github.com/kubiko/snapd@v0.0.0-20201013125620-d4f3094d9ddf/cmd/snap-confine/seccomp-support-ext.c (about)

     1  /*
     2   * Copyright (C) 2019 Canonical Ltd
     3   *
     4   * This program is free software: you can redistribute it and/or modify
     5   * it under the terms of the GNU General Public License version 3 as
     6   * published by the Free Software Foundation.
     7   *
     8   * This program is distributed in the hope that it will be useful,
     9   * but WITHOUT ANY WARRANTY; without even the implied warranty of
    10   * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    11   * GNU General Public License for more details.
    12   *
    13   * You should have received a copy of the GNU General Public License
    14   * along with this program.  If not, see <http://www.gnu.org/licenses/>.
    15   *
    16   */
    17  #ifdef HAVE_CONFIG_H
    18  #include "config.h"
    19  #endif
    20  
    21  #include "seccomp-support-ext.h"
    22  
    23  #include <errno.h>
    24  #include <linux/seccomp.h>
    25  #include <stdio.h>
    26  #include <sys/prctl.h>
    27  #include <sys/syscall.h>
    28  #include <sys/types.h>
    29  #include <unistd.h>
    30  
    31  #include "../libsnap-confine-private/utils.h"
    32  
    33  #ifndef SECCOMP_FILTER_FLAG_LOG
    34  #define SECCOMP_FILTER_FLAG_LOG 2
    35  #endif
    36  
    37  #ifndef seccomp
    38  // prototype because we build with -Wstrict-prototypes
    39  int seccomp(unsigned int operation, unsigned int flags, void *args);
    40  
    41  int seccomp(unsigned int operation, unsigned int flags, void *args) {
    42      errno = 0;
    43      return syscall(__NR_seccomp, operation, flags, args);
    44  }
    45  #endif
    46  
    47  size_t sc_read_seccomp_filter(const char *filename, char *buf, size_t buf_size) {
    48      if (buf_size == 0) {
    49          die("seccomp load buffer cannot be empty");
    50      }
    51      FILE *file = fopen(filename, "rb");
    52      if (file == NULL) {
    53          die("cannot open seccomp filter %s", filename);
    54      }
    55      size_t num_read = fread(buf, 1, buf_size - 1, file);
    56      buf[num_read] = '\0';
    57      if (ferror(file) != 0) {
    58          die("cannot read seccomp profile %s", filename);
    59      }
    60      if (feof(file) == 0) {
    61          die("cannot fit seccomp profile %s to memory buffer", filename);
    62      }
    63      fclose(file);
    64      debug("read %zu bytes from %s", num_read, filename);
    65      return num_read;
    66  }
    67  
    68  void sc_apply_seccomp_filter(struct sock_fprog *prog) {
    69      int err;
    70  
    71      // Load filter into the kernel (by this point we have dropped to the
    72      // calling user but still retain CAP_SYS_ADMIN).
    73      //
    74      // Importantly we are intentionally *not* setting NO_NEW_PRIVS because it
    75      // interferes with exec transitions in AppArmor with certain snapd
    76      // interfaces. Not setting NO_NEW_PRIVS does mean that applications can
    77      // adjust their sandbox if they have CAP_SYS_ADMIN or, if running on < 4.8
    78      // kernels, break out of the seccomp via ptrace. Both CAP_SYS_ADMIN and
    79      // 'ptrace (trace)' are blocked by AppArmor with typical snapd interfaces.
    80      err = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_LOG, prog);
    81      if (err != 0) {
    82          /* The profile may fail to load using the "modern" interface.
    83           * In such case use the older prctl-based interface instead. */
    84          switch (errno) {
    85              case ENOSYS:
    86                  debug("kernel doesn't support the seccomp(2) syscall");
    87                  break;
    88              case EINVAL:
    89                  debug("kernel may not support the SECCOMP_FILTER_FLAG_LOG flag");
    90                  break;
    91          }
    92          debug("falling back to prctl(2) syscall to load seccomp filter");
    93          err = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, prog);
    94          if (err != 0) {
    95              die("cannot apply seccomp profile");
    96          }
    97      }
    98  }