diff options
Diffstat (limited to 'runsc')
-rw-r--r-- | runsc/boot/filter/config.go | 249 | ||||
-rw-r--r-- | runsc/boot/filter/extra_filters.go | 6 | ||||
-rw-r--r-- | runsc/boot/filter/extra_filters_msan.go | 10 | ||||
-rw-r--r-- | runsc/boot/filter/extra_filters_race.go | 19 | ||||
-rw-r--r-- | runsc/boot/filter/filter.go | 12 |
5 files changed, 154 insertions, 142 deletions
diff --git a/runsc/boot/filter/config.go b/runsc/boot/filter/config.go index 130e987df..86c256c5b 100644 --- a/runsc/boot/filter/config.go +++ b/runsc/boot/filter/config.go @@ -18,77 +18,78 @@ import ( "syscall" "golang.org/x/sys/unix" + "gvisor.googlesource.com/gvisor/pkg/seccomp" ) // allowedSyscalls is the set of syscalls executed by the Sentry // to the host OS. -var allowedSyscalls = []uintptr{ - syscall.SYS_ACCEPT, - syscall.SYS_ARCH_PRCTL, - syscall.SYS_CLOCK_GETTIME, - syscall.SYS_CLONE, - syscall.SYS_CLOSE, - syscall.SYS_DUP, - syscall.SYS_DUP2, - syscall.SYS_EPOLL_CREATE1, - syscall.SYS_EPOLL_CTL, - syscall.SYS_EPOLL_PWAIT, - syscall.SYS_EPOLL_WAIT, - syscall.SYS_EVENTFD2, - syscall.SYS_EXIT, - syscall.SYS_EXIT_GROUP, - syscall.SYS_FALLOCATE, - syscall.SYS_FCHMOD, - syscall.SYS_FCNTL, - syscall.SYS_FSTAT, - syscall.SYS_FSYNC, - syscall.SYS_FTRUNCATE, - syscall.SYS_FUTEX, - syscall.SYS_GETDENTS64, - syscall.SYS_GETPID, - unix.SYS_GETRANDOM, - syscall.SYS_GETSOCKOPT, - syscall.SYS_GETTID, - syscall.SYS_GETTIMEOFDAY, - syscall.SYS_LISTEN, - syscall.SYS_LSEEK, - syscall.SYS_MADVISE, - syscall.SYS_MINCORE, - syscall.SYS_MMAP, - syscall.SYS_MPROTECT, - syscall.SYS_MUNMAP, - syscall.SYS_NEWFSTATAT, - syscall.SYS_POLL, - syscall.SYS_PREAD64, - syscall.SYS_PSELECT6, - syscall.SYS_PWRITE64, - syscall.SYS_READ, - syscall.SYS_READLINKAT, - syscall.SYS_READV, - syscall.SYS_RECVMSG, - syscall.SYS_RENAMEAT, - syscall.SYS_RESTART_SYSCALL, - syscall.SYS_RT_SIGACTION, - syscall.SYS_RT_SIGPROCMASK, - syscall.SYS_RT_SIGRETURN, - syscall.SYS_SCHED_YIELD, - syscall.SYS_SENDMSG, - syscall.SYS_SETITIMER, - syscall.SYS_SHUTDOWN, - syscall.SYS_SIGALTSTACK, - syscall.SYS_SYNC_FILE_RANGE, - syscall.SYS_TGKILL, - syscall.SYS_UTIMENSAT, - syscall.SYS_WRITE, - syscall.SYS_WRITEV, +var allowedSyscalls = seccomp.SyscallRules{ + syscall.SYS_ACCEPT: {}, + syscall.SYS_ARCH_PRCTL: {}, + syscall.SYS_CLOCK_GETTIME: {}, + syscall.SYS_CLONE: {}, + syscall.SYS_CLOSE: {}, + syscall.SYS_DUP: {}, + syscall.SYS_DUP2: {}, + syscall.SYS_EPOLL_CREATE1: {}, + syscall.SYS_EPOLL_CTL: {}, + syscall.SYS_EPOLL_PWAIT: {}, + syscall.SYS_EPOLL_WAIT: {}, + syscall.SYS_EVENTFD2: {}, + syscall.SYS_EXIT: {}, + syscall.SYS_EXIT_GROUP: {}, + syscall.SYS_FALLOCATE: {}, + syscall.SYS_FCHMOD: {}, + syscall.SYS_FCNTL: {}, + syscall.SYS_FSTAT: {}, + syscall.SYS_FSYNC: {}, + syscall.SYS_FTRUNCATE: {}, + syscall.SYS_FUTEX: {}, + syscall.SYS_GETDENTS64: {}, + syscall.SYS_GETPID: {}, + unix.SYS_GETRANDOM: {}, + syscall.SYS_GETSOCKOPT: {}, + syscall.SYS_GETTID: {}, + syscall.SYS_GETTIMEOFDAY: {}, + syscall.SYS_LISTEN: {}, + syscall.SYS_LSEEK: {}, + syscall.SYS_MADVISE: {}, + syscall.SYS_MINCORE: {}, + syscall.SYS_MMAP: {}, + syscall.SYS_MPROTECT: {}, + syscall.SYS_MUNMAP: {}, + syscall.SYS_NEWFSTATAT: {}, + syscall.SYS_POLL: {}, + syscall.SYS_PREAD64: {}, + syscall.SYS_PSELECT6: {}, + syscall.SYS_PWRITE64: {}, + syscall.SYS_READ: {}, + syscall.SYS_READLINKAT: {}, + syscall.SYS_READV: {}, + syscall.SYS_RECVMSG: {}, + syscall.SYS_RENAMEAT: {}, + syscall.SYS_RESTART_SYSCALL: {}, + syscall.SYS_RT_SIGACTION: {}, + syscall.SYS_RT_SIGPROCMASK: {}, + syscall.SYS_RT_SIGRETURN: {}, + syscall.SYS_SCHED_YIELD: {}, + syscall.SYS_SENDMSG: {}, + syscall.SYS_SETITIMER: {}, + syscall.SYS_SHUTDOWN: {}, + syscall.SYS_SIGALTSTACK: {}, + syscall.SYS_SYNC_FILE_RANGE: {}, + syscall.SYS_TGKILL: {}, + syscall.SYS_UTIMENSAT: {}, + syscall.SYS_WRITE: {}, + syscall.SYS_WRITEV: {}, } // TODO: Ioctl is needed in order to support tty consoles. // Once filters support argument-checking, we should only allow ioctl // with tty-related arguments. -func consoleFilters() []uintptr { - return []uintptr{ - syscall.SYS_IOCTL, +func consoleFilters() seccomp.SyscallRules { + return seccomp.SyscallRules{ + syscall.SYS_IOCTL: {}, } } @@ -97,79 +98,79 @@ func consoleFilters() []uintptr { // file operations that would otherwise be disabled by seccomp when a Gofer is // used. When whitelistFS is not used, openning new FD in the Sentry is // disallowed. -func whitelistFSFilters() []uintptr { - return []uintptr{ - syscall.SYS_ACCESS, - syscall.SYS_FCHMOD, - syscall.SYS_FSTAT, - syscall.SYS_FSYNC, - syscall.SYS_FTRUNCATE, - syscall.SYS_GETCWD, - syscall.SYS_GETDENTS, - syscall.SYS_GETDENTS64, - syscall.SYS_LSEEK, - syscall.SYS_LSTAT, - syscall.SYS_MKDIR, - syscall.SYS_MKDIRAT, - syscall.SYS_NEWFSTATAT, - syscall.SYS_OPEN, - syscall.SYS_OPENAT, - syscall.SYS_PREAD64, - syscall.SYS_PWRITE64, - syscall.SYS_READ, - syscall.SYS_READLINK, - syscall.SYS_READLINKAT, - syscall.SYS_RENAMEAT, - syscall.SYS_STAT, - syscall.SYS_SYMLINK, - syscall.SYS_SYMLINKAT, - syscall.SYS_SYNC_FILE_RANGE, - syscall.SYS_UNLINK, - syscall.SYS_UNLINKAT, - syscall.SYS_UTIMENSAT, - syscall.SYS_WRITE, +func whitelistFSFilters() seccomp.SyscallRules { + return seccomp.SyscallRules{ + syscall.SYS_ACCESS: {}, + syscall.SYS_FCHMOD: {}, + syscall.SYS_FSTAT: {}, + syscall.SYS_FSYNC: {}, + syscall.SYS_FTRUNCATE: {}, + syscall.SYS_GETCWD: {}, + syscall.SYS_GETDENTS: {}, + syscall.SYS_GETDENTS64: {}, + syscall.SYS_LSEEK: {}, + syscall.SYS_LSTAT: {}, + syscall.SYS_MKDIR: {}, + syscall.SYS_MKDIRAT: {}, + syscall.SYS_NEWFSTATAT: {}, + syscall.SYS_OPEN: {}, + syscall.SYS_OPENAT: {}, + syscall.SYS_PREAD64: {}, + syscall.SYS_PWRITE64: {}, + syscall.SYS_READ: {}, + syscall.SYS_READLINK: {}, + syscall.SYS_READLINKAT: {}, + syscall.SYS_RENAMEAT: {}, + syscall.SYS_STAT: {}, + syscall.SYS_SYMLINK: {}, + syscall.SYS_SYMLINKAT: {}, + syscall.SYS_SYNC_FILE_RANGE: {}, + syscall.SYS_UNLINK: {}, + syscall.SYS_UNLINKAT: {}, + syscall.SYS_UTIMENSAT: {}, + syscall.SYS_WRITE: {}, } } // hostInetFilters contains syscalls that are needed by sentry/socket/hostinet. -func hostInetFilters() []uintptr { - return []uintptr{ - syscall.SYS_ACCEPT4, - syscall.SYS_BIND, - syscall.SYS_CONNECT, - syscall.SYS_GETPEERNAME, - syscall.SYS_GETSOCKNAME, - syscall.SYS_GETSOCKOPT, - syscall.SYS_IOCTL, - syscall.SYS_LISTEN, - syscall.SYS_READV, - syscall.SYS_RECVFROM, - syscall.SYS_RECVMSG, - syscall.SYS_SENDMSG, - syscall.SYS_SENDTO, - syscall.SYS_SETSOCKOPT, - syscall.SYS_SHUTDOWN, - syscall.SYS_SOCKET, - syscall.SYS_WRITEV, +func hostInetFilters() seccomp.SyscallRules { + return seccomp.SyscallRules{ + syscall.SYS_ACCEPT4: {}, + syscall.SYS_BIND: {}, + syscall.SYS_CONNECT: {}, + syscall.SYS_GETPEERNAME: {}, + syscall.SYS_GETSOCKNAME: {}, + syscall.SYS_GETSOCKOPT: {}, + syscall.SYS_IOCTL: {}, + syscall.SYS_LISTEN: {}, + syscall.SYS_READV: {}, + syscall.SYS_RECVFROM: {}, + syscall.SYS_RECVMSG: {}, + syscall.SYS_SENDMSG: {}, + syscall.SYS_SENDTO: {}, + syscall.SYS_SETSOCKOPT: {}, + syscall.SYS_SHUTDOWN: {}, + syscall.SYS_SOCKET: {}, + syscall.SYS_WRITEV: {}, } } // ptraceFilters returns syscalls made exclusively by the ptrace platform. -func ptraceFilters() []uintptr { - return []uintptr{ - syscall.SYS_PTRACE, - syscall.SYS_WAIT4, - unix.SYS_GETCPU, - unix.SYS_SCHED_SETAFFINITY, +func ptraceFilters() seccomp.SyscallRules { + return seccomp.SyscallRules{ + syscall.SYS_PTRACE: {}, + syscall.SYS_WAIT4: {}, + unix.SYS_GETCPU: {}, + unix.SYS_SCHED_SETAFFINITY: {}, } } // kvmFilters returns syscalls made exclusively by the KVM platform. -func kvmFilters() []uintptr { - return []uintptr{ - syscall.SYS_IOCTL, - syscall.SYS_RT_SIGSUSPEND, - syscall.SYS_RT_SIGTIMEDWAIT, - 0xffffffffffffffff, // KVM uses syscall -1 to transition to host. +func kvmFilters() seccomp.SyscallRules { + return seccomp.SyscallRules{ + syscall.SYS_IOCTL: {}, + syscall.SYS_RT_SIGSUSPEND: {}, + syscall.SYS_RT_SIGTIMEDWAIT: {}, + 0xffffffffffffffff: {}, // KVM uses syscall -1 to transition to host. } } diff --git a/runsc/boot/filter/extra_filters.go b/runsc/boot/filter/extra_filters.go index e10d9bf4c..82cf00dfb 100644 --- a/runsc/boot/filter/extra_filters.go +++ b/runsc/boot/filter/extra_filters.go @@ -16,9 +16,13 @@ package filter +import ( + "gvisor.googlesource.com/gvisor/pkg/seccomp" +) + // instrumentationFilters returns additional filters for syscalls used by // Go intrumentation tools, e.g. -race, -msan. // Returns empty when disabled. -func instrumentationFilters() []uintptr { +func instrumentationFilters() seccomp.SyscallRules { return