// -*- Mode: Go; indent-tabs-mode: t -*-

/*
 * Copyright (C) 2016-2018 Canonical Ltd
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 3 as
 * published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 *
 */

package seccomp

// defaultTemplate contains the default seccomp template.
// It can be overridden for testing using MockTemplate().
//
// The template is policy text, not Go: every line between the backticks,
// including the '#' lines, is part of the emitted profile. The policy is
// default deny. A bare syscall name allows that syscall unconditionally,
// while a name followed by argument filters (eg 'chown - u:root g:root',
// 'nice <=19', 'ioctl - !TIOCSTI', 'sched_setaffinity 0 - -') allows it
// only for the listed argument values, with '-' matching any value.
// Syscalls that appear commented out with a leading '#' (eg fanotify_*,
// mq_*, ioprio_set, socket AF_NETLINK) are deliberately denied; the
// adjacent comment gives the reason and should be re-read before any of
// them is re-enabled.
var defaultTemplate = []byte(`
# Description: Allows access to app-specific directories and basic runtime
#
# The default seccomp policy is default deny with a whitelist of allowed
# syscalls. The default policy is intended to be safe for any application to
# use and should be evaluated in conjunction with other security backends (eg
# AppArmor). For example, a few particularly problematic syscalls that are left
# out of the default policy are (non-exhaustive):
# - kexec_load
# - create_module, init_module, finit_module, delete_module (kernel modules)
# - name_to_handle_at (history of vulnerabilities)
# - open_by_handle_at (history of vulnerabilities)
# - ptrace (can be used to break out of sandbox with <4.8 kernels)
# - add_key, keyctl, request_key (kernel keyring)

#
# Allowed accesses
#

access
faccessat
faccessat2

alarm
brk

# ARM private syscalls
breakpoint
cacheflush
get_tls
set_tls
usr26
usr32

capget
# AppArmor mediates capabilities, so allow capset (useful for apps that for
# example want to drop capabilities)
capset

chdir
fchdir

# We can't effectively block file perms due to open() with O_CREAT, so allow
# chmod until we have syscall arg filtering (LP: #1446748)
chmod
fchmod
fchmodat

# Daemons typically run as 'root' so allow chown to 'root'. DAC will prevent
# non-root from chowning to root.
# (chown root:root)
chown - u:root g:root
chown32 - u:root g:root
fchown - u:root g:root
fchown32 - u:root g:root
fchownat - - u:root g:root
lchown - u:root g:root
lchown32 - u:root g:root
# (chown root)
chown - u:root -1
chown32 - u:root -1
fchown - u:root -1
fchown32 - u:root -1
fchownat - - u:root -1
lchown - u:root -1
lchown32 - u:root -1
# (chgrp root)
chown - -1 g:root
chown32 - -1 g:root
fchown - -1 g:root
fchown32 - -1 g:root
fchownat - - -1 g:root
lchown - -1 g:root
lchown32 - -1 g:root

clock_getres
clock_getres_time64
clock_gettime
clock_gettime64
clock_nanosleep
clock_nanosleep_time64
clone
close

# needed by ls -l
connect

# the file descriptors used here will already be mediated by apparmor,
# the 6th argument is flags, which currently is always 0
copy_file_range - - - - - 0

chroot

creat
dup
dup2
dup3
epoll_create
epoll_create1
epoll_ctl
epoll_ctl_old
epoll_pwait
epoll_wait
epoll_wait_old
eventfd
eventfd2
execve
execveat
_exit
exit
exit_group
fallocate

# requires CAP_SYS_ADMIN
#fanotify_init
#fanotify_mark

fcntl
fcntl64
flock
fork
ftime
futex
futex_time64
get_mempolicy
get_robust_list
get_thread_area
getcpu
getcwd
getdents
getdents64
getegid
getegid32
geteuid
geteuid32
getgid
getgid32
getgroups
getgroups32
getitimer
getpgid
getpgrp
getpid
getppid
getpriority
getrandom
getresgid
getresgid32
getresuid
getresuid32

getrlimit
ugetrlimit

getrusage
getsid
gettid
gettimeofday
getuid
getuid32

getxattr
fgetxattr
lgetxattr

inotify_add_watch
inotify_init
inotify_init1
inotify_rm_watch

# ioctl() mediation currently primarily relies on Linux capabilities as well as
# the initial syscall for the fd to pass to ioctl(). See 'man capabilities'
# and 'man ioctl_list'. TIOCSTI requires CAP_SYS_ADMIN but allows for faking
# input (man tty_ioctl), so we disallow it to prevent snaps plugging interfaces
# with 'capability sys_admin' from interfering with other snaps or the
# unconfined user's terminal.
# TODO: this should be scaled back even more
ioctl - !TIOCSTI

