Merge b36a546 into 9e61fd7

seccomp · Sep 19, 2017 · dceb5d4 · dceb5d4
2 parents 9e61fd7 + b36a546
commit dceb5d4
Show file tree

Hide file tree

Showing 31 changed files with 656 additions and 30 deletions.
diff --git a/doc/man/man3/seccomp_action_valid.3 b/doc/man/man3/seccomp_action_valid.3
@@ -0,0 +1,55 @@
+.TH "seccomp_action_valid" 3 "14 Aug 2017" "tyhicks@canonical.com" "libseccomp Documentation"
+.\" //////////////////////////////////////////////////////////////////////////
+.SH NAME
+.\" //////////////////////////////////////////////////////////////////////////
+seccomp_action_valid \- Validate the seccomp filter action
+.\" //////////////////////////////////////////////////////////////////////////
+.SH SYNOPSIS
+.\" //////////////////////////////////////////////////////////////////////////
+.nf
+.B #include <seccomp.h>
+.sp
+.BI "int seccomp_action_valid(uint32_t " action ");"
+.sp
+Link with \fI\-lseccomp\fP.
+.fi
+.\" //////////////////////////////////////////////////////////////////////////
+.SH DESCRIPTION
+.\" //////////////////////////////////////////////////////////////////////////
+.P
+The
+.BR seccomp_action_valid ()
+function validates that the given seccomp filter
+.I action
+is known to libseccomp and, in the case of newer actions, supported by the
+kernel that's currently running. This function is affected by the
+.BR SCMP_GLBATR_CTL_KCHECKACTS
+attribute which will disable the kernel support check for newer actions.
+.\" //////////////////////////////////////////////////////////////////////////
+.SH RETURN VALUE
+.\" //////////////////////////////////////////////////////////////////////////
+Returns zero if the action is valid, negative errno values on failure.
+.\" //////////////////////////////////////////////////////////////////////////
+.SH NOTES
+.\" //////////////////////////////////////////////////////////////////////////
+.P
+This function can be used before
+.BR seccomp_init()
+to determine acceptable values for its
+.I def_action
+parameter.
+.P
+The libseccomp project site, with more information and the source code
+repository, can be found at https://github.com/seccomp/libseccomp.  This tool,
+as well as the libseccomp library, is currently under development, please
+report any bugs at the project site or directly to the author.
+.\" //////////////////////////////////////////////////////////////////////////
+.SH AUTHOR
+.\" //////////////////////////////////////////////////////////////////////////
+Tyler Hicks <tyhicks@canonical.com>
+.\" //////////////////////////////////////////////////////////////////////////
+.SH SEE ALSO
+.\" //////////////////////////////////////////////////////////////////////////
+.BR seccomp_init (3),
+.BR seccomp_attr_set (3)
+
diff --git a/doc/man/man3/seccomp_attr_set.3 b/doc/man/man3/seccomp_attr_set.3
@@ -2,7 +2,7 @@
 .\" //////////////////////////////////////////////////////////////////////////
 .SH NAME
 .\" //////////////////////////////////////////////////////////////////////////
-seccomp_attr_set, seccomp_attr_get \- Manage the seccomp filter attributes
+seccomp_attr_set, seccomp_attr_get \- Manage the seccomp attributes
 .\" //////////////////////////////////////////////////////////////////////////
 .SH SYNOPSIS
 .\" //////////////////////////////////////////////////////////////////////////
@@ -25,24 +25,35 @@ Link with \fI\-lseccomp\fP.
 .P
 The
 .BR seccomp_attr_set ()
-function sets the different seccomp filter attributes while the
+function sets the different seccomp attributes while the
 .BR seccomp_attr_get ()
-function fetches the filter attributes.  The seccomp filter attributes are
-tunable values that affect how the library behaves when generating and loading
-the seccomp filter into the kernel.  The attributes are reset to their default
-values whenever the filter is initialized or reset via
+function fetches the attributes.  The seccomp attributes are tunable values
+that affect how the library behaves when generating and loading the seccomp
+filter into the kernel.
+.P
+There are filter attributes, containing
+.BR FLTATR
+in their name, and there are global attributes, containing
+.BR GLBATR
+in their name.  The filter attributes are reset to their default values
+whenever the filter is initialized or reset via
 .BR seccomp_filter_init (3)
 or
-.BR seccomp_filter_reset (3).
+.BR seccomp_filter_reset (3)
+while the global attributes only change by calling
+.BR seccomp_attr_set (3).
 .P
 The filter context
 .I ctx
 is the value returned by the call to
-.BR seccomp_init (3).
+.BR seccomp_init (3)
+and it is required when operating on filter attributes. The
+.I ctx
+must be NULL when operating on global attributes.
 .P
 Valid
 .I attr
-values are as follows:
+values for filter attributes are as follows:
 .TP
 .B SCMP_FLTATR_ACT_DEFAULT
 The default filter action as specified in the call to
@@ -86,6 +97,27 @@ specific syscall invocations, see
 for more information.  Defaults to off (
 .I value
 == 0).
+.TP
+.B SCMP_GLBATR_CTL_KCHECKACTS
+A flag to control if the kernel should be queried when new actions
+(added after Linux kernel version 4.13) are used in functions such as
+.BR seccomp_init (3),
+.BR seccomp_rule_add (3),
+.BR seccomp_action_valid (3),
+etc. This may be useful when constructing a filter while running a kernel that
+is older than the kernel that will load the filter or when testing your
+application's usage of libseccomp with a kernel that may not be new enough to
+support your desired actions. Defaults to on (
+.I value
+== 1).
+.TP
+.B SCMP_FLTATR_CTL_LOG
+A flag to specify if the kernel should log all filter actions taken except for
+the
+.BR SCMP_ACT_ALLOW
+action. Defaults to off (
+.I value
+== 0).
 .\" //////////////////////////////////////////////////////////////////////////
 .SH RETURN VALUE
 .\" //////////////////////////////////////////////////////////////////////////

