linux/samples/seccomp/bpf-fancy.c

/*
 * Seccomp BPF example using a macro-based generator.
 *
 * Copyright (c) 2012 The Chromium OS Authors <chromium-os-dev@chromium.org>
 * Author: Will Drewry <wad@chromium.org>
 *
 * The code may be used by anyone for any purpose,
 * and can serve as a starting point for developing
 * applications using prctl(PR_ATTACH_SECCOMP_FILTER).
 */

#include <linux/filter.h>
#include <linux/seccomp.h>
#include <linux/unistd.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <unistd.h>

#include "bpf-helper.h"

#ifndef PR_SET_NO_NEW_PRIVS
#define PR_SET_NO_NEW_PRIVS 38
#endif

int main(int argc, char **argv)
{
	struct bpf_labels l = {
		.count = 0,
	};
	static const char msg1[] = "Please type something: ";
	static const char msg2[] = "You typed: ";
	char buf[256];
	struct sock_filter filter[] = {
		/* TODO: LOAD_SYSCALL_NR(arch) and enforce an arch */
		LOAD_SYSCALL_NR,
		SYSCALL(__NR_exit, ALLOW),
		SYSCALL(__NR_exit_group, ALLOW),
		SYSCALL(__NR_write, JUMP(&l, write_fd)),
		SYSCALL(__NR_read, JUMP(&l, read)),
		DENY,  /* Don't passthrough into a label */

		LABEL(&l, read),
		ARG(0),
		JNE(STDIN_FILENO, DENY),
		ARG(1),
		JNE((unsigned long)buf, DENY),
		ARG(2),
		JGE(sizeof(buf), DENY),
		ALLOW,

		LABEL(&l, write_fd),
		ARG(0),
		JEQ(STDOUT_FILENO, JUMP(&l, write_buf)),
		JEQ(STDERR_FILENO, JUMP(&l, write_buf)),
		DENY,

		LABEL(&l, write_buf),
		ARG(1),
		JEQ((unsigned long)msg1, JUMP(&l, msg1_len)),
		JEQ((unsigned long)msg2, JUMP(&l, msg2_len)),
		JEQ((unsigned long)buf, JUMP(&l, buf_len)),
		DENY,

		LABEL(&l, msg1_len),
		ARG(2),
		JLT(sizeof(msg1), ALLOW),
		DENY,

		LABEL(&l, msg2_len),
		ARG(2),
		JLT(sizeof(msg2), ALLOW),
		DENY,

		LABEL(&l, buf_len),
		ARG(2),
		JLT(sizeof(buf), ALLOW),
		DENY,
	};
	struct sock_fprog prog = {
		.filter = filter,
		.len = (unsigned short)(sizeof(filter)/sizeof(filter[0])),
	};
	ssize_t bytes;
	bpf_resolve_jumps(&l, filter, sizeof(filter)/sizeof(*filter));

	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
		perror("prctl(NO_NEW_PRIVS)");
		return 1;
	}

