security/sandbox/linux/linux_seccomp.h

changeset 0
6474c204b198
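--- /dev/null
+++ b/security/sandbox/linux/linux_seccomp.h
@@ -0,0 +1,267 @@
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+/* This file has been initially imported from
+ * http://git.chromium.org/gitweb/?p=chromium.git;a=blob;f=sandbox/linux/seccomp-bpf/linux_seccomp.h;h=0de0259da39ecdb745e5923b9a6ff3961c13be00;hb=2362c9abea79cae475921bdeee58f9e3910d211c
+ *
+ * Contains code for macro for common filters from:
+ * http://outflux.net/teach-seccomp/step-5/seccomp-bpf.h
+ *
+ * Contains code for arch_seccomp_data and arch_sigsys from:
+ * http://git.chromium.org/gitweb/?p=chromium.git;a=blob;f=sandbox/linux/seccomp-bpf/sandbox_bpf.h;h=3d269916070c97b8be8938503b9b799f12d79ca6;hb=2362c9abea79cae475921bdeee58f9e3910d211c
+ *
+ * For more information about Seccomp, see also:
+ * Documentation/prctl/seccomp_filter.txt and
+ * samples/seccomp in the Linux kernel directory, for any kernel >= 3.5.0.
+ */
+
+#ifndef SANDBOX_LINUX_SECCOMP_BPF_LINUX_SECCOMP_H__
+#define SANDBOX_LINUX_SECCOMP_BPF_LINUX_SECCOMP_H__
+
+struct arch_seccomp_data {
+  int      nr;
+  uint32_t arch;
+  uint64_t instruction_pointer;
+  uint64_t args[6];
+};
+
+struct arch_sigsys {
+  void         *ip;
+  int          nr;
+  unsigned int arch;
+};
+
+// The Seccomp2 kernel ABI is not part of older versions of glibc.
+// As we can't break compilation with these versions of the library,
+// we explicitly define all missing symbols.
+// If we ever decide that we can now rely on system headers, the following
+// include files should be enabled:
+// #include <linux/audit.h>
+// #include <linux/seccomp.h>
+
+#include <asm/unistd.h>
+#include <linux/filter.h>
+
+// From <linux/elf.h> and <linux/audit.h>
+// This is necessary as we can't expect recent audit headers.
+#ifndef EM_ARM
+#define EM_ARM    40
+#endif
+#ifndef EM_386
+#define EM_386    3
+#endif
+#ifndef EM_X86_64
+#define EM_X86_64 62
+#endif
+
+#ifndef __AUDIT_ARCH_64BIT
+#define __AUDIT_ARCH_64BIT 0x80000000
+#endif
+#ifndef __AUDIT_ARCH_LE
+#define __AUDIT_ARCH_LE    0x40000000
+#endif
+#ifndef AUDIT_ARCH_ARM
+#define AUDIT_ARCH_ARM    (EM_ARM|__AUDIT_ARCH_LE)
+#endif
+#ifndef AUDIT_ARCH_I386
+#define AUDIT_ARCH_I386   (EM_386|__AUDIT_ARCH_LE)
+#endif
+#ifndef AUDIT_ARCH_X86_64
+#define AUDIT_ARCH_X86_64 (EM_X86_64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
+#endif
+
+// From <linux/prctl.h>
+// This is necessary as we can't expect recent prctl headers.
+#ifndef PR_SET_SECCOMP
+#define PR_SET_SECCOMP               22
+#define PR_GET_SECCOMP               21
+#endif
+#ifndef PR_SET_NO_NEW_PRIVS
+#define PR_SET_NO_NEW_PRIVS          38
+#define PR_GET_NO_NEW_PRIVS          39
+#endif
+#ifndef IPC_64
+#define IPC_64                   0x0100
+#endif
+
+#ifndef BPF_MOD
+#define BPF_MOD                    0x90
+#endif
+#ifndef BPF_XOR
+#define BPF_XOR                    0xA0
+#endif
+
+// From <linux/seccomp.h>
+// This is necessary as we can't expect recent seccomp headers.
+#ifndef SECCOMP_MODE_FILTER
+#define SECCOMP_MODE_DISABLED         0
+#define SECCOMP_MODE_STRICT           1
+#define SECCOMP_MODE_FILTER           2  // User user-supplied filter (seccomp-bpf)
+#endif
+
+#ifndef SECCOMP_RET_KILL
+// Return values supported for BPF filter programs. Please note that the
+// "illegal" SECCOMP_RET_INVALID is not supported by the kernel, should only
+// ever be used internally, and would result in the kernel killing our process.
+#define SECCOMP_RET_KILL    0x00000000U  // Kill the task immediately
+#define SECCOMP_RET_INVALID 0x00010000U  // Illegal return value
+#define SECCOMP_RET_TRAP    0x00030000U  // Disallow and force a SIGSYS
+#define SECCOMP_RET_ERRNO   0x00050000U  // Returns an errno
+#define SECCOMP_RET_TRACE   0x7ff00000U  // Pass to a tracer or disallow
+#define SECCOMP_RET_ALLOW   0x7fff0000U  // Allow
+#define SECCOMP_RET_ACTION  0xffff0000U  // Masks for the return value
+#define SECCOMP_RET_DATA    0x0000ffffU  //   sections
+#else
+#define SECCOMP_RET_INVALID 0x00010000U  // Illegal return value
+#endif
+
+#ifndef SYS_SECCOMP
+#define SYS_SECCOMP                   1
+#endif
+
+// Impose some reasonable maximum BPF program size. Realistically, the
+// kernel probably has much lower limits. But by limiting to less than
+// 30 bits, we can ease requirements on some of our data types.
+#define SECCOMP_MAX_PROGRAM_SIZE (1<<30)
+
+#if defined(__i386__)
+#define MIN_SYSCALL         0u
+#define MAX_PUBLIC_SYSCALL  1024u
+#define MAX_SYSCALL         MAX_PUBLIC_SYSCALL
+#define SECCOMP_ARCH        AUDIT_ARCH_I386
+
+#define SECCOMP_REG(_ctx, _reg) ((_ctx)->uc_mcontext.gregs[(_reg)])
+#define SECCOMP_RESULT(_ctx)    SECCOMP_REG(_ctx, REG_EAX)
+#define SECCOMP_SYSCALL(_ctx)   SECCOMP_REG(_ctx, REG_EAX)
+#define SECCOMP_IP(_ctx)        SECCOMP_REG(_ctx, REG_EIP)
+#define SECCOMP_PARM1(_ctx)     SECCOMP_REG(_ctx, REG_EBX)
+#define SECCOMP_PARM2(_ctx)     SECCOMP_REG(_ctx, REG_ECX)
+#define SECCOMP_PARM3(_ctx)     SECCOMP_REG(_ctx, REG_EDX)
+#define SECCOMP_PARM4(_ctx)     SECCOMP_REG(_ctx, REG_ESI)
+#define SECCOMP_PARM5(_ctx)     SECCOMP_REG(_ctx, REG_EDI)
+#define SECCOMP_PARM6(_ctx)     SECCOMP_REG(_ctx, REG_EBP)
+#define SECCOMP_NR_IDX          (offsetof(struct arch_seccomp_data, nr))
+#define SECCOMP_ARCH_IDX        (offsetof(struct arch_seccomp_data, arch))
+#define SECCOMP_IP_MSB_IDX      (offsetof(struct arch_seccomp_data,           \
+                                          instruction_pointer) + 4)
+#define SECCOMP_IP_LSB_IDX      (offsetof(struct arch_seccomp_data,           \
+                                          instruction_pointer) + 0)
+#define SECCOMP_ARG_MSB_IDX(nr) (offsetof(struct arch_seccomp_data, args) +   \
+                                 8*(nr) + 4)
+#define SECCOMP_ARG_LSB_IDX(nr) (offsetof(struct arch_seccomp_data, args) +   \
+                                 8*(nr) + 0)
+
+#elif defined(__x86_64__)
+#define MIN_SYSCALL         0u
+#define MAX_PUBLIC_SYSCALL  1024u
+#define MAX_SYSCALL         MAX_PUBLIC_SYSCALL
+#define SECCOMP_ARCH        AUDIT_ARCH_X86_64
+
+#define SECCOMP_REG(_ctx, _reg) ((_ctx)->uc_mcontext.gregs[(_reg)])
+#define SECCOMP_RESULT(_ctx)    SECCOMP_REG(_ctx, REG_RAX)
+#define SECCOMP_SYSCALL(_ctx)   SECCOMP_REG(_ctx, REG_RAX)
+#define SECCOMP_IP(_ctx)        SECCOMP_REG(_ctx, REG_RIP)
+#define SECCOMP_PARM1(_ctx)     SECCOMP_REG(_ctx, REG_RDI)
+#define SECCOMP_PARM2(_ctx)     SECCOMP_REG(_ctx, REG_RSI)
+#define SECCOMP_PARM3(_ctx)     SECCOMP_REG(_ctx, REG_RDX)
+#define SECCOMP_PARM4(_ctx)     SECCOMP_REG(_ctx, REG_R10)
+#define SECCOMP_PARM5(_ctx)     SECCOMP_REG(_ctx, REG_R8)
+#define SECCOMP_PARM6(_ctx)     SECCOMP_REG(_ctx, REG_R9)
+#define SECCOMP_NR_IDX          (offsetof(struct arch_seccomp_data, nr))
+#define SECCOMP_ARCH_IDX        (offsetof(struct arch_seccomp_data, arch))
+#define SECCOMP_IP_MSB_IDX      (offsetof(struct arch_seccomp_data,           \
+                                          instruction_pointer) + 4)
+#define SECCOMP_IP_LSB_IDX      (offsetof(struct arch_seccomp_data,           \
+                                          instruction_pointer) + 0)
+#define SECCOMP_ARG_MSB_IDX(nr) (offsetof(struct arch_seccomp_data, args) +   \
+                                 8*(nr) + 4)
+#define SECCOMP_ARG_LSB_IDX(nr) (offsetof(struct arch_seccomp_data, args) +   \
+                                 8*(nr) + 0)
+
+#elif defined(__arm__) && (defined(__thumb__) || defined(__ARM_EABI__))
+// ARM EABI includes "ARM private" system calls starting at |__ARM_NR_BASE|,
+// and a "ghost syscall private to the kernel", cmpxchg,
+// at |__ARM_NR_BASE+0x00fff0|.
+// See </arch/arm/include/asm/unistd.h> in the Linux kernel.
+#define MIN_SYSCALL         ((unsigned int)__NR_SYSCALL_BASE)
+#define MAX_PUBLIC_SYSCALL  (MIN_SYSCALL + 1024u)
+#define MIN_PRIVATE_SYSCALL ((unsigned int)__ARM_NR_BASE)
+#define MAX_PRIVATE_SYSCALL (MIN_PRIVATE_SYSCALL + 16u)
+#define MIN_GHOST_SYSCALL   ((unsigned int)__ARM_NR_BASE + 0xfff0u)
+#define MAX_SYSCALL         (MIN_GHOST_SYSCALL + 4u)
+
+#define SECCOMP_ARCH AUDIT_ARCH_ARM
+
+// ARM sigcontext_t is different from i386/x86_64.
+// See </arch/arm/include/asm/sigcontext.h> in the Linux kernel.
+#define SECCOMP_REG(_ctx, _reg) ((_ctx)->uc_mcontext.arm_##_reg)
+// ARM EABI syscall convention.
+#define SECCOMP_RESULT(_ctx)    SECCOMP_REG(_ctx, r0)
+#define SECCOMP_SYSCALL(_ctx)   SECCOMP_REG(_ctx, r7)
+#define SECCOMP_IP(_ctx)        SECCOMP_REG(_ctx, pc)
+#define SECCOMP_PARM1(_ctx)     SECCOMP_REG(_ctx, r0)
+#define SECCOMP_PARM2(_ctx)     SECCOMP_REG(_ctx, r1)
+#define SECCOMP_PARM3(_ctx)     SECCOMP_REG(_ctx, r2)
+#define SECCOMP_PARM4(_ctx)     SECCOMP_REG(_ctx, r3)
+#define SECCOMP_PARM5(_ctx)     SECCOMP_REG(_ctx, r4)
+#define SECCOMP_PARM6(_ctx)     SECCOMP_REG(_ctx, r5)
+#define SECCOMP_NR_IDX          (offsetof(struct arch_seccomp_data, nr))
+#define SECCOMP_ARCH_IDX        (offsetof(struct arch_seccomp_data, arch))
+#define SECCOMP_IP_MSB_IDX      (offsetof(struct arch_seccomp_data,           \
+                                          instruction_pointer) + 4)
+#define SECCOMP_IP_LSB_IDX      (offsetof(struct arch_seccomp_data,           \
+                                          instruction_pointer) + 0)
+#define SECCOMP_ARG_MSB_IDX(nr) (offsetof(struct arch_seccomp_data, args) +   \
+                                 8*(nr) + 4)
+#define SECCOMP_ARG_LSB_IDX(nr) (offsetof(struct arch_seccomp_data, args) +   \
+                                 8*(nr) + 0)
+
+#else
+#error Unsupported target platform
+
+#endif
+
+/* Macros to common filters */
+#define VALIDATE_ARCHITECTURE \
+        BPF_STMT(BPF_LD+BPF_W+BPF_ABS, SECCOMP_ARCH_IDX), \
+        BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SECCOMP_ARCH, 1, 0), \
+        BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)
+
+#define EXAMINE_SYSCALL \
+        BPF_STMT(BPF_LD+BPF_W+BPF_ABS, SECCOMP_NR_IDX)
+
+#define ALLOW_SYSCALL(name) \
+        BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_##name, 0, 1), \
+        BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
+
+#if defined(__arm__) && (defined(__thumb__) || defined(__ARM_EABI__))
+#define ALLOW_ARM_SYSCALL(name) \
+        BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __ARM_NR_##name, 0, 1), \
+        BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
+#endif
+
+#define DENY_KILL_SYSCALL(name) \
+        BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_##name, 0, 1), \
+        BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)
+
+#define DENY_SYSCALL(name, err) \
+        BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_##name, 0, 1), \
+        BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO + err)
+
+#define KILL_PROCESS \
+        BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)
+
+#define TRAP_PROCESS \
+        BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_TRAP)
+
+#define ALLOW_PROCESS \
+        BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
+
+#define TRACE_PROCESS \
+        BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_TRACE)
+
+#define ERRNO_PROCESS \
+        BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO)
+
+#endif  // SANDBOX_LINUX_SECCOMP_BPF_LINUX_SECCOMP_H__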
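Review bot: The header is not self-contained: `struct arch_seccomp_data` (lines 1.25–1.30) uses `uint32_t`/`uint64_t` and every `SECCOMP_*_IDX` macro uses `offsetof`, yet neither `<stdint.h>` nor `<stddef.h>` is included, so whether this compiles depends on the include order of the consuming translation unit; add `#include <stddef.h>` and `#include <stdint.h>` immediately after the include guard on line 1.23. Separately, `DENY_SYSCALL(name, err)` (lines 1.251–1.253) expands to `SECCOMP_RET_ERRNO + err` with `err` neither parenthesized nor masked, so a compound argument changes precedence and a value wider than `SECCOMP_RET_DATA` would carry into the action bits and silently change the verdict the kernel applies; use `BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO + ((err) & SECCOMP_RET_DATA))`. Note also that `VALIDATE_ARCHITECTURE` only compares the audit arch value, so on x86_64 it does not by itself distinguish the x32 syscall convention (which reports the same arch with an extra bit in `nr`) — inferred from kernel behaviour rather than from this hunk — which is one more reason filters built from these macros should terminate in `KILL_PROCESS` or `TRAP_PROCESS` rather than `ALLOW_PROCESS`.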