diff --git a/doc/man/man3/seccomp_init.3 b/doc/man/man3/seccomp_init.3
@@ -79,6 +79,11 @@ can be retrieved using the
 .B PTRACE_GETEVENTMSG
 option.
 .TP
+.B SCMP_ACT_LOG
+The seccomp filter will have no effect on the thread calling the syscall if it
+does not match any of the configured seccomp filter rules but the syscall will
+be logged.
+.TP
 .B SCMP_ACT_ALLOW
 The seccomp filter will have no effect on the thread calling the syscall if it
 does not match any of the configured seccomp filter rules.

diff --git a/doc/man/man3/seccomp_rule_add.3 b/doc/man/man3/seccomp_rule_add.3
@@ -133,6 +133,10 @@ can be retrieved using the
 .B PTRACE_GETEVENTMSG
 option.
 .TP
+.B SCMP_ACT_LOG
+The seccomp filter will have no effect on the thread calling the syscall if it
+matches the filter rule but the syscall will be logged.
+.TP
 .B SCMP_ACT_ALLOW
 The seccomp filter will have no effect on the thread calling the syscall if it
 matches the filter rule.

diff --git a/include/seccomp.h.in b/include/seccomp.h.in
@@ -64,6 +64,8 @@ enum scmp_filter_attr {
 	SCMP_FLTATR_CTL_NNP = 3,	/**< set NO_NEW_PRIVS on filter load */
 	SCMP_FLTATR_CTL_TSYNC = 4,	/**< sync threads on filter load */
 	SCMP_FLTATR_API_TSKIP = 5,	/**< allow rules with a -1 syscall */
+	SCMP_GLBATR_CTL_KCHECKACTS = 6,	/**< ignore kernel support checks */
+	SCMP_FLTATR_CTL_LOG = 7,	/**< log not-allowed actions */
 	_SCMP_FLTATR_MAX,
 };
 
@@ -256,6 +258,10 @@ struct scmp_arg_cmp {
  * Notify a tracing process with the specified value
  */
 #define SCMP_ACT_TRACE(x)	(0x7ff00000U | ((x) & 0x0000ffffU))
+/**
+ * Allow the syscall to be executed after the action has been logged
+ */
+#define SCMP_ACT_LOG		0x7ffc0000U
 /**
  * Allow the syscall to be executed
  */
@@ -586,6 +592,15 @@ int seccomp_export_pfc(const scmp_filter_ctx ctx, int fd);
  */
 int seccomp_export_bpf(const scmp_filter_ctx ctx, int fd);
 
