github.com/rigado/snapd@v2.42.5-go-mod+incompatible/interfaces/seccomp/template.go (about) 1 // -*- Mode: Go; indent-tabs-mode: t -*- 2 3 /* 4 * Copyright (C) 2016-2018 Canonical Ltd 5 * 6 * This program is free software: you can redistribute it and/or modify 7 * it under the terms of the GNU General Public License version 3 as 8 * published by the Free Software Foundation. 9 * 10 * This program is distributed in the hope that it will be useful, 11 * but WITHOUT ANY WARRANTY; without even the implied warranty of 12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 * GNU General Public License for more details. 14 * 15 * You should have received a copy of the GNU General Public License 16 * along with this program. If not, see <http://www.gnu.org/licenses/>. 17 * 18 */ 19 20 package seccomp 21 22 // defaultTemplate contains default seccomp template. 23 // It can be overridden for testing using MockTemplate(). 24 var defaultTemplate = []byte(` 25 # Description: Allows access to app-specific directories and basic runtime 26 # 27 # The default seccomp policy is default deny with a whitelist of allowed 28 # syscalls. The default policy is intended to be safe for any application to 29 # use and should be evaluated in conjunction with other security backends (eg 30 # AppArmor). For example, a few particularly problematic syscalls that are left 31 # out of the default policy are (non-exhaustive): 32 # - kexec_load 33 # - create_module, init_module, finit_module, delete_module (kernel modules) 34 # - name_to_handle_at (history of vulnerabilities) 35 # - open_by_handle_at (history of vulnerabilities) 36 # - ptrace (can be used to break out of sandbox with <4.8 kernels) 37 # - add_key, keyctl, request_key (kernel keyring) 38 39 # 40 # Allowed accesses 41 # 42 43 access 44 faccessat 45 46 alarm 47 brk 48 49 # ARM private syscalls 50 breakpoint 51 cacheflush 52 set_tls 53 usr26 54 usr32 55 56 capget 57 # AppArmor mediates capabilities, so allow capset (useful for apps that for 58 # example want to drop capabilities) 59 capset 60 61 chdir 62 fchdir 63 64 # We can't effectively block file perms due to open() with O_CREAT, so allow 65 # chmod until we have syscall arg filtering (LP: #1446748) 66 chmod 67 fchmod 68 fchmodat 69 70 # Daemons typically run as 'root' so allow chown to 'root'. DAC will prevent 71 # non-root from chowning to root. 72 # (chown root:root) 73 chown - u:root g:root 74 chown32 - u:root g:root 75 fchown - u:root g:root 76 fchown32 - u:root g:root 77 fchownat - - u:root g:root 78 lchown - u:root g:root 79 lchown32 - u:root g:root 80 # (chown root) 81 chown - u:root -1 82 chown32 - u:root -1 83 fchown - u:root -1 84 fchown32 - u:root -1 85 fchownat - - u:root -1 86 lchown - u:root -1 87 lchown32 - u:root -1 88 # (chgrp root) 89 chown - -1 g:root 90 chown32 - -1 g:root 91 fchown - -1 g:root 92 fchown32 - -1 g:root 93 fchownat - - -1 g:root 94 lchown - -1 g:root 95 lchown32 - -1 g:root 96 97 clock_getres 98 clock_gettime 99 clock_nanosleep 100 clone 101 close 102 103 # needed by ls -l 104 connect 105 106 chroot 107 108 creat 109 dup 110 dup2 111 dup3 112 epoll_create 113 epoll_create1 114 epoll_ctl 115 epoll_ctl_old 116 epoll_pwait 117 epoll_wait 118 epoll_wait_old 119 eventfd 120 eventfd2 121 execve 122 execveat 123 _exit 124 exit 125 exit_group 126 fallocate 127 128 # requires CAP_SYS_ADMIN 129 #fanotify_init 130 #fanotify_mark 131 132 fcntl 133 fcntl64 134 flock 135 fork 136 ftime 137 futex 138 get_mempolicy 139 get_robust_list 140 get_thread_area 141 getcpu 142 getcwd 143 getdents 144 getdents64 145 getegid 146 getegid32 147 geteuid 148 geteuid32 149 getgid 150 getgid32 151 getgroups 