Add seccomp(2) support.

Add support for the seccomp syscall and the flag SECCOMP_FILTER_FLAG_TSYNC.

PiperOrigin-RevId: 207101507
Change-Id: I5eb8ba9d5ef71b0e683930a6429182726dc23175

4 files changed, 86 insertions, 30 deletions

diff --git a/pkg/sentry/syscalls/linux/BUILD b/pkg/sentry/syscalls/linux/BUILD
index 574621ad2..32fca3811 100644
--- a/pkg/sentry/syscalls/linux/BUILD
+++ b/pkg/sentry/syscalls/linux/BUILD
@@ -42,6 +42,7 @@ go_library(
         "sys_rlimit.go",
         "sys_rusage.go",
         "sys_sched.go",
+        "sys_seccomp.go",
         "sys_sem.go",
         "sys_shm.go",
         "sys_signal.go",
diff --git a/pkg/sentry/syscalls/linux/linux64.go b/pkg/sentry/syscalls/linux/linux64.go
index edfcdca3f..c102af101 100644
--- a/pkg/sentry/syscalls/linux/linux64.go
+++ b/pkg/sentry/syscalls/linux/linux64.go
@@ -359,6 +359,7 @@ var AMD64 = &kernel.SyscallTable{
 		312: syscalls.CapError(linux.CAP_SYS_PTRACE), // Kcmp, requires cap_sys_ptrace
 		313: syscalls.CapError(linux.CAP_SYS_MODULE), // FinitModule, requires cap_sys_module
 		// "Backports."
+		317: Seccomp,
 		318: GetRandom,
 	},
 
diff --git a/pkg/sentry/syscalls/linux/sys_prctl.go b/pkg/sentry/syscalls/linux/sys_prctl.go
index 2ca7471cf..911fef658 100644
--- a/pkg/sentry/syscalls/linux/sys_prctl.go
+++ b/pkg/sentry/syscalls/linux/sys_prctl.go
@@ -18,29 +18,13 @@ import (
 	"syscall"
 
 	"gvisor.googlesource.com/gvisor/pkg/abi/linux"
-	"gvisor.googlesource.com/gvisor/pkg/bpf"
 	"gvisor.googlesource.com/gvisor/pkg/sentry/arch"
 	"gvisor.googlesource.com/gvisor/pkg/sentry/fs"
 	"gvisor.googlesource.com/gvisor/pkg/sentry/kernel"
 	"gvisor.googlesource.com/gvisor/pkg/sentry/kernel/auth"
 	"gvisor.googlesource.com/gvisor/pkg/sentry/kernel/kdefs"
-	"gvisor.googlesource.com/gvisor/pkg/sentry/usermem"
 )
 
-// userSockFprog is equivalent to Linux's struct sock_fprog on amd64.
-type userSockFprog struct {
-	// Len is the length of the filter in BPF instructions.
-	Len uint16
-
-	_ [6]byte // padding for alignment
-
-	// Filter is a user pointer to the struct sock_filter array that makes up
-	// the filter program. Filter is a uint64 rather than a usermem.Addr
-	// because usermem.Addr is actually uintptr, which is not a fixed-size
-	// type, and encoding/binary.Read objects to this.
-	Filter uint64
-}
-
 // Prctl implements linux syscall prctl(2).
 // It has a list of subfunctions which operate on the process. The arguments are
 // all based on each subfunction.
@@ -143,20 +127,8 @@ func Prctl(t *kernel.Task, args arch.SyscallArguments) (uintptr, *kernel.Syscall
 			// Unsupported mode.
 			return 0, nil, syscall.EINVAL
 		}
-		var fprog userSockFprog
-		if _, err := t.CopyIn(args[2].Pointer(), &fprog); err != nil {
-			return 0, nil, err
-		}
-		filter := make([]linux.BPFInstruction, int(fprog.Len))
-		if _, err := t.CopyIn(usermem.Addr(fprog.Filter), &filter); err != nil {
-			return 0, nil, err
-		}
-		compiledFilter, err := bpf.Compile(filter)
-		if err != nil {
-			t.Debugf("Invalid seccomp-bpf filter: %v", err)
-			return 0, nil, syscall.EINVAL
-		}
-		return 0, nil, t.AppendSyscallFilter(compiledFilter)
+
+		return 0, nil, seccomp(t, linux.SECCOMP_SET_MODE_FILTER, 0, args[2].Pointer())
 
 	case linux.PR_GET_SECCOMP:
 		return uintptr(t.SeccompMode()), nil, nil
diff --git a/pkg/sentry/syscalls/linux/sys_seccomp.go b/pkg/sentry/syscalls/linux/sys_seccomp.go
new file mode 100644
index 000000000..4323a4df4
--- /dev/null
+++ b/pkg/sentry/syscalls/linux/sys_seccomp.go
@@ -0,0 +1,82 @@
+// Copyright 2018 Google Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package linux
+
+import (
+	"syscall"
+
+	"gvisor.googlesource.com/gvisor/pkg/abi/linux"
+	"gvisor.googlesource.com/gvisor/pkg/bpf"
+	"gvisor.googlesource.com/gvisor/pkg/sentry/arch"
+	"gvisor.googlesource.com/gvisor/pkg/sentry/kernel"
+	"gvisor.googlesource.com/gvisor/pkg/sentry/usermem"
+)
+
+// userSockFprog is equivalent to Linux's struct sock_fprog on amd64.
+type userSockFprog struct {
+	// Len is the length of the filter in BPF instructions.
+	Len uint16
+
+	_ [6]byte // padding for alignment
+
+	// Filter is a user pointer to the struct sock_filter array that makes up
+	// the filter program. Filter is a uint64 rather than a usermem.Addr
+	// because usermem.Addr is actually uintptr, which is not a fixed-size
+	// type, and encoding/binary.Read objects to this.
+	Filter uint64
+}
+
+// seccomp applies a seccomp policy to the current task.
+func seccomp(t *kernel.Task, mode, flags uint64, addr usermem.Addr) error {
+	// We only support SECCOMP_SET_MODE_FILTER at the moment.
+	if mode != linux.SECCOMP_SET_MODE_FILTER {
+		// Unsupported mode.
+		return syscall.EINVAL
+	}
+
+	tsync := flags&linux.SECCOMP_FILTER_FLAG_TSYNC != 0
+
+	// The only flag we support now is SECCOMP_FILTER_FLAG_TSYNC.
+	if flags&^linux.SECCOMP_FILTER_FLAG_TSYNC != 0 {
+		// Unsupported flag.
+		return syscall.EINVAL
+	}
+
+	var fprog userSockFprog
+	if _, err := t.CopyIn(addr, &fprog); err != nil {
+		return err
+	}
+	filter := make([]linux.BPFInstruction, int(fprog.Len))
+	if _, err := t.CopyIn(usermem.Addr(fprog.Filter), &filter); err != nil {
+		return err
+	}
+	compiledFilter, err := bpf.Compile(filter)
+	if err != nil {
+		t.Debugf("Invalid seccomp-bpf filter: %v", err)
+		return syscall.EINVAL
+	}
+
+	err = t.AppendSyscallFilter(compiledFilter)
+	if err == nil && tsync {
+		// Now we must copy this seccomp program to all other threads.
+		err = t.SyncSyscallFiltersToThreadGroup()
+	}
+	return err
+}
+
+// Seccomp implements linux syscall seccomp(2).
+func Seccomp(t *kernel.Task, args arch.SyscallArguments) (uintptr, *kernel.SyscallControl, error) {
+	return 0, nil, seccomp(t, args[0].Uint64(), args[1].Uint64(), args[2].Pointer())
+}