+/**
+ * Validate that the seccomp action is available in the kernel
+ * @param action the filter action
+ *
+ * This function validates that an action is supported by the kernel currently
+ * running. Returns zero if the action is valid, negative values on failure.
+ */
+int seccomp_action_valid(uint32_t action);
+
 /*
  * pseudo syscall definitions
  */

diff --git a/src/api.c b/src/api.c
@@ -57,6 +57,20 @@ static int _ctx_valid(const scmp_filter_ctx *ctx)
 	return db_col_valid((struct db_filter_col *)ctx);
 }
 
+/**
+ * Validate a filter context and attribute combination
+ * @param ctx the filter context
+ * @param attr the attribute
+ *
+ * Attempt to validate the provided filter context and attribute combination.
+ * Returns zero if the combination is valid, negative values on failure.
+ */
+static int _ctx_attr_valid(const scmp_filter_ctx *ctx,
+			   enum scmp_filter_attr attr)
+{
+	return db_col_attr_valid((struct db_filter_col *)ctx, attr);
+}
+
 /**
  * Validate a syscall number
  * @param syscall the syscall number
@@ -212,7 +226,7 @@ API int seccomp_load(const scmp_filter_ctx ctx)
 API int seccomp_attr_get(const scmp_filter_ctx ctx,
 			 enum scmp_filter_attr attr, uint32_t *value)
 {
-	if (_ctx_valid(ctx))
+	if (_ctx_attr_valid(ctx, attr))
 		return -EINVAL;
 
 	return db_col_attr_get((const struct db_filter_col *)ctx, attr, value);
@@ -222,7 +236,7 @@ API int seccomp_attr_get(const scmp_filter_ctx ctx,
 API int seccomp_attr_set(scmp_filter_ctx ctx,
 			 enum scmp_filter_attr attr, uint32_t value)
 {
-	if (_ctx_valid(ctx))
+	if (_ctx_attr_valid(ctx, attr))
 		return -EINVAL;
 
 	return db_col_attr_set((struct db_filter_col *)ctx, attr, value);
@@ -448,3 +462,9 @@ API int seccomp_export_bpf(const scmp_filter_ctx ctx, int fd)
 
 	return 0;
 }
+
+/* NOTE - function header comment in include/seccomp.h */
+API int seccomp_action_valid(uint32_t action)
+{
+	return db_action_valid(action);
+}
diff --git a/src/db.c b/src/db.c
@@ -44,6 +44,8 @@
 #define _DB_PRI_MASK_USER		0x00FF0000
 #define _DB_PRI_USER(x)			(((x) << 16) & _DB_PRI_MASK_USER)
 
+static uint32_t _kcheckacts_enable = 1;
+
 /* private structure for tracking the state of the sub-tree "pruning" */
 struct db_prune_state {
 	bool prefix_exist;
@@ -669,7 +671,11 @@ int db_action_valid(uint32_t action)
 		return 0;
 	else if (action == SCMP_ACT_TRACE(action & 0x0000ffff))
 		return 0;
-	else if (action == SCMP_ACT_ALLOW)
+	else if (action == SCMP_ACT_LOG) {
+		if (_kcheckacts_enable == 0 ||
+		    sys_chk_seccomp_action(action) == 1)
+			return 0;
+	} else if (action == SCMP_ACT_ALLOW)
 		return 0;
 
 	return -EINVAL;
@@ -761,6 +767,43 @@ int db_col_arch_exist(struct db_filter_col *col, uint32_t arch_token)
 	return 0;
 }
 