io_cancel
io_destroy
io_getevents
io_pgetevents
io_pgetevents_time64
io_setup
io_submit
ioprio_get
# affects other processes, requires CAP_SYS_ADMIN. Potentially allow with
# syscall filtering of (at least) IOPRIO_WHO_USER (LP: #1446748)
#ioprio_set

ipc
kill
link
linkat

listxattr
llistxattr
flistxattr

lseek
llseek
_llseek
lstat
lstat64

madvise
fadvise64
fadvise64_64
arm_fadvise64_64

mbind
membarrier
memfd_create
mincore
mkdir
mkdirat
mlock
mlock2
mlockall
mmap
mmap2

# Allow mknod for regular files, pipes and sockets (and not block or char
# devices)
mknod - |S_IFREG -
mknodat - - |S_IFREG -
mknod - |S_IFIFO -
mknodat - - |S_IFIFO -
mknod - |S_IFSOCK -
mknodat - - |S_IFSOCK -

modify_ldt
mprotect

# LP: #1448184 - these aren't currently mediated by AppArmor. Deny for now
#mq_getsetattr
#mq_notify
#mq_open
#mq_timedreceive
#mq_timedreceive_time64
#mq_timedsend
#mq_timedsend_time64
#mq_unlink

mremap
msgctl
msgget
msgrcv
msgsnd
msync
munlock
munlockall
munmap

nanosleep

# Argument filtering with gt/ge/lt/le does not work properly with
# libseccomp < 2.4 or golang-seccomp < 0.9.1. See:
# - https://bugs.launchpad.net/snapd/+bug/1825052/comments/9
# - https://github.com/seccomp/libseccomp/issues/69
# Eventually we want to use >=0, but we need libseccomp and golang-seccomp to
# be updated everywhere first. In the meantime, use <=19 and rely on the fact
# that AppArmor mediates CAP_SYS_NICE (and for systems without AppArmor, we
# ignore this lack of mediation since snaps are not meaningfully confined).
#
# Allow using nice() with default or lower priority
nice <=19
# Allow using setpriority to set the priority of the calling process to default
# or lower priority (eg, 'nice -n 9 <command>')
setpriority PRIO_PROCESS 0 <=19

# LP: #1446748 - support syscall arg filtering for mode_t with O_CREAT
open

openat
pause
personality
pipe
pipe2
poll
ppoll
ppoll_time64

# LP: #1446748 - support syscall arg filtering
prctl
arch_prctl

read
pread
pread64
preadv
readv

readahead
readdir
readlink
readlinkat

# allow reading from sockets
recv
recvfrom
recvmsg
recvmmsg
recvmmsg_time64

remap_file_pages

removexattr
fremovexattr
lremovexattr

rename
renameat
renameat2

# The man page says this shouldn't be needed, but we've seen denials for it
# in the wild
restart_syscall

rmdir
rt_sigaction
rt_sigpending
rt_sigprocmask
rt_sigqueueinfo
rt_sigreturn
rt_sigsuspend
rt_sigtimedwait
rt_sigtimedwait_time64
rt_tgsigqueueinfo
sched_getaffinity
sched_getattr
sched_getparam
sched_get_priority_max
sched_get_priority_min
sched_getscheduler
sched_rr_get_interval
sched_rr_get_interval_time64
# enforce pid_t is 0 so the app may only change its own scheduler and affinity.
# Use process-control interface for controlling other pids.
sched_setaffinity 0 - -
sched_setparam 0 -

# 'sched_setscheduler' without argument filtering was allowed in 2.21 and
# earlier and 2.22 added 'sched_setscheduler 0 - -', introducing LP: #1661265.
# For now, continue to allow sched_setscheduler unconditionally.
sched_setscheduler

sched_yield

# Allow configuring seccomp filter. This is ok because the kernel enforces that
# the new filter is a subset of the current filter (ie, no widening
# permissions)
seccomp

select
_newselect
pselect
pselect6
pselect6_time64

# Allow use of SysV semaphores. Note that allocated resources are not freed by
# OOM which can lead to global kernel resource leakage.
semctl
semget
semop
semtimedop
semtimedop_time64

