a1batross
/
kore
forked from mirrors/kore
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
kore/include/kore/seccomp.h

180 lines
6.1 KiB
C
Raw Permalink Normal View History

Add seccomp syscall filtering to kore. With this commit all Kore processes (minus the parent) are running under seccomp. The worker processes get the bare minimum allowed syscalls while each module like curl, pgsql, etc will add their own filters to allow what they require. New API functions: int kore_seccomp_filter(const char *name, void *filter, size_t len); Adds a filter into the seccomp system (must be called before seccomp is enabled). New helpful macro: define KORE_SYSCALL_ALLOW(name) Allow the syscall with a given name, should be used in a sock_filter data structure. New hooks: void kore_seccomp_hook(void); Called before seccomp is enabled, allows developers to add their own BPF filters into seccomp.
2019-09-25 14:25:49 +02:00
/*
i forgot, it's 2022.
2022-01-31 22:02:06 +01:00
* Copyright (c) 2019-2022 Joris Vink <joris@coders.se>
Add seccomp syscall filtering to kore. With this commit all Kore processes (minus the parent) are running under seccomp. The worker processes get the bare minimum allowed syscalls while each module like curl, pgsql, etc will add their own filters to allow what they require. New API functions: int kore_seccomp_filter(const char *name, void *filter, size_t len); Adds a filter into the seccomp system (must be called before seccomp is enabled). New helpful macro: define KORE_SYSCALL_ALLOW(name) Allow the syscall with a given name, should be used in a sock_filter data structure. New hooks: void kore_seccomp_hook(void); Called before seccomp is enabled, allows developers to add their own BPF filters into seccomp.
2019-09-25 14:25:49 +02:00
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#ifndef __H_SECCOMP_H
#define __H_SECCOMP_H
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
Pull in stddef.h in seccomp.h. offsetof() on Linux is defined in it.
2022-03-21 12:51:22 +01:00
#include <stddef.h>
seccomp improvements. More BPF helper macros, more helper for granular syscall checking. Use these throughout kore where it makes sense. The new helpers: - KORE_SYSCALL_DENY_ARG(name, arg, value, errno): Deny the system call with errno if the argument matches value. - KORE_SYSCALL_DENY_MASK(name, arg, mask, errno): Deny the system call with errno if the mask argument does not match the exact mask given. - KORE_SYSCALL_DENY_WITH_FLAG(name, arg, flag, errno): Deny the system call with errno if the argument contains the given flag. The reverse also exists: - KORE_SYSCALL_ALLOW_ARG() - KORE_SYSCALL_ALLOW_MASK() - KORE_SYSCALL_ALLOW_WITH_FLAG()
2019-09-26 13:51:53 +02:00
#if __BYTE_ORDER == __LITTLE_ENDIAN
#define ARGS_LO_OFFSET 0
#define ARGS_HI_OFFSET sizeof(u_int32_t)
#elif __BYTE_ORDER == __BIG_ENDIAN
#define ARGS_LO_OFFSET sizeof(u_int32_t)
#define ARGS_HI_OFFSET 0
#else
#error "__BYTE_ORDER unknown"
#endif
seccomp improvements for developers. - Add KORE_SECCOMP_FILTER() as a helpful shortcut to create your application seccomp filter. You can still roll your own and hook into kore_seccomp_hook() yourself to load your filters. - Add KORE_SYSCALL_ALLOW_LOG(_name) Allows a system call but will log it.
2019-09-26 09:19:26 +02:00
/* Do something with a syscall with a user-supplied action. */
seccomp improvements. More BPF helper macros, more helper for granular syscall checking. Use these throughout kore where it makes sense. The new helpers: - KORE_SYSCALL_DENY_ARG(name, arg, value, errno): Deny the system call with errno if the argument matches value. - KORE_SYSCALL_DENY_MASK(name, arg, mask, errno): Deny the system call with errno if the mask argument does not match the exact mask given. - KORE_SYSCALL_DENY_WITH_FLAG(name, arg, flag, errno): Deny the system call with errno if the argument contains the given flag. The reverse also exists: - KORE_SYSCALL_ALLOW_ARG() - KORE_SYSCALL_ALLOW_MASK() - KORE_SYSCALL_ALLOW_WITH_FLAG()
2019-09-26 13:51:53 +02:00
#define KORE_SYSCALL_FILTER(_name, _action) \
KORE_BPF_CMP(SYS_##_name, 0, 1), \
KORE_BPF_RET(_action)
/*
* Check if a system call is called with the supplied value as argument.