	if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) {
		perror("prctl(SECCOMP)");
		return 1;
	}
	syscall(__NR_write, STDOUT_FILENO, msg1, strlen(msg1));
	bytes = syscall(__NR_read, STDIN_FILENO, buf, sizeof(buf)-1);
	bytes = (bytes > 0 ? bytes : 0);
	syscall(__NR_write, STDERR_FILENO, msg2, strlen(msg2));
	syscall(__NR_write, STDERR_FILENO, buf, bytes);
	/* Now get killed */
	syscall(__NR_write, STDERR_FILENO, msg2, strlen(msg2)+2);
	return 0;
}
Documentation: prctl/seccomp_filter Documents how system call filtering using Berkeley Packet Filter programs works and how it may be used. Includes an example for x86 and a semi-generic example using a macro-based code generator. Acked-by: Eric Paris <eparis@redhat.com> Signed-off-by: Will Drewry <wad@chromium.org> Acked-by: Kees Cook <keescook@chromium.org> v18: - added acked by - update no new privs numbers v17: - remove @compat note and add Pitfalls section for arch checking (keescook@chromium.org) v16: - v15: - v14: - rebase/nochanges v13: - rebase on to 88ebdda6159ffc15699f204c33feb3e431bf9bdc v12: - comment on the ptrace_event use - update arch support comment - note the behavior of SECCOMP_RET_DATA when there are multiple filters (keescook@chromium.org) - lots of samples/ clean up incl 64-bit bpf-direct support (markus@chromium.org) - rebase to linux-next v11: - overhaul return value language, updates (keescook@chromium.org) - comment on do_exit(SIGSYS) v10: - update for SIGSYS - update for new seccomp_data layout - update for ptrace option use v9: - updated bpf-direct.c for SIGILL v8: - add PR_SET_NO_NEW_PRIVS to the samples. v7: - updated for all the new stuff in v7: TRAP, TRACE - only talk about PR_SET_SECCOMP now - fixed bad JLE32 check (coreyb@linux.vnet.ibm.com) - adds dropper.c: a simple system call disabler v6: - tweak the language to note the requirement of PR_SET_NO_NEW_PRIVS being called prior to use. (luto@mit.edu) v5: - update sample to use system call arguments - adds a "fancy" example using a macro-based generator - cleaned up bpf in the sample - update docs to mention arguments - fix prctl value (eparis@redhat.com) - language cleanup (rdunlap@xenotime.net) v4: - update for no_new_privs use - minor tweaks v3: - call out BPF <-> Berkeley Packet Filter (rdunlap@xenotime.net) - document use of tentative always-unprivileged - guard sample compilation for i386 and x86_64 v2: - move code to samples (corbet@lwn.net) Signed-off-by: James Morris <james.l.morris@oracle.com> 2012-04-13 01:48:04 +04:00			`/*`
			`* Seccomp BPF example using a macro-based generator.`
			`*`
			`* Copyright (c) 2012 The Chromium OS Authors <chromium-os-dev@chromium.org>`
			`* Author: Will Drewry <wad@chromium.org>`
			`*`
			`* The code may be used by anyone for any purpose,`
			`* and can serve as a starting point for developing`
			`* applications using prctl(PR_ATTACH_SECCOMP_FILTER).`
			`*/`

			`#include <linux/filter.h>`
			`#include <linux/seccomp.h>`
			`#include <linux/unistd.h>`
			`#include <stdio.h>`
			`#include <string.h>`
			`#include <sys/prctl.h>`
			`#include <unistd.h>`