# allow sending to sockets
send
sendto
sendmsg
sendmmsg

sendfile
sendfile64

# These break isolation but are common and can't be mediated at the seccomp
# level with arg filtering
setpgid
setpgrp

set_thread_area
setitimer

# apps don't have CAP_SYS_RESOURCE so these can't be abused to raise the hard
# limits
setrlimit
prlimit64

set_mempolicy
set_robust_list
setsid
set_tid_address

setxattr
fsetxattr
lsetxattr

shmat
shmctl
shmdt
shmget
shutdown
signal
sigaction
signalfd
signalfd4
sigaltstack
sigpending
sigprocmask
sigreturn
sigsuspend
sigtimedwait
sigwaitinfo

# AppArmor mediates AF_UNIX/AF_LOCAL via 'unix' rules and all other AF_*
# domains via 'network' rules. We won't allow bare 'network' AppArmor rules, so
# we can allow 'socket' for all domains except AF_NETLINK and let AppArmor
# handle the rest.
socket AF_UNIX
socket AF_LOCAL
socket AF_INET
socket AF_INET6
socket AF_IPX
socket AF_X25
socket AF_AX25
socket AF_ATMPVC
socket AF_APPLETALK
socket AF_PACKET
socket AF_ALG
socket AF_CAN
socket AF_BRIDGE
socket AF_NETROM
socket AF_ROSE
socket AF_NETBEUI
socket AF_SECURITY
socket AF_KEY
socket AF_ASH
socket AF_ECONET
socket AF_SNA
socket AF_IRDA
socket AF_PPPOX
socket AF_WANPIPE
socket AF_BLUETOOTH
socket AF_RDS
socket AF_LLC
socket AF_TIPC
socket AF_IUCV
socket AF_RXRPC
socket AF_ISDN
socket AF_PHONET
socket AF_IEEE802154
socket AF_CAIF
socket AF_NFC
socket AF_VSOCK
socket AF_MPLS
socket AF_IB

# For usrsctp, AppArmor doesn't support 'network conn,' since AF_CONN is
# userspace and encapsulated in other domains that are mediated. As such, do
# not allow AF_CONN by default here.
# socket AF_CONN

# For AF_NETLINK, we'll use a combination of AppArmor coarse mediation and
# seccomp arg filtering of netlink families.
# socket AF_NETLINK - -

# needed by snapctl
getsockopt
setsockopt
getsockname
getpeername

# Per man page, on Linux this is limited to only AF_UNIX so it is ok to have
# in the default template
socketpair

splice

stat
stat64
fstat
fstat64
fstatat64
lstat
newfstatat
oldfstat
oldlstat
oldstat
statx

statfs
statfs64
fstatfs
fstatfs64
statvfs
fstatvfs
ustat

symlink
symlinkat

sync
sync_file_range
sync_file_range2
arm_sync_file_range
fdatasync
fsync
syncfs
sysinfo
syslog
tee
tgkill
time
timer_create
timer_delete
timer_getoverrun
timer_gettime
timer_gettime64
timer_settime
timer_settime64
timerfd
timerfd_create
timerfd_gettime
timerfd_gettime64
timerfd_settime
timerfd_settime64
times
tkill

truncate
truncate64
ftruncate
ftruncate64

umask

uname
olduname
oldolduname

unlink
unlinkat

utime
utimensat
utimensat_time64
utimes
futimesat

vfork
vmsplice
wait4
oldwait4
waitpid
waitid

write
writev
pwrite
pwrite64
pwritev
`)

// bindSyscallWorkaround is appended to the profile when only seccomp (and not
// AppArmor) is confining the process; see the caller for the exact condition.
//
// Go's net package attempts to bind early to check whether IPv6 is available or not.
// For systems with apparmor enabled, this will be mediated and cause an error to be
// returned. Without apparmor, the call goes through to seccomp and the process is
// killed instead of just getting the error.
//
// For that reason once apparmor is disabled the seccomp profile is given access
// to bind, so that these processes are not improperly killed. There is on going
// work to make seccomp return an error in those cases as well and log the error.
// Once that's in place we can drop this hack.
const bindSyscallWorkaround = `
# Add bind() for systems with only Seccomp enabled to workaround
# LP #1644573
bind
`

