[050/104] virtiofsd: add seccomp whitelist

Message ID	20191212163904.159893-51-dgilbert@redhat.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <SRS0=PTTO=2C=nongnu.org=qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@kernel.org> DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org E737521655 From: "Dr. David Alan Gilbert (git)" <dgilbert@redhat.com> To: qemu-devel@nongnu.org, stefanha@redhat.com, vgoyal@redhat.com Subject: [PATCH 050/104] virtiofsd: add seccomp whitelist Date: Thu, 12 Dec 2019 16:38:10 +0000 Message-Id: <20191212163904.159893-51-dgilbert@redhat.com> In-Reply-To: <20191212163904.159893-1-dgilbert@redhat.com> References: <20191212163904.159893-1-dgilbert@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: quoted-printable Precedence: list Errors-To: qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@nongnu.org Sender: "Qemu-devel" <qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@nongnu.org>
Series	virtiofs daemon [all] \| expand [000/104] virtiofs daemon [all] [001/104] virtiofsd: Pull in upstream headers [002/104] virtiofsd: Pull in kernel's fuse.h [003/104] virtiofsd: Add auxiliary .c's [004/104] virtiofsd: Add fuse_lowlevel.c [005/104] virtiofsd: Add passthrough_ll [006/104] virtiofsd: Trim down imported files [007/104] virtiofsd: Format imported files to qemu style [008/104] virtiofsd: remove mountpoint dummy argument [009/104] virtiofsd: remove unused notify reply support [010/104] virtiofsd: Fix fuse_daemonize ignored return values [011/104] virtiofsd: Fix common header and define for QEMU builds [012/104] virtiofsd: Trim out compatibility code [013/104] virtiofsd: Make fsync work even if only inode is passed in [014/104] virtiofsd: Add options for virtio [015/104] virtiofsd: add -o source=PATH to help output [016/104] virtiofsd: Open vhost connection instead of mounting [017/104] virtiofsd: Start wiring up vhost-user [018/104] virtiofsd: Add main virtio loop [019/104] virtiofsd: get/set features callbacks [020/104] virtiofsd: Start queue threads [021/104] virtiofsd: Poll kick_fd for queue [022/104] virtiofsd: Start reading commands from queue [023/104] virtiofsd: Send replies to messages [024/104] virtiofsd: Keep track of replies [025/104] virtiofsd: Add Makefile wiring for virtiofsd contrib [026/104] virtiofsd: Fast path for virtio read [027/104] virtiofsd: add --fd=FDNUM fd passing option [028/104] virtiofsd: make -f (foreground) the default [029/104] virtiofsd: add vhost-user.json file [030/104] virtiofsd: add --print-capabilities option [031/104] virtiofs: Add maintainers entry [032/104] virtiofsd: passthrough_ll: create new files in caller's context [033/104] virtiofsd: passthrough_ll: add lo_map for ino/fh indirection [034/104] virtiofsd: passthrough_ll: add ino_map to hide lo_inode pointers [035/104] virtiofsd: passthrough_ll: add dirp_map to hide lo_dirp pointers [036/104] virtiofsd: passthrough_ll: add fd_map to hide file descriptors [037/104] virtiofsd: passthrough_ll: add fallback for racy ops [038/104] virtiofsd: validate path components [039/104] virtiofsd: Plumb fuse_bufvec through to do_write_buf [040/104] virtiofsd: Pass write iov's all the way through [041/104] virtiofsd: add fuse_mbuf_iter API [042/104] virtiofsd: validate input buffer sizes in do_write_buf() [043/104] virtiofsd: check input buffer size in fuse_lowlevel.c ops [044/104] virtiofsd: prevent ".." escape in lo_do_lookup() [045/104] virtiofsd: prevent ".." escape in