
     1  // -*- Mode: Go; indent-tabs-mode: t -*-
     2  
     3  /*
     4   * Copyright (C) 2016-2018 Canonical Ltd
     5   *
     6   * This program is free software: you can redistribute it and/or modify
     7   * it under the terms of the GNU General Public License version 3 as
     8   * published by the Free Software Foundation.
     9   *
    10   * This program is distributed in the hope that it will be useful,
    11   * but WITHOUT ANY WARRANTY; without even the implied warranty of
    12   * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    13   * GNU General Public License for more details.
    14   *
    15   * You should have received a copy of the GNU General Public License
    16   * along with this program.  If not, see <http://www.gnu.org/licenses/>.
    17   *
    18   */
    19  
    20  package seccomp
    21  
// defaultTemplate is the baseline seccomp policy every snap application
// starts from. It is default deny with an allow-list: only the syscalls named
// below (some with argument filters) are permitted, everything else is
// rejected. It can be overridden for testing using MockTemplate() (defined
// elsewhere in this package).
//
// The value is policy text, not Go: the '#' lines inside the literal are
// policy comments and are part of the byte value, so edits to them change the
// bytes handed to the policy compiler. Additional, interface-specific rules
// are presumably appended to this baseline by code outside this file.
//
// Points a reviewer should keep in mind when touching this list:
//
//   - The policy is explicitly written to be evaluated together with other
//     backends, chiefly AppArmor. Several allowances are justified only by
//     that pairing (capset, setpgid/setpgrp, nice/setpriority capped at <=19
//     and relying on CAP_SYS_NICE mediation, sched_setscheduler left
//     unfiltered per LP: #1661265). The template's own nice/setpriority note
//     acknowledges that without AppArmor snaps are not meaningfully confined.
//   - Argument filtering is applied where available: the chown family is
//     restricted to root uid/gid, mknod to S_IFREG/S_IFIFO/S_IFSOCK (no block
//     or character devices), sched_setaffinity/sched_setparam to pid 0, and
//     ioctl excludes TIOCSTI (terminal input injection).
//   - ioctl is otherwise unrestricted and the template's TODO says it should
//     be scaled back. NOTE(review): TIOCLINUX on the virtual console
//     (TIOCL_SETSEL/TIOCL_PASTE) offers an input-injection path comparable to
//     TIOCSTI and is not excluded here — confirm whether '!TIOCLINUX' should
//     sit next to '!TIOCSTI'.
//   - open, chmod, prctl and personality are allowed without argument
//     filtering (tracked as LP: #1446748 in the template). NOTE(review):
//     unfiltered personality() lets a process set ADDR_NO_RANDOMIZE for
//     itself and its children (disabling ASLR); confirm this is acceptable
//     given the AppArmor pairing.
//   - chroot is allowed with no rationale recorded in the template.
//     NOTE(review): presumably this relies on CAP_SYS_CHROOT being mediated
//     elsewhere — confirm.
//   - seccomp() itself is allowed because the kernel only lets a new filter
//     narrow, never widen, the policy already in force.
//   - bind() is deliberately absent; see bindSyscallWorkaround for the
//     AppArmor-less exception. socketcall() is likewise only added where the
//     architecture/base needs it (socketcallSyscallDeprecated).
//   - socket() is allowed for every listed address family except AF_NETLINK
//     and AF_CONN, which are intentionally left out: AF_NETLINK is meant to be
//     handled by AppArmor coarse mediation plus per-family seccomp argument
//     filtering, and AF_CONN cannot be mediated by AppArmor.
//   - The mq_* and fanotify_* families are intentionally commented out
//     (unmediated by AppArmor / require CAP_SYS_ADMIN); keep them that way
//     unless the cited bugs are resolved.
var defaultTemplate = []byte(`
# Description: Allows access to app-specific directories and basic runtime
#
# The default seccomp policy is default deny with a whitelist of allowed
# syscalls. The default policy is intended to be safe for any application to
# use and should be evaluated in conjunction with other security backends (eg
# AppArmor). For example, a few particularly problematic syscalls that are left
# out of the default policy are (non-exhaustive):
# - kexec_load
# - create_module, init_module, finit_module, delete_module (kernel modules)
# - name_to_handle_at (history of vulnerabilities)
# - open_by_handle_at (history of vulnerabilities)
# - ptrace (can be used to break out of sandbox with <4.8 kernels)
# - add_key, keyctl, request_key (kernel keyring)

