From f72659486285814b4939307c30d0385a75e59a09 Mon Sep 17 00:00:00 2001 From: hanen mizouni Date: Mon, 31 Aug 2020 19:30:47 +0000 Subject: [PATCH] seccomp : log non authorized syscall Signed-off-by: hanen mizouni --- include/packetgraph/common.h | 2 +- include/packetgraph/seccomp-bpf.h | 6 ++++ src/seccomp.c | 55 ++++++++++++++++++++++++++++--- 3 files changed, 57 insertions(+), 6 deletions(-) diff --git a/include/packetgraph/common.h b/include/packetgraph/common.h index b17341a0d..b61c6ef16 100644 --- a/include/packetgraph/common.h +++ b/include/packetgraph/common.h @@ -65,5 +65,5 @@ static inline enum pg_side pg_flip_side(enum pg_side side) * @return 0 if the filter has been correctly build, -1 on the contrary. */ int pg_init_seccomp(void); - +int init_seccomp_filters(void); #endif /* _PG_COMMON_H */ diff --git a/include/packetgraph/seccomp-bpf.h b/include/packetgraph/seccomp-bpf.h index 9446b80d9..c3d9d9670 100644 --- a/include/packetgraph/seccomp-bpf.h +++ b/include/packetgraph/seccomp-bpf.h @@ -34,6 +34,8 @@ struct seccomp_data { }; #endif +extern int errno; + #define syscall_nr (offsetof(struct seccomp_data, nr)) #define arch_nr (offsetof(struct seccomp_data, arch)) @@ -61,5 +63,9 @@ struct seccomp_data { #define KILL_PROCESS \ BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL) +#define TRAP_PROCESS \ + BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_getppid, 0, 1), \ + BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRAP) + #endif /* SECCOMP_BPF_H */ diff --git a/src/seccomp.c b/src/seccomp.c index 6074e38a5..871b74273 100644 --- a/src/seccomp.c +++ b/src/seccomp.c @@ -17,8 +17,11 @@ #include #include +#include +#include +#include -int pg_init_seccomp(void) +int init_seccomp_filters(void) { struct sock_filter filter[] = { VALIDATE_ARCHITECTURE, @@ -81,17 +84,59 @@ int pg_init_seccomp(void) ALLOW_SYSCALL(gettimeofday), ALLOW_SYSCALL(stat), ALLOW_SYSCALL(clock_gettime), + ALLOW_SYSCALL(mprotect), + ALLOW_SYSCALL(rt_sigreturn), + ALLOW_SYSCALL(epoll_create), + ALLOW_SYSCALL(epoll_ctl), + ALLOW_SYSCALL(epoll_wait), + ALLOW_SYSCALL(getsockopt), + ALLOW_SYSCALL(setsockopt), + ALLOW_SYSCALL(readlink), + ALLOW_SYSCALL(prlimit64), + ALLOW_SYSCALL(memfd_create), + ALLOW_SYSCALL(timerfd_create), + ALLOW_SYSCALL(uname), + ALLOW_SYSCALL(iopl), - KILL_PROCESS, + TRAP_PROCESS, }; struct sock_fprog prog = { .len = (unsigned short)(sizeof(filter) / sizeof(*filter)), .filter = filter, }; - - if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) + if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1) return -1; - if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) + if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == 0) return -1; return 0; } +/* + * * Catch violations so we see, which system call caused the problems + * * + */ +static void catchViolation(int sig, siginfo_t *si, void *void_context) +{ + int old_errno = errno; + + printf("Attempted banned syscall number [%d] and sig [%d]\n", + si->si_syscall, sig); + errno = old_errno; +} +/* + * * Setup error handling + * * + */ +static void init_error_handling(void) +{ + struct sigaction sa = { .sa_sigaction = catchViolation, + .sa_flags = SA_SIGINFO | SA_NODEFER }; + + if (sigaction(SIGSYS, &sa, NULL)) + printf("Failed to configure SIGSYS handler [%s]\n", + strerror(errno)); +} +int pg_init_seccomp(void) +{ + init_error_handling(); + return init_seccomp_filters(); +}