter.IsValid() { - t.Errorf("Filter is valid after being released") - } -} - -func TestFilterReset(t *testing.T) { - filter, err := NewFilter(ActKill) - if err != nil { - t.Errorf("Error creating filter: %s", err) - } - defer filter.Release() - - // Ensure the default action is ActKill - action, err := filter.GetDefaultAction() - if err != nil { - t.Errorf("Error getting default action of filter") - } else if action != ActKill { - t.Errorf("Default action of filter was set incorrectly!") - } - - // Reset with a different default action - err = filter.Reset(ActAllow) - if err != nil { - t.Errorf("Error resetting filter!") - } - - valid := filter.IsValid() - if !valid { - t.Errorf("Filter is no longer valid after reset!") - } - - // The default action should no longer be ActKill - action, err = filter.GetDefaultAction() - if err != nil { - t.Errorf("Error getting default action of filter") - } else if action != ActAllow { - t.Errorf("Default action of filter was set incorrectly!") - } -} - -func TestFilterArchFunctions(t *testing.T) { - filter, err := NewFilter(ActKill) - if err != nil { - t.Errorf("Error creating filter: %s", err) - } - defer filter.Release() - - arch, err := GetNativeArch() - if err != nil { - t.Errorf("Error getting native architecture: %s", err) - } - - present, err := filter.IsArchPresent(arch) - if err != nil { - t.Errorf("Error retrieving arch from filter: %s", err) - } else if !present { - t.Errorf("Filter does not contain native architecture by default") - } - - // Adding the native arch again should succeed, as it's already present - err = filter.AddArch(arch) - if err != nil { - t.Errorf("Adding arch to filter already containing it should succeed") - } - - // Make sure we don't add the native arch again - prospectiveArch := ArchX86 - if arch == ArchX86 { - prospectiveArch = ArchAMD64 - } - - // Check to make sure this other arch isn't in the filter - present, err = filter.IsArchPresent(prospectiveArch) - if err != nil { - t.Errorf("Error retrieving arch from filter: %s", err) - } else if present { - t.Errorf("Arch not added to filter is present") - } - - // Try removing the nonexistant arch - should succeed - err = filter.RemoveArch(prospectiveArch) - if err != nil { - t.Errorf("Error removing nonexistant arch: %s", err) - } - - // Add an arch, see if it's in the filter - err = filter.AddArch(prospectiveArch) - if err != nil { - t.Errorf("Could not add arch %s to filter: %s", - prospectiveArch.String(), err) - } - - present, err = filter.IsArchPresent(prospectiveArch) - if err != nil { - t.Errorf("Error retrieving arch from filter: %s", err) - } else if !present { - t.Errorf("Filter does not contain architecture %s after it was added", - prospectiveArch.String()) - } - - // Remove the arch again, make sure it's not in the filter - err = filter.RemoveArch(prospectiveArch) - if err != nil { - t.Errorf("Could not remove arch %s from filter: %s", - prospectiveArch.String(), err) - } - - present, err = filter.IsArchPresent(prospectiveArch) - if err != nil { - t.Errorf("Error retrieving arch from filter: %s", err) - } else if present { - t.Errorf("Filter contains architecture %s after it was removed", - prospectiveArch.String()) - } -} - -func TestFilterAttributeGettersAndSetters(t *testing.T) { - filter, err := NewFilter(ActKill) - if err != nil { - t.Errorf("Error creating filter: %s", err) - } - defer filter.Release() - - act, err := filter.GetDefaultAction() - if err != nil { - t.Errorf("Error getting default action: %s", err) - } else if act != ActKill { - t.Errorf("Default action was set incorrectly") - } - - err = filter.SetBadArchAction(ActAllow) - if err != nil { - t.Errorf("Error setting bad arch action: %s", err) - } - - act, err = filter.GetBadArchAction() - if err != nil { - t.Errorf("Error getting bad arch action") - } else if act != ActAllow { - t.Errorf("Bad arch action was not set correcly!") - } - - err = filter.SetNoNewPrivsBit(false) - if err != nil { - t.Errorf("Error setting no new privileges bit") - } - - privs, err := filter.GetNoNewPrivsBit() - if err != nil { - t.Errorf("Error getting no new privileges bit!") - } else if privs != false { - t.Errorf("No new privileges bit was not set correctly") - } - - err = filter.SetBadArchAction(ActInvalid) - if err == nil { - t.Errorf("Setting bad arch action to an invalid action should error") - } -} - -func TestMergeFilters(t *testing.T) { - filter1, err := NewFilter(ActAllow) - if err != nil { - t.Errorf("Error creating filter: %s", err) - } - - filter2, err := NewFilter(ActAllow) - if err != nil { - t.Errorf("Error creating filter: %s", err) - } - - // Need to remove the native arch and add another to the second filter - // Filters must NOT share architectures to be successfully merged - nativeArch, err := GetNativeArch() - if err != nil { - t.Errorf("Error getting native arch: %s", err) - } - - prospectiveArch := ArchAMD64 - if nativeArch == ArchAMD64 { - prospectiveArch = ArchX86 - } - - err = filter2.AddArch(prospectiveArch) - if err != nil { - t.Errorf("Error adding architecture to filter: %s", err) - } - - err = filter2.RemoveArch(nativeArch) - if err != nil { - t.Errorf("Error removing architecture from filter: %s", err) - } - - err = filter1.Merge(filter2) - if err != nil { - t.Errorf("Error merging filters: %s", err) - } - - if filter2.IsValid() { - t.Errorf("Source filter should not be valid after merging") - } - - filter3, err := NewFilter(ActKill) - if err != nil { - t.Errorf("Error creating filter: %s", err) - } - defer filter3.Release() - - err = filter1.Merge(filter3) - if err == nil { - t.Errorf("Attributes should have to match to merge filters") - } -} - -func TestRuleAddAndLoad(t *testing.T) { - // Test #1: Add a trivial filter - filter1, err := NewFilter(ActAllow) - if err != nil { - t.Errorf("Error creating filter: %s", err) - } - defer filter1.Release() - - call, err := GetSyscallFromName("getpid") - if err != nil { - t.Errorf("Error getting syscall number of getpid: %s", err) - } - - call2, err := GetSyscallFromName("setreuid") - if err != nil { - t.Errorf("Error getting syscall number of setreuid: %s", err) - } - - uid := syscall.Getuid() - euid := syscall.Geteuid() - - err = filter1.AddRule(call, ActErrno.SetReturnCode(0x1)) - if err != nil { - t.Errorf("Error adding rule to restrict syscall: %s", err) - } - - cond, err := MakeCondition(1, CompareEqual, uint64(euid)) - if err != nil { - t.Errorf("Error making rule to restrict syscall: %s", err) - } - - cond2, err := MakeCondition(0, CompareEqual, uint64(uid)) - if err != nil { - t.Errorf("Error making rule to restrict syscall: %s", err) - } - - conditions := []ScmpCondition{cond, cond2} - - err = filter1.AddRuleConditional(call2, ActErrno.SetReturnCode(0x2), conditions) - if err != nil { - t.Errorf("Error adding conditional rule: %s", err) - } - - err = filter1.Load() - if err != nil { - t.Errorf("Error loading filter: %s", err) - } - - // Try making a simple syscall, it should error - pid := syscall.Getpid() - if pid != -1 { - t.Errorf("Syscall should have returned error code!") - } - - // Try making a Geteuid syscall that should normally succeed - err = syscall.Setreuid(uid, euid) - if err != syscall.Errno(2) { - t.Errorf("Syscall should have returned error code!") - } -}