152 getgroups32 153 getitimer 154 getpgid 155 getpgrp 156 getpid 157 getppid 158 getpriority 159 getrandom 160 getresgid 161 getresgid32 162 getresuid 163 getresuid32 164 165 getrlimit 166 ugetrlimit 167 168 getrusage 169 getsid 170 gettid 171 gettimeofday 172 getuid 173 getuid32 174 175 getxattr 176 fgetxattr 177 lgetxattr 178 179 inotify_add_watch 180 inotify_init 181 inotify_init1 182 inotify_rm_watch 183 184 # TIOCSTI allows for faking input (man tty_ioctl) 185 # TODO: this should be scaled back even more 186 ioctl - !TIOCSTI 187 188 io_cancel 189 io_destroy 190 io_getevents 191 io_setup 192 io_submit 193 ioprio_get 194 # affects other processes, requires CAP_SYS_ADMIN. Potentially allow with 195 # syscall filtering of (at least) IOPRIO_WHO_USER (LP: #1446748) 196 #ioprio_set 197 198 ipc 199 kill 200 link 201 linkat 202 203 listxattr 204 llistxattr 205 flistxattr 206 207 lseek 208 llseek 209 _llseek 210 lstat 211 lstat64 212 213 madvise 214 fadvise64 215 fadvise64_64 216 arm_fadvise64_64 217 218 mbind 219 membarrier 220 memfd_create 221 mincore 222 mkdir 223 mkdirat 224 mlock 225 mlock2 226 mlockall 227 mmap 228 mmap2 229 230 # Allow mknod for regular files, pipes and sockets (and not block or char 231 # devices) 232 mknod - |S_IFREG - 233 mknodat - - |S_IFREG - 234 mknod - |S_IFIFO - 235 mknodat - - |S_IFIFO - 236 mknod - |S_IFSOCK - 237 mknodat - - |S_IFSOCK - 238 239 modify_ldt 240 mprotect 241 242 # LP: #1448184 - these aren't currently mediated by AppArmor. Deny for now 243 #mq_getsetattr 244 #mq_notify 245 #mq_open 246 #mq_timedreceive 247 #mq_timedsend 248 #mq_unlink 249 250 mremap 251 msgctl 252 msgget 253 msgrcv 254 msgsnd 255 msync 256 munlock 257 munlockall 258 munmap 259 260 nanosleep 261 262 # Allow using nice() with default or lower priority 263 # FIXME: https://github.com/seccomp/libseccomp/issues/69 which means we 264 # currently have to use <=19. When that bug is fixed, use >=0 265 nice <=19 266 # Allow using setpriority to set the priority of the calling process to default 267 # or lower priority (eg, 'nice -n 9 <command>') 268 # default or lower priority. 269 # FIXME: https://github.com/seccomp/libseccomp/issues/69 which means we 270 # currently have to use <=19. When that bug is fixed, use >=0 271 setpriority PRIO_PROCESS 0 <=19 272 273 # LP: #1446748 - support syscall arg filtering for mode_t with O_CREAT 274 open 275 276 openat 277 pause 278 personality 279 pipe 280 pipe2 281 poll 282 ppoll 283 284 # LP: #1446748 - support syscall arg filtering 285 prctl 286 arch_prctl 287 288 read 289 pread 290 pread64 291 preadv 292 readv 293 294 readahead 295 readdir 296 readlink 297 readlinkat 298 299 # allow reading from sockets 300 recv 301 recvfrom 302 recvmsg 303 recvmmsg 304 305 remap_file_pages 306 307 removexattr 308 fremovexattr 309 lremovexattr 310 311 rename 312 renameat 313 renameat2 314 315 # The man page says this shouldn't be needed, but we've seen denials for it 316 # in the wild 317 restart_syscall 318 319 rmdir 320 rt_sigaction 321 rt_sigpending 322 rt_sigprocmask 323 rt_sigqueueinfo 324 rt_sigreturn 325 rt_sigsuspend 326 rt_sigtimedwait 327 rt_tgsigqueueinfo 328 sched_getaffinity 329 sched_getattr 330 sched_getparam 331 sched_get_priority_max 332 sched_get_priority_min 333 sched_getscheduler 334 sched_rr_get_interval 335 # enforce pid_t is 0 so the app may only change its own scheduler and affinity. 336 # Use process-control interface for controlling other pids. 337 sched_setaffinity 0 - - 338 sched_setparam 0 - 339 340 # 'sched_setscheduler' without argument filtering was allowed in 2.21 and 341 # earlier and 2.22 added 'sched_setscheduler 0 - -', introducing LP: #1661265. 