From nobody Fri May 17 09:01:28 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1627909575; cv=none; d=zohomail.com; s=zohoarc; b=LNNJ+2Bhz2IKwYGcOaKizODAfPw1ZRv7YHQTLB1oblMgkn1Ygn0mCZm+mkJ3Uy5py8/ryaO5V14ryTYMDLNBOmac+wieFVP8p1LqHN2m8aI7ISIOcLewN4iyX6oRnPa2jZ3WqvrWMNhNgfmC0fI+Fz4oOuVXhUhxYk5B9thDAQs= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1627909575; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=/ge0RMbJJhFitOMa06xnVX0OQambquC6tRT3uVK65V0=; b=S2jryviWrThn58rj5Yx0DQJ4fE1KYSF1wCkpTVuvqAq51nFIUHwPnGV/+MgghjpOJ20AOjY74pnPaUkGoJ6xEa4U/t6SDlTBmJidS2fkD7dqF8UIz+eHWyX1qHbrUYKVvKpdhWgtdG9lBuqyPKD66G8Jy5X19TeZnWowJs3fn7c= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1627909575566671.04660357504; Mon, 2 Aug 2021 06:06:15 -0700 (PDT) Received: from localhost ([::1]:54806 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1mAXe2-00055P-7H for importer@patchew.org; Mon, 02 Aug 2021 09:06:14 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:32982) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1mAXb9-0000e1-IG for qemu-devel@nongnu.org; Mon, 02 Aug 2021 09:03:15 -0400 Received: from us-smtp-delivery-124.mimecast.com ([170.10.133.124]:23717) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1mAXb7-0000OO-Ih for qemu-devel@nongnu.org; Mon, 02 Aug 2021 09:03:15 -0400 Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-522-cFXonkjiNdO2R7C67wTcAg-1; Mon, 02 Aug 2021 09:03:11 -0400 Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id B79C787D541 for ; Mon, 2 Aug 2021 13:03:10 +0000 (UTC) Received: from localhost.localdomain.com (unknown [10.39.194.210]) by smtp.corp.redhat.com (Postfix) with ESMTP id 959EE2C607; Mon, 2 Aug 2021 13:03:09 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1627909392; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=/ge0RMbJJhFitOMa06xnVX0OQambquC6tRT3uVK65V0=; b=WKbLHPCW+j1ZDdn7qj7MpPyTqYHNgS2sWucVe6hCblSJYOoFthNAQXEPO7QBD3tsTQCUhw 2/e74sKZipH0cPaAKMtaiSNUxX70TeL/XpvpbKW9+gnCSSA8SxyJhgNEoBSA5GV57O2vx+ VgaBCheW2LvOyIJf66JyWowLz5aiSlg= X-MC-Unique: cFXonkjiNdO2R7C67wTcAg-1 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= To: qemu-devel@nongnu.org Subject: [PATCH 1/5] seccomp: allow action to be customized per syscall Date: Mon, 2 Aug 2021 14:02:59 +0100 Message-Id: <20210802130303.3300108-2-berrange@redhat.com> In-Reply-To: <20210802130303.3300108-1-berrange@redhat.com> References: <20210802130303.3300108-1-berrange@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=berrange@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=170.10.133.124; envelope-from=berrange@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -34 X-Spam_score: -3.5 X-Spam_bar: --- X-Spam_report: (-3.5 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.701, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UPPERCASE_50_75=0.008 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Eduardo Otubo , =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail-DKIM: pass (identity @redhat.com) X-ZM-MESSAGEID: 1627909577304100001 We're currently tailoring whether to use kill process or return EPERM based on the syscall set. This is not flexible enough for future requirements where we also need to be able to return a variety of actions on a per-syscall granularity. Signed-off-by: Daniel P. Berrang=C3=A9 Acked-by: Eduardo Otubo --- softmmu/qemu-seccomp.c | 172 +++++++++++++++++++++++++---------------- 1 file changed, 106 insertions(+), 66 deletions(-) diff --git a/softmmu/qemu-seccomp.c b/softmmu/qemu-seccomp.c index f50026778c..9f6df8d033 100644 --- a/softmmu/qemu-seccomp.c +++ b/softmmu/qemu-seccomp.c @@ -38,6 +38,7 @@ struct QemuSeccompSyscall { uint8_t set; uint8_t narg; const struct scmp_arg_cmp *arg_cmp; + uint32_t action; }; =20 const struct scmp_arg_cmp sched_setscheduler_arg[] =3D { @@ -47,61 +48,111 @@ const struct scmp_arg_cmp sched_setscheduler_arg[] =3D= { =20 static const struct QemuSeccompSyscall denylist[] =3D { /* default set of syscalls that should get blocked */ - { SCMP_SYS(reboot), QEMU_SECCOMP_SET_DEFAULT }, - { SCMP_SYS(swapon), QEMU_SECCOMP_SET_DEFAULT }, - { SCMP_SYS(swapoff), QEMU_SECCOMP_SET_DEFAULT }, - { SCMP_SYS(syslog), QEMU_SECCOMP_SET_DEFAULT }, - { SCMP_SYS(mount), QEMU_SECCOMP_SET_DEFAULT }, - { SCMP_SYS(umount), QEMU_SECCOMP_SET_DEFAULT }, - { SCMP_SYS(kexec_load), QEMU_SECCOMP_SET_DEFAULT }, - { SCMP_SYS(afs_syscall), QEMU_SECCOMP_SET_DEFAULT }, - { SCMP_SYS(break), QEMU_SECCOMP_SET_DEFAULT }, - { SCMP_SYS(ftime), QEMU_SECCOMP_SET_DEFAULT }, - { SCMP_SYS(getpmsg), QEMU_SECCOMP_SET_DEFAULT }, - { SCMP_SYS(gtty), QEMU_SECCOMP_SET_DEFAULT }, - { SCMP_SYS(lock), QEMU_SECCOMP_SET_DEFAULT }, - { SCMP_SYS(mpx), QEMU_SECCOMP_SET_DEFAULT }, - { SCMP_SYS(prof), QEMU_SECCOMP_SET_DEFAULT }, - { SCMP_SYS(profil), QEMU_SECCOMP_SET_DEFAULT }, - { SCMP_SYS(putpmsg), QEMU_SECCOMP_SET_DEFAULT }, - { SCMP_SYS(security), QEMU_SECCOMP_SET_DEFAULT }, - { SCMP_SYS(stty), QEMU_SECCOMP_SET_DEFAULT }, - { SCMP_SYS(tuxcall), QEMU_SECCOMP_SET_DEFAULT }, - { SCMP_SYS(ulimit), QEMU_SECCOMP_SET_DEFAULT }, - { SCMP_SYS(vserver), QEMU_SECCOMP_SET_DEFAULT }, + { SCMP_SYS(reboot), QEMU_SECCOMP_SET_DEFAULT, + 0, NULL, SCMP_ACT_TRAP }, + { SCMP_SYS(swapon), QEMU_SECCOMP_SET_DEFAULT, + 0, NULL, SCMP_ACT_TRAP }, + { SCMP_SYS(swapoff), QEMU_SECCOMP_SET_DEFAULT, + 0, NULL, SCMP_ACT_TRAP }, + { SCMP_SYS(syslog), QEMU_SECCOMP_SET_DEFAULT, + 0, NULL, SCMP_ACT_TRAP }, + { SCMP_SYS(mount), QEMU_SECCOMP_SET_DEFAULT, + 0, NULL, SCMP_ACT_TRAP }, + { SCMP_SYS(umount), QEMU_SECCOMP_SET_DEFAULT, + 0, NULL, SCMP_ACT_TRAP }, + { SCMP_SYS(kexec_load), QEMU_SECCOMP_SET_DEFAULT, + 0, NULL, SCMP_ACT_TRAP }, + { SCMP_SYS(afs_syscall), QEMU_SECCOMP_SET_DEFAULT, + 0, NULL, SCMP_ACT_TRAP }, + { SCMP_SYS(break), QEMU_SECCOMP_SET_DEFAULT, + 0, NULL, SCMP_ACT_TRAP }, + { SCMP_SYS(ftime), QEMU_SECCOMP_SET_DEFAULT, + 0, NULL, SCMP_ACT_TRAP }, + { SCMP_SYS(getpmsg), QEMU_SECCOMP_SET_DEFAULT, + 0, NULL, SCMP_ACT_TRAP }, + { SCMP_SYS(gtty), QEMU_SECCOMP_SET_DEFAULT, + 0, NULL, SCMP_ACT_TRAP }, + { SCMP_SYS(lock), QEMU_SECCOMP_SET_DEFAULT, + 0, NULL, SCMP_ACT_TRAP }, + { SCMP_SYS(mpx), QEMU_SECCOMP_SET_DEFAULT, + 0, NULL, SCMP_ACT_TRAP }, + { SCMP_SYS(prof), QEMU_SECCOMP_SET_DEFAULT, + 0, NULL, SCMP_ACT_TRAP }, + { SCMP_SYS(profil), QEMU_SECCOMP_SET_DEFAULT, + 0, NULL, SCMP_ACT_TRAP }, + { SCMP_SYS(putpmsg), QEMU_SECCOMP_SET_DEFAULT, + 0, NULL, SCMP_ACT_TRAP }, + { SCMP_SYS(security), QEMU_SECCOMP_SET_DEFAULT, + 0, NULL, SCMP_ACT_TRAP }, + { SCMP_SYS(stty), QEMU_SECCOMP_SET_DEFAULT, + 0, NULL, SCMP_ACT_TRAP }, + { SCMP_SYS(tuxcall), QEMU_SECCOMP_SET_DEFAULT, + 0, NULL, SCMP_ACT_TRAP }, + { SCMP_SYS(ulimit), QEMU_SECCOMP_SET_DEFAULT, + 0, NULL, SCMP_ACT_TRAP }, + { SCMP_SYS(vserver), QEMU_SECCOMP_SET_DEFAULT, + 0, NULL, SCMP_ACT_TRAP }, /* obsolete */ - { SCMP_SYS(readdir), QEMU_SECCOMP_SET_OBSOLETE }, - { SCMP_SYS(_sysctl), QEMU_SECCOMP_SET_OBSOLETE }, - { SCMP_SYS(bdflush), QEMU_SECCOMP_SET_OBSOLETE }, - { SCMP_SYS(create_module), QEMU_SECCOMP_SET_OBSOLETE }, - { SCMP_SYS(get_kernel_syms), QEMU_SECCOMP_SET_OBSOLETE }, - { SCMP_SYS(query_module), QEMU_SECCOMP_SET_OBSOLETE }, - { SCMP_SYS(sgetmask), QEMU_SECCOMP_SET_OBSOLETE }, - { SCMP_SYS(ssetmask), QEMU_SECCOMP_SET_OBSOLETE }, - { SCMP_SYS(sysfs), QEMU_SECCOMP_SET_OBSOLETE }, - { SCMP_SYS(uselib), QEMU_SECCOMP_SET_OBSOLETE }, - { SCMP_SYS(ustat), QEMU_SECCOMP_SET_OBSOLETE }, + { SCMP_SYS(readdir), QEMU_SECCOMP_SET_OBSOLETE, + 0, NULL, SCMP_ACT_TRAP }, + { SCMP_SYS(_sysctl), QEMU_SECCOMP_SET_OBSOLETE, + 0, NULL, SCMP_ACT_TRAP }, + { SCMP_SYS(bdflush), QEMU_SECCOMP_SET_OBSOLETE, + 0, NULL, SCMP_ACT_TRAP }, + { SCMP_SYS(create_module), QEMU_SECCOMP_SET_OBSOLETE, + 0, NULL, SCMP_ACT_TRAP }, + { SCMP_SYS(get_kernel_syms), QEMU_SECCOMP_SET_OBSOLETE, + 0, NULL, SCMP_ACT_TRAP }, + { SCMP_SYS(query_module), QEMU_SECCOMP_SET_OBSOLETE, + 0, NULL, SCMP_ACT_TRAP }, + { SCMP_SYS(sgetmask), QEMU_SECCOMP_SET_OBSOLETE, + 0, NULL, SCMP_ACT_TRAP }, + { SCMP_SYS(ssetmask), QEMU_SECCOMP_SET_OBSOLETE, + 0, NULL, SCMP_ACT_TRAP }, + { SCMP_SYS(sysfs), QEMU_SECCOMP_SET_OBSOLETE, + 0, NULL, SCMP_ACT_TRAP }, + { SCMP_SYS(uselib), QEMU_SECCOMP_SET_OBSOLETE, + 0, NULL, SCMP_ACT_TRAP }, + { SCMP_SYS(ustat), QEMU_SECCOMP_SET_OBSOLETE, + 0, NULL, SCMP_ACT_TRAP }, /* privileged */ - { SCMP_SYS(setuid), QEMU_SECCOMP_SET_PRIVILEGED }, - { SCMP_SYS(setgid), QEMU_SECCOMP_SET_PRIVILEGED }, - { SCMP_SYS(setpgid), QEMU_SECCOMP_SET_PRIVILEGED }, - { SCMP_SYS(setsid), QEMU_SECCOMP_SET_PRIVILEGED }, - { SCMP_SYS(setreuid), QEMU_SECCOMP_SET_PRIVILEGED }, - { SCMP_SYS(setregid), QEMU_SECCOMP_SET_PRIVILEGED }, - { SCMP_SYS(setresuid), QEMU_SECCOMP_SET_PRIVILEGED }, - { SCMP_SYS(setresgid), QEMU_SECCOMP_SET_PRIVILEGED }, - { SCMP_SYS(setfsuid), QEMU_SECCOMP_SET_PRIVILEGED }, - { SCMP_SYS(setfsgid), QEMU_SECCOMP_SET_PRIVILEGED }, + { SCMP_SYS(setuid), QEMU_SECCOMP_SET_PRIVILEGED, + 0, NULL, SCMP_ACT_TRAP }, + { SCMP_SYS(setgid), QEMU_SECCOMP_SET_PRIVILEGED, + 0, NULL, SCMP_ACT_TRAP }, + { SCMP_SYS(setpgid), QEMU_SECCOMP_SET_PRIVILEGED, + 0, NULL, SCMP_ACT_TRAP }, + { SCMP_SYS(setsid), QEMU_SECCOMP_SET_PRIVILEGED, + 0, NULL, SCMP_ACT_TRAP }, + { SCMP_SYS(setreuid), QEMU_SECCOMP_SET_PRIVILEGED, + 0, NULL, SCMP_ACT_TRAP }, + { SCMP_SYS(setregid), QEMU_SECCOMP_SET_PRIVILEGED, + 0, NULL, SCMP_ACT_TRAP }, + { SCMP_SYS(setresuid), QEMU_SECCOMP_SET_PRIVILEGED, + 0, NULL, SCMP_ACT_TRAP }, + { SCMP_SYS(setresgid), QEMU_SECCOMP_SET_PRIVILEGED, + 0, NULL, SCMP_ACT_TRAP }, + { SCMP_SYS(setfsuid), QEMU_SECCOMP_SET_PRIVILEGED, + 0, NULL, SCMP_ACT_TRAP }, + { SCMP_SYS(setfsgid), QEMU_SECCOMP_SET_PRIVILEGED, + 0, NULL, SCMP_ACT_TRAP }, /* spawn */ - { SCMP_SYS(fork), QEMU_SECCOMP_SET_SPAWN }, - { SCMP_SYS(vfork), QEMU_SECCOMP_SET_SPAWN }, - { SCMP_SYS(execve), QEMU_SECCOMP_SET_SPAWN }, + { SCMP_SYS(fork), QEMU_SECCOMP_SET_SPAWN, + 0, NULL, SCMP_ACT_TRAP }, + { SCMP_SYS(vfork), QEMU_SECCOMP_SET_SPAWN, + 0, NULL, SCMP_ACT_TRAP }, + { SCMP_SYS(execve), QEMU_SECCOMP_SET_SPAWN, + 0, NULL, SCMP_ACT_TRAP }, /* resource control */ - { SCMP_SYS(setpriority), QEMU_SECCOMP_SET_RESOURCECTL }, - { SCMP_SYS(sched_setparam), QEMU_SECCOMP_SET_RESOURCECTL }, + { SCMP_SYS(setpriority), QEMU_SECCOMP_SET_RESOURCECTL, + 0, NULL, SCMP_ACT_ERRNO(EPERM) }, + { SCMP_SYS(sched_setparam), QEMU_SECCOMP_SET_RESOURCECTL, + 0, NULL, SCMP_ACT_ERRNO(EPERM) }, { SCMP_SYS(sched_setscheduler), QEMU_SECCOMP_SET_RESOURCECTL, - ARRAY_SIZE(sched_setscheduler_arg), sched_setscheduler_arg }, - { SCMP_SYS(sched_setaffinity), QEMU_SECCOMP_SET_RESOURCECTL }, + ARRAY_SIZE(sched_setscheduler_arg), sched_setscheduler_arg, + SCMP_ACT_ERRNO(EPERM) }, + { SCMP_SYS(sched_setaffinity), QEMU_SECCOMP_SET_RESOURCECTL, + 0, NULL, SCMP_ACT_ERRNO(EPERM) }, }; =20 static inline __attribute__((unused)) int @@ -115,15 +166,11 @@ qemu_seccomp(unsigned int operation, unsigned int fla= gs, void *args) #endif } =20 -static uint32_t qemu_seccomp_get_action(int set) +static uint32_t qemu_seccomp_update_action(uint32_t action) { - switch (set) { - case QEMU_SECCOMP_SET_DEFAULT: - case QEMU_SECCOMP_SET_OBSOLETE: - case QEMU_SECCOMP_SET_PRIVILEGED: - case QEMU_SECCOMP_SET_SPAWN: { #if defined(SECCOMP_GET_ACTION_AVAIL) && defined(SCMP_ACT_KILL_PROCESS) &&= \ defined(SECCOMP_RET_KILL_PROCESS) + if (action =3D=3D SCMP_ACT_TRAP) { static int kill_process =3D -1; if (kill_process =3D=3D -1) { uint32_t action =3D SECCOMP_RET_KILL_PROCESS; @@ -137,16 +184,9 @@ static uint32_t qemu_seccomp_get_action(int set) if (kill_process =3D=3D 1) { return SCMP_ACT_KILL_PROCESS; } -#endif - return SCMP_ACT_TRAP; - } - - case QEMU_SECCOMP_SET_RESOURCECTL: - return SCMP_ACT_ERRNO(EPERM); - - default: - g_assert_not_reached(); } +#endif + return action; } =20 =20 @@ -175,7 +215,7 @@ static int seccomp_start(uint32_t seccomp_opts, Error *= *errp) continue; } =20 - action =3D qemu_seccomp_get_action(denylist[i].set); + action =3D qemu_seccomp_update_action(denylist[i].action); rc =3D seccomp_rule_add_array(ctx, action, denylist[i].num, denylist[i].narg, denylist[i].arg_cmp); if (rc < 0) { --=20 2.31.1 From nobody Fri May 17 09:01:28 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1627909495; cv=none; d=zohomail.com; s=zohoarc; b=eHSUgSGaY3J2QS54V4oncEKGY6DBHMPRBx6JVe7dPFgZ2quBRm0CfVygRuvdRWUOrP3NYt2XGWJoLN+zhyGirkAVzYdhYftxSi7eAmSxMAfiajM3xBQlFztmaRGyNLgJr8bqOKQ7S1L0vBRYZnOTi+Kc2Teff4Qh3fHbpLOT05Y= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1627909495; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=OHyhNBQIg1R4Z76B6tBmY7CbKCz0YbJECE4RYVoM8O4=; b=KmahcTOYdRMB0W5kUBZhlPVCzeW6BRyz3mjOX5aJ7/MpaQITBxlF/2sDEA4XqCveahdL0rRTgZhroSwxLZDAOhUCvsUtMUffPxfWoUAnKi+Fc6BL2rcLjnQbbsqpAICxZ3eVmDqU9MNRBecbEw6ItQwtg5rTjx8hlzi3tmv2NPo= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1627909495603553.5919445375918; Mon, 2 Aug 2021 06:04:55 -0700 (PDT) Received: from localhost ([::1]:51812 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1mAXck-0002yH-Bz for importer@patchew.org; Mon, 02 Aug 2021 09:04:54 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:33004) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1mAXbB-0000g6-L7 for qemu-devel@nongnu.org; Mon, 02 Aug 2021 09:03:18 -0400 Received: from us-smtp-delivery-124.mimecast.com ([216.205.24.124]:51552) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1mAXb9-0000PV-8O for qemu-devel@nongnu.org; Mon, 02 Aug 2021 09:03:17 -0400 Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-51-Soj_x4ClOvSd5lLW-9-7cg-1; Mon, 02 Aug 2021 09:03:13 -0400 Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 21DCE1084F61 for ; Mon, 2 Aug 2021 13:03:12 +0000 (UTC) Received: from localhost.localdomain.com (unknown [10.39.194.210]) by smtp.corp.redhat.com (Postfix) with ESMTP id 2F2CA69280; Mon, 2 Aug 2021 13:03:10 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1627909394; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=OHyhNBQIg1R4Z76B6tBmY7CbKCz0YbJECE4RYVoM8O4=; b=RuGx7Qo1ZNZqwps+GM6gIztr05ClVBzjrdQInJFrcO4ERVHU0dKEY+ajeDAye689IQuD2c yvTaboMVC/wpctDj5rBwT7lh6SzIgM1AX2n9a48NaL4Il5Cp6GUuYm0oqqMDJPrqek3tor 84wqUGrC4sH2ZVZZWJc0cXp7skqjRqo= X-MC-Unique: Soj_x4ClOvSd5lLW-9-7cg-1 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= To: qemu-devel@nongnu.org Subject: [PATCH 2/5] seccomp: add unit test for seccomp filtering Date: Mon, 2 Aug 2021 14:03:00 +0100 Message-Id: <20210802130303.3300108-3-berrange@redhat.com> In-Reply-To: <20210802130303.3300108-1-berrange@redhat.com> References: <20210802130303.3300108-1-berrange@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=berrange@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=216.205.24.124; envelope-from=berrange@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -34 X-Spam_score: -3.5 X-Spam_bar: --- X-Spam_report: (-3.5 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.701, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Eduardo Otubo , =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail-DKIM: pass (identity @redhat.com) X-ZM-MESSAGEID: 1627909496501100001 The handling of some syscalls / libc function is quite subtle. For example, 'fork' at a libc level doesn't always correspond to 'fork' at a syscall level, since the 'clone' syscall is preferred usually. The unit test will help to detect these kind of problems. A point of difficulty in writing a test though is that the QEMU build process may already be confined by seccomp. For example, if running inside a container. Since we can't predict what filtering might have been applied already, we are quite conservative and skip all tests if we see any kind of seccomp filter active. Signed-off-by: Daniel P. Berrang=C3=A9 Acked-by: Eduardo Otubo --- MAINTAINERS | 1 + tests/unit/meson.build | 4 + tests/unit/test-seccomp.c | 270 ++++++++++++++++++++++++++++++++++++++ 3 files changed, 275 insertions(+) create mode 100644 tests/unit/test-seccomp.c diff --git a/MAINTAINERS b/MAINTAINERS index 6831978d2c..de98e4933f 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -2799,6 +2799,7 @@ M: Eduardo Otubo S: Supported F: softmmu/qemu-seccomp.c F: include/sysemu/seccomp.h +F: tests/unit/test-seccomp.c =20 Cryptography M: Daniel P. Berrange diff --git a/tests/unit/meson.build b/tests/unit/meson.build index 5736d285b2..64bce201d7 100644 --- a/tests/unit/meson.build +++ b/tests/unit/meson.build @@ -51,6 +51,10 @@ if have_system or have_tools tests +=3D { 'test-qmp-event': [testqapi], } + + if seccomp.found() + tests +=3D {'test-seccomp': ['../../softmmu/qemu-seccomp.c', seccomp]} + endif endif =20 if have_block diff --git a/tests/unit/test-seccomp.c b/tests/unit/test-seccomp.c new file mode 100644 index 0000000000..10ab3e8fe5 --- /dev/null +++ b/tests/unit/test-seccomp.c @@ -0,0 +1,270 @@ +/* + * QEMU seccomp test suite + * + * Copyright (c) 2021 Red Hat, Inc. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, see . + * + */ + +#include "qemu/osdep.h" +#include "qemu/config-file.h" +#include "qemu/option.h" +#include "sysemu/seccomp.h" +#include "qapi/error.h" +#include "qemu/module.h" + +#include +#include + +static void test_seccomp_helper(const char *args, bool killed, + int errnum, int (*doit)(void)) +{ + if (g_test_subprocess()) { + QemuOptsList *olist; + QemuOpts *opts; + int ret; + + module_call_init(MODULE_INIT_OPTS); + olist =3D qemu_find_opts("sandbox"); + g_assert(olist !=3D NULL); + + opts =3D qemu_opts_parse_noisily(olist, args, true); + g_assert(opts !=3D NULL); + + parse_sandbox(NULL, opts, &error_abort); + + /* Running in a child process */ + ret =3D doit(); + + if (errnum !=3D 0) { + g_assert(ret !=3D 0); + g_assert(errno =3D=3D errnum); + } else { + g_assert(ret =3D=3D 0); + } + + _exit(0); + } else { + /* Running in main test process, spawning the child */ + g_test_trap_subprocess(NULL, 0, 0); + if (killed) { + g_test_trap_assert_failed(); + } else { + g_test_trap_assert_passed(); + } + } +} + + +static void test_seccomp_killed(const char *args, int (*doit)(void)) +{ + test_seccomp_helper(args, true, 0, doit); +} + +static void test_seccomp_errno(const char *args, int errnum, int (*doit)(v= oid)) +{ + test_seccomp_helper(args, false, errnum, doit); +} + +static void test_seccomp_passed(const char *args, int (*doit)(void)) +{ + test_seccomp_helper(args, false, 0, doit); +} + +#ifdef SYS_fork +static int doit_sys_fork(void) +{ + int ret =3D syscall(SYS_fork); + if (ret < 0) { + return ret; + } + if (ret =3D=3D 0) { + _exit(0); + } + return 0; +} + +static void test_seccomp_sys_fork_on_nospawn(void) +{ + test_seccomp_killed("on,spawn=3Ddeny", doit_sys_fork); +} + +static void test_seccomp_sys_fork_on(void) +{ + test_seccomp_passed("on", doit_sys_fork); +} + +static void test_seccomp_sys_fork_off(void) +{ + test_seccomp_passed("off", doit_sys_fork); +} +#endif + +static int doit_fork(void) +{ + int ret =3D fork(); + if (ret < 0) { + return ret; + } + if (ret =3D=3D 0) { + _exit(0); + } + return 0; +} + +static void test_seccomp_fork_on_nospawn(void) +{ + /* XXX fixme - should be killed */ + test_seccomp_passed("on,spawn=3Ddeny", doit_fork); +} + +static void test_seccomp_fork_on(void) +{ + test_seccomp_passed("on", doit_fork); +} + +static void test_seccomp_fork_off(void) +{ + test_seccomp_passed("off", doit_fork); +} + +static void *noop(void *arg) +{ + return arg; +} + +static int doit_thread(void) +{ + pthread_t th; + int ret =3D pthread_create(&th, NULL, noop, NULL); + if (ret !