github.com/MerlinKodo/gvisor@v0.0.0-20231110090155-957f62ecf90e/pkg/sentry/seccheck/syscall.go (about)

     1  // Copyright 2022 The gVisor Authors.
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //     http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  package seccheck
    16  
    17  // SyscallType is an enum that denotes different types of syscall points. There
    18  // are 2 types of syscall point: fully-schematized and raw. Schematizes are
    19  // points that have syscall specific format, e.g. open => {path, flags, mode}.
    20  // Raw uses a generic schema that contains syscall number and 6 arguments. Each
    21  // of these type have a corresponding enter and exit points. Exit points include
    22  // return value and errno information.
    23  type SyscallType int
    24  
    25  const (
    26  	// SyscallEnter represents schematized/enter syscall.
    27  	SyscallEnter SyscallType = iota
    28  	// SyscallExit represents schematized/exit syscall.
    29  	SyscallExit
    30  	// SyscallRawEnter represents raw/enter syscall.
    31  	SyscallRawEnter
    32  	// SyscallRawExit represents raw/exit syscall.
    33  	SyscallRawExit
    34  
    35  	syscallTypesCount
    36  )
    37  
    38  // SyscallFlagListener is an interface that is notified when syscall point enablement changes.
    39  //
    40  // It is used to notify the kernel's syscall table about syscall points, without introducing a
    41  // direct dependency on it.
    42  type SyscallFlagListener interface {
    43  	// UpdateSecCheck is called each time the system call point enablement may have changed.
    44  	// This is called with seccheck.State.mu held, so it is expected to be fast and not re-entrant
    45  	// with seccheck.State functions that attempt to re-lock it.
    46  	UpdateSecCheck(state *State)
    47  }
    48  
    49  const (
    50  	// Copied from kernel.maxSyscallNum to avoid reverse dependency.
    51  	syscallsMax   = 2000
    52  	syscallPoints = syscallsMax * int(syscallTypesCount)
    53  )
    54  
    55  // Fields that are common for many syscalls.
    56  const (
    57  	// FieldSyscallPath is an optional field to collect path from an FD. Given
    58  	// that many syscalls operate on FDs, this const is used across syscalls.
    59  	FieldSyscallPath Field = iota
    60  )
    61  
    62  // Fields for execve*(2) syscalls.
    63  const (
    64  	// FieldSyscallExecveEnvv is an optional field to collect list of environment
    65  	// variables. Start after FieldSyscallPath because execveat(2) can collect
    66  	// path from FD.
    67  	FieldSyscallExecveEnvv = FieldSyscallPath + 1
    68  )
    69  
    70  // GetPointForSyscall translates the syscall number to the corresponding Point.
    71  func GetPointForSyscall(typ SyscallType, sysno uintptr) Point {
    72  	return Point(sysno)*Point(syscallTypesCount) + Point(typ) + pointLengthBeforeSyscalls
    73  }
    74  
    75  // SyscallEnabled checks if the corresponding point for the syscall is enabled.
    76  func (s *State) SyscallEnabled(typ SyscallType, sysno uintptr) bool {
    77  	// Prevent overflow.
    78  	if sysno >= syscallsMax {
    79  		return false
    80  	}
    81  	return s.Enabled(GetPointForSyscall(typ, sysno))
    82  }