seccomp : log non authorized syscall

Signed-off-by: hanen mizouni <[email protected]>
outscale · Sep 2, 2020 · 1a852d8 · 1a852d8
1 parent c68feaa
commit 1a852d8
Show file tree

Hide file tree

Showing 3 changed files with 55 additions and 3 deletions.
diff --git a/include/packetgraph/common.h b/include/packetgraph/common.h
@@ -65,5 +65,5 @@ static inline enum pg_side pg_flip_side(enum pg_side side)
  * @return 0 if the filter has been correctly build, -1 on the contrary.
  */
 int pg_init_seccomp(void);
-
+int init_seccomp_filters(void);
 #endif /* _PG_COMMON_H */
diff --git a/include/packetgraph/seccomp-bpf.h b/include/packetgraph/seccomp-bpf.h
@@ -34,6 +34,8 @@ struct seccomp_data {
 };
 #endif
 
+extern int errno;
+
 #define syscall_nr (offsetof(struct seccomp_data, nr))
 #define arch_nr (offsetof(struct seccomp_data, arch))
 
@@ -61,5 +63,9 @@ struct seccomp_data {
 #define KILL_PROCESS \
 	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)
 
+#define TRAP_PROCESS \
+	BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_getppid, 0, 1), \
+	BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRAP)
+
 #endif /* SECCOMP_BPF_H */
 
diff --git a/src/seccomp.c b/src/seccomp.c
@@ -17,8 +17,11 @@
 
 #include <packetgraph/common.h>
 #include <packetgraph/seccomp-bpf.h>
+#include <errno.h>
+#include <signal.h>
+#include <string.h>
 
-int pg_init_seccomp(void)
+int init_seccomp_filters(void)
 {
 	struct sock_filter filter[] = {
 		VALIDATE_ARCHITECTURE,
@@ -81,8 +84,21 @@ int pg_init_seccomp(void)
 		ALLOW_SYSCALL(gettimeofday),
 		ALLOW_SYSCALL(stat),
 		ALLOW_SYSCALL(clock_gettime),
+		ALLOW_SYSCALL(mprotect),
+		ALLOW_SYSCALL(rt_sigreturn),
+		ALLOW_SYSCALL(epoll_create),
+		ALLOW_SYSCALL(epoll_ctl),
+		ALLOW_SYSCALL(epoll_wait),
+		ALLOW_SYSCALL(getsockopt),
+		ALLOW_SYSCALL(setsockopt),
+		ALLOW_SYSCALL(readlink),
+		ALLOW_SYSCALL(prlimit64),
+		ALLOW_SYSCALL(memfd_create),
+		ALLOW_SYSCALL(timerfd_create),
+		ALLOW_SYSCALL(uname),
+		ALLOW_SYSCALL(iopl),
 
-		KILL_PROCESS,
+		TRAP_PROCESS,
 	};
 	struct sock_fprog prog = {
 		.len = (unsigned short)(sizeof(filter) / sizeof(*filter)),
@@ -95,3 +111,33 @@ int pg_init_seccomp(void)
 		return -1;
 	return 0;
 }
+/*
+ * * Catch violations so we see, which system call caused the problems
+ * *
+ */
+static void catchViolation(int sig, siginfo_t *si, void *void_context)
+{
+	int old_errno = errno;
+
+	printf("Attempted banned syscall number [%d] and sig  [%d]\n",
+			si->si_syscall, sig);
+	errno = old_errno;
+}
+/*
+ * * Setup error handling
+ * *
+ */
+static void init_error_handling(void)
+{
+	struct sigaction sa = { .sa_sigaction = catchViolation,
+		.sa_flags = SA_SIGINFO | SA_NODEFER };
+
+	if (sigaction(SIGSYS, &sa, NULL))
+		printf("Failed to configure SIGSYS handler [%s]\n",
+				strerror(errno));
+}
+int pg_init_seccomp(void)
+{
+	init_error_handling();
+	return init_seccomp_filters();
+}