+/**
+ * Validate a filter collection and attribute combination
+ * @param col the seccomp filter collection
+ * @param attr the attribute
+ *
+ * This function validates a seccomp filter collection and attribute
+ * combination. Filter attributes require a valid col and global attributes
+ * require a NULL col. Returns zero if the combination is valid, negative
+ * values on failure.
+ */
+int db_col_attr_valid(struct db_filter_col *col,
+		      enum scmp_filter_attr attr)
+{
+	int rc;
+
+	switch (attr) {
+	/* Filter attributes require a valid db_filter_col */
+	case SCMP_FLTATR_ACT_DEFAULT:
+	case SCMP_FLTATR_ACT_BADARCH:
+	case SCMP_FLTATR_CTL_NNP:
+	case SCMP_FLTATR_CTL_TSYNC:
+	case SCMP_FLTATR_API_TSKIP:
+	case SCMP_FLTATR_CTL_LOG:
+		rc = db_col_valid(col);
+		break;
+	/* Global attributes require a NULL db_filter_col */
+	case SCMP_GLBATR_CTL_KCHECKACTS:
+		rc = col == NULL ? 0 : -EINVAL;
+		break;
+	default:
+		rc = -EEXIST;
+		break;
+	}
+
+	return rc;
+}
+
 /**
  * Get a filter attribute
  * @param col the seccomp filter collection
@@ -792,6 +835,12 @@ int db_col_attr_get(const struct db_filter_col *col,
 	case SCMP_FLTATR_API_TSKIP:
 		*value = col->attr.api_tskip;
 		break;
+	case SCMP_GLBATR_CTL_KCHECKACTS:
+		*value = _kcheckacts_enable;
+		break;
+	case SCMP_FLTATR_CTL_LOG:
+		*value = col->attr.log_enable;
+		break;
 	default:
 		rc = -EEXIST;
 		break;
@@ -842,6 +891,20 @@ int db_col_attr_set(struct db_filter_col *col,
 	case SCMP_FLTATR_API_TSKIP:
 		col->attr.api_tskip = (value ? 1 : 0);
 		break;
+	case SCMP_GLBATR_CTL_KCHECKACTS:
+		_kcheckacts_enable = (value ? 1 : 0);
+		break;
+	case SCMP_FLTATR_CTL_LOG:
+		rc = sys_chk_seccomp_flag(SECCOMP_FILTER_FLAG_LOG);
+		if (rc == 1) {
+			/* supported */
+			rc = 0;
+			col->attr.log_enable = (value ? 1 : 0);
+		} else if (rc == 0) {
+			/* unsupported */
+			rc = -EOPNOTSUPP;
+		}
+		break;
 	default:
 		rc = -EEXIST;
 		break;

diff --git a/src/db.h b/src/db.h
@@ -139,6 +139,8 @@ struct db_filter_attr {
 	uint32_t tsync_enable;
 	/* allow rules with a -1 syscall value */
 	uint32_t api_tskip;
+	/* SECCOMP_FILTER_FLAG_LOG related attributes */
+	uint32_t log_enable;
 };
 
 struct db_filter {
@@ -202,6 +204,9 @@ int db_col_merge(struct db_filter_col *col_dst, struct db_filter_col *col_src);
 
 int db_col_arch_exist(struct db_filter_col *col, uint32_t arch_token);
 
+int db_col_attr_valid(struct db_filter_col *col,
+		      enum scmp_filter_attr attr);
+
 int db_col_attr_get(const struct db_filter_col *col,
 		    enum scmp_filter_attr attr, uint32_t *value);
 int db_col_attr_set(struct db_filter_col *col,

diff --git a/src/gen_pfc.c b/src/gen_pfc.c
@@ -130,6 +130,9 @@ static void _pfc_action(FILE *fds, uint32_t action)
 	case SCMP_ACT_TRACE(0):
 		fprintf(fds, "action TRACE(%u);\n", (action & 0x0000ffff));
 		break;
+	case SCMP_ACT_LOG:
+		fprintf(fds, "action LOG;\n");
+		break;
 	case SCMP_ACT_ALLOW:
 		fprintf(fds, "action ALLOW;\n");
 		break;

diff --git a/src/python/libseccomp.pxd b/src/python/libseccomp.pxd
@@ -57,6 +57,8 @@ cdef extern from "seccomp.h":
         SCMP_FLTATR_CTL_NNP
         SCMP_FLTATR_CTL_TSYNC
         SCMP_FLTATR_API_TSKIP
+        SCMP_GLBATR_CTL_KCHECKACTS
+        SCMP_FLTATR_CTL_LOG
 
     cdef enum scmp_compare:
         SCMP_CMP_NE
@@ -70,6 +72,7 @@ cdef extern from "seccomp.h":
     cdef enum:
         SCMP_ACT_KILL
         SCMP_ACT_TRAP
+        SCMP_ACT_LOG
         SCMP_ACT_ALLOW
     unsigned int SCMP_ACT_ERRNO(int errno)
     unsigned int SCMP_ACT_TRACE(int value)
@@ -126,5 +129,7 @@ cdef extern from "seccomp.h":
     int seccomp_export_pfc(scmp_filter_ctx ctx, int fd)
     int seccomp_export_bpf(scmp_filter_ctx ctx, int fd)
 
+    int seccomp_action_valid(uint32_t action)
+
 # kate: syntax python;
 # kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;