diff --git a/CMakeLists.txt b/CMakeLists.txt
index fb527d1..6579a2f 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -134,19 +134,6 @@ else()
 set(MACHINENAME $ENV{CROSSCOMPILE_MACHINENAME})
 endif()
 
-if (${MACHINENAME} STREQUAL "x86_64")
- message("Detected that the current host is x86_64. Enabling seccomp-filter.")
- set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DENABLE_SECCOMP_FILTER")
- set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -DENABLE_SECCOMP_FILTER")
-elseif ((${MACHINENAME} STREQUAL "i686") OR (${MACHINENAME} STREQUAL "i586") OR
- (${MACHINENAME} STREQUAL "i486") OR (${MACHINENAME} STREQUAL "i386"))
- message("Detected that the current host is x86. Enabling seccomp-filter.")
- set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DENABLE_SECCOMP_FILTER")
- set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -DENABLE_SECCOMP_FILTER")
-else()
- message("Host machine type does not support seccomp-filter.")
-endif()
-
 include_directories("${PROJECT_SOURCE_DIR}/ncmlib")
 add_subdirectory(ncmlib)
 
diff --git a/src/cfg.rl b/src/cfg.rl
index 789368e..99765b9 100644
--- a/src/cfg.rl
+++ b/src/cfg.rl
@@ -11,7 +11,6 @@
 #include "ndhc.h"
 #include "ifchd.h"
 #include "sockd.h"
-#include "seccomp.h"
 #include "nk/log.h"
 #include "nk/privilege.h"
 #include "nk/copy_cmdarg.h"
@@ -108,10 +107,8 @@ struct cfgparse {
 copy_cmdarg(state_dir, ccfg.buf, sizeof state_dir, "state-dir");
 }
 action seccomp_enforce {
- switch (ccfg.ternary) {
- case 1: seccomp_enforce = true; break;
- case -1: seccomp_enforce = false; default: break;
- }
+ log_line("seccomp_enforce option is deprecated; please remove it");
+ log_line("In the meanwhile, it is ignored and seccomp is disabled.");
 }
 action relentless_defense {
 switch (ccfg.ternary) {
diff --git a/src/ifchd.c b/src/ifchd.c
index 88f2d55..019558d 100644
--- a/src/ifchd.c
+++ b/src/ifchd.c
@@ -45,7 +45,6 @@
 #include "nk/signals.h"
 #include "nk/io.h"
 
-#include "seccomp.h"
 #include "ifchd.h"
 #include "ndhc.h"
 #include "ifchd-parse.h"
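Review bot: The new `seccomp_enforce` action in cfg.rl downgrades a hardening control to a no-op that merely logs: a configuration that explicitly requested syscall filtering now parses cleanly, so a deployment that relied on it loses the restriction with only an informational line to show for it. If the option is to be accepted-and-ignored, the explicit-enable case deserves a distinct, louder signal, e.g. `if (ccfg.ternary == 1) log_line("seccomp_enforce was requested but seccomp filtering has been removed from this build");`, and the second message should read `In the meantime` rather than `In the meanwhile`. The command-line `-S` handler in ndhc.c is outside the hunks shown here (only its usage text is removed); it presumably should get the same deprecation treatment, otherwise the config-file key is tolerated while the flag becomes an unknown option. The enclosing `cfgparse` machine starts outside this hunk.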
@@ -346,9 +345,6 @@ static void do_ifch_work(void)
 if (epollfd < 0)
 suicide("epoll_create1 failed");
 
- if (enforce_seccomp_ifch())
- log_line("ifch seccomp filter cannot be installed");
-
 cl.state = STATE_NOTHING;
 memset(cl.ibuf, 0, sizeof cl.ibuf);
 memset(cl.namesvrs, 0, sizeof cl.namesvrs);
diff --git a/src/ndhc.8 b/src/ndhc.8
index 724dfc8..716e141 100644
--- a/src/ndhc.8
+++ b/src/ndhc.8
@@ -101,15 +101,6 @@ hostname option field provided by a remote DHCP server on the request of a
 ndhc client. If this option is not specified, ndhc will never change the
 system hostname.
 .TP
-.BI \-S ,\ \-\-seccomp\-enforce
-Enforces seccomp-based syscall whitelisting. System calls that ndhc and
-ndhc-ifch are not expected to need are prohibited from being called if this
-flag is set. The lists of allowed syscalls are hardcoded, and attempts
-to call a non-listed syscall will result in the ndhc process being
-terminated. As systems vary, it cannot be guaranteed that these system
-call lists are accurate for your system, and thus seccomp filtering will
-not be used unless this flag is set.
-.TP
 .BI \-w\ TIMEMS ,\ \-\-arp\-probe\-wait= TIMEMS
 Adjusts the time that we wait for an ARP response when checking to see if
 our lease assignment is already taken by an existing host. Default is
diff --git a/src/ndhc.c b/src/ndhc.c
index fc73b6e..e16b032 100644
--- a/src/ndhc.c
+++ b/src/ndhc.c
@@ -57,7 +57,6 @@
 #include "ndhc.h"
 #include "ndhc-defines.h"
 #include "cfg.h"
-#include "seccomp.h"
 #include "state.h"
 #include "options.h"
 #include "dhcp.h"
@@ -145,9 +144,6 @@ void show_usage(void)
 " -D, --sockd-user=USER Change ndhc-sockd privileges to this user\n"
 " -C, --chroot=DIR Chroot to this directory\n"
 " -s, --state-dir=DIR State storage dir (default: /etc/ndhc)\n"
-#ifdef ENABLE_SECCOMP_FILTER
-" -S, --seccomp-enforce Enforce seccomp syscall restrictions\n"
-#endif
 " -d, --relentless-defense Never back off in defending IP against\n"
 " conflicting hosts (servers only)\n"
 " -w, --arp-probe-wait Time to delay before first ARP probe\n"
@@ -270,9 +266,6 @@ static void do_ndhc_work(void)
 if (cs.epollFd < 0)
 suicide("epoll_create1 failed");
 
- if (enforce_seccomp_ndhc())
- log_line("ndhc seccomp filter cannot be installed");
-
 setup_signals_ndhc();
 
 epoll_add(cs.epollFd, cs.nlFd);
diff --git a/src/seccomp.c b/src/seccomp.c
deleted file mode 100644
index 6157728..0000000
--- a/src/seccomp.c
+++ /dev/null
@@ -1,224 +0,0 @@
-/* seccomp.h - seccomp syscall filters for ndhc
- *
- * Copyright (c) 2012-2017 Nicholas J. Kain
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * - Redistributions of source code must retain the above copyright notice,
- * this list of conditions and the following disclaimer.
- *
- * - Redistributions in binary form must reproduce the above copyright notice,
- * this list of conditions and the following disclaimer in the documentation
- * and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
- * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
- * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-#include
-#include "seccomp.h"
-#include "nk/log.h"
-#include "nk/seccomp-bpf.h"
-
-bool seccomp_enforce = false;
-
-int enforce_seccomp_ndhc(void)
-{
-#ifdef ENABLE_SECCOMP_FILTER
- if (!seccomp_enforce)
- return 0;
- struct sock_filter filter[] = {
- VALIDATE_ARCHITECTURE,
- EXAMINE_SYSCALL,
- ALLOW_SYSCALL(epoll_wait),
- ALLOW_SYSCALL(epoll_ctl),
- ALLOW_SYSCALL(read),
- ALLOW_SYSCALL(write),
- ALLOW_SYSCALL(close),
-
-#if defined(__x86_64__) || (defined(__arm__) && defined(__ARM_EABI__))
- ALLOW_SYSCALL(sendto), // used for glibc syslog routines
- ALLOW_SYSCALL(recvmsg),
- ALLOW_SYSCALL(sendmsg),
- ALLOW_SYSCALL(recvfrom),
- ALLOW_SYSCALL(connect),
-#elif defined(__i386__)
- ALLOW_SYSCALL(socketcall),
-#else
-#error Target platform does not support seccomp-filter.
-#endif
-
- ALLOW_SYSCALL(open),
-
- // Allowed by vDSO
- ALLOW_SYSCALL(getcpu),
- ALLOW_SYSCALL(time),
- ALLOW_SYSCALL(gettimeofday),
- ALLOW_SYSCALL(clock_gettime),
-
- // These are for 'write_leasefile()'
- ALLOW_SYSCALL(ftruncate),
- ALLOW_SYSCALL(lseek),
- ALLOW_SYSCALL(fsync),
-
- // These are for 'background()'
- ALLOW_SYSCALL(clone),
- ALLOW_SYSCALL(set_robust_list),
- ALLOW_SYSCALL(setsid),
- ALLOW_SYSCALL(chdir),
- ALLOW_SYSCALL(fstat),
- ALLOW_SYSCALL(dup2),
- ALLOW_SYSCALL(rt_sigprocmask),
- ALLOW_SYSCALL(signalfd4),
- ALLOW_SYSCALL(mmap),
- ALLOW_SYSCALL(munmap),
-
- ALLOW_SYSCALL(rt_sigreturn),
-#ifdef __NR_sigreturn
- ALLOW_SYSCALL(sigreturn),
-#endif
- ALLOW_SYSCALL(exit_group),
- ALLOW_SYSCALL(exit),
- KILL_PROCESS,
- };
- struct sock_fprog prog = {
- .len = (unsigned short)(sizeof filter / sizeof filter[0]),
- .filter = filter,
- };
- if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))
- return -1;
- if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog))
- return -1;
- log_line("ndhc seccomp filter installed. Please disable seccomp if you encounter problems.");
-#endif
- return 0;
-}
-
-int enforce_seccomp_ifch(void)
-{
-#ifdef ENABLE_SECCOMP_FILTER
- if (!seccomp_enforce)
- return 0;
- struct sock_filter filter[] = {
- VALIDATE_ARCHITECTURE,
- EXAMINE_SYSCALL,
- ALLOW_SYSCALL(read),
- ALLOW_SYSCALL(write),
- ALLOW_SYSCALL(epoll_wait),
- ALLOW_SYSCALL(epoll_ctl),
- ALLOW_SYSCALL(close),
-
-#if defined(__x86_64__) || (defined(__arm__) && defined(__ARM_EABI__))
- ALLOW_SYSCALL(sendto), // used for glibc syslog routines
- ALLOW_SYSCALL(recvmsg),
- ALLOW_SYSCALL(sendmsg),
- ALLOW_SYSCALL(recvfrom),
- ALLOW_SYSCALL(socket),
-#elif defined(__i386__)
- ALLOW_SYSCALL(socketcall),
-#else
-#error Target platform does not support seccomp-filter.
-#endif
-
- ALLOW_SYSCALL(open),
- ALLOW_SYSCALL(fstat),
- ALLOW_SYSCALL(fsync),
- ALLOW_SYSCALL(lseek),
- ALLOW_SYSCALL(truncate),
-
- ALLOW_SYSCALL(rt_sigreturn),
-#ifdef __NR_sigreturn
- ALLOW_SYSCALL(sigreturn),
-#endif
- // Allowed by vDSO
- ALLOW_SYSCALL(getcpu),
- ALLOW_SYSCALL(time),
- ALLOW_SYSCALL(gettimeofday),
- ALLOW_SYSCALL(clock_gettime),
-
- ALLOW_SYSCALL(exit_group),
- ALLOW_SYSCALL(exit),
- KILL_PROCESS,
- };
- struct sock_fprog prog = {
- .len = (unsigned short)(sizeof filter / sizeof filter[0]),
- .filter = filter,
- };
- if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))
- return -1;
- if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog))
- return -1;
- log_line("ndhc-ifch seccomp filter installed. Please disable seccomp if you encounter problems.");
-#endif
- return 0;
-}
-
-int enforce_seccomp_sockd(void)
-{
-#ifdef ENABLE_SECCOMP_FILTER
- if (!seccomp_enforce)
- return 0;
- struct sock_filter filter[] = {
- VALIDATE_ARCHITECTURE,
- EXAMINE_SYSCALL,
- ALLOW_SYSCALL(epoll_wait),
- ALLOW_SYSCALL(epoll_ctl),
- ALLOW_SYSCALL(read),
- ALLOW_SYSCALL(write),
- ALLOW_SYSCALL(close),
-
-#if defined(__x86_64__) || (defined(__arm__) && defined(__ARM_EABI__))
- ALLOW_SYSCALL(sendto), // used for glibc syslog routines
- ALLOW_SYSCALL(recvmsg),
- ALLOW_SYSCALL(sendmsg),
- ALLOW_SYSCALL(recvfrom),
- ALLOW_SYSCALL(socket),
- ALLOW_SYSCALL(setsockopt),
- ALLOW_SYSCALL(bind),
-#elif defined(__i386__)
- ALLOW_SYSCALL(socketcall),
- ALLOW_SYSCALL(fcntl64),
-#else
-#error Target platform does not support seccomp-filter.
-#endif
-
- ALLOW_SYSCALL(fcntl),
- ALLOW_SYSCALL(open),
-
- // Allowed by vDSO
- ALLOW_SYSCALL(getcpu),
- ALLOW_SYSCALL(time),
- ALLOW_SYSCALL(gettimeofday),
- ALLOW_SYSCALL(clock_gettime),
-
- ALLOW_SYSCALL(rt_sigreturn),
-#ifdef __NR_sigreturn
- ALLOW_SYSCALL(sigreturn),
-#endif
- ALLOW_SYSCALL(exit_group),
- ALLOW_SYSCALL(exit),
- KILL_PROCESS,
- };
- struct sock_fprog prog = {
- .len = (unsigned short)(sizeof filter / sizeof filter[0]),
- .filter = filter,
- };
- if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))
- return -1;
- if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog))
- return -1;
- log_line("ndhc-sockd seccomp filter installed. Please disable seccomp if you encounter problems.");
-#endif
- return 0;
-}
-
diff --git a/src/seccomp.h b/src/seccomp.h
deleted file mode 100644
index 0adb7cd..0000000
--- a/src/seccomp.h
+++ /dev/null
@@ -1,39 +0,0 @@
-/* seccomp.h - seccomp syscall filters for ndhc
- *
- * Copyright (c) 2012-2017 Nicholas J. Kain
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * - Redistributions of source code must retain the above copyright notice,
- * this list of conditions and the following disclaimer.
- *
- * - Redistributions in binary form must reproduce the above copyright notice,
- * this list of conditions and the following disclaimer in the documentation
- * and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
- * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
- * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-#ifndef NJK_NDHC_SECCOMP_H_
-#define NJK_NDHC_SECCOMP_H_
-
-#include
-
-extern bool seccomp_enforce;
-
-int enforce_seccomp_ndhc(void);
-int enforce_seccomp_ifch(void);
-int enforce_seccomp_sockd(void);
-
-#endif /* NJK_NDHC_SECCOMP_H_ */
diff --git a/src/sockd.c b/src/sockd.c
index f88223a..c3507a0 100644
--- a/src/sockd.c
+++ b/src/sockd.c
@@ -57,7 +57,6 @@
 #include "ndhc.h"
 #include "dhcp.h"
 #include "sys.h"
-#include "seccomp.h"
 
 static int epollfd, signalFd;
 /* Slots are for signalFd and the ndhc -> ifchd socket. */
@@ -555,9 +554,6 @@ static void do_sockd_work(void)
 if (epollfd < 0)
 suicide("epoll_create1 failed");
 
- if (enforce_seccomp_sockd())
- log_line("sockd seccomp filter cannot be installed");
-
 epoll_add(epollfd, sockdSock[1]);
 epoll_add(epollfd, sockdStream[1]);
 epoll_add(epollfd, signalFd);