*
* This is checked in 2 steps due to args being 64-bit and the accumulator
* only being a 32-bit register.
*
* If true we return the given action, otherwise nothing happens.
*/
#define KORE_SYSCALL_ARG(_name, _arg, _val, _action) \
KORE_BPF_CMP(SYS_##_name, 0, 6), \
KORE_BPF_LOAD(args[(_arg)], ARGS_LO_OFFSET), \
KORE_BPF_CMP(((_val) & 0xffffffff), 0, 3), \
KORE_BPF_LOAD(args[(_arg)], ARGS_HI_OFFSET), \
KORE_BPF_CMP((((uint32_t)((uint64_t)(_val) >> 32)) & 0xffffffff), 0, 1), \
KORE_BPF_RET(_action), \
KORE_BPF_LOAD(nr, 0)
/*
* Check if a system call is called with the supplied mask as argument.
*
* As KORE_SYSCALL_ARG() this is done in 2 steps.
*/
#define KORE_SYSCALL_MASK(_name, _arg, _mask, _action) \
KORE_BPF_CMP(SYS_##_name, 0, 8), \
KORE_BPF_LOAD(args[(_arg)], ARGS_LO_OFFSET), \
KORE_BPF_AND(~((_mask) & 0xffffffff)), \
KORE_BPF_CMP(0, 0, 4), \
KORE_BPF_LOAD(args[(_arg)], ARGS_HI_OFFSET), \
KORE_BPF_AND(~(((uint32_t)((uint64_t)(_mask) >> 32)) & 0xffffffff)), \
KORE_BPF_CMP(0, 0, 1), \
KORE_BPF_RET(_action), \
KORE_BPF_LOAD(nr, 0)
/*
* Check if the system call is called with the given value in the argument
* contains the given flag.
*/
#define KORE_SYSCALL_WITH_FLAG(_name, _arg, _flag, _action) \
KORE_BPF_CMP(SYS_##_name, 0, 8), \
KORE_BPF_LOAD(args[(_arg)], ARGS_LO_OFFSET), \
KORE_BPF_AND(((_flag) & 0xffffffff)), \
KORE_BPF_CMP(((_flag) & 0xffffffff), 0, 4), \
KORE_BPF_LOAD(args[(_arg)], ARGS_HI_OFFSET), \
KORE_BPF_AND((((uint32_t)((uint64_t)(_flag) >> 32)) & 0xffffffff)), \
KORE_BPF_CMP((((uint32_t)((uint64_t)(_flag) >> 32)) & 0xffffffff), 0, 1), \
KORE_BPF_RET(_action), \
KORE_BPF_LOAD(nr, 0)
simplify bpf rule generation, add deny macro.
2019-09-25 23:41:43 +02:00
seccomp improvements. More BPF helper macros, more helper for granular syscall checking. Use these throughout kore where it makes sense. The new helpers: - KORE_SYSCALL_DENY_ARG(name, arg, value, errno): Deny the system call with errno if the argument matches value. - KORE_SYSCALL_DENY_MASK(name, arg, mask, errno): Deny the system call with errno if the mask argument does not match the exact mask given. - KORE_SYSCALL_DENY_WITH_FLAG(name, arg, flag, errno): Deny the system call with errno if the argument contains the given flag. The reverse also exists: - KORE_SYSCALL_ALLOW_ARG() - KORE_SYSCALL_ALLOW_MASK() - KORE_SYSCALL_ALLOW_WITH_FLAG()
2019-09-26 13:51:53 +02:00
/* Denying of system calls macros (with an errno). */
#define KORE_SYSCALL_DENY(_name, _errno) \
KORE_SYSCALL_FILTER(_name, SECCOMP_RET_ERRNO|(_errno))
#define KORE_SYSCALL_DENY_ARG(_name, _arg, _val, _errno) \
KORE_SYSCALL_ARG(_name, _arg, _val, SECCOMP_RET_ERRNO|(_errno))
#define KORE_SYSCALL_DENY_MASK(_name, _arg, _val, _errno) \
KORE_SYSCALL_MASK(_name, _arg, _val, SECCOMP_RET_ERRNO|(_errno))
#define KORE_SYSCALL_DENY_WITH_FLAG(_name, _arg, _flag, _errno) \
KORE_SYSCALL_WITH_FLAG(_name, _arg, _flag, SECCOMP_RET_ERRNO|(_errno))
/* Allowing of system call macros. */
#define KORE_SYSCALL_ALLOW(_name) \
seccomp improvements for developers. - Add KORE_SECCOMP_FILTER() as a helpful shortcut to create your application seccomp filter. You can still roll your own and hook into kore_seccomp_hook() yourself to load your filters. - Add KORE_SYSCALL_ALLOW_LOG(_name) Allows a system call but will log it.