// socketcallSyscallDeprecated allows the legacy socketcall() multiplexer.
//
// socketcall is an older interface and single entry point that can be used
// instead of socket(), bind(), connect(), etc individually. It isn't needed
// by most architectures with new enough kernels and glibc, so we leave it out
// of the default policy and add only when needed.
const socketcallSyscallDeprecated = `
# Add socketcall() for system and/or base that requires it. LP: #1446748
socketcall
`

// barePrivDropSyscalls allows the setuid/setgid family of syscalls without
// any argument filtering, so nothing in this block itself restricts which
// UID or GID a process may switch to; the restriction comes entirely from
// AppArmor's mediation of CAP_SETUID and CAP_SETGID.
//
// Historically snapd has allowed the use of the various setuid, setgid and
// setgroups syscalls, relying on AppArmor for mediation of the CAP_SETUID and
// CAP_SETGID. In core20, these can be dropped in favour of the
// argument-filtered variants below.
var barePrivDropSyscalls = `
# Allow these and rely on AppArmor to mediate CAP_SETUID and CAP_SETGID. When
# dropping to particular UID/GIDs, we'll use a different set of
# argument-filtered syscalls.
setgid
setgid32
setregid
setregid32
setresgid
setresgid32
setresuid
setresuid32
setreuid
setreuid32
setuid
setuid32
`

// rootSetUidGidSyscalls contains the argument-filtered setuid/setgid family of
// syscalls for the case where only the root uid and gid are involved. Every
// UID/GID argument is pinned either to root (u:root/g:root) or to -1, which
// the kernel treats as "leave unchanged", so a process may drop to or restore
// root through these calls but cannot switch to any other identity.
var rootSetUidGidSyscalls = `
# Allow various setuid/setgid/chown family of syscalls with argument
# filtering. AppArmor has corresponding CAP_SETUID, CAP_SETGID and CAP_CHOWN
# rules.

# allow use of setgroups(0, ...). Note: while the setgroups() man page states
# that 'setgroups(0, NULL) should be used to clear all supplementary groups,
# the kernel will not consult the group list when size is '0', so we allow it
# to be anything for compatibility with (arguably buggy) programs that expect
# to clear the groups with 'setgroups(0, <non-null>).
setgroups 0 -
setgroups32 0 -

# allow setgid to root
setgid g:root
setgid32 g:root

# allow setuid to root
setuid u:root
setuid32 u:root

# allow setregid to root
setregid g:root g:root
setregid32 g:root g:root
setregid -1 g:root
setregid32 -1 g:root
setregid g:root -1
setregid32 g:root -1

# allow setresgid to root
# (permanent drop)
setresgid g:root g:root g:root
setresgid32 g:root g:root g:root
# (setegid)
setresgid -1 g:root -1
setresgid32 -1 g:root -1
# (setgid equivalent)
setresgid g:root g:root -1
setresgid32 g:root g:root -1

# allow setreuid to root
setreuid u:root u:root
setreuid32 u:root u:root
setreuid -1 u:root
setreuid32 -1 u:root
setreuid u:root -1
setreuid32 u:root -1

# allow setresuid to root
# (permanent drop)
setresuid u:root u:root u:root
setresuid32 u:root u:root u:root
# (seteuid)
setresuid -1 u:root -1
setresuid32 -1 u:root -1
# (setuid equivalent)
setresuid u:root u:root -1
setresuid32 u:root u:root -1
`

// privDropAndChownSyscalls is the template for privilege drop and chown
// operations to one specific non-root user and group. ###USERNAME### and
// ###GROUP### are placeholders; presumably the caller substitutes the target
// user and group name before the text is used as policy — verify against the
// code that consumes this template. Rules that name root alongside the
// placeholder exist so a process can move between root and the target
// identity (real/effective/saved) without being granted any third identity.
//
// This intentionally does not support all combinations of users or obscure
// combinations (we can add combinations as users dictate). Eg, these are
// supported:
//   chown foo:foo
//   chown foo
//   chgrp foo
// but these are not:
//   chown foo:bar
//   chown bar:foo
// For now, users who want 'foo:bar' can do:
//   chown foo ; chgrp bar
var privDropAndChownSyscalls = `
# allow setgid to ###GROUP###
setgid g:###GROUP###
setgid32 g:###GROUP###

