POTD skeleton #102.

Signed-off-by: Toni Uhlig <matzeton@googlemail.com>

7 files changed, 52 insertions, 11 deletions

diff --git a/src/jail.c b/src/jail.c
index ddd1926..9ed75f8 100644
--- a/src/jail.c
+++ b/src/jail.c
@@ -15,6 +15,7 @@
 #include "capabilities.h"
 #include "utils.h"
 #include "log.h"
+#include "options.h"
 
 typedef struct prisoner_process {
     psocket client_psock;
@@ -373,7 +374,8 @@ static int jail_childfn(prisoner_process *ctx)
             );
 
             pseccomp_set_immutable();
-            pseccomp_init(&psc, 0);
+            pseccomp_init(&psc,
+                (getopt_used(OPT_SECCOMP_MINIMAL) ? PS_MINIMUM : 0));
             if (pseccomp_jail_rules(psc))
                 FATAL("%s", "SECCOMP: adding jail rules");
             pseccomp_free(&psc);
diff --git a/src/main.c b/src/main.c
index d3df883..0e54fe0 100644
--- a/src/main.c
+++ b/src/main.c
@@ -338,7 +338,8 @@ int main(int argc, char *argv[])
     }
 
     caps_default_filter();
-    pseccomp_init(&psc, 0);
+    pseccomp_init(&psc,
+        (getopt_used(OPT_SECCOMP_MINIMAL) ? PS_MINIMUM : 0));
     if (pseccomp_default_rules(psc))
         FATAL("%s", "SECCOMP: adding default rules");
     pseccomp_free(&psc);
diff --git a/src/options.c b/src/options.c
index 7b83909..0f23f4d 100644
--- a/src/options.c
+++ b/src/options.c
@@ -79,6 +79,12 @@ static struct opt options[OPT_MAX+1] = {
         "path to root directory/image\n", NULL),
     OPT(OT_PATH, .str = POTD_NETNS_RUN_DIR, "netns-rundir",
         "set the network namespace run directory\n", NULL),
+    OPT_NOARG("seccomp-minimal", "use a minimal seccomp ruleset\n",
+        "instead of setting an allowed syscall ruleset\n"
+        "use a minimal set of blocked syscalls e.g.\n"
+        "mount, umount, ptrace, kernel module syscalls\n"
+        "and some io syscalls\n"
+        "(use this if you acknowledge errors on some platforms)\n"),
 
     OPT_NOARG("help", "this\n", NULL),
     OPT(OT_INVALID, .ll = 0, NULL, NULL, NULL)
diff --git a/src/options.h b/src/options.h
index 1e4832a..4c81c11 100644
--- a/src/options.h
+++ b/src/options.h
@@ -11,6 +11,7 @@ typedef enum opt_name {
     OPT_JAIL,
     OPT_ROOT,
     OPT_NETNS_RUN_DIR,
+    OPT_SECCOMP_MINIMAL,
 
     OPT_HELP,
     OPT_MAX
diff --git a/src/protocol_ssh.c b/src/protocol_ssh.c
index 44dd9b6..dfab000 100644
--- a/src/protocol_ssh.c
+++ b/src/protocol_ssh.c
@@ -147,7 +147,7 @@ int ssh_on_listen(protocol_ctx *ctx)
             return 1;
         case 0:
             pseccomp_set_immutable();
-            pseccomp_init(&psc, 1);
+            pseccomp_init(&psc, PS_ALLOW|PS_MINIMUM);
             s = pseccomp_protocol_rules(psc);
             pseccomp_free(&psc);
             if (s) {
diff --git a/src/pseccomp.c b/src/pseccomp.c
index 1626721..07f4152 100644
--- a/src/pseccomp.c
+++ b/src/pseccomp.c
@@ -14,6 +14,23 @@
 
 static int pseccomp_using_valgrind(void);
 
