1 /*
2 * Seccomp sandboxing for virtiofsd
3 *
4 * Copyright (C) 2019 Red Hat, Inc.
5 *
6 * SPDX-License-Identifier: GPL-2.0-or-later
7 */
8
9 #include "qemu/osdep.h"
10 #include "passthrough_seccomp.h"
11 #include "fuse_i.h"
12 #include "fuse_log.h"
13 #include <errno.h>
14 #include <glib.h>
15 #include <seccomp.h>
16 #include <stdlib.h>
17
18 /* Bodge for libseccomp 2.4.2 which broke ppoll */
19 #if !defined(__SNR_ppoll) && defined(__SNR_brk)
20 #ifdef __NR_ppoll
21 #define __SNR_ppoll __NR_ppoll
22 #else
23 #define __SNR_ppoll __PNR_ppoll
24 #endif
25 #endif
26
/*
 * Syscalls virtiofsd is always allowed to make once the sandbox is up.
 *
 * Anything not in this table (or, when --syslog is on, in
 * syscall_whitelist_syslog) hits the filter's default action chosen in
 * setup_seccomp(): the process is killed, or receives SIGSYS on kernels
 * without SCMP_ACT_KILL_PROCESS.  Entries wrapped in #ifdef __NR_* are
 * only compiled in when the build headers know that syscall number.
 */
static const int syscall_whitelist[] = {
    /* TODO ireg sem*() syscalls */
    SCMP_SYS(brk),
    SCMP_SYS(capget), /* For CAP_FSETID */
    SCMP_SYS(capset),
    SCMP_SYS(clock_gettime),
    SCMP_SYS(clone),
#ifdef __NR_clone3
    SCMP_SYS(clone3),
#endif
    SCMP_SYS(close),
    SCMP_SYS(copy_file_range),
    SCMP_SYS(dup),
    SCMP_SYS(eventfd2),
    SCMP_SYS(exit),
    SCMP_SYS(exit_group),
    SCMP_SYS(fallocate),
    SCMP_SYS(fchdir),
    SCMP_SYS(fchmod),
    SCMP_SYS(fchmodat),
    SCMP_SYS(fchownat),
    SCMP_SYS(fcntl),
    SCMP_SYS(fdatasync),
    SCMP_SYS(fgetxattr),
    SCMP_SYS(flistxattr),
    SCMP_SYS(flock),
    SCMP_SYS(fremovexattr),
    SCMP_SYS(fsetxattr),
    SCMP_SYS(fstat),
    SCMP_SYS(fstatfs),
    SCMP_SYS(fsync),
    SCMP_SYS(ftruncate),
    SCMP_SYS(futex),
    SCMP_SYS(getdents),
    SCMP_SYS(getdents64),
    SCMP_SYS(getegid),
    SCMP_SYS(geteuid),
    SCMP_SYS(getpid),
    SCMP_SYS(gettid),
    SCMP_SYS(gettimeofday),
    SCMP_SYS(getxattr),
    SCMP_SYS(linkat),
    SCMP_SYS(listxattr),
    SCMP_SYS(lseek),
    SCMP_SYS(madvise),
    SCMP_SYS(mkdirat),
    SCMP_SYS(mknodat),
    SCMP_SYS(mmap),
    SCMP_SYS(mprotect),
    SCMP_SYS(mremap),
    SCMP_SYS(munmap),
    SCMP_SYS(newfstatat),
    SCMP_SYS(open),
    SCMP_SYS(openat),
    SCMP_SYS(ppoll),
    SCMP_SYS(prctl), /* TODO restrict to just PR_SET_NAME? */
    SCMP_SYS(preadv),
    SCMP_SYS(pread64),
    SCMP_SYS(pwritev),
    SCMP_SYS(pwrite64),
    SCMP_SYS(read),
    SCMP_SYS(readlinkat),
    SCMP_SYS(recvmsg),
    SCMP_SYS(renameat),
    SCMP_SYS(renameat2),
    SCMP_SYS(removexattr),
    SCMP_SYS(rt_sigaction),
    SCMP_SYS(rt_sigprocmask),
    SCMP_SYS(rt_sigreturn),
    SCMP_SYS(sched_getattr),
    SCMP_SYS(sched_setattr),
    SCMP_SYS(sendmsg),
    SCMP_SYS(setresgid),
    SCMP_SYS(setresuid),
#ifdef __NR_setresgid32
    SCMP_SYS(setresgid32),
#endif
#ifdef __NR_setresuid32
    SCMP_SYS(setresuid32),
#endif
    SCMP_SYS(set_robust_list),
    SCMP_SYS(setxattr),
    SCMP_SYS(symlinkat),
    SCMP_SYS(time), /* Rarely needed, except on static builds */
    SCMP_SYS(tgkill),
    SCMP_SYS(unlinkat),
    SCMP_SYS(unshare),
    SCMP_SYS(utimensat),
    SCMP_SYS(write),
    SCMP_SYS(writev),
};
118
119 /* Syscalls used when --syslog is enabled */
static const int syscall_whitelist_syslog[] = {
    /* The one extra syscall the --syslog path needs beyond syscall_whitelist */
    SCMP_SYS(sendto),
};
123
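/*
 * Add an ALLOW rule to @ctx for every syscall number in @syscalls.
 *
 * @ctx:      filter context returned by seccomp_init()
 * @syscalls: array of SCMP_SYS() numbers
 * @len:      number of entries in @syscalls (0 is fine: nothing is added)
 *
 * Does not return on failure: a rule that cannot be added is logged
 * together with the error code libseccomp reported, and the process
 * exits rather than continuing with a filter it could not fully build.
 */
static void add_whitelist(scmp_filter_ctx ctx, const int syscalls[], size_t len)
{
    for (size_t i = 0; i < len; i++) {
        int rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, syscalls[i], 0);

        if (rc != 0) {
            /* libseccomp reports failures as -errno, so -rc is the errno value */
            fuse_log(FUSE_LOG_ERR,
                     "seccomp_rule_add syscall %d failed: %d\n",
                     syscalls[i], -rc);
            exit(1);
        }
    }
}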
136
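/*
 * Create the filter context with the strictest default action the
 * running kernel accepts.
 *
 * Returns the new context, or NULL if neither SCMP_ACT_KILL_PROCESS nor
 * SCMP_ACT_TRAP could be used as the default action.
 */
static scmp_filter_ctx init_filter_ctx(void)
{
    scmp_filter_ctx ctx;

#ifdef SCMP_ACT_KILL_PROCESS
    ctx = seccomp_init(SCMP_ACT_KILL_PROCESS);
    /* Handle a newer libseccomp but an older kernel */
    if (!ctx && errno == EOPNOTSUPP) {
        ctx = seccomp_init(SCMP_ACT_TRAP);
    }
#else
    ctx = seccomp_init(SCMP_ACT_TRAP);
#endif
    return ctx;
}

/*
 * Install the seccomp filter that confines virtiofsd for the rest of
 * its life.
 *
 * @enable_syslog: also allow the syscalls the --syslog path needs
 *
 * Everything not explicitly allowed falls through to the default action
 * picked by init_filter_ctx(): kill the process, or SIGSYS on kernels
 * without SCMP_ACT_KILL_PROCESS.  userfaultfd is answered with ENOSYS
 * instead so that libvhost-user's optional post-copy setup fails cleanly.
 *
 * Does not return on failure: each libseccomp error is logged with the
 * error code it reported and the process exits.
 *
 * NOTE(review): a seccomp filter attaches to the calling thread and is
 * inherited by threads created afterwards; a thread that already exists
 * when this runs stays unfiltered unless thread sync is requested.
 * Confirm callers invoke this before spawning any workers.
 */
void setup_seccomp(bool enable_syslog)
{
    scmp_filter_ctx ctx = init_filter_ctx();
    int rc;

    if (!ctx) {
        fuse_log(FUSE_LOG_ERR, "seccomp_init() failed\n");
        exit(1);
    }

    add_whitelist(ctx, syscall_whitelist, G_N_ELEMENTS(syscall_whitelist));
    if (enable_syslog) {
        add_whitelist(ctx, syscall_whitelist_syslog,
                      G_N_ELEMENTS(syscall_whitelist_syslog));
    }

    /* libvhost-user calls this for post-copy migration, we don't need it */
    rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS),
                          SCMP_SYS(userfaultfd), 0);
    if (rc != 0) {
        /* libseccomp reports failures as -errno */
        fuse_log(FUSE_LOG_ERR, "seccomp_rule_add userfaultfd failed: %d\n",
                 -rc);
        exit(1);
    }

    rc = seccomp_load(ctx);
    if (rc < 0) {
        fuse_log(FUSE_LOG_ERR, "seccomp_load() failed: %d\n", -rc);
        exit(1);
    }

    /* The filter now lives in the kernel; the userspace context is done */
    seccomp_release(ctx);
}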