2019-09-26 09:19:26 +02:00
KORE_SYSCALL_FILTER(_name, SECCOMP_RET_ALLOW)
seccomp improvements. More BPF helper macros, more helper for granular syscall checking. Use these throughout kore where it makes sense. The new helpers: - KORE_SYSCALL_DENY_ARG(name, arg, value, errno): Deny the system call with errno if the argument matches value. - KORE_SYSCALL_DENY_MASK(name, arg, mask, errno): Deny the system call with errno if the mask argument does not match the exact mask given. - KORE_SYSCALL_DENY_WITH_FLAG(name, arg, flag, errno): Deny the system call with errno if the argument contains the given flag. The reverse also exists: - KORE_SYSCALL_ALLOW_ARG() - KORE_SYSCALL_ALLOW_MASK() - KORE_SYSCALL_ALLOW_WITH_FLAG()
2019-09-26 13:51:53 +02:00
#define KORE_SYSCALL_ALLOW_LOG(_name) \
seccomp improvements for developers. - Add KORE_SECCOMP_FILTER() as a helpful shortcut to create your application seccomp filter. You can still roll your own and hook into kore_seccomp_hook() yourself to load your filters. - Add KORE_SYSCALL_ALLOW_LOG(_name) Allows a system call but will log it.
2019-09-26 09:19:26 +02:00
KORE_SYSCALL_FILTER(_name, SECCOMP_RET_LOG)
seccomp improvements. More BPF helper macros, more helper for granular syscall checking. Use these throughout kore where it makes sense. The new helpers: - KORE_SYSCALL_DENY_ARG(name, arg, value, errno): Deny the system call with errno if the argument matches value. - KORE_SYSCALL_DENY_MASK(name, arg, mask, errno): Deny the system call with errno if the mask argument does not match the exact mask given. - KORE_SYSCALL_DENY_WITH_FLAG(name, arg, flag, errno): Deny the system call with errno if the argument contains the given flag. The reverse also exists: - KORE_SYSCALL_ALLOW_ARG() - KORE_SYSCALL_ALLOW_MASK() - KORE_SYSCALL_ALLOW_WITH_FLAG()
2019-09-26 13:51:53 +02:00
#define KORE_SYSCALL_ALLOW_ARG(_name, _arg, _val) \
KORE_SYSCALL_ARG(_name, _arg, _val, SECCOMP_RET_ALLOW)
#define KORE_SYSCALL_ALLOW_MASK(_name, _arg, _mask) \
KORE_SYSCALL_MASK(_name, _arg, _mask, SECCOMP_RET_ALLOW)
#define KORE_SYSCALL_ALLOW_WITH_FLAG(_name, _arg, _flag) \
KORE_SYSCALL_WITH_FLAG(_name, _arg, _flag, SECCOMP_RET_ALLOW)
/* Load field of seccomp_data into accumulator. */
#define KORE_BPF_LOAD(_field, _off) \
BPF_STMT(BPF_LD+BPF_W+BPF_ABS, offsetof(struct seccomp_data, _field) + _off)
/* Return a constant from a BPF program. */
#define KORE_BPF_RET(_retval) \
BPF_STMT(BPF_RET+BPF_K, _retval)
/* Compare the accumulator against a constant (==). */
#define KORE_BPF_CMP(_k, _jt, _jf) \
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, _k, _jt, _jf)
/* AND operation on the accumulator. */
#define KORE_BPF_AND(_k) \
BPF_STMT(BPF_ALU+BPF_AND+BPF_K, _k)
Add seccomp syscall filtering to kore. With this commit all Kore processes (minus the parent) are running under seccomp. The worker processes get the bare minimum allowed syscalls while each module like curl, pgsql, etc will add their own filters to allow what they require. New API functions: int kore_seccomp_filter(const char *name, void *filter, size_t len); Adds a filter into the seccomp system (must be called before seccomp is enabled). New helpful macro: define KORE_SYSCALL_ALLOW(name) Allow the syscall with a given name, should be used in a sock_filter data structure. New hooks: void kore_seccomp_hook(void); Called before seccomp is enabled, allows developers to add their own BPF filters into seccomp.