+static const int minimum_disabled_syscalls[] = {
+    SCMP_SYS(mount),
+    SCMP_SYS(umount), SCMP_SYS(umount2),
+    SCMP_SYS(ptrace),
+    SCMP_SYS(kexec_load),
+    SCMP_SYS(open_by_handle_at),
+    SCMP_SYS(init_module),
+    SCMP_SYS(finit_module),
+    SCMP_SYS(delete_module),
+    SCMP_SYS(iopl),
+    SCMP_SYS(swapon),
+    SCMP_SYS(swapoff),
+    SCMP_SYS(syslog),
+    SCMP_SYS(nice),
+    SCMP_SYS(kcmp)
+};
+
 static const int default_allowed_syscalls[] = {
     SCMP_SYS(signalfd), SCMP_SYS(signalfd4),
     SCMP_SYS(rt_sigreturn), SCMP_SYS(rt_sigprocmask),
@@ -49,7 +66,8 @@ static const int default_allowed_syscalls[] = {
     SCMP_SYS(getgid), SCMP_SYS(getgid32), SCMP_SYS(getegid), SCMP_SYS(getegid),
     SCMP_SYS(getgroups), SCMP_SYS(getdents),
     /* operations on processes */
-    SCMP_SYS(getpgrp), SCMP_SYS(setpgid), SCMP_SYS(getpid), SCMP_SYS(kill),
+    SCMP_SYS(getpgrp), SCMP_SYS(setpgid), SCMP_SYS(getpid), SCMP_SYS(getppid),
+    SCMP_SYS(kill),
     /* other */
     SCMP_SYS(unshare), SCMP_SYS(setns),
     SCMP_SYS(chroot), SCMP_SYS(chdir), SCMP_SYS(mount), SCMP_SYS(umount2),
@@ -68,6 +86,7 @@ static const int jail_allowed_syscalls[] = {
     SCMP_SYS(signalfd), SCMP_SYS(signalfd4),
     SCMP_SYS(rt_sigreturn), SCMP_SYS(rt_sigprocmask),
     SCMP_SYS(rt_sigaction), SCMP_SYS(time), SCMP_SYS(nanosleep),
+    SCMP_SYS(clock_gettime), SCMP_SYS(set_tid_address),
     SCMP_SYS(exit), SCMP_SYS(exit_group),
     SCMP_SYS(read), SCMP_SYS(write), SCMP_SYS(writev),
     SCMP_SYS(fcntl), SCMP_SYS(fcntl64),
@@ -84,7 +103,8 @@ static const int jail_allowed_syscalls[] = {
     SCMP_SYS(setresuid), SCMP_SYS(setresgid),
     SCMP_SYS(getuid), SCMP_SYS(geteuid), SCMP_SYS(getgid), SCMP_SYS(getegid),
     SCMP_SYS(getgroups), SCMP_SYS(getdents),
-    SCMP_SYS(getpgrp), SCMP_SYS(setpgid), SCMP_SYS(getpid), SCMP_SYS(kill),
+    SCMP_SYS(getpgrp), SCMP_SYS(setpgid), SCMP_SYS(getpid), SCMP_SYS(getppid),
+    SCMP_SYS(kill),
     SCMP_SYS(chdir), SCMP_SYS(mount),
     SCMP_SYS(umount2),
     SCMP_SYS(ioctl),
@@ -104,7 +124,7 @@ static int pseccomp_using_valgrind(void)
     return 0;
 }
 
-int pseccomp_init(pseccomp_ctx **ctx, unsigned int defact_allow)
+int pseccomp_init(pseccomp_ctx **ctx, unsigned flags)
 {
     assert(ctx);
 
@@ -114,7 +134,8 @@ int pseccomp_init(pseccomp_ctx **ctx, unsigned int defact_allow)
 
     memset(*ctx, 0, sizeof(**ctx));
     (*ctx)->sfilter = seccomp_init(
-        (defact_allow ? SCMP_ACT_ALLOW : SCMP_ACT_ERRNO(EINVAL))
+        (flags & PS_ALLOW || flags & PS_MINIMUM ?
+            SCMP_ACT_ALLOW : SCMP_ACT_ERRNO(EINVAL))
     );
 
     return 0;
@@ -147,9 +168,15 @@ int pseccomp_default_rules(pseccomp_ctx *ctx)
     if (pseccomp_using_valgrind())
         return 0;
 
-    for (i = 0; i < SIZEOF(default_allowed_syscalls); ++i)
-        seccomp_rule_add(ctx->sfilter, SCMP_ACT_ALLOW,
-            default_allowed_syscalls[i], 0);
+    if (ctx->flags & PS_MINIMUM) {
+        for (i = 0; i < SIZEOF(minimum_disabled_syscalls); ++i)
+            seccomp_rule_add(ctx->sfilter, SCMP_ACT_ERRNO(EINVAL),
+                minimum_disabled_syscalls[i], 0);
+    } else {
+        for (i = 0; i < SIZEOF(default_allowed_syscalls); ++i)
+            seccomp_rule_add(ctx->sfilter, SCMP_ACT_ALLOW,
+                default_allowed_syscalls[i], 0);
+    }
 
     return seccomp_load(ctx->sfilter);
 }
diff --git a/src/pseccomp.h b/src/pseccomp.h
index 0bb5b2c..70fe3de 100644
--- a/src/pseccomp.h
+++ b/src/pseccomp.h
@@ -3,12 +3,16 @@
 
 #include <seccomp.h>
 
+#define PS_ALLOW 0x1
+#define PS_MINIMUM 0x2
+
 typedef struct pseccomp_ctx {
+    unsigned flags;
     scmp_filter_ctx sfilter;
 } pseccomp_ctx;
 
 
-int pseccomp_init(pseccomp_ctx **ctx, unsigned int defact_allow);
+int pseccomp_init(pseccomp_ctx **ctx, unsigned flags);
 
 void pseccomp_free(pseccomp_ctx **ctx);