342 # For now, continue to allow sched_setscheduler unconditionally. 343 sched_setscheduler 344 345 sched_yield 346 347 # Allow configuring seccomp filter. This is ok because the kernel enforces that 348 # the new filter is a subset of the current filter (ie, no widening 349 # permissions) 350 seccomp 351 352 select 353 _newselect 354 pselect 355 pselect6 356 357 # Allow use of SysV semaphores. Note that allocated resources are not freed by 358 # OOM which can lead to global kernel resource leakage. 359 semctl 360 semget 361 semop 362 semtimedop 363 364 # allow sending to sockets 365 send 366 sendto 367 sendmsg 368 sendmmsg 369 370 sendfile 371 sendfile64 372 373 # These break isolation but are common and can't be mediated at the seccomp 374 # level with arg filtering 375 setpgid 376 setpgrp 377 378 set_thread_area 379 setitimer 380 381 # apps don't have CAP_SYS_RESOURCE so these can't be abused to raise the hard 382 # limits 383 setrlimit 384 prlimit64 385 386 set_mempolicy 387 set_robust_list 388 setsid 389 set_tid_address 390 391 setxattr 392 fsetxattr 393 lsetxattr 394 395 shmat 396 shmctl 397 shmdt 398 shmget 399 shutdown 400 signal 401 sigaction 402 signalfd 403 signalfd4 404 sigaltstack 405 sigpending 406 sigprocmask 407 sigreturn 408 sigsuspend 409 sigtimedwait 410 sigwaitinfo 411 412 # AppArmor mediates AF_UNIX/AF_LOCAL via 'unix' rules and all other AF_* 413 # domains via 'network' rules. We won't allow bare 'network' AppArmor rules, so 414 # we can allow 'socket' for all domains except AF_NETLINK and let AppArmor 415 # handle the rest. 416 socket AF_UNIX 417 socket AF_LOCAL 418 socket AF_INET 419 socket AF_INET6 420 socket AF_IPX 421 socket AF_X25 422 socket AF_AX25 423 socket AF_ATMPVC 424 socket AF_APPLETALK 425 socket AF_PACKET 426 socket AF_ALG 427 socket AF_CAN 428 socket AF_BRIDGE 429 socket AF_NETROM 430 socket AF_ROSE 431 socket AF_NETBEUI 432 socket AF_SECURITY 433 socket AF_KEY 434 socket AF_ASH 435 socket AF_ECONET 436 socket AF_SNA 437 socket AF_IRDA 438 socket AF_PPPOX 439 socket AF_WANPIPE 440 socket AF_BLUETOOTH 441 socket AF_RDS 442 socket AF_LLC 443 socket AF_TIPC 444 socket AF_IUCV 445 socket AF_RXRPC 446 socket AF_ISDN 447 socket AF_PHONET 448 socket AF_IEEE802154 449 socket AF_CAIF 450 socket AF_NFC 451 socket AF_VSOCK 452 socket AF_MPLS 453 socket AF_IB 454 455 # For usrsctp, AppArmor doesn't support 'network conn,' since AF_CONN is 456 # userspace and encapsulated in other domains that are mediated. As such, do 457 # not allow AF_CONN by default here. 458 # socket AF_CONN 459 460 # For AF_NETLINK, we'll use a combination of AppArmor coarse mediation and 461 # seccomp arg filtering of netlink families. 462 # socket AF_NETLINK - - 463 464 # needed by snapctl 465 getsockopt 466 setsockopt 467 getsockname 468 getpeername 469 470 # Per man page, on Linux this is limited to only AF_UNIX so it is ok to have 471 # in the default template 472 socketpair 473 474 splice 475 476 stat 477 stat64 478 fstat 479 fstat64 480 fstatat64 481 lstat 482 newfstatat 483 oldfstat 484 oldlstat 485 oldstat 486 statx 487 488 statfs 489 statfs64 490 fstatfs 491 fstatfs64 492 statvfs 493 fstatvfs 494 ustat 495 496 symlink 497 symlinkat 498 499 sync 500 sync_file_range 501 sync_file_range2 502 arm_sync_file_range 503 fdatasync 504 fsync 505 syncfs 506 sysinfo 507 syslog 508 tee 509 tgkill 510 time 511 timer_create 512 timer_delete 513 timer_getoverrun 514 timer_gettime 515 timer_settime 516 timerfd 517 timerfd_create 518 timerfd_gettime 519 timerfd_settime 520 times 521 tkill 522 523 truncate 524 truncate64 525 ftruncate 526 ftruncate64 527 528 umask 529 530 uname 531 