nil } diff --git a/runsc/boot/filter/extra_filters_msan.go b/runsc/boot/filter/extra_filters_msan.go index a862340f6..76f3f6865 100644 --- a/runsc/boot/filter/extra_filters_msan.go +++ b/runsc/boot/filter/extra_filters_msan.go @@ -18,13 +18,15 @@ package filter import ( "syscall" + + "gvisor.googlesource.com/gvisor/pkg/seccomp" ) // instrumentationFilters returns additional filters for syscalls used by MSAN. -func instrumentationFilters() []uintptr { +func instrumentationFilters() seccomp.SyscallRules { Report("MSAN is enabled: syscall filters less restrictive!") - return []uintptr{ - syscall.SYS_SCHED_GETAFFINITY, - syscall.SYS_SET_ROBUST_LIST, + return seccomp.SyscallRules{ + syscall.SYS_SCHED_GETAFFINITY: {}, + syscall.SYS_SET_ROBUST_LIST: {}, } } diff --git a/runsc/boot/filter/extra_filters_race.go b/runsc/boot/filter/extra_filters_race.go index b0c74a58a..c810773df 100644 --- a/runsc/boot/filter/extra_filters_race.go +++ b/runsc/boot/filter/extra_filters_race.go @@ -18,16 +18,21 @@ package filter import ( "syscall" + + "gvisor.googlesource.com/gvisor/pkg/seccomp" ) // instrumentationFilters returns additional filters for syscalls used by TSAN. -func instrumentationFilters() []uintptr { +func instrumentationFilters() seccomp.SyscallRules { Report("TSAN is enabled: syscall filters less restrictive!") - return []uintptr{ - syscall.SYS_BRK, - syscall.SYS_MUNLOCK, - syscall.SYS_NANOSLEEP, - syscall.SYS_OPEN, - syscall.SYS_SET_ROBUST_LIST, + return seccomp.SyscallRules{ + syscall.SYS_BRK: {}, + syscall.SYS_CLONE: {}, + syscall.SYS_FUTEX: {}, + syscall.SYS_MMAP: {}, + syscall.SYS_MUNLOCK: {}, + syscall.SYS_NANOSLEEP: {}, + syscall.SYS_OPEN: {}, + syscall.SYS_SET_ROBUST_LIST: {}, } } diff --git a/runsc/boot/filter/filter.go b/runsc/boot/filter/filter.go index 3ba56a318..6ea9c464e 100644 --- a/runsc/boot/filter/filter.go +++ b/runsc/boot/filter/filter.go @@ -33,26 +33,26 @@ func Install(p platform.Platform, whitelistFS, console, hostNetwork bool) error // Set of additional filters used by -race and -msan. Returns empty // when not enabled. - s = append(s, instrumentationFilters()...) + s.Merge(instrumentationFilters()) if whitelistFS { Report("direct file access allows unrestricted file access!") - s = append(s, whitelistFSFilters()...) + s.Merge(whitelistFSFilters()) } if console { Report("console is enabled: syscall filters less restrictive!") - s = append(s, consoleFilters()...) + s.Merge(consoleFilters()) } if hostNetwork { Report("host networking enabled: syscall filters less restrictive!") - s = append(s, hostInetFilters()...) + s.Merge(hostInetFilters()) } switch p := p.(type) { case *ptrace.PTrace: - s = append(s, ptraceFilters()...) + s.Merge(ptraceFilters()) case *kvm.KVM: - s = append(s, kvmFilters()...) + s.Merge(kvmFilters()) default: return fmt.Errorf("unknown platform type %T", p) } |