#
# Allowed accesses
#

access
faccessat
faccessat2

alarm
brk

# ARM private syscalls
breakpoint
cacheflush
get_tls
set_tls
usr26
usr32

capget
# AppArmor mediates capabilities, so allow capset (useful for apps that for
# example want to drop capabilities)
capset

chdir
fchdir

# We can't effectively block file perms due to open() with O_CREAT, so allow
# chmod until we have syscall arg filtering (LP: #1446748)
chmod
fchmod
fchmodat

# Daemons typically run as 'root' so allow chown to 'root'. DAC will prevent
# non-root from chowning to root.
# (chown root:root)
chown - u:root g:root
chown32 - u:root g:root
fchown - u:root g:root
fchown32 - u:root g:root
fchownat - - u:root g:root
lchown - u:root g:root
lchown32 - u:root g:root
# (chown root)
chown - u:root -1
chown32 - u:root -1
fchown - u:root -1
fchown32 - u:root -1
fchownat - - u:root -1
lchown - u:root -1
lchown32 - u:root -1
# (chgrp root)
chown - -1 g:root
chown32 - -1 g:root
fchown - -1 g:root
fchown32 - -1 g:root
fchownat - - -1 g:root
lchown - -1 g:root
lchown32 - -1 g:root

clock_getres
clock_getres_time64
clock_gettime
clock_gettime64
clock_nanosleep
clock_nanosleep_time64
clone
close

# needed by ls -l
connect

chroot

creat
dup
dup2
dup3
epoll_create
epoll_create1
epoll_ctl
epoll_ctl_old
epoll_pwait
epoll_wait
epoll_wait_old
eventfd
eventfd2
execve
execveat
_exit
exit
exit_group
fallocate

# requires CAP_SYS_ADMIN
#fanotify_init
#fanotify_mark

fcntl
fcntl64
flock
fork
ftime
futex
futex_time64
get_mempolicy
get_robust_list
get_thread_area
getcpu
getcwd
getdents
getdents64
getegid
getegid32
geteuid
geteuid32
getgid
getgid32
getgroups
getgroups32
getitimer
getpgid
getpgrp
getpid
getppid
getpriority
getrandom
getresgid
getresgid32
getresuid
getresuid32

getrlimit
ugetrlimit

getrusage
getsid
gettid
gettimeofday
getuid
getuid32

getxattr
fgetxattr
lgetxattr

inotify_add_watch
inotify_init
inotify_init1
inotify_rm_watch

# ioctl() mediation currently primarily relies on Linux capabilities as well as
# the initial syscall for the fd to pass to ioctl(). See 'man capabilities'
# and 'man ioctl_list'. TIOCSTI requires CAP_SYS_ADMIN but allows for faking
# input (man tty_ioctl), so we disallow it to prevent snaps plugging interfaces
# with 'capability sys_admin' from interfering with other snaps or the
# unconfined user's terminal.
# TODO: this should be scaled back even more
ioctl - !TIOCSTI

io_cancel
io_destroy
io_getevents
io_pgetevents
io_pgetevents_time64
io_setup
io_submit
ioprio_get
# affects other processes, requires CAP_SYS_ADMIN. Potentially allow with
# syscall filtering of (at least) IOPRIO_WHO_USER (LP: #1446748)
#ioprio_set

ipc
kill
link
linkat

listxattr
llistxattr
flistxattr

lseek
llseek
_llseek
lstat
lstat64

madvise
fadvise64
fadvise64_64
arm_fadvise64_64

mbind
membarrier
memfd_create
mincore
mkdir
mkdirat
mlock
mlock2
mlockall
mmap
mmap2

