authorZhengyu He <hzy@google.com>2018-06-01 13:39:53 -0700
committerShentubot <shentubot@google.com>2018-06-01 13:40:52 -0700
commitd1ca50d49e52338feb1d46b69725b9ac21cc3ccc (patch)
tree11e0bcef11cffe780a407775f02f57ee2d142c5f /runsc/boot
parent65dadc00297d946e86b2e95b0279fb6dc94542dd (diff)
Add SyscallRules that supports argument filtering
PiperOrigin-RevId: 198919043 Change-Id: I7f1f0a3b3430cd0936a4ee4fc6859aab71820bdf
Diffstat (limited to 'runsc/boot')
-rw-r--r--runsc/boot/filter/config.go249
-rw-r--r--runsc/boot/filter/extra_filters.go6
-rw-r--r--runsc/boot/filter/extra_filters_msan.go10
-rw-r--r--runsc/boot/filter/extra_filters_race.go19
-rw-r--r--runsc/boot/filter/filter.go12
5 files changed, 154 insertions, 142 deletions
diff --git a/runsc/boot/filter/config.go b/runsc/boot/filter/config.go
index 130e987df..86c256c5b 100644
--- a/runsc/boot/filter/config.go
+++ b/runsc/boot/filter/config.go
@@ -18,77 +18,78 @@ import (
"syscall"
"golang.org/x/sys/unix"
+ "gvisor.googlesource.com/gvisor/pkg/seccomp"
)
// allowedSyscalls is the set of syscalls executed by the Sentry
// to the host OS.
-var allowedSyscalls = []uintptr{
- syscall.SYS_ACCEPT,
- syscall.SYS_ARCH_PRCTL,
- syscall.SYS_CLOCK_GETTIME,
- syscall.SYS_CLONE,
- syscall.SYS_CLOSE,
- syscall.SYS_DUP,
- syscall.SYS_DUP2,
- syscall.SYS_EPOLL_CREATE1,
- syscall.SYS_EPOLL_CTL,
- syscall.SYS_EPOLL_PWAIT,
- syscall.SYS_EPOLL_WAIT,
- syscall.SYS_EVENTFD2,
- syscall.SYS_EXIT,
- syscall.SYS_EXIT_GROUP,
- syscall.SYS_FALLOCATE,
- syscall.SYS_FCHMOD,
- syscall.SYS_FCNTL,
- syscall.SYS_FSTAT,
- syscall.SYS_FSYNC,
- syscall.SYS_FTRUNCATE,
- syscall.SYS_FUTEX,
- syscall.SYS_GETDENTS64,
- syscall.SYS_GETPID,
- unix.SYS_GETRANDOM,
- syscall.SYS_GETSOCKOPT,
- syscall.SYS_GETTID,
- syscall.SYS_GETTIMEOFDAY,
- syscall.SYS_LISTEN,
- syscall.SYS_LSEEK,
- syscall.SYS_MADVISE,
- syscall.SYS_MINCORE,
- syscall.SYS_MMAP,
- syscall.SYS_MPROTECT,
- syscall.SYS_MUNMAP,
- syscall.SYS_NEWFSTATAT,
- syscall.SYS_POLL,
- syscall.SYS_PREAD64,
- syscall.SYS_PSELECT6,
- syscall.SYS_PWRITE64,
- syscall.SYS_READ,
- syscall.SYS_READLINKAT,
- syscall.SYS_READV,
- syscall.SYS_RECVMSG,
- syscall.SYS_RENAMEAT,
- syscall.SYS_RESTART_SYSCALL,
- syscall.SYS_RT_SIGACTION,
- syscall.SYS_RT_SIGPROCMASK,
- syscall.SYS_RT_SIGRETURN,
- syscall.SYS_SCHED_YIELD,
- syscall.SYS_SENDMSG,
- syscall.SYS_SETITIMER,
- syscall.SYS_SHUTDOWN,
- syscall.SYS_SIGALTSTACK,
- syscall.SYS_SYNC_FILE_RANGE,
- syscall.SYS_TGKILL,
- syscall.SYS_UTIMENSAT,
- syscall.SYS_WRITE,
- syscall.SYS_WRITEV,
+var allowedSyscalls = seccomp.SyscallRules{
+ syscall.SYS_ACCEPT: {},
+ syscall.SYS_ARCH_PRCTL: {},
+ syscall.SYS_CLOCK_GETTIME: {},
+ syscall.SYS_CLONE: {},
+ syscall.SYS_CLOSE: {},
+ syscall.SYS_DUP: {},
+ syscall.SYS_DUP2: {},
+ syscall.SYS_EPOLL_CREATE1: {},
+ syscall.SYS_EPOLL_CTL: {},
+ syscall.SYS_EPOLL_PWAIT: {},
+ syscall.SYS_EPOLL_WAIT: {},
+ syscall.SYS_EVENTFD2: {},
+ syscall.SYS_EXIT: {},
+ syscall.SYS_EXIT_GROUP: {},
+ syscall.SYS_FALLOCATE: {},
+ syscall.SYS_FCHMOD: {},
+ syscall.SYS_FCNTL: {},
+ syscall.SYS_FSTAT: {},
+ syscall.SYS_FSYNC: {},
+ syscall.SYS_FTRUNCATE: {},
+ syscall.SYS_FUTEX: {},
+ syscall.SYS_GETDENTS64: {},
+ syscall.SYS_GETPID: {},
+ unix.SYS_GETRANDOM: {},
+ syscall.SYS_GETSOCKOPT: {},
+ syscall.SYS_GETTID: {},
+ syscall.SYS_GETTIMEOFDAY: {},
+ syscall.SYS_LISTEN: {},
+ syscall.SYS_LSEEK: {},
+ syscall.SYS_MADVISE: {},
+ syscall.SYS_MINCORE: {},
+ syscall.SYS_MMAP: {},
+ syscall.SYS_MPROTECT: {},
+ syscall.SYS_MUNMAP: {},
+ syscall.SYS_NEWFSTATAT: {},
+ syscall.SYS_POLL: {},
+ syscall.SYS_PREAD64: {},
+ syscall.SYS_PSELECT6: {},
+ syscall.SYS_PWRITE64: {},
+ syscall.SYS_READ: {},
+ syscall.SYS_READLINKAT: {},
+ syscall.SYS_READV: {},
+ syscall.SYS_RECVMSG: {},
+ syscall.SYS_RENAMEAT: {},
+ syscall.SYS_RESTART_SYSCALL: {},
+ syscall.SYS_RT_SIGACTION: {},
+ syscall.SYS_RT_SIGPROCMASK: {},
+ syscall.SYS_RT_SIGRETURN: {},
+ syscall.SYS_SCHED_YIELD: {},
+ syscall.SYS_SENDMSG: {},
+ syscall.SYS_SETITIMER: {},
+ syscall.SYS_SHUTDOWN: {},
+ syscall.SYS_SIGALTSTACK: {},
+ syscall.SYS_SYNC_FILE_RANGE: {},
+ syscall.SYS_TGKILL: {},
+ syscall.SYS_UTIMENSAT: {},
+ syscall.SYS_WRITE: {},
+ syscall.SYS_WRITEV: {},
}
// TODO: Ioctl is needed in order to support tty consoles.
// Once filters support argument-checking, we should only allow ioctl
// with tty-related arguments.
-func consoleFilters() []uintptr {
- return []uintptr{
- syscall.SYS_IOCTL,
+func consoleFilters() seccomp.SyscallRules {
+ return seccomp.SyscallRules{
+ syscall.SYS_IOCTL: {},
}
}
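Review bot: The ioctl rule in consoleFilters is still the unconditional `syscall.SYS_IOCTL: {}` even though this commit introduces the argument-filtering SyscallRules type that the TODO directly above it names as the precondition for tightening it; the same unconditional ioctl entry appears in hostInetFilters and kvmFilters in the next hunk. If argument rules are out of scope for this change, the TODO should at least stop reading as blocked on a missing feature, e.g. `// TODO: SyscallRules now supports argument filtering; restrict ioctl to the tty-related request values the console actually needs.` It would also help to document on allowedSyscalls what an empty rule list means (presumably "any arguments"), since a syscall listed there that way will stay unrestricted no matter how narrow a rule a later Merge adds for it.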
@@ -97,79 +98,79 @@ func consoleFilters() []uintptr {
// file operations that would otherwise be disabled by seccomp when a Gofer is
// used. When whitelistFS is not used, openning new FD in the Sentry is
// disallowed.
-func whitelistFSFilters() []uintptr {
- return []uintptr{
- syscall.SYS_ACCESS,
- syscall.SYS_FCHMOD,
- syscall.SYS_FSTAT,
- syscall.SYS_FSYNC,
- syscall.SYS_FTRUNCATE,
- syscall.SYS_GETCWD,
- syscall.SYS_GETDENTS,
- syscall.SYS_GETDENTS64,
- syscall.SYS_LSEEK,
- syscall.SYS_LSTAT,
- syscall.SYS_MKDIR,
- syscall.SYS_MKDIRAT,
- syscall.SYS_NEWFSTATAT,
- syscall.SYS_OPEN,
- syscall.SYS_OPENAT,
- syscall.SYS_PREAD64,
- syscall.SYS_PWRITE64,
- syscall.SYS_READ,
- syscall.SYS_READLINK,
- syscall.SYS_READLINKAT,
- syscall.SYS_RENAMEAT,
- syscall.SYS_STAT,
- syscall.SYS_SYMLINK,
- syscall.SYS_SYMLINKAT,
- syscall.SYS_SYNC_FILE_RANGE,
- syscall.SYS_UNLINK,
- syscall.SYS_UNLINKAT,
- syscall.SYS_UTIMENSAT,
- syscall.SYS_WRITE,
+func whitelistFSFilters() seccomp.SyscallRules {
+ return seccomp.SyscallRules{
+ syscall.SYS_ACCESS: {},
+ syscall.SYS_FCHMOD: {},
+ syscall.SYS_FSTAT: {},
+ syscall.SYS_FSYNC: {},
+ syscall.SYS_FTRUNCATE: {},
+ syscall.SYS_GETCWD: {},
+ syscall.SYS_GETDENTS: {},
+ syscall.SYS_GETDENTS64: {},
+ syscall.SYS_LSEEK: {},
+ syscall.SYS_LSTAT: {},
+ syscall.SYS_MKDIR: {},
+ syscall.SYS_MKDIRAT: {},
+ syscall.SYS_NEWFSTATAT: {},
+ syscall.SYS_OPEN: {},
+ syscall.SYS_OPENAT: {},
+ syscall.SYS_PREAD64: {},
+ syscall.SYS_PWRITE64: {},
+ syscall.SYS_READ: {},
+ syscall.SYS_READLINK: {},
+ syscall.SYS_READLINKAT: {},
+ syscall.SYS_RENAMEAT: {},
+ syscall.SYS_STAT: {},
+ syscall.SYS_SYMLINK: {},
+ syscall.SYS_SYMLINKAT: {},
+ syscall.SYS_SYNC_FILE_RANGE: {},
+ syscall.SYS_UNLINK: {},
+ syscall.SYS_UNLINKAT: {},
+ syscall.SYS_UTIMENSAT: {},
+ syscall.SYS_WRITE: {},
}
}
// hostInetFilters contains syscalls that are needed by sentry/socket/hostinet.
-func hostInetFilters() []uintptr {
- return []uintptr{
- syscall.SYS_ACCEPT4,
- syscall.SYS_BIND,
- syscall.SYS_CONNECT,
- syscall.SYS_GETPEERNAME,
- syscall.SYS_GETSOCKNAME,
- syscall.SYS_GETSOCKOPT,
- syscall.SYS_IOCTL,
- syscall.SYS_LISTEN,
- syscall.SYS_READV,
- syscall.SYS_RECVFROM,
- syscall.SYS_RECVMSG,
- syscall.SYS_SENDMSG,
- syscall.SYS_SENDTO,
- syscall.SYS_SETSOCKOPT,
- syscall.SYS_SHUTDOWN,
- syscall.SYS_SOCKET,
- syscall.SYS_WRITEV,
+func hostInetFilters() seccomp.SyscallRules {
+ return seccomp.SyscallRules{
+ syscall.SYS_ACCEPT4: {},
+ syscall.SYS_BIND: {},
+ syscall.SYS_CONNECT: {},
+ syscall.SYS_GETPEERNAME: {},
+ syscall.SYS_GETSOCKNAME: {},
+ syscall.SYS_GETSOCKOPT: {},
+ syscall.SYS_IOCTL: {},
+ syscall.SYS_LISTEN: {},
+ syscall.SYS_READV: {},
+ syscall.SYS_RECVFROM: {},
+ syscall.SYS_RECVMSG: {},
+ syscall.SYS_SENDMSG: {},
+ syscall.SYS_SENDTO: {},
+ syscall.SYS_SETSOCKOPT: {},
+ syscall.SYS_SHUTDOWN: {},
+ syscall.SYS_SOCKET: {},
+ syscall.SYS_WRITEV: {},
}
}
// ptraceFilters returns syscalls made exclusively by the ptrace platform.
-func ptraceFilters() []uintptr {
- return []uintptr{
- syscall.SYS_PTRACE,
- syscall.SYS_WAIT4,
- unix.SYS_GETCPU,
- unix.SYS_SCHED_SETAFFINITY,
+func ptraceFilters() seccomp.SyscallRules {
+ return seccomp.SyscallRules{
+ syscall.SYS_PTRACE: {},
+ syscall.SYS_WAIT4: {},
+ unix.SYS_GETCPU: {},
+ unix.SYS_SCHED_SETAFFINITY: {},
}
}
// kvmFilters returns syscalls made exclusively by the KVM platform.
-func kvmFilters() []uintptr {
- return []uintptr{
- syscall.SYS_IOCTL,
- syscall.SYS_RT_SIGSUSPEND,
- syscall.SYS_RT_SIGTIMEDWAIT,
- 0xffffffffffffffff, // KVM uses syscall -1 to transition to host.
+func kvmFilters() seccomp.SyscallRules {
+ return seccomp.SyscallRules{
+ syscall.SYS_IOCTL: {},
+ syscall.SYS_RT_SIGSUSPEND: {},
+ syscall.SYS_RT_SIGTIMEDWAIT: {},
+ 0xffffffffffffffff: {}, // KVM uses syscall -1 to transition to host.
}
}
diff --git a/runsc/boot/filter/extra_filters.go b/runsc/boot/filter/extra_filters.go
index e10d9bf4c..82cf00dfb 100644
--- a/runsc/boot/filter/extra_filters.go
+++ b/runsc/boot/filter/extra_filters.go
@@ -16,9 +16,13 @@
package filter
+import (
+ "gvisor.googlesource.com/gvisor/pkg/seccomp"
+)
+
// instrumentationFilters returns additional filters for syscalls used by
// Go intrumentation tools, e.g. -race, -msan.
// Returns empty when disabled.
-func instrumentationFilters() []uintptr {
+func instrumentationFilters() seccomp.SyscallRules {
return nil
}
diff --git a/runsc/boot/filter/extra_filters_msan.go b/runsc/boot/filter/extra_filters_msan.go
index a862340f6..76f3f6865 100644
--- a/runsc/boot/filter/extra_filters_msan.go
+++ b/runsc/boot/filter/extra_filters_msan.go
@@ -18,13 +18,15 @@ package filter
import (
"syscall"
+
+ "gvisor.googlesource.com/gvisor/pkg/seccomp"
)
// instrumentationFilters returns additional filters for syscalls used by MSAN.
-func instrumentationFilters() []uintptr {
+func instrumentationFilters() seccomp.SyscallRules {
Report("MSAN is enabled: syscall filters less restrictive!")
- return []uintptr{
- syscall.SYS_SCHED_GETAFFINITY,
- syscall.SYS_SET_ROBUST_LIST,
+ return seccomp.SyscallRules{
+ syscall.SYS_SCHED_GETAFFINITY: {},
+ syscall.SYS_SET_ROBUST_LIST: {},
}
}
diff --git a/runsc/boot/filter/extra_filters_race.go b/runsc/boot/filter/extra_filters_race.go
index b0c74a58a..c810773df 100644
--- a/runsc/boot/filter/extra_filters_race.go
+++ b/runsc/boot/filter/extra_filters_race.go
@@ -18,16 +18,21 @@ package filter
import (
"syscall"
+
+ "gvisor.googlesource.com/gvisor/pkg/seccomp"
)
// instrumentationFilters returns additional filters for syscalls used by TSAN.
-func instrumentationFilters() []uintptr {
+func instrumentationFilters() seccomp.SyscallRules {
Report("TSAN is enabled: syscall filters less restrictive!")
- return []uintptr{
- syscall.SYS_BRK,
- syscall.SYS_MUNLOCK,
- syscall.SYS_NANOSLEEP,
- syscall.SYS_OPEN,
- syscall.SYS_SET_ROBUST_LIST,
+ return seccomp.SyscallRules{
+ syscall.SYS_BRK: {},
+ syscall.SYS_CLONE: {},
+ syscall.SYS_FUTEX: {},
+ syscall.SYS_MMAP: {},
+ syscall.SYS_MUNLOCK: {},
+ syscall.SYS_NANOSLEEP: {},
+ syscall.SYS_OPEN: {},
+ syscall.SYS_SET_ROBUST_LIST: {},
}
}
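Review bot: SYS_CLONE, SYS_FUTEX and SYS_MMAP are newly added to the TSAN filter set, but all three are already present in allowedSyscalls in config.go, and the commit message does not mention widening the instrumentation filters. If they are intentional, say as a record of what TSAN itself needs, a comment such as `// Already in allowedSyscalls; listed here to document TSAN's own requirements.` would stop the next reader from trimming them as duplicates; otherwise drop the three lines so the set stays a strict delta over the base rules. Whether a duplicate key with an empty rule list is harmless depends on how SyscallRules.Merge combines rule lists, which is not visible here.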
diff --git a/runsc/boot/filter/filter.go b/runsc/boot/filter/filter.go
index 3ba56a318..6ea9c464e 100644
--- a/runsc/boot/filter/filter.go
+++ b/runsc/boot/filter/filter.go
@@ -33,26 +33,26 @@ func Install(p platform.Platform, whitelistFS, console, hostNetwork bool) error
// Set of additional filters used by -race and -msan. Returns empty
// when not enabled.
- s = append(s, instrumentationFilters()...)
+ s.Merge(instrumentationFilters())
if whitelistFS {
Report("direct file access allows unrestricted file access!")
- s = append(s, whitelistFSFilters()...)
+ s.Merge(whitelistFSFilters())
}
if console {
Report("console is enabled: syscall filters less restrictive!")
- s = append(s, consoleFilters()...)
+ s.Merge(consoleFilters())
}
if hostNetwork {
Report("host networking enabled: syscall filters less restrictive!")
- s = append(s, hostInetFilters()...)
+ s.Merge(hostInetFilters())
}
switch p := p.(type) {
case *ptrace.PTrace:
- s = append(s, ptraceFilters()...)
+ s.Merge(ptraceFilters())
case *kvm.KVM:
- s = append(s, kvmFilters()...)
+ s.Merge(kvmFilters())
default:
return fmt.Errorf("unknown platform type %T", p)
}
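Review bot: `s.Merge(...)` now mutates `s` in place, so if `s` is initialised above this hunk as `s := allowedSyscalls` — and SyscallRules looks like a map type, given the keyed literals in config.go — every Merge here writes into the package-level allowlist rather than a private copy, whereas the old `append` form normally reallocated and did not alias it. A later call to Install in the same process, or a test exercising several option combinations, would then silently inherit rules from an earlier call, e.g. the host-networking syscalls. Start from a fresh set, e.g. `s := seccomp.SyscallRules{}` followed by `s.Merge(allowedSyscalls)`, or give SyscallRules a copy helper and use it here. Install's signature and the initialisation of s are outside the hunk, so this is inferred from the Merge calls alone.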