github.com/ttpreport/gvisor-ligolo@v0.0.0-20240123134145-a858404967ba/pkg/seccomp/seccomp_unsafe.go

github.com/ttpreport/gvisor-ligolo@v0.0.0-20240123134145-a858404967ba/pkg/seccomp/seccomp_unsafe.go (about)

     1  // Copyright 2018 The gVisor Authors.
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //     http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  package seccomp
    16  
    17  import (
    18  	"fmt"
    19  	"runtime"
    20  	"unsafe"
    21  
    22  	"github.com/ttpreport/gvisor-ligolo/pkg/abi/linux"
    23  	"golang.org/x/sys/unix"
    24  )
    25  
    26  // SetFilter installs the given BPF program.
    27  func SetFilter(instrs []linux.BPFInstruction) error {
    28  	// PR_SET_NO_NEW_PRIVS is required in order to enable seccomp. See
    29  	// seccomp(2) for details.
    30  	//
    31  	// PR_SET_NO_NEW_PRIVS is specific to the calling thread, not the whole
    32  	// thread group, so between PR_SET_NO_NEW_PRIVS and seccomp() below we must
    33  	// remain on the same thread. no_new_privs will be propagated to other
    34  	// threads in the thread group by seccomp(SECCOMP_FILTER_FLAG_TSYNC), in
    35  	// kernel/seccomp.c:seccomp_sync_threads().
    36  	runtime.LockOSThread()
    37  	defer runtime.UnlockOSThread()
    38  	if _, _, errno := unix.RawSyscall6(unix.SYS_PRCTL, linux.PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0, 0); errno != 0 {
    39  		return errno
    40  	}
    41  
    42  	sockProg := linux.SockFprog{
    43  		Len:    uint16(len(instrs)),
    44  		Filter: (*linux.BPFInstruction)(unsafe.Pointer(&instrs[0])),
    45  	}
    46  	tid, errno := seccomp(linux.SECCOMP_SET_MODE_FILTER, linux.SECCOMP_FILTER_FLAG_TSYNC, unsafe.Pointer(&sockProg))
    47  	if errno != 0 {
    48  		return errno
    49  	}
    50  	// "On error, if SECCOMP_FILTER_FLAG_TSYNC was used, the return value is
    51  	// the ID of the thread that caused the synchronization failure. (This ID
    52  	// is a kernel thread ID of the type returned by clone(2) and gettid(2).)"
    53  	// - seccomp(2)
    54  	if tid != 0 {
    55  		return fmt.Errorf("couldn't synchronize filter to TID %d", tid)
    56  	}
    57  	return nil
    58  }
    59  
    60  // SetFilterInChild is equivalent to SetFilter, but:
    61  //
    62  //   - It is safe to call after runtime.syscall_runtime_AfterForkInChild.
    63  //
    64  //   - It requires that the calling goroutine cannot be moved to another thread,
    65  //     which either requires that runtime.LockOSThread() is in effect or that the
    66  //     caller is in fact in a fork()ed child process.
    67  //
    68  //   - Since fork()ed child processes cannot perform heap allocation, it returns
    69  //     a unix.Errno rather than an error.
    70  //
    71  //   - The race instrumentation has to be disabled for all functions that are
    72  //     called in a forked child.
    73  //
    74  //go:norace
    75  //go:nosplit
    76  func SetFilterInChild(instrs []linux.BPFInstruction) unix.Errno {
    77  	if _, _, errno := unix.RawSyscall6(unix.SYS_PRCTL, linux.PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0, 0); errno != 0 {
    78  		return errno
    79  	}
    80  
    81  	sockProg := linux.SockFprog{
    82  		Len:    uint16(len(instrs)),
    83  		Filter: (*linux.BPFInstruction)(unsafe.Pointer(&instrs[0])),
    84  	}
    85  	tid, errno := seccomp(linux.SECCOMP_SET_MODE_FILTER, linux.SECCOMP_FILTER_FLAG_TSYNC, unsafe.Pointer(&sockProg))
    86  	if errno != 0 {
    87  		return errno
    88  	}
    89  	if tid != 0 {
    90  		// Return an errno that seccomp(2) doesn't to uniquely identify this
    91  		// case. Since this case occurs if another thread has a conflicting
    92  		// filter set, "name not unique on network" is at least suggestive?
    93  		return unix.ENOTUNIQ
    94  	}
    95  	return 0
    96  }
    97  
    98  func isKillProcessAvailable() (bool, error) {
    99  	action := uint32(linux.SECCOMP_RET_KILL_PROCESS)
   100  	if _, errno := seccomp(linux.SECCOMP_GET_ACTION_AVAIL, 0, unsafe.Pointer(&action)); errno != 0 {
   101  		// EINVAL: SECCOMP_GET_ACTION_AVAIL not in this kernel yet.
   102  		// EOPNOTSUPP: SECCOMP_RET_KILL_PROCESS not supported.
   103  		if errno == unix.EINVAL || errno == unix.EOPNOTSUPP {
   104  			return false, nil
   105  		}
   106  		return false, errno
   107  	}
   108  	return true, nil
   109  }
   110  
   111  // seccomp calls seccomp(2). This is safe to call from an afterFork context.
   112  //
   113  //go:nosplit
   114  func seccomp(op, flags uint32, ptr unsafe.Pointer) (uintptr, unix.Errno) {
   115  	n, _, errno := unix.RawSyscall(SYS_SECCOMP, uintptr(op), uintptr(flags), uintptr(ptr))
   116  	return n, errno
   117  }