2019-09-25 14:25:49 +02:00
/* The length of a filter. */
#define KORE_FILTER_LEN(x) (sizeof(x) / sizeof(x[0]))
Allow configuring seccomp on Linux via the python api. A new hook in the koreapp class is called right before seccomp is enabled. This hook receives a Kore seccomp object which has the following methods: seccomp.allow("syscall") seccomp.allow_arg("syscall", arg, value) seccomp.allow_flag("syscall", arg, flag) seccomp.allow_mask("syscall", arg, mask) seccomp.deny("syscall") seccomp.deny_arg("syscall", arg, value, errno=EACCES) seccomp.deny_flag("syscall", arg, flag, errno=EACCES) seccomp.deny_mask("syscall", arg, mask, errno=EACCES) This allows you to finetune the seccomp filters for your application from inside your koreapp.
2019-10-04 10:59:48 +02:00
/* Used to mark the end of a BPF program. */
#define KORE_BPF_GUARD { USHRT_MAX, UCHAR_MAX, UCHAR_MAX, UINT_MAX }
seccomp improvements for developers. - Add KORE_SECCOMP_FILTER() as a helpful shortcut to create your application seccomp filter. You can still roll your own and hook into kore_seccomp_hook() yourself to load your filters. - Add KORE_SYSCALL_ALLOW_LOG(_name) Allows a system call but will log it.
2019-09-26 09:19:26 +02:00
/*
* Macro for applications to make easily define custom filter.
*
* eg:
* KORE_SECCOMP_FILTER("filter",
* KORE_SYSCALL_DENY_ERRNO(socket, EACCESS),
* KORE_SYSCALL_DENY_ERRNO(ioctl, EACCESS),
* KORE_SYSCALL_ALLOW(poll),
KORE_SECCOMP_FILTER() does not require a semicolumn. It's a wrapper around a function.
2021-03-23 15:03:47 +01:00
* )
seccomp improvements for developers. - Add KORE_SECCOMP_FILTER() as a helpful shortcut to create your application seccomp filter. You can still roll your own and hook into kore_seccomp_hook() yourself to load your filters. - Add KORE_SYSCALL_ALLOW_LOG(_name) Allows a system call but will log it.
2019-09-26 09:19:26 +02:00
*/
#define KORE_SECCOMP_FILTER(name, ...) \
struct sock_filter _scfilt[] = { \
__VA_ARGS__ \
}; \
void \
kore_seccomp_hook(void) \
{ \
kore_seccomp_filter(name, _scfilt, \
KORE_FILTER_LEN(_scfilt)); \
}
Add seccomp_tracing configuration option for linux. If set to "yes" then Kore will trace its child processes and properly notify you of seccomp violations while still allowing the syscalls. This can be very useful when running Kore on new platforms that have not been properly tested with seccomp, allowing me to adjust the default policies as we move further.
2019-10-31 12:52:10 +01:00
extern int kore_seccomp_tracing;
Add seccomp syscall filtering to kore. With this commit all Kore processes (minus the parent) are running under seccomp. The worker processes get the bare minimum allowed syscalls while each module like curl, pgsql, etc will add their own filters to allow what they require. New API functions: int kore_seccomp_filter(const char *name, void *filter, size_t len); Adds a filter into the seccomp system (must be called before seccomp is enabled). New helpful macro: define KORE_SYSCALL_ALLOW(name) Allow the syscall with a given name, should be used in a sock_filter data structure. New hooks: void kore_seccomp_hook(void); Called before seccomp is enabled, allows developers to add their own BPF filters into seccomp.
2019-09-25 14:25:49 +02:00
void kore_seccomp_init(void);
void kore_seccomp_drop(void);
void kore_seccomp_enable(void);
Add seccomp_tracing configuration option for linux. If set to "yes" then Kore will trace its child processes and properly notify you of seccomp violations while still allowing the syscalls. This can be very useful when running Kore on new platforms that have not been properly tested with seccomp, allowing me to adjust the default policies as we move further.
