[openssh-commits] [openssh] 01/01: aarch64 support for seccomp-bpf sandbox

git+noreply at mindrot.org git+noreply at mindrot.org
Wed Jun 17 10:51:50 AEST 2015 

This is an automated email from the git hooks/post-receive script.

djm pushed a commit to branch master
in repository openssh.

commit 99f33d7304893bd9fa04d227cb6e870171cded19
Author: Damien Miller <djm at mindrot.org>
Date:   Wed Jun 17 10:50:51 2015 +1000

    aarch64 support for seccomp-bpf sandbox
    
    Also resort and tidy syscall list. Based on patches by Jakub Jelen
    bz#2361; ok dtucker@
---
 configure.ac             |  11 +++--
 sandbox-seccomp-filter.c | 105 ++++++++++++++++++++++++++++++++++++++---------
 2 files changed, 92 insertions(+), 24 deletions(-)

diff --git a/configure.ac b/configure.ac
index b6f9302..a1a29a6 100644
--- a/configure.ac
+++ b/configure.ac
@@ -781,14 +781,17 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
 	i*86-*)
 		seccomp_audit_arch=AUDIT_ARCH_I386
 		;;
-        arm*-*)
+	arm*-*)
 		seccomp_audit_arch=AUDIT_ARCH_ARM
-                ;;
+		;;
+	aarch64*-*)
+		seccomp_audit_arch=AUDIT_ARCH_AARCH64
+		;
 	esac
 	if test "x$seccomp_audit_arch" != "x" ; then
 		AC_MSG_RESULT(["$seccomp_audit_arch"])
-                AC_DEFINE_UNQUOTED([SECCOMP_AUDIT_ARCH], [$seccomp_audit_arch],
-                    [Specify the system call convention in use])
+		AC_DEFINE_UNQUOTED([SECCOMP_AUDIT_ARCH], [$seccomp_audit_arch],
+		    [Specify the system call convention in use])
 	else
 		AC_MSG_RESULT([architecture not supported])
 	fi
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index b6f6258..badfee2 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -43,6 +43,7 @@
 #include <sys/resource.h>
 #include <sys/prctl.h>
 
+#include <linux/net.h>
 #include <linux/audit.h>
 #include <linux/filter.h>
 #include <linux/seccomp.h>
@@ -79,6 +80,16 @@
 #define SC_ALLOW(_nr) \
 	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \
 	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
+#define SC_ALLOW_ARG(_nr, _arg_nr, _arg_val) \
+	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 3), \
+	/* load first syscall argument */ \
+	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
+	    offsetof(struct seccomp_data, args[(_arg_nr)])), \
+	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (_arg_val), 0, 1), \
+	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW), \
+	/* reload syscall number; all rules expect it in accumulator */ \
+	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
+		offsetof(struct seccomp_data, nr))
 
 /* Syscall filtering set for preauth. */
 static const struct sock_filter preauth_insns[] = {
@@ -90,45 +101,99 @@ static const struct sock_filter preauth_insns[] = {
 	/* Load the syscall number for checking. */
 	BPF_STMT(BPF_LD+BPF_W+BPF_ABS,
 		offsetof(struct seccomp_data, nr)),
+
+	/* Syscalls to non-fatally deny */
+#ifdef __NR_fstat
+	SC_DENY(fstat, EACCES),
+#endif
+#ifdef __NR_fstat64
+	SC_DENY(fstat64, EACCES),
+#endif
+#ifdef __NR_open
 	SC_DENY(open, EACCES),
+#endif
+#ifdef __NR_openat
+	SC_DENY(openat, EACCES),
+#endif
+#ifdef __NR_newfstatat
+	SC_DENY(newfstatat, EACCES),
+#endif
+#ifdef __NR_stat
 	SC_DENY(stat, EACCES),
-	SC_ALLOW(getpid),
-	SC_ALLOW(gettimeofday),
+#endif
+#ifdef __NR_stat64
+	SC_DENY(stat64, EACCES),
+#endif
+
+	/* Syscalls to permit */
+#ifdef __NR_brk
+	SC_ALLOW(brk),
+#endif
+#ifdef __NR_clock_gettime
 	SC_ALLOW(clock_gettime),
-#ifdef __NR_time /* not defined on EABI ARM */
-	SC_ALLOW(time),
 #endif
-	SC_ALLOW(read),
-	SC_ALLOW(write),
+#ifdef __NR_close
 	SC_ALLOW(close),
-#ifdef __NR_shutdown /* not defined on archs that go via socketcall(2) */
-	SC_ALLOW(shutdown),
 #endif
-	SC_ALLOW(brk),
-	SC_ALLOW(poll),
-#ifdef __NR__newselect
-	SC_ALLOW(_newselect),
-#else
-	SC_ALLOW(select),
+#ifdef __NR_exit
+	SC_ALLOW(exit),
 #endif
+#ifdef __NR_exit_group
+	SC_ALLOW(exit_group),
+#endif
+#ifdef __NR_getpid
+	SC_ALLOW(getpid),
+#endif
+#ifdef __NR_gettimeofday
+	SC_ALLOW(gettimeofday),
+#endif
+#ifdef __NR_madvise
 	SC_ALLOW(madvise),
-#ifdef __NR_mmap2 /* EABI ARM only has mmap2() */
-	SC_ALLOW(mmap2),
 #endif
 #ifdef __NR_mmap
 	SC_ALLOW(mmap),
 #endif
-#ifdef __dietlibc__
+#ifdef __NR_mmap2
+	SC_ALLOW(mmap2),
+#endif
+#ifdef __NR_mremap
 	SC_ALLOW(mremap),
-	SC_ALLOW(exit),
 #endif
+#ifdef __NR_munmap
 	SC_ALLOW(munmap),
-	SC_ALLOW(exit_group),
+#endif
+#ifdef __NR__newselect
+	SC_ALLOW(_newselect),
+#endif
+#ifdef __NR_poll
+	SC_ALLOW(poll),
+#endif
+#ifdef __NR_read
+	SC_ALLOW(read),
+#endif
 #ifdef __NR_rt_sigprocmask
 	SC_ALLOW(rt_sigprocmask),
-#else
+#endif
+#ifdef __NR_select
+	SC_ALLOW(select),
+#endif
+#ifdef __NR_shutdown
+	SC_ALLOW(shutdown),
+#endif
+#ifdef __NR_sigprocmask
 	SC_ALLOW(sigprocmask),
 #endif
+#ifdef __NR_time
+	SC_ALLOW(time),
+#endif
+#ifdef __NR_write
+	SC_ALLOW(write),
+#endif
+#ifdef __NR_socketcall
+	SC_ALLOW_ARG(socketcall, 0, SYS_SHUTDOWN),
+#endif
+
+	/* Default deny */
 	BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL),
 };
 

-- 
To stop receiving notification emails like this one, please contact
djm at mindrot.org.

More information about the openssh-commits mailing list