			`#include "bpf-helper.h"`

			`#ifndef PR_SET_NO_NEW_PRIVS`
			`#define PR_SET_NO_NEW_PRIVS 38`
			`#endif`

			`int main(int argc, char **argv)`
			`{`
samples/seccomp: improve label helper Fixes a potential corruption with uninitialized stack memory in the seccomp BPF sample program. [akpm@linux-foundation.org: coding-style fixlet] Signed-off-by: Kees Cook <keescook@chromium.org> Reported-by: Robert Swiecki <swiecki@google.com> Tested-by: Robert Swiecki <swiecki@google.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2015-02-18 00:47:58 +03:00			`struct bpf_labels l = {`
			`.count = 0,`
			`};`
Documentation: prctl/seccomp_filter Documents how system call filtering using Berkeley Packet Filter programs works and how it may be used. Includes an example for x86 and a semi-generic example using a macro-based code generator. Acked-by: Eric Paris <eparis@redhat.com> Signed-off-by: Will Drewry <wad@chromium.org> Acked-by: Kees Cook <keescook@chromium.org> v18: - added acked by - update no new privs numbers v17: - remove @compat note and add Pitfalls section for arch checking (keescook@chromium.org) v16: - v15: - v14: - rebase/nochanges v13: - rebase on to 88ebdda6159ffc15699f204c33feb3e431bf9bdc v12: - comment on the ptrace_event use - update arch support comment - note the behavior of SECCOMP_RET_DATA when there are multiple filters (keescook@chromium.org) - lots of samples/ clean up incl 64-bit bpf-direct support (markus@chromium.org) - rebase to linux-next v11: - overhaul return value language, updates (keescook@chromium.org) - comment on do_exit(SIGSYS) v10: - update for SIGSYS - update for new seccomp_data layout - update for ptrace option use v9: - updated bpf-direct.c for SIGILL v8: - add PR_SET_NO_NEW_PRIVS to the samples. v7: - updated for all the new stuff in v7: TRAP, TRACE - only talk about PR_SET_SECCOMP now - fixed bad JLE32 check (coreyb@linux.vnet.ibm.com) - adds dropper.c: a simple system call disabler v6: - tweak the language to note the requirement of PR_SET_NO_NEW_PRIVS being called prior to use. (luto@mit.edu) v5: - update sample to use system call arguments - adds a "fancy" example using a macro-based generator - cleaned up bpf in the sample - update docs to mention arguments - fix prctl value (eparis@redhat.com) - language cleanup (rdunlap@xenotime.net) v4: - update for no_new_privs use - minor tweaks v3: - call out BPF <-> Berkeley Packet Filter (rdunlap@xenotime.net) - document use of tentative always-unprivileged - guard sample compilation for i386 and x86_64 v2: - move code to samples (corbet@lwn.net) Signed-off-by: James Morris <james.l.morris@oracle.com> 2012-04-13 01:48:04 +04:00			`static const char msg1[] = "Please type something: ";`
			`static const char msg2[] = "You typed: ";`
			`char buf[256];`
			`struct sock_filter filter[] = {`
			`/* TODO: LOAD_SYSCALL_NR(arch) and enforce an arch */`
			`LOAD_SYSCALL_NR,`
			`SYSCALL(__NR_exit, ALLOW),`
			`SYSCALL(__NR_exit_group, ALLOW),`
			`SYSCALL(__NR_write, JUMP(&l, write_fd)),`
			`SYSCALL(__NR_read, JUMP(&l, read)),`
			`DENY, /* Don't passthrough into a label */`

			`LABEL(&l, read),`
			`ARG(0),`
			`JNE(STDIN_FILENO, DENY),`
			`ARG(1),`
			`JNE((unsigned long)buf, DENY),`
			`ARG(2),`
			`JGE(sizeof(buf), DENY),`
			`ALLOW,`

			`LABEL(&l, write_fd),`
			`ARG(0),`
			`JEQ(STDOUT_FILENO, JUMP(&l, write_buf)),`
			`JEQ(STDERR_FILENO, JUMP(&l, write_buf)),`
			`DENY,`

			`LABEL(&l, write_buf),`
			`ARG(1),`
			`JEQ((unsigned long)msg1, JUMP(&l, msg1_len)),`
			`JEQ((unsigned long)msg2, JUMP(&l, msg2_len)),`
			`JEQ((unsigned long)buf, JUMP(&l, buf_len)),`
			`DENY,`

			`LABEL(&l, msg1_len),`
			`ARG(2),`
			`JLT(sizeof(msg1), ALLOW),`
			`DENY,`

			`LABEL(&l, msg2_len),`
			`ARG(2),`
			`JLT(sizeof(msg2), ALLOW),`
			`DENY,`

			`LABEL(&l, buf_len),`
			`ARG(2),`
			`JLT(sizeof(buf), ALLOW),`
			`DENY,`
			`};`
			`struct sock_fprog prog = {`
			`.filter = filter,`
			`.len = (unsigned short)(sizeof(filter)/sizeof(filter[0])),`
			`};`
			`ssize_t bytes;`
			`bpf_resolve_jumps(&l, filter, sizeof(filter)/sizeof(*filter));`

			`if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {`
			`perror("prctl(NO_NEW_PRIVS)");`
			`return 1;`
			`}`

			`if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) {`
			`perror("prctl(SECCOMP)");`
			`return 1;`
			`}`
			`syscall(__NR_write, STDOUT_FILENO, msg1, strlen(msg1));`
			`bytes = syscall(__NR_read, STDIN_FILENO, buf, sizeof(buf)-1);`
			`bytes = (bytes > 0 ? bytes : 0);`
			`syscall(__NR_write, STDERR_FILENO, msg2, strlen(msg2));`
			`syscall(__NR_write, STDERR_FILENO, buf, bytes);`
			`/* Now get killed */`
			`syscall(__NR_write, STDERR_FILENO, msg2, strlen(msg2)+2);`
			`return 0;`
			`}`