=3D 0) { + errno =3D ret; + return -1; + } else { + pthread_join(th, NULL); + return 0; + } +} + +static void test_seccomp_thread_on(void) +{ + test_seccomp_passed("on", doit_thread); +} + +static void test_seccomp_thread_on_nospawn(void) +{ + test_seccomp_passed("on,spawn=3Ddeny", doit_thread); +} + +static void test_seccomp_thread_off(void) +{ + test_seccomp_passed("off", doit_thread); +} + +static int doit_sched(void) +{ + struct sched_param param =3D { .sched_priority =3D 0 }; + return sched_setscheduler(getpid(), SCHED_OTHER, ¶m); +} + +static void test_seccomp_sched_on_nores(void) +{ + test_seccomp_errno("on,resourcecontrol=3Ddeny", EPERM, doit_sched); +} + +static void test_seccomp_sched_on(void) +{ + test_seccomp_passed("on", doit_sched); +} + +static void test_seccomp_sched_off(void) +{ + test_seccomp_passed("off", doit_sched); +} + +static bool can_play_with_seccomp(void) +{ + g_autofree char *status =3D NULL; + g_auto(GStrv) lines =3D NULL; + size_t i; + + if (!g_file_get_contents("/proc/self/status", &status, NULL, NULL)) { + return false; + } + + lines =3D g_strsplit(status, "\n", 0); + + for (i =3D 0; lines[i] !=3D NULL; i++) { + if (g_str_has_prefix(lines[i], "Seccomp:")) { + /* + * "Seccomp: 1" or "Seccomp: 2" indicate we're already + * confined, probably as we're inside a container. In + * this case our tests might get unexpected results, + * so we can't run reliably + */ + if (!strchr(lines[i], '0')) { + return false; + } + + return true; + } + } + + /* Doesn't look like seccomp is enabled in the kernel */ + return false; +} + +int main(int argc, char **argv) +{ + g_test_init(&argc, &argv, NULL); + if (can_play_with_seccomp()) { +#ifdef SYS_fork + g_test_add_func("/softmmu/seccomp/sys-fork/on", + test_seccomp_sys_fork_on); + g_test_add_func("/softmmu/seccomp/sys-fork/on-nospawn", + test_seccomp_sys_fork_on_nospawn); + g_test_add_func("/softmmu/seccomp/sys-fork/off", + test_seccomp_sys_fork_off); +#endif + + g_test_add_func("/softmmu/seccomp/fork/on", + test_seccomp_fork_on); + g_test_add_func("/softmmu/seccomp/fork/on-nospawn", + test_seccomp_fork_on_nospawn); + g_test_add_func("/softmmu/seccomp/fork/off", + test_seccomp_fork_off); + + g_test_add_func("/softmmu/seccomp/thread/on", + test_seccomp_thread_on); + g_test_add_func("/softmmu/seccomp/thread/on-nospawn", + test_seccomp_thread_on_nospawn); + g_test_add_func("/softmmu/seccomp/thread/off", + test_seccomp_thread_off); + + if (doit_sched() =3D=3D 0) { + /* + * musl doesn't impl sched_setscheduler, hence + * we check above if it works first + */ + g_test_add_func("/softmmu/seccomp/sched/on", + test_seccomp_sched_on); + g_test_add_func("/softmmu/seccomp/sched/on-nores", + test_seccomp_sched_on_nores); + g_test_add_func("/softmmu/seccomp/sched/off", + test_seccomp_sched_off); + } + } + return g_test_run(); +} --=20 2.31.1 From nobody Fri May 17 09:01:28 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1627909644; cv=none; d=zohomail.com; s=zohoarc; b=MYqmcWDlzbgWtZBDvVk1Bmgnogzn3E6UaCqd2KChVxoi/1JIm/xLzbE45inKlUpKbHpIhDaoGnwjJ2fBq2Vx2jtGC+u3Ypl9VSRvfAsXuNGn7PPWfiWzJ+gDKBybPSOFKAbfaccz/MtyyjezU0jLGzrGqTpXkPvHf8Q3YBABTKs= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1627909644; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=9d2/3bpDY1t4XsQxslnkCPrFxqCF7gn1s6shhmcNxcU=; b=UdytBV3AInyyOti4B6HFIgHLh0CGNHYvqgSa5xNqdnkDAPuzWOvNPKliC1/Z2Mj7ZOsOOy/HLaJFw9881XbylNKqNKwHwzuSTla0g5knk/SAlvRrFAtGaji3Gu3cmfXZ6/9/1NBQP8OhDAaCLjqXZqkzMi0490kocTdp7N9C/g8= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1627909644318271.5664920766185; Mon, 2 Aug 2021 06:07:24 -0700 (PDT) Received: from localhost ([::1]:58292 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1mAXf9-0007UI-8m for importer@patchew.org; Mon, 02 Aug 2021 09:07:23 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:33012) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1mAXbC-0000g8-22 for qemu-devel@nongnu.org; Mon, 02 Aug 2021 09:03:20 -0400 Received: from us-smtp-delivery-124.mimecast.com ([216.205.24.124]:48446) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1mAXbA-0000Ph-Au for qemu-devel@nongnu.org; Mon, 02 Aug 2021 09:03:17 -0400 Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-261-KybLuOVsMuay0RWlKOe9EQ-1; Mon, 02 Aug 2021 09:03:14 -0400 Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 8AEF81F6B2 for ; Mon, 2 Aug 2021 13:03:13 +0000 (UTC) Received: from localhost.localdomain.com (unknown [10.39.194.210]) by smtp.corp.redhat.com (Postfix) with ESMTP id 7F67317567; Mon, 2 Aug 2021 13:03:12 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1627909395; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=9d2/3bpDY1t4XsQxslnkCPrFxqCF7gn1s6shhmcNxcU=; b=hY66oLkxSnMrFJplxIRitJNv0TL3xs7CvwxKsJx8YJAHKnkGdMwjpOS8ksjpLmPcVnxFQ8 uipAOs5w1VuPzq6tifNcw08uv27XcxT3BV358bb3yCQbO2tIODptSxzjBs4e2P+HyHn91S DxusfhNVDJBFQ0lIaFjE4UzB5fImlGI= X-MC-Unique: KybLuOVsMuay0RWlKOe9EQ-1 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= To: qemu-devel@nongnu.org Subject: [PATCH 3/5] seccomp: fix blocking of process spawning Date: Mon, 2 Aug 2021 14:03:01 +0100 Message-Id: <20210802130303.3300108-4-berrange@redhat.com> In-Reply-To: <20210802130303.3300108-1-berrange@redhat.com> References: <20210802130303.3300108-1-berrange@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=berrange@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=216.205.24.124; envelope-from=berrange@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -34 X-Spam_score: -3.5 X-Spam_bar: --- X-Spam_report: (-3.5 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.701, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Eduardo Otubo , =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail-DKIM: pass (identity @redhat.com) X-ZM-MESSAGEID: 1627909646163100005 When '-sandbox on,spawn=3Ddeny' is given, we are supposed to block the ability to spawn processes. We naively blocked the 'fork' syscall, forgetting that any modern libc will use the 'clone' syscall instead. We can't simply block the 'clone' syscall though, as that will break thread creation. We thus list the set of flags used to create threads and block anything that doesn't match this exactly. Signed-off-by: Daniel P. Berrang=C3=A9 Acked-by: Eduardo Otubo --- softmmu/qemu-seccomp.c | 101 ++++++++++++++++++++++++++++++++++++++ tests/unit/test-seccomp.c | 3 +- 2 files changed, 102 insertions(+), 2 deletions(-) diff --git a/softmmu/qemu-seccomp.c b/softmmu/qemu-seccomp.c index 9f6df8d033..57139cc9ce 100644 --- a/softmmu/qemu-seccomp.c +++ b/softmmu/qemu-seccomp.c @@ -46,6 +46,82 @@ const struct scmp_arg_cmp sched_setscheduler_arg[] =3D { { .arg =3D 1, .op =3D SCMP_CMP_NE, .datum_a =3D SCHED_IDLE } }; =20 +/* + * See 'NOTES' in 'man 2 clone' - s390 & cross have 'flags' in + * different position to other architectures + */ +#if defined(HOST_S390X) || defined(HOST_S390) || defined(HOST_CRIS) +#define CLONE_FLAGS_ARG 1 +#else +#define CLONE_FLAGS_ARG 0 +#endif + +#ifndef CLONE_PIDFD +# define CLONE_PIDFD 0x00001000 +#endif + +#define REQUIRE_CLONE_FLAG(flag) \ + const struct scmp_arg_cmp clone_arg ## flag[] =3D { \ + { .arg =3D CLONE_FLAGS_ARG, \ + .op =3D SCMP_CMP_MASKED_EQ, \ + .datum_a =3D flag, .datum_b =3D 0 } } + +#define FORBID_CLONE_FLAG(flag) \ + const struct scmp_arg_cmp clone_arg ## flag[] =3D { \ + { .arg =3D CLONE_FLAGS_ARG, \ + .op =3D SCMP_CMP_MASKED_EQ, \ + .datum_a =3D flag, .datum_b =3D flag } } + +#define RULE_CLONE_FLAG(flag) \ + { SCMP_SYS(clone), QEMU_SECCOMP_SET_SPAWN, \ + ARRAY_SIZE(clone_arg ## flag), clone_arg ## flag, SCMP_ACT_TRAP } + +/* If no CLONE_* flags are set, except CSIGNAL, deny */ +const struct scmp_arg_cmp clone_arg_none[] =3D { + { .arg =3D CLONE_FLAGS_ARG, + .op =3D SCMP_CMP_MASKED_EQ, + .datum_a =3D ~(CSIGNAL), .datum_b =3D 0 } +}; + +/* + * pthread_create should always set all of these. + */ +REQUIRE_CLONE_FLAG(CLONE_VM); +REQUIRE_CLONE_FLAG(CLONE_FS); +REQUIRE_CLONE_FLAG(CLONE_FILES); +REQUIRE_CLONE_FLAG(CLONE_SIGHAND); +REQUIRE_CLONE_FLAG(CLONE_THREAD); +REQUIRE_CLONE_FLAG(CLONE_SYSVSEM); +REQUIRE_CLONE_FLAG(CLONE_SETTLS); +REQUIRE_CLONE_FLAG(CLONE_PARENT_SETTID); +REQUIRE_CLONE_FLAG(CLONE_CHILD_CLEARTID); +/* + * Musl sets this in pthread_create too, but it is + * obsolete and harmless since its behaviour is + * subsumed under CLONE_THREAD + */ +/*REQUIRE_CLONE_FLAG(CLONE_DETACHED);*/ + + +/* + * These all indicate an attempt to spawn a process + * instead of a thread, or other undesirable scenarios + */ +FORBID_CLONE_FLAG(CLONE_PIDFD); +FORBID_CLONE_FLAG(CLONE_PTRACE); +FORBID_CLONE_FLAG(CLONE_VFORK); +FORBID_CLONE_FLAG(CLONE_PARENT); +FORBID_CLONE_FLAG(CLONE_NEWNS); +FORBID_CLONE_FLAG(CLONE_UNTRACED); +FORBID_CLONE_FLAG(CLONE_NEWCGROUP); +FORBID_CLONE_FLAG(CLONE_NEWUTS); +FORBID_CLONE_FLAG(CLONE_NEWIPC); +FORBID_CLONE_FLAG(CLONE_NEWUSER); +FORBID_CLONE_FLAG(CLONE_NEWPID); +FORBID_CLONE_FLAG(CLONE_NEWNET); +FORBID_CLONE_FLAG(CLONE_IO); + + static const struct QemuSeccompSyscall denylist[] =3D { /* default set of syscalls that should get blocked */ { SCMP_SYS(reboot), QEMU_SECCOMP_SET_DEFAULT, @@ -143,6 +219,31 @@ static const struct QemuSeccompSyscall denylist[] =3D { 0, NULL, SCMP_ACT_TRAP }, { SCMP_SYS(execve), QEMU_SECCOMP_SET_SPAWN, 