olduname 532 oldolduname 533 534 unlink 535 unlinkat 536 537 utime 538 utimensat 539 utimes 540 futimesat 541 542 vfork 543 vmsplice 544 wait4 545 oldwait4 546 waitpid 547 waitid 548 549 write 550 writev 551 pwrite 552 pwrite64 553 pwritev 554 `) 555 556 // Go's net package attempts to bind early to check whether IPv6 is available or not. 557 // For systems with apparmor enabled, this will be mediated and cause an error to be 558 // returned. Without apparmor, the call goes through to seccomp and the process is 559 // killed instead of just getting the error. 560 // 561 // For that reason once apparmor is disabled the seccomp profile is given access 562 // to bind, so that these processes are not improperly killed. There is on going 563 // work to make seccomp return an error in those cases as well and log the error. 564 // Once that's in place we can drop this hack. 565 const bindSyscallWorkaround = ` 566 # Add bind() for systems with only Seccomp enabled to workaround 567 # LP #1644573 568 bind 569 ` 570 571 // socketcall is an older interface and single entry point that can be used 572 // instead of socket(), bind(), connect(), etc individually. It isn't needed 573 // by most architectures with new enough kernels and glibc, so we leave it out 574 // of the default policy and add only when needed. 575 const socketcallSyscallDeprecated = ` 576 # Add socketcall() for system and/or base that requires it. LP: #1446748 577 socketcall 578 ` 579 580 // Historically snapd has allowed the use of the various setuid, setgid and 581 // setgroups syscalls, relying on AppArmor for mediation of the CAP_SETUID and 582 // CAP_SETGID. In core20, these can be dropped. 583 var barePrivDropSyscalls = ` 584 # Allow these and rely on AppArmor to mediate CAP_SETUID and CAP_SETGID. When 585 # dropping to particular UID/GIDs, we'll use a different set of 586 # argument-filtered syscalls. 587 setgid 588 setgid32 589 setregid 590 setregid32 591 setresgid 592 setresgid32 593 setresuid 594 setresuid32 595 setreuid 596 setreuid32 597 setuid 598 setuid32 599 ` 600 601 // Syscalls for setuid/setgid family of syscalls when dealing with only root 602 // uid and gid 603 var rootSetUidGidSyscalls = ` 604 # Allow various setuid/setgid/chown family of syscalls with argument 605 # filtering. AppArmor has corresponding CAP_SETUID, CAP_SETGID and CAP_CHOWN 606 # rules. 607 608 # allow use of setgroups(0, NULL) 609 setgroups 0 0 610 setgroups32 0 0 611 612 # allow setgid to root 613 setgid g:root 614 setgid32 g:root 615 616 # allow setuid to root 617 setuid u:root 618 setuid32 u:root 619 620 # allow setregid to root 621 setregid g:root g:root 622 setregid32 g:root g:root 623 setregid -1 g:root 624 setregid32 -1 g:root 625 setregid g:root -1 626 setregid32 g:root -1 627 628 # allow setresgid to root 629 # (permanent drop) 630 setresgid g:root g:root g:root 631 setresgid32 g:root g:root g:root 632 # (setegid) 633 setresgid -1 g:root -1 634 setresgid32 -1 g:root -1 635 # (setgid equivalent) 636 setresgid g:root g:root -1 637 setresgid32 g:root g:root -1 638 639 # allow setreuid to root 640 setreuid u:root u:root 641 setreuid32 u:root u:root 642 setreuid -1 u:root 643 setreuid32 -1 u:root 644 setreuid u:root -1 645 setreuid32 u:root -1 646 647 # allow setresuid to root 648 # (permanent drop) 649 setresuid u:root u:root u:root 650 setresuid32 u:root u:root u:root 651 # (seteuid) 652 setresuid -1 u:root -1 653 setresuid32 -1 u:root -1 654 # (setuid equivalent) 655 setresuid u:root u:root -1 656 setresuid32 u:root u:root -1 657 ` 658 659 // Template for privilege drop and chown operations. This intentionally does 660 // not support all