2019-10-31 12:52:10 +01:00
void kore_seccomp_traceme(void);
Add acmev2 (RFC8555) support to Kore. A new acme process is created that communicates with the acme servers. This process does not hold any of your private keys (no account keys, no domain keys etc). Whenever the acme process requires a signed payload it will ask the keymgr process to do the signing with the relevant keys. This process is also sandboxed with pledge+unveil on OpenBSD and seccomp syscall filtering on Linux. The implementation only supports the tls-alpn-01 challenge. This means that you do not need to open additional ports on your machine. http-01 and dns-01 are currently not supported (no wildcard support). A new configuration option "acme_provider" is available and can be set to the acme server its directory. By default this will point to the live letsencrypt environment: https://acme-v02.api.letsencrypt.org/directory The acme process can be controlled via the following config options: - acme_root (where the acme process will chroot/chdir into). - acme_runas (the user the acme process will run as). If none are set, the values from 'root' and 'runas' are taken. If you want to turn on acme for domains you do it as follows: domain kore.io { acme yes } You do not need to specify certkey/certfile anymore, if they are present still they will be overwritten by the acme system. The keymgr will store all certificates and keys under its root (keymgr_root), the account key is stored as "/account-key.pem" and all obtained certificates go under "certificates/<domain>/fullchain.pem" while keys go under "certificates/<domain>/key.pem". Kore will automatically renew certificates if they will expire in 7 days or less.
2019-11-06 19:33:53 +01:00
int kore_seccomp_trace(pid_t, int);
Allow configuring seccomp on Linux via the python api. A new hook in the koreapp class is called right before seccomp is enabled. This hook receives a Kore seccomp object which has the following methods: seccomp.allow("syscall") seccomp.allow_arg("syscall", arg, value) seccomp.allow_flag("syscall", arg, flag) seccomp.allow_mask("syscall", arg, mask) seccomp.deny("syscall") seccomp.deny_arg("syscall", arg, value, errno=EACCES) seccomp.deny_flag("syscall", arg, flag, errno=EACCES) seccomp.deny_mask("syscall", arg, mask, errno=EACCES) This allows you to finetune the seccomp filters for your application from inside your koreapp.
2019-10-04 10:59:48 +02:00
int kore_seccomp_syscall_resolve(const char *);
Add seccomp syscall filtering to kore. With this commit all Kore processes (minus the parent) are running under seccomp. The worker processes get the bare minimum allowed syscalls while each module like curl, pgsql, etc will add their own filters to allow what they require. New API functions: int kore_seccomp_filter(const char *name, void *filter, size_t len); Adds a filter into the seccomp system (must be called before seccomp is enabled). New helpful macro: define KORE_SYSCALL_ALLOW(name) Allow the syscall with a given name, should be used in a sock_filter data structure. New hooks: void kore_seccomp_hook(void); Called before seccomp is enabled, allows developers to add their own BPF filters into seccomp.
2019-09-25 14:25:49 +02:00
int kore_seccomp_filter(const char *, void *, size_t);
Add seccomp_tracing configuration option for linux. If set to "yes" then Kore will trace its child processes and properly notify you of seccomp violations while still allowing the syscalls. This can be very useful when running Kore on new platforms that have not been properly tested with seccomp, allowing me to adjust the default policies as we move further.
2019-10-31 12:52:10 +01:00
const char *kore_seccomp_syscall_name(long);
Allow configuring seccomp on Linux via the python api. A new hook in the koreapp class is called right before seccomp is enabled. This hook receives a Kore seccomp object which has the following methods: seccomp.allow("syscall") seccomp.allow_arg("syscall", arg, value) seccomp.allow_flag("syscall", arg, flag) seccomp.allow_mask("syscall", arg, mask) seccomp.deny("syscall") seccomp.deny_arg("syscall", arg, value, errno=EACCES) seccomp.deny_flag("syscall", arg, flag, errno=EACCES) seccomp.deny_mask("syscall", arg, mask, errno=EACCES) This allows you to finetune the seccomp filters for your application from inside your koreapp.
2019-10-04 10:59:48 +02:00
struct sock_filter *kore_seccomp_syscall_filter(const char *, int);
struct sock_filter *kore_seccomp_syscall_arg(const char *, int, int, int);
struct sock_filter *kore_seccomp_syscall_flag(const char *, int, int, int);
struct sock_filter *kore_seccomp_syscall_mask(const char *, int, int, int);
Add seccomp syscall filtering to kore. With this commit all Kore processes (minus the parent) are running under seccomp. The worker processes get the bare minimum allowed syscalls while each module like curl, pgsql, etc will add their own filters to allow what they require. New API functions: int kore_seccomp_filter(const char *name, void *filter, size_t len); Adds a filter into the seccomp system (must be called before seccomp is enabled). New helpful macro: define KORE_SYSCALL_ALLOW(name) Allow the syscall with a given name, should be used in a sock_filter data structure. New hooks: void kore_seccomp_hook(void); Called before seccomp is enabled, allows developers to add their own BPF filters into seccomp.
2019-09-25 14:25:49 +02:00
#endif