From e08d3b15b53f54ae47993e229bfd40ed3d643f86 Mon Sep 17 00:00:00 2001
From: "Nicholas J. Kain"
Date: Fri, 9 Feb 2018 03:33:04 -0500
Subject: [PATCH] Remove seccomp support.

It breaks with the existing whitelists on the latest glibc and is just too much maintenance burden. It also causes the most questions for new users. Something like openbsd's pledge() would be fine, but I have no intention of maintaining such a thing. Most of the value-gain would come from disallowing high-risk syscalls like ptrace() and the perf syscalls, anyway. ndhc already uses extensive defense-in-depth and wasn't using seccomp on non-(x86|x86-64) platforms, so it's not a huge loss.
---
 CMakeLists.txt | 13 ---
 src/cfg.rl | 7 +-
 src/ifchd.c | 4 -
 src/ndhc.8 | 9 --
 src/ndhc.c | 7 --
 src/seccomp.c | 224 -------------------------------------------------
 src/seccomp.h | 39 ---------
 src/sockd.c | 4 -
 8 files changed, 2 insertions(+), 305 deletions(-)
 delete mode 100644 src/seccomp.c
 delete mode 100644 src/seccomp.h

diff --git a/CMakeLists.txt b/CMakeLists.txt
index fb527d1..6579a2f 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -134,19 +134,6 @@ else()
 set(MACHINENAME $ENV{CROSSCOMPILE_MACHINENAME})
 endif()
-if (${MACHINENAME} STREQUAL "x86_64")
- message("Detected that the current host is x86_64. Enabling seccomp-filter.")
- set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DENABLE_SECCOMP_FILTER")
- set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -DENABLE_SECCOMP_FILTER")
-elseif ((${MACHINENAME} STREQUAL "i686") OR (${MACHINENAME} STREQUAL "i586") OR
- (${MACHINENAME} STREQUAL "i486") OR (${MACHINENAME} STREQUAL "i386"))
- message("Detected that the current host is x86. Enabling seccomp-filter.")
- set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DENABLE_SECCOMP_FILTER")
- set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -DENABLE_SECCOMP_FILTER")
-else()
- message("Host machine type does not support seccomp-filter.")
-endif()
-
 include_directories("${PROJECT_SOURCE_DIR}/ncmlib")
 add_subdirectory(ncmlib)
diff --git a/src/cfg.rl b/src/cfg.rl
index 789368e..99765b9 100644
--- a/src/cfg.rl
+++ b/src/cfg.rl
@@ -11,7 +11,6 @@
 #include "ndhc.h"
 #include "ifchd.h"
 #include "sockd.h"
-#include "seccomp.h"
 #include "nk/log.h"
 #include "nk/privilege.h"
 #include "nk/copy_cmdarg.h"
@@ -108,10 +107,8 @@ struct cfgparse {
 copy_cmdarg(state_dir, ccfg.buf, sizeof state_dir, "state-dir");
 }
 action seccomp_enforce {
- switch (ccfg.ternary) {
- case 1: seccomp_enforce = true; break;
- case -1: seccomp_enforce = false; default: break;
- }
+ log_line("seccomp_enforce option is deprecated; please remove it");
+ log_line("In the meanwhile, it is ignored and seccomp is disabled.");
 }
 action relentless_defense {
 switch (ccfg.ternary) {
diff --git a/src/ifchd.c b/src/ifchd.c
index 88f2d55..019558d 100644
--- a/src/ifchd.c
+++ b/src/ifchd.c
@@ -45,7 +45,6 @@
 #include "nk/signals.h"
 #include "nk/io.h"
-#include "seccomp.h"
 #include "ifchd.h"
 #include "ndhc.h"
 #include "ifchd-parse.h"
@@ -346,9 +345,6 @@ static void do_ifch_work(void)
 if (epollfd < 0)
 suicide("epoll_create1 failed");
- if (enforce_seccomp_ifch())
- log_line("ifch seccomp filter cannot be installed");
-
 cl.state = STATE_NOTHING;
 memset(cl.ibuf, 0, sizeof cl.ibuf);
 memset(cl.namesvrs, 0, sizeof cl.namesvrs);
diff --git a/src/ndhc.8 b/src/ndhc.8
index 724dfc8..716e141 100644
--- a/src/ndhc.8
+++ b/src/ndhc.8
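Review bot: The second deprecation message in the new `action seccomp_enforce` body reads `In the meanwhile`, which is not idiomatic English; `log_line("In the meantime, it is ignored and seccomp is disabled.");` is the usual phrasing. Because the action itself is kept, the option is presumably still accepted from both the command line and the config file (the parse tables are outside this hunk), so the ndhc.8 hunk that deletes the `-S, --seccomp-enforce` entry outright could instead keep a one-line entry saying the flag is accepted and ignored, matching what this log line tells the user. Operators who set this option expecting a hardening layer now learn of its absence only from the log, so it would also help if the first message stated that seccomp filtering has been removed from ndhc rather than merely that the option is deprecated.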
@@ -101,15 +101,6 @@ hostname option field provided by a remote DHCP server on the request of a ndhc client. If this option is not specified, ndhc will never change the system hostname.
 .TP
-.BI \-S ,\ \-\-seccomp\-enforce
-Enforces seccomp-based syscall whitelisting. System calls that ndhc and
-ndhc-ifch are not expected to need are prohibited from being called if this
-flag is set. The lists of allowed syscalls are hardcoded, and attempts
-to call a non-listed syscall will result in the ndhc process being
-terminated. As systems vary, it cannot be guaranteed that these system
-call lists are accurate for your system, and thus seccomp filtering will
-not be used unless this flag is set.
-.TP
 .BI \-w\ TIMEMS ,\ \-\-arp\-probe\-wait= TIMEMS
 Adjusts the time that we wait for an ARP response when checking to see if our lease assignment is already taken by an existing host. Default is
diff --git a/src/ndhc.c b/src/ndhc.c
index fc73b6e..e16b032 100644
--- a/src/ndhc.c
+++ b/src/ndhc.c
@@ -57,7 +57,6 @@
 #include "ndhc.h"
 #include "ndhc-defines.h"
 #include "cfg.h"
-#include "seccomp.h"
 #include "state.h"
 #include "options.h"
 #include "dhcp.h"
@@ -145,9 +144,6 @@ void show_usage(void)
 " -D, --sockd-user=USER Change ndhc-sockd privileges to this user\n"
 " -C, --chroot=DIR Chroot to this directory\n"
 " -s, --state-dir=DIR State storage dir (default: /etc/ndhc)\n"
-#ifdef ENABLE_SECCOMP_FILTER
-" -S, --seccomp-enforce Enforce seccomp syscall restrictions\n"
-#endif
 " -d, --relentless-defense Never back off in defending IP against\n"
 " conflicting hosts (servers only)\n"
 " -w, --arp-probe-wait Time to delay before first ARP probe\n"
@@ -270,9 +266,6 @@ static void do_ndhc_work(void)
 if (cs.epollFd < 0)
 suicide("epoll_create1 failed");
- if (enforce_seccomp_ndhc())
- log_line("ndhc seccomp filter cannot be installed");
-
 setup_signals_ndhc();
 epoll_add(cs.epollFd, cs.nlFd);
diff --git a/src/seccomp.c b/src/seccomp.c
deleted file mode 100644
index 6157728..0000000
--- a/src/seccomp.c
+++ /dev/null
@@ -1,224 +0,0 @@
-/* seccomp.h - seccomp syscall filters for ndhc
- *
- * Copyright (c) 2012-2017 Nicholas J. Kain
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * - Redistributions of source code must retain the above copyright notice,
- * this list of conditions and the following disclaimer.
- *
- * - Redistributions in binary form must reproduce the above copyright notice,
- * this list of conditions and the following disclaimer in the documentation
- * and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
- * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
- * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-#include
-#include "seccomp.h"
-#include "nk/log.h"
-#include "nk/seccomp-bpf.h"
-
-bool seccomp_enforce = false;
-
-int enforce_seccomp_ndhc(void)
-{
-#ifdef ENABLE_SECCOMP_FILTER
- if (!seccomp_enforce)
- return 0;
- struct sock_filter filter[] = {
- VALIDATE_ARCHITECTURE,
- EXAMINE_SYSCALL,
- ALLOW_SYSCALL(epoll_wait),
- ALLOW_SYSCALL(epoll_ctl),
- ALLOW_SYSCALL(read),
- ALLOW_SYSCALL(write),
- ALLOW_SYSCALL(close),
-
-#if defined(__x86_64__) || (defined(__arm__) && defined(__ARM_EABI__))
- ALLOW_SYSCALL(sendto), // used for glibc syslog routines
- ALLOW_SYSCALL(recvmsg),
- ALLOW_SYSCALL(sendmsg),
- ALLOW_SYSCALL(recvfrom),
- ALLOW_SYSCALL(connect),
-#elif defined(__i386__)
- ALLOW_SYSCALL(socketcall),
-#else
-#error Target platform does not support seccomp-filter.
-#endif
-
- ALLOW_SYSCALL(open),
-
- // Allowed by vDSO
- ALLOW_SYSCALL(getcpu),
- ALLOW_SYSCALL(time),
- ALLOW_SYSCALL(gettimeofday),
- ALLOW_SYSCALL(clock_gettime),
-
- // These are for 'write_leasefile()'
- ALLOW_SYSCALL(ftruncate),
- ALLOW_SYSCALL(lseek),
- ALLOW_SYSCALL(fsync),
-
- // These are for 'background()'
- ALLOW_SYSCALL(clone),
- ALLOW_SYSCALL(set_robust_list),
- ALLOW_SYSCALL(setsid),
- ALLOW_SYSCALL(chdir),
- ALLOW_SYSCALL(fstat),
- ALLOW_SYSCALL(dup2),
- ALLOW_SYSCALL(rt_sigprocmask),
- ALLOW_SYSCALL(signalfd4),
- ALLOW_SYSCALL(mmap),
- ALLOW_SYSCALL(munmap),
-
- ALLOW_SYSCALL(rt_sigreturn),
-#ifdef __NR_sigreturn
- ALLOW_SYSCALL(sigreturn),
-#endif
- ALLOW_SYSCALL(exit_group),
- ALLOW_SYSCALL(exit),
- KILL_PROCESS,
- };
- struct sock_fprog prog = {
- .len = (unsigned short)(sizeof filter / sizeof filter[0]),
- .filter = filter,
- };
- if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))
- return -1;
- if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog))
- return -1;
- log_line("ndhc seccomp filter installed. Please disable seccomp if you encounter problems.");
-#endif
- return 0;
-}
-
-int enforce_seccomp_ifch(void)
-{
-#ifdef ENABLE_SECCOMP_FILTER
- if (!seccomp_enforce)
- return 0;
- struct sock_filter filter[] = {
- VALIDATE_ARCHITECTURE,
- EXAMINE_SYSCALL,
- ALLOW_SYSCALL(read),
- ALLOW_SYSCALL(write),
- ALLOW_SYSCALL(epoll_wait),
- ALLOW_SYSCALL(epoll_ctl),
- ALLOW_SYSCALL(close),
-
-#if defined(__x86_64__) || (defined(__arm__) && defined(__ARM_EABI__))
- ALLOW_SYSCALL(sendto), // used for glibc syslog routines
- ALLOW_SYSCALL(recvmsg),
- ALLOW_SYSCALL(sendmsg),
- ALLOW_SYSCALL(recvfrom),
- ALLOW_SYSCALL(socket),
-#elif defined(__i386__)
- ALLOW_SYSCALL(socketcall),
-#else
-#error Target platform does not support seccomp-filter.
-#endif
-
- ALLOW_SYSCALL(open),
- ALLOW_SYSCALL(fstat),
- ALLOW_SYSCALL(fsync),
- ALLOW_SYSCALL(lseek),
- ALLOW_SYSCALL(truncate),
-
- ALLOW_SYSCALL(rt_sigreturn),
-#ifdef __NR_sigreturn
- ALLOW_SYSCALL(sigreturn),
-#endif
- // Allowed by vDSO
- ALLOW_SYSCALL(getcpu),
- ALLOW_SYSCALL(time),
- ALLOW_SYSCALL(gettimeofday),
- ALLOW_SYSCALL(clock_gettime),
-
- ALLOW_SYSCALL(exit_group),
- ALLOW_SYSCALL(exit),
- KILL_PROCESS,
- };
- struct sock_fprog prog = {
- .len = (unsigned short)(sizeof filter / sizeof filter[0]),
- .filter = filter,
- };
- if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))
- return -1;
- if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog))
- return -1;
- log_line("ndhc-ifch seccomp filter installed. Please disable seccomp if you encounter problems.");
-#endif
- return 0;
-}
-
-int enforce_seccomp_sockd(void)
-{
-#ifdef ENABLE_SECCOMP_FILTER
- if (!seccomp_enforce)
- return 0;
- struct sock_filter filter[] = {
- VALIDATE_ARCHITECTURE,
- EXAMINE_SYSCALL,
- ALLOW_SYSCALL(epoll_wait),
- ALLOW_SYSCALL(epoll_ctl),
- ALLOW_SYSCALL(read),
- ALLOW_SYSCALL(write),
- ALLOW_SYSCALL(close),
-
-#if defined(__x86_64__) || (defined(__arm__) && defined(__ARM_EABI__))
- ALLOW_SYSCALL(sendto), // used for glibc syslog routines
- ALLOW_SYSCALL(recvmsg),
- ALLOW_SYSCALL(sendmsg),
- ALLOW_SYSCALL(recvfrom),
- ALLOW_SYSCALL(socket),
- ALLOW_SYSCALL(setsockopt),
- ALLOW_SYSCALL(bind),
-#elif defined(__i386__)
- ALLOW_SYSCALL(socketcall),
- ALLOW_SYSCALL(fcntl64),
-#else
-#error Target platform does not support seccomp-filter.
-#endif
-
- ALLOW_SYSCALL(fcntl),
- ALLOW_SYSCALL(open),
-
- // Allowed by vDSO
- ALLOW_SYSCALL(getcpu),
- ALLOW_SYSCALL(time),
- ALLOW_SYSCALL(gettimeofday),
- ALLOW_SYSCALL(clock_gettime),
-
- ALLOW_SYSCALL(rt_sigreturn),
-#ifdef __NR_sigreturn
- ALLOW_SYSCALL(sigreturn),
-#endif
- ALLOW_SYSCALL(exit_group),
- ALLOW_SYSCALL(exit),
- KILL_PROCESS,
- };
- struct sock_fprog prog = {
- .len = (unsigned short)(sizeof filter / sizeof filter[0]),
- .filter = filter,
- };
- if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))
- return -1;
- if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog))
- return -1;
- log_line("ndhc-sockd seccomp filter installed. Please disable seccomp if you encounter problems.");
-#endif
- return 0;
-}
-
diff --git a/src/seccomp.h b/src/seccomp.h
deleted file mode 100644
index 0adb7cd..0000000
--- a/src/seccomp.h
+++ /dev/null
@@ -1,39 +0,0 @@
-/* seccomp.h - seccomp syscall filters for ndhc
- *
- * Copyright (c) 2012-2017 Nicholas J. Kain
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * - Redistributions of source code must retain the above copyright notice,
- * this list of conditions and the following disclaimer.
- *
- * - Redistributions in binary form must reproduce the above copyright notice,
- * this list of conditions and the following disclaimer in the documentation
- * and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
- * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
- * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-#ifndef NJK_NDHC_SECCOMP_H_
-#define NJK_NDHC_SECCOMP_H_
-
-#include
-
-extern bool seccomp_enforce;
-
-int enforce_seccomp_ndhc(void);
-int enforce_seccomp_ifch(void);
-int enforce_seccomp_sockd(void);
-
-#endif /* NJK_NDHC_SECCOMP_H_ */
diff --git a/src/sockd.c b/src/sockd.c
index f88223a..c3507a0 100644
--- a/src/sockd.c
+++ b/src/sockd.c
@@ -57,7 +57,6 @@
 #include "ndhc.h"
 #include "dhcp.h"
 #include "sys.h"
-#include "seccomp.h"
 static int epollfd, signalFd; /* Slots are for signalFd and the ndhc -> ifchd socket. */
@@ -555,9 +554,6 @@ static void do_sockd_work(void)
 if (epollfd < 0)
 suicide("epoll_create1 failed");
- if (enforce_seccomp_sockd())
- log_line("sockd seccomp filter cannot be installed");
-
 epoll_add(epollfd, sockdSock[1]);
 epoll_add(epollfd, sockdStream[1]);
 epoll_add(epollfd, signalFd);