summaryrefslogtreecommitdiffhomepage
path: root/pkg/seccomp/seccomp.go
diff options
context:
space:
mode:
authorGoogler <noreply@google.com>2018-04-27 10:37:02 -0700
committerAdin Scannell <ascannell@google.com>2018-04-28 01:44:26 -0400
commitd02b74a5dcfed4bfc8f2f8e545bca4d2afabb296 (patch)
tree54f95eef73aee6bacbfc736fffc631be2605ed53 /pkg/seccomp/seccomp.go
parentf70210e742919f40aa2f0934a22f1c9ba6dada62 (diff)
Check in gVisor.
PiperOrigin-RevId: 194583126 Change-Id: Ica1d8821a90f74e7e745962d71801c598c652463
Diffstat (limited to 'pkg/seccomp/seccomp.go')
-rw-r--r--pkg/seccomp/seccomp.go210
1 files changed, 210 insertions, 0 deletions
diff --git a/pkg/seccomp/seccomp.go b/pkg/seccomp/seccomp.go
new file mode 100644
index 000000000..7ee63140c
--- /dev/null
+++ b/pkg/seccomp/seccomp.go
@@ -0,0 +1,210 @@
+// Copyright 2018 Google Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package seccomp provides basic seccomp filters.
+package seccomp
+
+import (
+ "fmt"
+ "sort"
+
+ "gvisor.googlesource.com/gvisor/pkg/abi/linux"
+ "gvisor.googlesource.com/gvisor/pkg/bpf"
+ "gvisor.googlesource.com/gvisor/pkg/log"
+)
+
+const (
+ // violationLabel is added to the program to take action on a violation.
+ violationLabel = "violation"
+
+ // allowLabel is added to the program to allow the syscall to take place.
+ allowLabel = "allow"
+)
+
+// Install generates BPF code based on the set of syscalls provided. It only
+// allows syscalls that conform to the specification (*) and generates SIGSYS
+// trap unless kill is set.
+//
+// (*) The current implementation only checks the syscall number. It does NOT
+// validate any of the arguments.
+func Install(syscalls []uintptr, kill bool) error {
+ // Sort syscalls and remove duplicates to build the BST.
+ sort.Slice(syscalls, func(i, j int) bool { return syscalls[i] < syscalls[j] })
+ syscalls = filterUnique(syscalls)
+
+ log.Infof("Installing seccomp filters for %d syscalls (kill=%t)", len(syscalls), kill)
+ for _, s := range syscalls {
+ log.Infof("syscall filter: %v", s)
+ }
+
+ instrs, err := buildProgram(syscalls, kill)
+ if err != nil {
+ return err
+ }
+ if log.IsLogging(log.Debug) {
+ programStr, err := bpf.DecodeProgram(instrs)
+ if err != nil {
+ programStr = fmt.Sprintf("Error: %v\n%s", err, programStr)
+ }
+ log.Debugf("Seccomp program dump:\n%s", programStr)
+ }
+
+ if err := seccomp(instrs); err != nil {
+ return err
+ }
+
+ log.Infof("Seccomp filters installed.")
+ return nil
+}
+
+// buildProgram builds a BPF program that whitelists all given syscalls.
+//
+// Precondition: syscalls must be sorted and unique.
+func buildProgram(syscalls []uintptr, kill bool) ([]linux.BPFInstruction, error) {
+ const archOffset = 4 // offsetof(seccomp_data, arch)
+ program := bpf.NewProgramBuilder()
+ violationAction := uint32(linux.SECCOMP_RET_KILL)
+ if !kill {
+ violationAction = linux.SECCOMP_RET_TRAP
+ }
+
+ // Be paranoid and check that syscall is done in the expected architecture.
