seccomp : log non authorized syscall
Signed-off-by: hanen mizouni <[email protected]>
outscale-hmi committed Nov 9, 2020
1 parent db56b17 commit 98389a1
Showing 2 changed files with 57 additions and 5 deletions.
8 changes: 7 additions & 1 deletion include/packetgraph/seccomp-bpf.h
Expand Up @@ -34,6 +34,8 @@ struct seccomp_data {
};
#endif

extern int errno;

#define syscall_nr (offsetof(struct seccomp_data, nr))
#define arch_nr (offsetof(struct seccomp_data, arch))

Expand All @@ -49,7 +51,8 @@ struct seccomp_data {
#define VALIDATE_ARCHITECTURE \
BPF_STMT(BPF_LD+BPF_W+BPF_ABS, arch_nr), \
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_NR, 1, 0), \
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRAP), \
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)

#define EXAMINE_SYSCALL \
BPF_STMT(BPF_LD+BPF_W+BPF_ABS, syscall_nr)
Expand All @@ -61,5 +64,8 @@ struct seccomp_data {
#define KILL_PROCESS \
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)

#define TRAP_PROCESS \
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRAP)

#endif /* SECCOMP_BPF_H */
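Review bot: The new `BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)` appended to VALIDATE_ARCHITECTURE is the target of the `BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_NR, 1, 0)` above it, so on a matching architecture the filter returns ALLOW before EXAMINE_SYSCALL runs and every syscall is permitted; the whole allowlist and TRAP_PROCESS in src/seccomp.c become unreachable. Before the change the jump skipped the single KILL and fell through into the syscall checks, which is what the offsets 1/0 still encode. Remove that last line (and the trailing `, \` on the TRAP line) so the macro ends with `BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRAP)`, and verify by issuing a syscall that is not in the list and checking that SIGSYS is delivered. Separately, `extern int errno;` should become `#include <errno.h>`: C11 7.5 permits errno to be a macro and a program that declares an identifier named errno has undefined behaviour; on glibc it appears to compile only because the macro expansion happens to yield a compatible declaration, and other libcs may reject it.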

54 changes: 50 additions & 4 deletions src/seccomp.c
Expand Up @@ -17,9 +17,41 @@

#include <packetgraph/common.h>
#include <packetgraph/seccomp-bpf.h>
#include <errno.h>
#include <signal.h>
#include <string.h>

/*
* * Catch violations so we see, which system call caused the problems
* *
*/
static void catchViolation(int sig, siginfo_t *si, void *void_context)
{
int old_errno = errno;

fprintf(stderr, "Catch sig [%d] when attemption to
catch syscall: [%d]\n",sig, si->si_syscall);
errno = old_errno;
}
/*
* * Setup error handling
* *
*/
static void init_error_handling(void)
{
struct sigaction sa = { .sa_sigaction = catchViolation,
.sa_flags = SA_SIGINFO | SA_NODEFER };

if (sigaction(SIGSYS, &sa, NULL)) {
printf("Failed to configure SIGSYS handler [%s]\n",
strerror(errno));
}
}

int pg_init_seccomp(void)
{
init_error_handling();

struct sock_filter filter[] = {
VALIDATE_ARCHITECTURE,
EXAMINE_SYSCALL,
Expand Down Expand Up @@ -81,17 +113,31 @@ int pg_init_seccomp(void)
ALLOW_SYSCALL(gettimeofday),
ALLOW_SYSCALL(stat),
ALLOW_SYSCALL(clock_gettime),
ALLOW_SYSCALL(rt_sigreturn),
ALLOW_SYSCALL(epoll_create),
ALLOW_SYSCALL(epoll_ctl),
ALLOW_SYSCALL(epoll_wait),
ALLOW_SYSCALL(getsockopt),
ALLOW_SYSCALL(setsockopt),
ALLOW_SYSCALL(readlink),
ALLOW_SYSCALL(prlimit64),
ALLOW_SYSCALL(memfd_create),
ALLOW_SYSCALL(timerfd_create),
ALLOW_SYSCALL(uname),
ALLOW_SYSCALL(iopl),

KILL_PROCESS,
TRAP_PROCESS,
};
struct sock_fprog prog = {
.len = (unsigned short)(sizeof(filter) / sizeof(*filter)),
.filter = filter,
};

if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))
if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
return -1;
if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog))
if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == -1) {
fprintf(stderr, "unknown PR_GET_SECCOMP error: %s\n",
strerror(errno));
return -1;
}
return 0;
}
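Review bot: `catchViolation` calls `fprintf` from the SIGSYS handler, which is not async-signal-safe; SECCOMP_RET_TRAP can fire inside any library call, including one that holds stdio's internal lock, so the log line can deadlock or corrupt stdio state, and the handler should emit through `write(2)` (declared in `<unistd.h>`) with a hand-formatted buffer as sketched below. As rendered, the format string in that `fprintf` is also split across two lines without a continuation; if the source really reads that way it will not compile, so the rewrite uses one literal. `si->si_syscall` is only exposed by glibc when `_GNU_SOURCE` is defined before the first include, which is worth confirming in the build flags. Returning from the handler turns a killed process into one that continues after a denied syscall; if that is only meant as a debugging aid, end the handler with `_exit(EXIT_FAILURE)` after logging so the sandbox still fails closed. In `pg_init_seccomp`, the new message names `PR_GET_SECCOMP` although the failing call is `PR_SET_SECCOMP`; `"PR_SET_SECCOMP failed: %s\n"` would match the code.
```c
static void catchViolation(int sig, siginfo_t *si, void *void_context)
{
	int old_errno = errno;
	/* Only async-signal-safe calls here: write(2) and manual formatting. */
	static const char prefix[] = "seccomp: signal caught, blocked syscall nr ";
	char digits[16];
	int pos = sizeof digits;
	long nr = si->si_syscall;

	(void)sig;
	(void)void_context;
	digits[--pos] = '\n';
	if (nr < 0) {
		nr = -nr;
	}
	do {
		digits[--pos] = (char)('0' + nr % 10);
		nr /= 10;
	} while (nr > 0 && pos > 0);
	(void)write(STDERR_FILENO, prefix, sizeof prefix - 1);
	(void)write(STDERR_FILENO, digits + pos, sizeof digits - (size_t)pos);
	errno = old_errno;
}
/* … unchanged: init_error_handling, pg_init_seccomp … */
```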
