seccomp : log non authorized syscall

Signed-off-by: hanen mizouni <[email protected]>
outscale · Sep 14, 2020 · f726594 · f726594
1 parent db56b17
commit f726594
Show file tree

Hide file tree

Showing 3 changed files with 57 additions and 6 deletions.
diff --git a/include/packetgraph/common.h b/include/packetgraph/common.h
@@ -65,5 +65,5 @@ static inline enum pg_side pg_flip_side(enum pg_side side)
  * @return 0 if the filter has been correctly build, -1 on the contrary.
  */
 int pg_init_seccomp(void);
-
+int init_seccomp_filters(void);
 #endif /* _PG_COMMON_H */
diff --git a/include/packetgraph/seccomp-bpf.h b/include/packetgraph/seccomp-bpf.h
@@ -34,6 +34,8 @@ struct seccomp_data {
 };
 #endif
 
+extern int errno;
+
 #define syscall_nr (offsetof(struct seccomp_data, nr))
 #define arch_nr (offsetof(struct seccomp_data, arch))
 
@@ -61,5 +63,9 @@ struct seccomp_data {
 #define KILL_PROCESS \
  BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)
 
+#define TRAP_PROCESS \
+ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_getppid, 0, 1), \
+ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRAP)
+
 #endif /* SECCOMP_BPF_H */
 
diff --git a/src/seccomp.c b/src/seccomp.c
@@ -17,8 +17,11 @@
 
 #include <packetgraph/common.h>
 #include <packetgraph/seccomp-bpf.h>
+#include <errno.h>
+#include <signal.h>
+#include <string.h>
 
-int pg_init_seccomp(void)
+int init_seccomp_filters(void)
 {
  struct sock_filter filter[] = {
  VALIDATE_ARCHITECTURE,
@@ -81,17 +84,59 @@ int pg_init_seccomp(void)
  ALLOW_SYSCALL(gettimeofday),
  ALLOW_SYSCALL(stat),
  ALLOW_SYSCALL(clock_gettime),
+ ALLOW_SYSCALL(mprotect),
+ ALLOW_SYSCALL(rt_sigreturn),
+ ALLOW_SYSCALL(epoll_create),
+ ALLOW_SYSCALL(epoll_ctl),
+ ALLOW_SYSCALL(epoll_wait),
+ ALLOW_SYSCALL(getsockopt),
+ ALLOW_SYSCALL(setsockopt),
+ ALLOW_SYSCALL(readlink),
+ ALLOW_SYSCALL(prlimit64),
+ ALLOW_SYSCALL(memfd_create),
+ ALLOW_SYSCALL(timerfd_create),
+ ALLOW_SYSCALL(uname),
+ ALLOW_SYSCALL(iopl),
 
- KILL_PROCESS,
+ TRAP_PROCESS,
  };
  struct sock_fprog prog = {
  .len = (unsigned short)(sizeof(filter) / sizeof(*filter)),
  .filter = filter,
  };
-
- if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))
+ if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
  return -1;
- if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog))
+ if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == 0)
  return -1;
  return 0;
 }
+/*
+ * * Catch violations so we see, which system call caused the problems
+ * *
+ */
+static void catchViolation(int sig, siginfo_t *si, void *void_context)
+{
+ int old_errno = errno;
+
+ printf("Attempted banned syscall number [%d] and sig [%d]\n",
+ si->si_syscall, sig);
+ errno = old_errno;
+}
+/*
+ * * Setup error handling
+ * *
+ */
+static void init_error_handling(void)
+{
+ struct sigaction sa = { .sa_sigaction = catchViolation,
+ .sa_flags = SA_SIGINFO | SA_NODEFER };
+
+ if (sigaction(SIGSYS, &sa, NULL))
+ printf("Failed to configure SIGSYS handler [%s]\n",
+ strerror(errno));
+}
+int pg_init_seccomp(void)
+{
+ init_error_handling();
+ return init_seccomp_filters();
+}