# Allow mknod for regular files, pipes and sockets (and not block or char
# devices)
mknod - |S_IFREG -
mknodat - - |S_IFREG -
mknod - |S_IFIFO -
mknodat - - |S_IFIFO -
mknod - |S_IFSOCK -
mknodat - - |S_IFSOCK -

modify_ldt
mprotect

# LP: #1448184 - these aren't currently mediated by AppArmor. Deny for now
#mq_getsetattr
#mq_notify
#mq_open
#mq_timedreceive
#mq_timedreceive_time64
#mq_timedsend
#mq_timedsend_time64
#mq_unlink

mremap
msgctl
msgget
msgrcv
msgsnd
msync
munlock
munlockall
munmap

nanosleep

# Argument filtering with gt/ge/lt/le does not work properly with
# libseccomp < 2.4 or golang-seccomp < 0.9.1. See:
# - https://bugs.launchpad.net/snapd/+bug/1825052/comments/9
# - https://github.com/seccomp/libseccomp/issues/69
# Eventually we want to use >=0, but we need libseccomp and golang-seccomp to
# be updated everywhere first. In the meantime, use <=19 and rely on the fact
# that AppArmor mediates CAP_SYS_NICE (and for systems without AppArmor, we
# ignore this lack of mediation since snaps are not meaningfully confined).
#
# Allow using nice() with default or lower priority
nice <=19
# Allow using setpriority to set the priority of the calling process to default
# or lower priority (eg, 'nice -n 9 <command>')
setpriority PRIO_PROCESS 0 <=19

# LP: #1446748 - support syscall arg filtering for mode_t with O_CREAT
open

openat
pause
personality
pipe
pipe2
poll
ppoll
ppoll_time64

# LP: #1446748 - support syscall arg filtering
prctl
arch_prctl

read
pread
pread64
preadv
readv

readahead
readdir
readlink
readlinkat

# allow reading from sockets
recv
recvfrom
recvmsg
recvmmsg
recvmmsg_time64

remap_file_pages

removexattr
fremovexattr
lremovexattr

rename
renameat
renameat2

# The man page says this shouldn't be needed, but we've seen denials for it
# in the wild
restart_syscall

rmdir
rt_sigaction
rt_sigpending
rt_sigprocmask
rt_sigqueueinfo
rt_sigreturn
rt_sigsuspend
rt_sigtimedwait
rt_sigtimedwait_time64
rt_tgsigqueueinfo
sched_getaffinity
sched_getattr
sched_getparam
sched_get_priority_max
sched_get_priority_min
sched_getscheduler
sched_rr_get_interval
sched_rr_get_interval_time64
# enforce pid_t is 0 so the app may only change its own scheduler and affinity.
# Use process-control interface for controlling other pids.
sched_setaffinity 0 - -
sched_setparam 0 -

# 'sched_setscheduler' without argument filtering was allowed in 2.21 and
# earlier and 2.22 added 'sched_setscheduler 0 - -', introducing LP: #1661265.
# For now, continue to allow sched_setscheduler unconditionally.
sched_setscheduler

sched_yield

# Allow configuring seccomp filter. This is ok because the kernel enforces that
# the new filter is a subset of the current filter (ie, no widening
# permissions)
seccomp

select
_newselect
pselect
pselect6
pselect6_time64

# Allow use of SysV semaphores. Note that allocated resources are not freed by
# OOM which can lead to global kernel resource leakage.
semctl
semget
semop
semtimedop
semtimedop_time64

# allow sending to sockets
send
sendto
sendmsg
sendmmsg

sendfile
sendfile64

# These break isolation but are common and can't be mediated at the seccomp
# level with arg filtering
setpgid
setpgrp

set_thread_area
setitimer

# apps don't have CAP_SYS_RESOURCE so these can't be abused to raise the hard
# limits
setrlimit
prlimit64

set_mempolicy
set_robust_list
setsid
set_tid_address

setxattr
fsetxattr
lsetxattr

shmat
shmctl
shmdt
shmget
shutdown
signal
sigaction
signalfd
signalfd4
sigaltstack
sigpending
sigprocmask
sigreturn
sigsuspend
sigtimedwait
sigwaitinfo

# AppArmor mediates AF_UNIX/AF_LOCAL via 'unix' rules and all other AF_*
# domains via 'network' rules. We won't allow bare 'network' AppArmor rules, so
# we can allow 'socket' for all domains except AF_NETLINK and let AppArmor
# handle the rest.
socket AF_UNIX
socket AF_LOCAL
socket AF_INET
socket AF_INET6
socket AF_IPX
socket AF_X25
socket AF_AX25
socket AF_ATMPVC
socket AF_APPLETALK
socket AF_PACKET
socket AF_ALG
socket AF_CAN
socket AF_BRIDGE
socket AF_NETROM
socket AF_ROSE
socket AF_NETBEUI
socket AF_SECURITY
socket AF_KEY
socket AF_ASH
socket AF_ECONET
socket AF_SNA
socket AF_IRDA
socket AF_PPPOX
socket AF_WANPIPE
socket AF_BLUETOOTH
socket AF_RDS
socket AF_LLC
socket AF_TIPC
socket AF_IUCV
socket AF_RXRPC
socket AF_ISDN
socket AF_PHONET
socket AF_IEEE802154
socket AF_CAIF
socket AF_NFC
socket AF_VSOCK
socket AF_MPLS
socket AF_IB