combinations of users or obscure combinations (we can add 661 // combinations as users dictate). Eg, these are supported: 662 // chown foo:foo 663 // chown foo 664 // chgrp foo 665 // but these are not: 666 // chown foo:bar 667 // chown bar:foo 668 // For now, users who want 'foo:bar' can do: 669 // chown foo ; chgrp bar 670 var privDropAndChownSyscalls = ` 671 # allow setgid to ###GROUP### 672 setgid g:###GROUP### 673 setgid32 g:###GROUP### 674 675 # allow setregid to ###GROUP### 676 setregid g:###GROUP### g:###GROUP### 677 setregid32 g:###GROUP### g:###GROUP### 678 setregid -1 g:###GROUP### 679 setregid32 -1 g:###GROUP### 680 setregid g:###GROUP### -1 681 setregid32 g:###GROUP### -1 682 # (real root) 683 setregid g:root g:###GROUP### 684 setregid32 g:root g:###GROUP### 685 # (euid root) 686 setregid g:###GROUP### g:root 687 setregid32 g:###GROUP### g:root 688 689 # allow setresgid to ###GROUP### 690 # (permanent drop) 691 setresgid g:###GROUP### g:###GROUP### g:###GROUP### 692 setresgid32 g:###GROUP### g:###GROUP### g:###GROUP### 693 # (setegid) 694 setresgid -1 g:###GROUP### -1 695 setresgid32 -1 g:###GROUP### -1 696 # (setgid equivalent) 697 setresgid g:###GROUP### g:###GROUP### -1 698 setresgid32 g:###GROUP### g:###GROUP### -1 699 # (saving root) 700 setresgid g:###GROUP### g:###GROUP### g:root 701 setresgid32 g:###GROUP### g:###GROUP### g:root 702 # (euid root and saving root) 703 setresgid g:###GROUP### g:root g:root 704 setresgid32 g:###GROUP### g:root g:root 705 706 # allow setuid to ###USERNAME### 707 setuid u:###USERNAME### 708 setuid32 u:###USERNAME### 709 710 # allow setreuid to ###USERNAME### 711 setreuid u:###USERNAME### u:###USERNAME### 712 setreuid32 u:###USERNAME### u:###USERNAME### 713 setreuid -1 u:###USERNAME### 714 setreuid32 -1 u:###USERNAME### 715 setreuid u:###USERNAME### -1 716 setreuid32 u:###USERNAME### -1 717 # (real root) 718 setreuid u:root u:###USERNAME### 719 setreuid32 u:root u:###USERNAME### 720 # (euid root) 721 setreuid u:###USERNAME### u:root 722 setreuid32 u:###USERNAME### u:root 723 724 # allow setresuid to ###USERNAME### 725 # (permanent drop) 726 setresuid u:###USERNAME### u:###USERNAME### u:###USERNAME### 727 setresuid32 u:###USERNAME### u:###USERNAME### u:###USERNAME### 728 # (seteuid) 729 setresuid -1 u:###USERNAME### -1 730 setresuid32 -1 u:###USERNAME### -1 731 # (setuid equivalent) 732 setresuid u:###USERNAME### u:###USERNAME### -1 733 setresuid32 u:###USERNAME### u:###USERNAME### -1 734 # (saving root) 735 setresuid u:###USERNAME### u:###USERNAME### u:root 736 setresuid32 u:###USERNAME### u:###USERNAME### u:root 737 # (euid root and saving root) 738 setresuid u:###USERNAME### u:root u:root 739 setresuid32 u:###USERNAME### u:root u:root 740 741 # allow chown to ###USERNAME###:###GROUP### 742 # (chown ###USERNAME###:###GROUP###) 743 chown - u:###USERNAME### g:###GROUP### 744 chown32 - u:###USERNAME### g:###GROUP### 745 fchown - u:###USERNAME### g:###GROUP### 746 fchown32 - u:###USERNAME### g:###GROUP### 747 fchownat - - u:###USERNAME### g:###GROUP### 748 lchown - u:###USERNAME### g:###GROUP### 749 lchown32 - u:###USERNAME### g:###GROUP### 750 # (chown ###USERNAME###) 751 chown - u:###USERNAME### -1 752 chown32 - u:###USERNAME### -1 753 fchown - u:###USERNAME### -1 754 fchown32 - u:###USERNAME### -1 755 fchownat - - u:###USERNAME### -1 756 lchown - u:###USERNAME### -1 757 lchown32 - u:###USERNAME### -1 758 # (chgrp ###GROUP###) 759 chown - -1 g:###GROUP### 760 chown32 - -1 g:###GROUP### 761 fchown - -1 g:###GROUP### 762 fchown32 - -1 g:###GROUP### 763 fchownat - - -1 g:###GROUP### 764 lchown - -1 g:###GROUP### 765 lchown32 - -1 g:###GROUP### 766 `