0, NULL, SCMP_ACT_TRAP }, + { SCMP_SYS(clone), QEMU_SECCOMP_SET_SPAWN, + ARRAY_SIZE(clone_arg_none), clone_arg_none, SCMP_ACT_TRAP }, + RULE_CLONE_FLAG(CLONE_VM), + RULE_CLONE_FLAG(CLONE_FS), + RULE_CLONE_FLAG(CLONE_FILES), + RULE_CLONE_FLAG(CLONE_SIGHAND), + RULE_CLONE_FLAG(CLONE_THREAD), + RULE_CLONE_FLAG(CLONE_SYSVSEM), + RULE_CLONE_FLAG(CLONE_SETTLS), + RULE_CLONE_FLAG(CLONE_PARENT_SETTID), + RULE_CLONE_FLAG(CLONE_CHILD_CLEARTID), + /*RULE_CLONE_FLAG(CLONE_DETACHED),*/ + RULE_CLONE_FLAG(CLONE_PIDFD), + RULE_CLONE_FLAG(CLONE_PTRACE), + RULE_CLONE_FLAG(CLONE_VFORK), + RULE_CLONE_FLAG(CLONE_PARENT), + RULE_CLONE_FLAG(CLONE_NEWNS), + RULE_CLONE_FLAG(CLONE_UNTRACED), + RULE_CLONE_FLAG(CLONE_NEWCGROUP), + RULE_CLONE_FLAG(CLONE_NEWUTS), + RULE_CLONE_FLAG(CLONE_NEWIPC), + RULE_CLONE_FLAG(CLONE_NEWUSER), + RULE_CLONE_FLAG(CLONE_NEWPID), + RULE_CLONE_FLAG(CLONE_NEWNET), + RULE_CLONE_FLAG(CLONE_IO), /* resource control */ { SCMP_SYS(setpriority), QEMU_SECCOMP_SET_RESOURCECTL, 0, NULL, SCMP_ACT_ERRNO(EPERM) }, diff --git a/tests/unit/test-seccomp.c b/tests/unit/test-seccomp.c index 10ab3e8fe5..3d7771e46c 100644 --- a/tests/unit/test-seccomp.c +++ b/tests/unit/test-seccomp.c @@ -126,8 +126,7 @@ static int doit_fork(void) =20 static void test_seccomp_fork_on_nospawn(void) { - /* XXX fixme - should be killed */ - test_seccomp_passed("on,spawn=3Ddeny", doit_fork); + test_seccomp_killed("on,spawn=3Ddeny", doit_fork); } =20 static void test_seccomp_fork_on(void) --=20 2.31.1 From nobody Fri May 17 09:01:28 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1627909710; cv=none; d=zohomail.com; s=zohoarc; b=GvjKp/H4wWBpk7qjATWdLOJUU1ATA0HrHxs+ND2RdgtR1I1YAUFKNSV6qbdOS3jU0MdemHHK0Elz9eEmLDwBNtoQXOmW2Fq20wiRMYQAFQkARyL5cExbrU8qNxN/9xOZ68r1JG53J8zbsbBJnUtLXSlaIdWGh4l7Ewn+sROtWaY= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1627909710; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=qeAdYFwNG30K4OKc/m+Hcsdbxk+vvHMjFuRTy2s7Njc=; b=SZU1irGRXG9gTaKeIe1IGiXdM+PB8nJ25tiO+ZJbO3laXjsKH7W2c3mYLyXwSft1913FlXrVh4ZzaU2ugKKPOrVOykwDYduFX5ZhEOXBjA4iszFNZwoDZsnJDXwAeVmA2lpbxF7bkC/oL9X6a29gYRnOuq/V3cdZfkqcuxIxd8I= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1627909710507643.2049169065095; Mon, 2 Aug 2021 06:08:30 -0700 (PDT) Received: from localhost ([::1]:34716 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1mAXgC-0002Bz-Da for importer@patchew.org; Mon, 02 Aug 2021 09:08:28 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:33036) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1mAXbE-0000j4-Uf for qemu-devel@nongnu.org; Mon, 02 Aug 2021 09:03:20 -0400 Received: from us-smtp-delivery-124.mimecast.com ([170.10.133.124]:28184) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1mAXbD-0000Ry-Gw for qemu-devel@nongnu.org; Mon, 02 Aug 2021 09:03:20 -0400 Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-540-kQ1j2c60Mz-yeGBchsmAzQ-1; Mon, 02 Aug 2021 09:03:15 -0400 Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 00544190B2A3 for ; Mon, 2 Aug 2021 13:03:15 +0000 (UTC) Received: from localhost.localdomain.com (unknown [10.39.194.210]) by smtp.corp.redhat.com (Postfix) with ESMTP id E97915FC23; Mon, 2 Aug 2021 13:03:13 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1627909398; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=qeAdYFwNG30K4OKc/m+Hcsdbxk+vvHMjFuRTy2s7Njc=; b=axXc6Vw3yC+zSrtyteZGSCHA2/VMK7rKZoLlg5RjC7yaq1j1uUShKGlyxtMLxXhZ5Y/O+Y qEKVAdbDmH8BwSkqUXRLlC6d3SgrytYBiu+pzqMv8E4BFLz9yf7c7ASLhhqNInyiPc6i1w ULp9b0UEfSComEDToHUhif/OUG4WeUc= X-MC-Unique: kQ1j2c60Mz-yeGBchsmAzQ-1 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= To: qemu-devel@nongnu.org Subject: [PATCH 4/5] seccomp: block use of clone3 syscall Date: Mon, 2 Aug 2021 14:03:02 +0100 Message-Id: <20210802130303.3300108-5-berrange@redhat.com> In-Reply-To: <20210802130303.3300108-1-berrange@redhat.com> References: <20210802130303.3300108-1-berrange@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=berrange@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=170.10.133.124; envelope-from=berrange@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -34 X-Spam_score: -3.5 X-Spam_bar: --- X-Spam_report: (-3.5 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.701, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Eduardo Otubo , =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail-DKIM: pass (identity @redhat.com) X-ZM-MESSAGEID: 1627909711789100001 Modern glibc will use clone3 instead of clone, when it detects that it is available. We need to compare flags in order to decide whether to allow clone (thread create vs process fork), but in clone3 the flags are hidden inside a struct. Seccomp can't currently match on data inside a struct, so our only option is to block clone3 entirely. If we use ENOSYS to block it, then glibc transparently falls back to clone. This may need to be revisited if Linux adds a new architecture in future and only provides clone3, without clone. Signed-off-by: Daniel P. Berrang=C3=A9 Acked-by: Eduardo Otubo --- softmmu/qemu-seccomp.