+ //
+ // A = seccomp_data.arch
+ // if (A != AUDIT_ARCH_X86_64) goto violation
+ program.AddStmt(bpf.Ld|bpf.Abs|bpf.W, archOffset)
+ program.AddJumpFalseLabel(bpf.Jmp|bpf.Jeq|bpf.K, linux.AUDIT_ARCH_X86_64, 0, violationLabel)
+
+ if err := buildIndex(syscalls, program); err != nil {
+ return nil, err
+ }
+
+ // violation: return violationAction
+ if err := program.AddLabel(violationLabel); err != nil {
+ return nil, err
+ }
+ program.AddStmt(bpf.Ret|bpf.K, violationAction)
+
+ // allow: return SECCOMP_RET_ALLOW
+ if err := program.AddLabel(allowLabel); err != nil {
+ return nil, err
+ }
+ program.AddStmt(bpf.Ret|bpf.K, linux.SECCOMP_RET_ALLOW)
+
+ return program.Instructions()
+}
+
+// filterUnique filters unique system calls.
+//
+// Precondition: syscalls must be sorted.
+func filterUnique(syscalls []uintptr) []uintptr {
+ filtered := make([]uintptr, 0, len(syscalls))
+ for i := 0; i < len(syscalls); i++ {
+ if len(filtered) > 0 && syscalls[i] == filtered[len(filtered)-1] {
+ // This call has already been inserted, skip.
+ continue
+ }
+ filtered = append(filtered, syscalls[i])
+ }
+ return filtered
+}
+
+// buildIndex builds a BST to quickly search through all syscalls that are whitelisted.
+//
+// Precondition: syscalls must be sorted and unique.
+func buildIndex(syscalls []uintptr, program *bpf.ProgramBuilder) error {
+ root := createBST(syscalls)
+
+ // Load syscall number into A and run through BST.
+ //
+ // A = seccomp_data.nr
+ program.AddStmt(bpf.Ld|bpf.Abs|bpf.W, 0)
+ return root.buildBSTProgram(program, true)
+}
+
+// createBST converts sorted syscall slice into a balanced BST.
+// Panics if syscalls is empty.
+func createBST(syscalls []uintptr) *node {
+ i := len(syscalls) / 2
+ parent := node{value: syscalls[i]}
+ if i > 0 {
+ parent.left = createBST(syscalls[:i])
+ }
+ if i+1 < len(syscalls) {
+ parent.right = createBST(syscalls[i+1:])
+ }
+ return &parent
+}
+
+// node represents a tree node.
+type node struct {
+ value uintptr
+ left *node
+ right *node
+}
+
+// label returns the label corresponding to this node. If node is nil (syscall not present),
+// violationLabel is returned for convenience.
+func (n *node) label() string {
+ if n == nil {
+ return violationLabel
+ }
+ return fmt.Sprintf("index_%v", n.value)
+}
+
+// buildBSTProgram converts a binary tree started in 'root' into BPF code. The ouline of the code
+// is as follows:
+//
+// // SYS_PIPE(22), root
+// (A == 22) ? goto allow : continue
+// (A > 22) ? goto index_35 : goto index_9
+//
+// index_9: // SYS_MMAP(9), leaf
+// (A == 9) ? goto allow : goto violation
+//
+// index_35: // SYS_NANOSLEEP(35), single child
+// (A == 35) ? goto allow : continue
+// (A > 35) ? goto index_50 : goto violation
+//
+// index_50: // SYS_LISTEN(50), leaf
+// (A == 50) ? goto allow : goto violation
+//
+func (n *node) buildBSTProgram(program *bpf.ProgramBuilder, root bool) error {
+ if n == nil {
+ return nil
+ }
+
+ // Root node is never referenced by label, skip it.
+ if !root {
+ if err := program.AddLabel(n.label()); err != nil {
+ return err
+ }
+ }
+
+ // Leaf nodes don't require extra check, they either allow or violate!
+ if n.left == nil && n.right == nil {
+ program.AddJumpLabels(bpf.Jmp|bpf.Jeq|bpf.K, uint32(n.value), allowLabel, violationLabel)
+ return nil
+ }
+
+ // Non-leaf node. Allows syscall if it matches, check which turn to take otherwise. Note
+ // that 'violationLabel' is returned for nil children.
+ program.AddJumpTrueLabel(bpf.Jmp|bpf.Jeq|bpf.K, uint32(n.value), allowLabel, 0)
+ program.AddJumpLabels(bpf.Jmp|bpf.Jgt|bpf.K, uint32(n.value), n.right.label(), n.left.label())
+
+ if err := n.left.buildBSTProgram(program, false); err != nil {
+ return err
+ }
+ return n.right.buildBSTProgram(program, false)
+}