# For usrsctp, AppArmor doesn't support 'network conn,' since AF_CONN is
# userspace and encapsulated in other domains that are mediated. As such, do
# not allow AF_CONN by default here.
# socket AF_CONN

# For AF_NETLINK, we'll use a combination of AppArmor coarse mediation and
# seccomp arg filtering of netlink families.
# socket AF_NETLINK - -

# needed by snapctl
getsockopt
setsockopt
getsockname
getpeername

# Per man page, on Linux this is limited to only AF_UNIX so it is ok to have
# in the default template
socketpair

splice

stat
stat64
fstat
fstat64
fstatat64
lstat
newfstatat
oldfstat
oldlstat
oldstat
statx

statfs
statfs64
fstatfs
fstatfs64
statvfs
fstatvfs
ustat

symlink
symlinkat

sync
sync_file_range
sync_file_range2
arm_sync_file_range
fdatasync
fsync
syncfs
sysinfo
syslog
tee
tgkill
time
timer_create
timer_delete
timer_getoverrun
timer_gettime
timer_gettime64
timer_settime
timer_settime64
timerfd
timerfd_create
timerfd_gettime
timerfd_gettime64
timerfd_settime
timerfd_settime64
times
tkill

truncate
truncate64
ftruncate
ftruncate64

umask

uname
olduname
oldolduname

unlink
unlinkat

utime
utimensat
utimensat_time64
utimes
futimesat

vfork
vmsplice
wait4
oldwait4
waitpid
waitid

write
writev
pwrite
pwrite64
pwritev
`)
   585  
   586  // Go's net package attempts to bind early to check whether IPv6 is available or not.
   587  // For systems with apparmor enabled, this will be mediated and cause an error to be
   588  // returned. Without apparmor, the call goes through to seccomp and the process is
   589  // killed instead of just getting the error.
   590  //
   591  // For that reason once apparmor is disabled the seccomp profile is given access
   592  // to bind, so that these processes are not improperly killed. There is on going
   593  // work to make seccomp return an error in those cases as well and log the error.
   594  // Once that's in place we can drop this hack.
   595  const bindSyscallWorkaround = `
   596  # Add bind() for systems with only Seccomp enabled to workaround
   597  # LP #1644573
   598  bind
   599  `
   600  
   601  // socketcall is an older interface and single entry point that can be used
   602  // instead of socket(), bind(), connect(), etc individually. It isn't needed
   603  // by most architectures with new enough kernels and glibc, so we leave it out
   604  // of the default policy and add only when needed.
   605  const socketcallSyscallDeprecated = `
   606  # Add socketcall() for system and/or base that requires it. LP: #1446748
   607  socketcall
   608  `
   609  
   610  // Historically snapd has allowed the use of the various setuid, setgid and
   611  // setgroups syscalls, relying on AppArmor for mediation of the CAP_SETUID and
   612  // CAP_SETGID. In core20, these can be dropped.
   613  var barePrivDropSyscalls = `
   614  # Allow these and rely on AppArmor to mediate CAP_SETUID and CAP_SETGID. When
   615  # dropping to particular UID/GIDs, we'll use a different set of
   616  # argument-filtered syscalls.
   617  setgid
   618  setgid32
   619  setregid
   620  setregid32
   621  setresgid
   622  setresgid32
   623  setresuid
   624  setresuid32
   625  setreuid
   626  setreuid32
   627  setuid
   628  setuid32
   629  `
   630  
// rootSetUidGidSyscalls holds argument-filtered setuid/setgid family rules
// for the case where only the root uid and gid are involved.
//
// Every transition permitted here either targets root ('u:root' / 'g:root')
// or leaves a field untouched ('-1'), so this fragment never lets a process
// assume a non-root identity. It only constrains *which* ids may be targeted;
// whether the caller is privileged enough to make the change at all is left
// to the CAP_SETUID / CAP_SETGID / CAP_CHOWN checks that the template expects
// AppArmor to enforce.
//
// The 'setgroups 0 -' rule deliberately accepts any list pointer rather than
// requiring NULL: as the template comment explains, the kernel ignores the
// list when the size is 0, and some programs clear their groups with a
// non-NULL pointer and size 0.
//
// The '-1' cells follow the setre*/setres* "leave unchanged" convention, which
// is how the template expresses the seteuid/setegid and plain setuid/setgid
// equivalents it labels in the comments. Each *32 variant is listed beside
// its native counterpart, presumably so 32-bit ABIs receive the same filter.
var rootSetUidGidSyscalls = `
# Allow various setuid/setgid/chown family of syscalls with argument
# filtering. AppArmor has corresponding CAP_SETUID, CAP_SETGID and CAP_CHOWN
# rules.

