github.com/MerlinKodo/gvisor@v0.0.0-20231110090155-957f62ecf90e/pkg/sentry/seccheck/syscall.go (about) 1 // Copyright 2022 The gVisor Authors. 2 // 3 // Licensed under the Apache License, Version 2.0 (the "License"); 4 // you may not use this file except in compliance with the License. 5 // You may obtain a copy of the License at 6 // 7 // http://www.apache.org/licenses/LICENSE-2.0 8 // 9 // Unless required by applicable law or agreed to in writing, software 10 // distributed under the License is distributed on an "AS IS" BASIS, 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 // See the License for the specific language governing permissions and 13 // limitations under the License. 14 15 package seccheck 16 17 // SyscallType is an enum that denotes different types of syscall points. There 18 // are 2 types of syscall point: fully-schematized and raw. Schematizes are 19 // points that have syscall specific format, e.g. open => {path, flags, mode}. 20 // Raw uses a generic schema that contains syscall number and 6 arguments. Each 21 // of these type have a corresponding enter and exit points. Exit points include 22 // return value and errno information. 23 type SyscallType int 24 25 const ( 26 // SyscallEnter represents schematized/enter syscall. 27 SyscallEnter SyscallType = iota 28 // SyscallExit represents schematized/exit syscall. 29 SyscallExit 30 // SyscallRawEnter represents raw/enter syscall. 31 SyscallRawEnter 32 // SyscallRawExit represents raw/exit syscall. 33 SyscallRawExit 34 35 syscallTypesCount 36 ) 37 38 // SyscallFlagListener is an interface that is notified when syscall point enablement changes. 39 // 40 // It is used to notify the kernel's syscall table about syscall points, without introducing a 41 // direct dependency on it. 42 type SyscallFlagListener interface { 43 // UpdateSecCheck is called each time the system call point enablement may have changed. 44 // This is called with seccheck.State.mu held, so it is expected to be fast and not re-entrant 45 // with seccheck.State functions that attempt to re-lock it. 46 UpdateSecCheck(state *State) 47 } 48 49 const ( 50 // Copied from kernel.maxSyscallNum to avoid reverse dependency. 51 syscallsMax = 2000 52 syscallPoints = syscallsMax * int(syscallTypesCount) 53 ) 54 55 // Fields that are common for many syscalls. 56 const ( 57 // FieldSyscallPath is an optional field to collect path from an FD. Given 58 // that many syscalls operate on FDs, this const is used across syscalls. 59 FieldSyscallPath Field = iota 60 ) 61 62 // Fields for execve*(2) syscalls. 63 const ( 64 // FieldSyscallExecveEnvv is an optional field to collect list of environment 65 // variables. Start after FieldSyscallPath because execveat(2) can collect 66 // path from FD. 67 FieldSyscallExecveEnvv = FieldSyscallPath + 1 68 ) 69 70 // GetPointForSyscall translates the syscall number to the corresponding Point. 71 func GetPointForSyscall(typ SyscallType, sysno uintptr) Point { 72 return Point(sysno)*Point(syscallTypesCount) + Point(typ) + pointLengthBeforeSyscalls 73 } 74 75 // SyscallEnabled checks if the corresponding point for the syscall is enabled. 76 func (s *State) SyscallEnabled(typ SyscallType, sysno uintptr) bool { 77 // Prevent overflow. 78 if sysno >= syscallsMax { 79 return false 80 } 81 return s.Enabled(GetPointForSyscall(typ, sysno)) 82 }