# allow setregid to ###GROUP###
setregid g:###GROUP### g:###GROUP###
setregid32 g:###GROUP### g:###GROUP###
setregid -1 g:###GROUP###
setregid32 -1 g:###GROUP###
setregid g:###GROUP### -1
setregid32 g:###GROUP### -1
# (real root)
setregid g:root g:###GROUP###
setregid32 g:root g:###GROUP###
# (euid root)
setregid g:###GROUP### g:root
setregid32 g:###GROUP### g:root

# allow setresgid to ###GROUP###
# (permanent drop)
setresgid g:###GROUP### g:###GROUP### g:###GROUP###
setresgid32 g:###GROUP### g:###GROUP### g:###GROUP###
# (setegid)
setresgid -1 g:###GROUP### -1
setresgid32 -1 g:###GROUP### -1
# (setgid equivalent)
setresgid g:###GROUP### g:###GROUP### -1
setresgid32 g:###GROUP### g:###GROUP### -1
# (saving root)
setresgid g:###GROUP### g:###GROUP### g:root
setresgid32 g:###GROUP### g:###GROUP### g:root
# (euid root and saving root)
setresgid g:###GROUP### g:root g:root
setresgid32 g:###GROUP### g:root g:root

# allow setuid to ###USERNAME###
setuid u:###USERNAME###
setuid32 u:###USERNAME###

# allow setreuid to ###USERNAME###
setreuid u:###USERNAME### u:###USERNAME###
setreuid32 u:###USERNAME### u:###USERNAME###
setreuid -1 u:###USERNAME###
setreuid32 -1 u:###USERNAME###
setreuid u:###USERNAME### -1
setreuid32 u:###USERNAME### -1
# (real root)
setreuid u:root u:###USERNAME###
setreuid32 u:root u:###USERNAME###
# (euid root)
setreuid u:###USERNAME### u:root
setreuid32 u:###USERNAME### u:root

# allow setresuid to ###USERNAME###
# (permanent drop)
setresuid u:###USERNAME### u:###USERNAME### u:###USERNAME###
setresuid32 u:###USERNAME### u:###USERNAME### u:###USERNAME###
# (seteuid)
setresuid -1 u:###USERNAME### -1
setresuid32 -1 u:###USERNAME### -1
# (setuid equivalent)
setresuid u:###USERNAME### u:###USERNAME### -1
setresuid32 u:###USERNAME### u:###USERNAME### -1
# (saving root)
setresuid u:###USERNAME### u:###USERNAME### u:root
setresuid32 u:###USERNAME### u:###USERNAME### u:root
# (euid root and saving root)
setresuid u:###USERNAME### u:root u:root
setresuid32 u:###USERNAME### u:root u:root

# allow chown to ###USERNAME###:###GROUP###
# (chown ###USERNAME###:###GROUP###)
chown - u:###USERNAME### g:###GROUP###
chown32 - u:###USERNAME### g:###GROUP###
fchown - u:###USERNAME### g:###GROUP###
fchown32 - u:###USERNAME### g:###GROUP###
fchownat - - u:###USERNAME### g:###GROUP###
lchown - u:###USERNAME### g:###GROUP###
lchown32 - u:###USERNAME### g:###GROUP###
# (chown ###USERNAME###)
chown - u:###USERNAME### -1
chown32 - u:###USERNAME### -1
fchown - u:###USERNAME### -1
fchown32 - u:###USERNAME### -1
fchownat - - u:###USERNAME### -1
lchown - u:###USERNAME### -1
lchown32 - u:###USERNAME### -1
# (chgrp ###GROUP###)
chown - -1 g:###GROUP###
chown32 - -1 g:###GROUP###
fchown - -1 g:###GROUP###
fchown32 - -1 g:###GROUP###
fchownat - - -1 g:###GROUP###
lchown - -1 g:###GROUP###
lchown32 - -1 g:###GROUP###

# allow chown to ###USERNAME###:root
chown - u:###USERNAME### g:root
chown32 - u:###USERNAME### g:root
fchown - u:###USERNAME### g:root
fchown32 - u:###USERNAME### g:root
fchownat - - u:###USERNAME### g:root
lchown - u:###USERNAME### g:root
lchown32 - u:###USERNAME### g:root

# allow chown to root:###GROUP###
chown - u:root g:###GROUP###
chown32 - u:root g:###GROUP###
fchown - u:root g:###GROUP###
fchown32 - u:root g:###GROUP###
fchownat - - u:root g:###GROUP###
lchown - u:root g:###GROUP###
lchown32 - u:root g:###GROUP###
`