# allow use of setgroups(0, ...). Note: while the setgroups() man page states
# that 'setgroups(0, NULL) should be used to clear all supplementary groups,
# the kernel will not consult the group list when size is '0', so we allow it
# to be anything for compatibility with (arguably buggy) programs that expect
# to clear the groups with 'setgroups(0, <non-null>).
setgroups 0 -
setgroups32 0 -

# allow setgid to root
setgid g:root
setgid32 g:root

# allow setuid to root
setuid u:root
setuid32 u:root

# allow setregid to root
setregid g:root g:root
setregid32 g:root g:root
setregid -1 g:root
setregid32 -1 g:root
setregid g:root -1
setregid32 g:root -1

# allow setresgid to root
# (permanent drop)
setresgid g:root g:root g:root
setresgid32 g:root g:root g:root
# (setegid)
setresgid -1 g:root -1
setresgid32 -1 g:root -1
# (setgid equivalent)
setresgid g:root g:root -1
setresgid32 g:root g:root -1

# allow setreuid to root
setreuid u:root u:root
setreuid32 u:root u:root
setreuid -1 u:root
setreuid32 -1 u:root
setreuid u:root -1
setreuid32 u:root -1

# allow setresuid to root
# (permanent drop)
setresuid u:root u:root u:root
setresuid32 u:root u:root u:root
# (seteuid)
setresuid -1 u:root -1
setresuid32 -1 u:root -1
# (setuid equivalent)
setresuid u:root u:root -1
setresuid32 u:root u:root -1
`
   692  
// privDropAndChownSyscalls is a template of argument-filtered setuid/setgid
// and chown family rules for dropping to one specific user and group.
//
// The literal markers ###USERNAME### and ###GROUP### are placeholders that
// must be substituted by code outside this file before the policy is
// compiled; the 'u:' / 'g:' prefixes denote name-based ids resolved by the
// policy compiler.
//
// The supported combinations are intentionally limited so the rule set stays
// small (more can be added as users dictate). Supported:
//   chown foo:foo
//   chown foo
//   chgrp foo
// Not supported:
//   chown foo:bar
//   chown bar:foo
// Users who need 'foo:bar' can do it in two steps: chown foo ; chgrp bar.
// Mixed root combinations (foo:root and root:foo) are allowed at the end of
// the template.
//
// What this permits beyond a one-way drop: the "(saving root)" and "(euid
// root and saving root)" setres* rules, and the "(real root)" / "(euid root)"
// setre* rules, keep root in the saved or real id, so a process that used
// them can later regain root. That is what a daemon that drops privileges
// only temporarily needs, but it means this fragment on its own is not a
// permanent privilege drop; only the "(permanent drop)" rules are.
//
// NOTE(review): the markers are replaced textually inside a line-oriented
// policy, so the substituted names must be validated by the caller (no
// whitespace, newlines or policy syntax); a value containing a line break
// would change the meaning of the surrounding rules rather than merely fail
// to resolve — confirm the substitution site enforces this.
var privDropAndChownSyscalls = `
# allow setgid to ###GROUP###
setgid g:###GROUP###
setgid32 g:###GROUP###

# allow setregid to ###GROUP###
setregid g:###GROUP### g:###GROUP###
setregid32 g:###GROUP### g:###GROUP###
setregid -1 g:###GROUP###
setregid32 -1 g:###GROUP###
setregid g:###GROUP### -1
setregid32 g:###GROUP### -1
# (real root)
setregid g:root g:###GROUP###
setregid32 g:root g:###GROUP###
# (euid root)
setregid g:###GROUP### g:root
setregid32 g:###GROUP### g:root

