ndhc/ndhc/seccomp.c
Nicholas J. Kain 1824802fb2 Merge ifchd into ndhc. Rather than function as entirely separate daemons,
ndhc will fork off an ifchd child that it will communicate with via
pipes rather than by connecting to a SO_PEERCRED AF_UNIX socket.

The advantages include:

1. Simpler configuration.  Much easier for users and packagers to set up.
2. Drastically less complex code for the ifch functionality.  More code
   is removed than added, and the result is a lot less complex.
3. Potentially better security.  The ifch can only service the parent
   ndhc process, and it is restricted to issuing modifications to
   the single interface that ndhc manages.
4. Less memory used on systems that allow overcommit.

The downsides:

1. Possibly more memory used on systems that run multiple ndhcs and use
   strict commit limits.

At the same time, use netlink rather than ioctls so that the
interface ip, subnet, and broadcast address can be set simultaneously.
This change reduces the netlink notification spam greatly.

The current code builds but isn't yet complete.  Subsequent commits will
flesh things out and polish out some remaining issues.
2014-03-10 00:52:56 -04:00

154 lines
4.9 KiB
C

/* seccomp.h - seccomp syscall filters for ndhc
*
* Copyright (c) 2012-2014 Nicholas J. Kain <njkain at gmail dot com>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* - Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
*
* - Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
#include <stdbool.h>
#include "log.h"
#include "seccomp-bpf.h"
bool seccomp_enforce = false;
int enforce_seccomp_ndhc(void)
{
if (!seccomp_enforce)
return 0;
struct sock_filter filter[] = {
VALIDATE_ARCHITECTURE,
EXAMINE_SYSCALL,
ALLOW_SYSCALL(sendto), // used for glibc syslog routines
ALLOW_SYSCALL(epoll_wait),
ALLOW_SYSCALL(epoll_ctl),
ALLOW_SYSCALL(read),
ALLOW_SYSCALL(write),
ALLOW_SYSCALL(close),
ALLOW_SYSCALL(recvmsg),
ALLOW_SYSCALL(socket),
ALLOW_SYSCALL(setsockopt),
ALLOW_SYSCALL(fcntl),
ALLOW_SYSCALL(bind),
ALLOW_SYSCALL(open),
ALLOW_SYSCALL(connect),
ALLOW_SYSCALL(getsockname),
// Allowed by vDSO
ALLOW_SYSCALL(getcpu),
ALLOW_SYSCALL(time),
ALLOW_SYSCALL(gettimeofday),
ALLOW_SYSCALL(clock_gettime),
// These are for 'write_leasefile()'
ALLOW_SYSCALL(ftruncate),
ALLOW_SYSCALL(lseek),
ALLOW_SYSCALL(fsync),
// These are for 'background()'
ALLOW_SYSCALL(socketpair),
ALLOW_SYSCALL(clone),
ALLOW_SYSCALL(set_robust_list),
ALLOW_SYSCALL(setsid),
ALLOW_SYSCALL(chdir),
ALLOW_SYSCALL(fstat),
ALLOW_SYSCALL(dup2),
ALLOW_SYSCALL(rt_sigprocmask),
ALLOW_SYSCALL(signalfd4),
ALLOW_SYSCALL(mmap),
ALLOW_SYSCALL(munmap),
ALLOW_SYSCALL(rt_sigreturn),
#ifdef __NR_sigreturn
ALLOW_SYSCALL(sigreturn),
#endif
ALLOW_SYSCALL(exit_group),
ALLOW_SYSCALL(exit),
KILL_PROCESS,
};
struct sock_fprog prog = {
.len = (unsigned short)(sizeof filter / sizeof filter[0]),
.filter = filter,
};
if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))
return -1;
if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog))
return -1;
log_line("ndhc seccomp filter installed. Please disable seccomp if you encounter problems.");
return 0;
}
int enforce_seccomp_ifch(void)
{
if (!seccomp_enforce)
return 0;
struct sock_filter filter[] = {
VALIDATE_ARCHITECTURE,
EXAMINE_SYSCALL,
ALLOW_SYSCALL(read),
ALLOW_SYSCALL(write),
ALLOW_SYSCALL(sendto),
ALLOW_SYSCALL(epoll_wait),
ALLOW_SYSCALL(epoll_ctl),
ALLOW_SYSCALL(close),
ALLOW_SYSCALL(socket),
ALLOW_SYSCALL(ioctl),
ALLOW_SYSCALL(getsockname),
ALLOW_SYSCALL(open),
ALLOW_SYSCALL(fstat),
ALLOW_SYSCALL(connect),
ALLOW_SYSCALL(recvmsg),
ALLOW_SYSCALL(fsync),
ALLOW_SYSCALL(lseek),
ALLOW_SYSCALL(truncate),
ALLOW_SYSCALL(fcntl),
ALLOW_SYSCALL(unlink),
ALLOW_SYSCALL(bind),
ALLOW_SYSCALL(chmod),
ALLOW_SYSCALL(rt_sigreturn),
#ifdef __NR_sigreturn
ALLOW_SYSCALL(sigreturn),
#endif
// Allowed by vDSO
ALLOW_SYSCALL(getcpu),
ALLOW_SYSCALL(time),
ALLOW_SYSCALL(gettimeofday),
ALLOW_SYSCALL(clock_gettime),
ALLOW_SYSCALL(exit_group),
ALLOW_SYSCALL(exit),
KILL_PROCESS,
};
struct sock_fprog prog = {
.len = (unsigned short)(sizeof filter / sizeof filter[0]),
.filter = filter,
};
if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))
return -1;
if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog))
return -1;
log_line("ndhc-ifch seccomp filter installed. Please disable seccomp if you encounter problems.");
return 0;
}