github.com/metacubex/gvisor@v0.0.0-20240320004321-933faba989ec/pkg/seccomp/seccomp_unsafe.go

github.com/metacubex/gvisor@v0.0.0-20240320004321-933faba989ec/pkg/seccomp/seccomp_unsafe.go (about)

     1  // Copyright 2018 The gVisor Authors.
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //     http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  package seccomp
    16  
    17  import (
    18  	"fmt"
    19  	"runtime"
    20  	"unsafe"
    21  
    22  	"golang.org/x/sys/unix"
    23  	"github.com/metacubex/gvisor/pkg/abi/linux"
    24  	"github.com/metacubex/gvisor/pkg/bpf"
    25  )
    26  
    27  // SetFilter installs the given BPF program.
    28  func SetFilter(instrs []bpf.Instruction) error {
    29  	// PR_SET_NO_NEW_PRIVS is required in order to enable seccomp. See
    30  	// seccomp(2) for details.
    31  	//
    32  	// PR_SET_NO_NEW_PRIVS is specific to the calling thread, not the whole
    33  	// thread group, so between PR_SET_NO_NEW_PRIVS and seccomp() below we must
    34  	// remain on the same thread. no_new_privs will be propagated to other
    35  	// threads in the thread group by seccomp(SECCOMP_FILTER_FLAG_TSYNC), in
    36  	// kernel/seccomp.c:seccomp_sync_threads().
    37  	runtime.LockOSThread()
    38  	defer runtime.UnlockOSThread()
    39  	if _, _, errno := unix.RawSyscall6(unix.SYS_PRCTL, linux.PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0, 0); errno != 0 {
    40  		return errno
    41  	}
    42  
    43  	sockProg := linux.SockFprog{
    44  		Len:    uint16(len(instrs)),
    45  		Filter: (*linux.BPFInstruction)(unsafe.Pointer(&instrs[0])),
    46  	}
    47  	tid, errno := seccomp(linux.SECCOMP_SET_MODE_FILTER, linux.SECCOMP_FILTER_FLAG_TSYNC, unsafe.Pointer(&sockProg))
    48  	if errno != 0 {
    49  		return errno
    50  	}
    51  	// "On error, if SECCOMP_FILTER_FLAG_TSYNC was used, the return value is
    52  	// the ID of the thread that caused the synchronization failure. (This ID
    53  	// is a kernel thread ID of the type returned by clone(2) and gettid(2).)"
    54  	// - seccomp(2)
    55  	if tid != 0 {
    56  		return fmt.Errorf("couldn't synchronize filter to TID %d", tid)
    57  	}
    58  	return nil
    59  }
    60  
    61  // SetFilterInChild is equivalent to SetFilter, but:
    62  //
    63  //   - It is safe to call after runtime.syscall_runtime_AfterForkInChild.
    64  //
    65  //   - It requires that the calling goroutine cannot be moved to another thread,
    66  //     which either requires that runtime.LockOSThread() is in effect or that the
    67  //     caller is in fact in a fork()ed child process.
    68  //
    69  //   - Since fork()ed child processes cannot perform heap allocation, it returns
    70  //     a unix.Errno rather than an error.
    71  //
    72  //   - The race instrumentation has to be disabled for all functions that are
    73  //     called in a forked child.
    74  //
    75  //go:norace
    76  //go:nosplit
    77  func SetFilterInChild(instrs []bpf.Instruction) unix.Errno {
    78  	if _, _, errno := unix.RawSyscall6(unix.SYS_PRCTL, linux.PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0, 0); errno != 0 {
    79  		return errno
    80  	}
    81  
    82  	sockProg := linux.SockFprog{
    83  		Len:    uint16(len(instrs)),
    84  		Filter: (*linux.BPFInstruction)(unsafe.Pointer(&instrs[0])),
    85  	}
    86  	tid, errno := seccomp(linux.SECCOMP_SET_MODE_FILTER, linux.SECCOMP_FILTER_FLAG_TSYNC, unsafe.Pointer(&sockProg))
    87  	if errno != 0 {
    88  		return errno
    89  	}
    90  	if tid != 0 {
    91  		// Return an errno that seccomp(2) doesn't to uniquely identify this
    92  		// case. Since this case occurs if another thread has a conflicting
    93  		// filter set, "name not unique on network" is at least suggestive?
    94  		return unix.ENOTUNIQ
    95  	}
    96  	return 0
    97  }
    98  
    99  func isKillProcessAvailable() (bool, error) {
   100  	action := uint32(linux.SECCOMP_RET_KILL_PROCESS)
   101  	if _, errno := seccomp(linux.SECCOMP_GET_ACTION_AVAIL, 0, unsafe.Pointer(&action)); errno != 0 {
   102  		// EINVAL: SECCOMP_GET_ACTION_AVAIL not in this kernel yet.
   103  		// EOPNOTSUPP: SECCOMP_RET_KILL_PROCESS not supported.
   104  		if errno == unix.EINVAL || errno == unix.EOPNOTSUPP {
   105  			return false, nil
   106  		}
   107  		return false, errno
   108  	}
   109  	return true, nil
   110  }
   111  
   112  // seccomp calls seccomp(2). This is safe to call from an afterFork context.
   113  //
   114  //go:nosplit
   115  func seccomp(op, flags uint32, ptr unsafe.Pointer) (uintptr, unix.Errno) {
   116  	n, _, errno := unix.RawSyscall(SYS_SECCOMP, uintptr(op), uintptr(flags), uintptr(ptr))
   117  	return n, errno
   118  }