# allow setresgid to ###GROUP###
# (permanent drop)
setresgid g:###GROUP### g:###GROUP### g:###GROUP###
setresgid32 g:###GROUP### g:###GROUP### g:###GROUP###
# (setegid)
setresgid -1 g:###GROUP### -1
setresgid32 -1 g:###GROUP### -1
# (setgid equivalent)
setresgid g:###GROUP### g:###GROUP### -1
setresgid32 g:###GROUP### g:###GROUP### -1
# (saving root)
setresgid g:###GROUP### g:###GROUP### g:root
setresgid32 g:###GROUP### g:###GROUP### g:root
# (euid root and saving root)
setresgid g:###GROUP### g:root g:root
setresgid32 g:###GROUP### g:root g:root

# allow setuid to ###USERNAME###
setuid u:###USERNAME###
setuid32 u:###USERNAME###

# allow setreuid to ###USERNAME###
setreuid u:###USERNAME### u:###USERNAME###
setreuid32 u:###USERNAME### u:###USERNAME###
setreuid -1 u:###USERNAME###
setreuid32 -1 u:###USERNAME###
setreuid u:###USERNAME### -1
setreuid32 u:###USERNAME### -1
# (real root)
setreuid u:root u:###USERNAME###
setreuid32 u:root u:###USERNAME###
# (euid root)
setreuid u:###USERNAME### u:root
setreuid32 u:###USERNAME### u:root

# allow setresuid to ###USERNAME###
# (permanent drop)
setresuid u:###USERNAME### u:###USERNAME### u:###USERNAME###
setresuid32 u:###USERNAME### u:###USERNAME### u:###USERNAME###
# (seteuid)
setresuid -1 u:###USERNAME### -1
setresuid32 -1 u:###USERNAME### -1
# (setuid equivalent)
setresuid u:###USERNAME### u:###USERNAME### -1
setresuid32 u:###USERNAME### u:###USERNAME### -1
# (saving root)
setresuid u:###USERNAME### u:###USERNAME### u:root
setresuid32 u:###USERNAME### u:###USERNAME### u:root
# (euid root and saving root)
setresuid u:###USERNAME### u:root u:root
setresuid32 u:###USERNAME### u:root u:root

# allow chown to ###USERNAME###:###GROUP###
# (chown ###USERNAME###:###GROUP###)
chown - u:###USERNAME### g:###GROUP###
chown32 - u:###USERNAME### g:###GROUP###
fchown - u:###USERNAME### g:###GROUP###
fchown32 - u:###USERNAME### g:###GROUP###
fchownat - - u:###USERNAME### g:###GROUP###
lchown - u:###USERNAME### g:###GROUP###
lchown32 - u:###USERNAME### g:###GROUP###
# (chown ###USERNAME###)
chown - u:###USERNAME### -1
chown32 - u:###USERNAME### -1
fchown - u:###USERNAME### -1
fchown32 - u:###USERNAME### -1
fchownat - - u:###USERNAME### -1
lchown - u:###USERNAME### -1
lchown32 - u:###USERNAME### -1
# (chgrp ###GROUP###)
chown - -1 g:###GROUP###
chown32 - -1 g:###GROUP###
fchown - -1 g:###GROUP###
fchown32 - -1 g:###GROUP###
fchownat - - -1 g:###GROUP###
lchown - -1 g:###GROUP###
lchown32 - -1 g:###GROUP###

# allow chown to ###USERNAME###:root
chown - u:###USERNAME### g:root
chown32 - u:###USERNAME### g:root
fchown - u:###USERNAME### g:root
fchown32 - u:###USERNAME### g:root
fchownat - - u:###USERNAME### g:root
lchown - u:###USERNAME### g:root
lchown32 - u:###USERNAME### g:root

# allow chown to root:###GROUP###
chown - u:root g:###GROUP###
chown32 - u:root g:###GROUP###
fchown - u:root g:###GROUP###
fchown32 - u:root g:###GROUP###
fchownat - - u:root g:###GROUP###
lchown - u:root g:###GROUP###
lchown32 - u:root g:###GROUP###
`
   817  lchown32 - u:root g:###GROUP###
   818  `