[CRIU] [PATCH 4/5] check: add a check for seccomp filters c/r
Tycho Andersen
tycho.andersen at canonical.com
Fri Sep 4 09:22:14 PDT 2015
Signed-off-by: Tycho Andersen <tycho.andersen at canonical.com>
---
cr-check.c | 63 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++---
1 file changed, 60 insertions(+), 3 deletions(-)
diff --git a/cr-check.c b/cr-check.c
index 213610b..80be376 100644
--- a/cr-check.c
+++ b/cr-check.c
@@ -12,6 +12,10 @@
#include <fcntl.h>
#include <signal.h>
#include <linux/if.h>
+#include <linux/filter.h>
+#include <linux/bpf.h>
+#include <linux/seccomp.h>
+#include <sys/syscall.h>
#include <sys/ioctl.h>
#include <termios.h>
#include <sys/mman.h>
@@ -529,7 +533,7 @@ static int check_sigqueuinfo()
return 0;
}
-static pid_t fork_and_ptrace_attach(void)
+static pid_t fork_and_ptrace_attach(int (*child_setup)(void))
{
pid_t pid;
@@ -538,6 +542,9 @@ static pid_t fork_and_ptrace_attach(void)
pr_perror("fork");
return -1;
} else if (pid == 0) {
+ if (child_setup && child_setup() != 0)
+ exit(1);
+
while (1)
sleep(1000);
exit(1);
@@ -561,7 +568,7 @@ static int check_ptrace_peeksiginfo()
pid_t pid, ret = 0;
k_rtsigset_t mask;
- pid = fork_and_ptrace_attach();
+ pid = fork_and_ptrace_attach(NULL);
if (pid < 0)
return -1;
@@ -593,7 +600,7 @@ static int check_ptrace_suspend_seccomp(void)
return 0;
}
- pid = fork_and_ptrace_attach();
+ pid = fork_and_ptrace_attach(NULL);
if (pid < 0)
return -1;
@@ -610,6 +617,53 @@ static int check_ptrace_suspend_seccomp(void)
return ret;
}
+static int setup_seccomp_filter(void)
+{
+ struct sock_filter filter[] = {
+ BPF_STMT(BPF_LD+BPF_W+BPF_ABS, offsetof(struct seccomp_data, nr)),
+ /* Allow all syscalls except ptrace */
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ptrace, 0, 1),
+ BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL),
+ BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),
+ };
+
+ struct sock_fprog bpf_prog = {
+ .len = (unsigned short)(sizeof(filter)/sizeof(filter[0])),
+ .filter = filter,
+ };
+
+ if (sys_prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, (long) &bpf_prog, 0, 0) < 0)
+ return -1;
+
+ return 0;
+}
+
+static int check_ptrace_dump_seccomp_filters(void)
+{
+ pid_t pid;
+ int ret = 0, fd;
+
+ if (opts.check_ms_kernel) {
+ pr_warn("Skipping PTRACE_SECCOMP_GET_FILTER_FD check");
+ return 0;
+ }
+
+ pid = fork_and_ptrace_attach(setup_seccomp_filter);
+ if (pid < 0)
+ return -1;
+
+ fd = ptrace(PTRACE_SECCOMP_GET_FILTER_FD, pid);
+ if (fd < 0) {
+ ret = -1;
+ pr_err("Dumping seccomp filters not supported\n");
+ } else {
+ close(fd);
+ }
+
+ kill(pid, SIGKILL);
+ return ret;
+}
+
static int check_mem_dirty_track(void)
{
if (kerndat_get_dirty_track() < 0)
@@ -800,6 +854,7 @@ int cr_check(void)
ret |= check_sigqueuinfo();
ret |= check_ptrace_peeksiginfo();
ret |= check_ptrace_suspend_seccomp();
+ ret |= check_ptrace_dump_seccomp_filters();
ret |= check_mem_dirty_track();
ret |= check_posix_timers();
ret |= check_tun_cr(0);
@@ -863,6 +918,8 @@ int check_add_feature(char *feat)
chk_feature = check_fdinfo_lock;
else if (!strcmp(feat, "seccomp_suspend"))
chk_feature = check_ptrace_suspend_seccomp;
+ else if (!strcmp(feat, "seccomp_filters"))
+ chk_feature = check_ptrace_dump_seccomp_filters;
else {
pr_err("Unknown feature %s\n", feat);
return -1;
--
2.5.0
More information about the CRIU
mailing list