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/softmmu/qemu-seccomp.c b/softmmu/qemu-seccomp.c index 57139cc9ce..a7bb5c350f 100644 --- a/softmmu/qemu-seccomp.c +++ b/softmmu/qemu-seccomp.c @@ -244,6 +244,10 @@ static const struct QemuSeccompSyscall denylist[] =3D { RULE_CLONE_FLAG(CLONE_NEWPID), RULE_CLONE_FLAG(CLONE_NEWNET), RULE_CLONE_FLAG(CLONE_IO), +#ifdef __SNR_clone3 + { SCMP_SYS(clone3), QEMU_SECCOMP_SET_SPAWN, + 0, NULL, SCMP_ACT_ERRNO(ENOSYS) }, +#endif /* resource control */ { SCMP_SYS(setpriority), QEMU_SECCOMP_SET_RESOURCECTL, 0, NULL, SCMP_ACT_ERRNO(EPERM) }, --=20 2.31.1 From nobody Fri May 17 09:01:28 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1627909732; cv=none; d=zohomail.com; s=zohoarc; b=JLncEL1fXKKwCSHq0D2dpz6SbUjINO//I3rjcmK937CaE6qfpW6VlB4JeHSrVekIaf3q/0LUQcBi2WS9L3lEhLCZeovaZYgwe6kdGmU8z5UWPRXSVSSBgPvX12RtHsiz3+fOYd+cnQc5J4+ENVjiVyZ3azCRC2zSRkM6smk56II= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1627909732; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=d0gCLMAdEl7pQfQ6TSrm/lELvECOWIakWq73URsq4yQ=; b=lGEcUlzCI/LDb0hoqcP4jTLFNh09F/9u0w32JGS72bfb74V22ZZqWnXYBrJHFJcaId71u+ZKg2PrmxVYT0RYDwssN4yVnxfknAf9DBDhWZsvjMR91V92YMd5o569n7Kxs4zirD0+NFNfz51srqh+E+Tbpw4drpb29ti7SXTA2lg= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1627909732320729.0507675495942; Mon, 2 Aug 2021 06:08:52 -0700 (PDT) Received: from localhost ([::1]:35396 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1mAXgZ-0002fV-CT for importer@patchew.org; Mon, 02 Aug 2021 09:08:51 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:33042) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1mAXbF-0000jM-KU for qemu-devel@nongnu.org; Mon, 02 Aug 2021 09:03:22 -0400 Received: from us-smtp-delivery-124.mimecast.com ([170.10.133.124]:44855) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1mAXbE-0000S3-Ae for qemu-devel@nongnu.org; Mon, 02 Aug 2021 09:03:21 -0400 Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-598-LdsMNu_cOKiE885BtM-B_A-1; Mon, 02 Aug 2021 09:03:17 -0400 Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 5407734891 for ; Mon, 2 Aug 2021 13:03:16 +0000 (UTC) Received: from localhost.localdomain.com (unknown [10.39.194.210]) by smtp.corp.redhat.com (Postfix) with ESMTP id 5F8AE5FC23; Mon, 2 Aug 2021 13:03:15 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1627909399; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=d0gCLMAdEl7pQfQ6TSrm/lELvECOWIakWq73URsq4yQ=; b=W2rdo71bRo4UdfuIxIPshCJe+vzGZ7SlvccPZZgStA1zJgth4lBT67cP6bh+7jEWAD0U4o tz0u+ht9Ck4LB+AefkYViPcjp3nRt+o+pUNwNH+RN/A7LWRUXEY0y6O3wq2Hs9qYkgzEDF RUGW3X0F+26KYjWr+o4aMwzHN5JBlas= X-MC-Unique: LdsMNu_cOKiE885BtM-B_A-1 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= To: qemu-devel@nongnu.org Subject: [PATCH 5/5] seccomp: block setns, unshare and execveat syscalls Date: Mon, 2 Aug 2021 14:03:03 +0100 Message-Id: <20210802130303.3300108-6-berrange@redhat.com> In-Reply-To: <20210802130303.3300108-1-berrange@redhat.com> References: <20210802130303.3300108-1-berrange@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=berrange@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=170.10.133.124; envelope-from=berrange@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -34 X-Spam_score: -3.5 X-Spam_bar: --- X-Spam_report: (-3.5 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.701, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Eduardo Otubo , =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail-DKIM: pass (identity @redhat.com) X-ZM-MESSAGEID: 1627909733366100001 setns/unshare are used to change namespaces which is not something QEMU needs to be able todo. execveat is a new variant of execve so should be blocked just like execve already is. Signed-off-by: Daniel P. Berrang=C3=A9 Acked-by: Eduardo Otubo --- softmmu/qemu-seccomp.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/softmmu/qemu-seccomp.c b/softmmu/qemu-seccomp.c index a7bb5c350f..deaf8a4ef5 100644 --- a/softmmu/qemu-seccomp.c +++ b/softmmu/qemu-seccomp.c @@ -248,6 +248,11 @@ static const struct QemuSeccompSyscall denylist[] =3D { { SCMP_SYS(clone3), QEMU_SECCOMP_SET_SPAWN, 0, NULL, SCMP_ACT_ERRNO(ENOSYS) }, #endif +#ifdef __SNR_execveat + { SCMP_SYS(execveat), QEMU_SECCOMP_SET_SPAWN }, +#endif + { SCMP_SYS(setns), QEMU_SECCOMP_SET_SPAWN }, + { SCMP_SYS(unshare), QEMU_SECCOMP_SET_SPAWN }, /* resource control */ { SCMP_SYS(setpriority), QEMU_SECCOMP_SET_RESOURCECTL, 0, NULL, SCMP_ACT_ERRNO(EPERM) }, --=20 2.31.1