lo_do_readdir() [046/104] virtiofsd: use /proc/self/fd/ O_PATH file descriptor [047/104] virtiofsd: sandbox mount namespace [048/104] virtiofsd: move to an empty network namespace [049/104] virtiofsd: move to a new pid namespace [050/104] virtiofsd: add seccomp whitelist [051/104] virtiofsd: Parse flag FUSE_WRITE_KILL_PRIV [052/104] virtiofsd: cap-ng helpers [053/104] virtiofsd: Drop CAP_FSETID if client asked for it [054/104] virtiofsd: set maximum RLIMIT_NOFILE limit [055/104] virtiofsd: fix libfuse information leaks [056/104] virtiofsd: add security guide document [057/104] virtiofsd: add --syslog command-line option [058/104] virtiofsd: print log only when priority is high enough [059/104] virtiofsd: Add ID to the log with FUSE_LOG_DEBUG level [060/104] virtiofsd: Add timestamp to the log with FUSE_LOG_DEBUG level [061/104] virtiofsd: Handle reinit [062/104] virtiofsd: Handle hard reboot [063/104] virtiofsd: Kill threads when queues are stopped [064/104] vhost-user: Print unexpected slave message types [065/104] contrib/libvhost-user: Protect slave fd with mutex [066/104] virtiofsd: passthrough_ll: add renameat2 support [067/104] virtiofsd: passthrough_ll: disable readdirplus on cache=never [068/104] virtiofsd: passthrough_ll: control readdirplus [069/104] virtiofsd: rename unref_inode() to unref_inode_lolocked() [070/104] virtiofsd: fail when parent inode isn't known in lo_do_lookup() [071/104] virtiofsd: extract root inode init into setup_root() [072/104] virtiofsd: passthrough_ll: fix refcounting on remove/rename [073/104] virtiofsd: passthrough_ll: clean up cache related options [074/104] virtiofsd: passthrough_ll: use hashtable [075/104] virtiofsd: Clean up inodes on destroy [076/104] virtiofsd: support nanosecond resolution for file timestamp [077/104] virtiofsd: fix error handling in main() [078/104] virtiofsd: cleanup allocated resource in se [079/104] virtiofsd: fix memory leak on lo.source [080/104] virtiofsd: add helper for lo_data cleanup [081/104] virtiofsd: Prevent multiply running with same vhost_user_socket [082/104] virtiofsd: enable PARALLEL_DIROPS during INIT [083/104] virtiofsd: fix incorrect error handling in lo_do_lookup [084/104] Virtiofsd: fix memory leak on fuse queueinfo [085/104] virtiofsd: Support remote posix locks [086/104] virtiofsd: use fuse_lowlevel_is_virtio() in fuse_session_destroy() [087/104] virtiofsd: prevent fv_queue_thread() vs virtio_loop() races [088/104] virtiofsd: make lo_release() atomic [089/104] virtiofsd: prevent races with lo_dirp_put() [090/104] virtiofsd: rename inode->refcount to inode->nlookup [091/104] libvhost-user: Fix some memtable remap cases [092/104] virtiofsd: add man page [093/104] virtiofsd: introduce inode refcount to prevent use-after-free [094/104] virtiofsd: do not always set FUSE_FLOCK_LOCKS [095/104] virtiofsd: convert more fprintf and perror to use fuse log infra [096/104] virtiofsd: Reset O_DIRECT flag during file open [097/104] virtiofsd: Fix data corruption with O_APPEND wirte in writeback mode [098/104] virtiofsd: add definition of fuse_buf_writev() [099/104] virtiofsd: use fuse_buf_writev to replace fuse_buf_write for better performance [100/104] virtiofsd: process requests in a thread pool [101/104] virtiofsd: prevent FUSE_INIT/FUSE_DESTROY races [102/104] virtiofsd: fix lo_destroy() resource leaks [103/104] virtiofsd: add --thread-pool-size=NUM option [104/104] virtiofsd: Convert lo_destroy to take the lo->mutex lock itself [105/104] virtiofsd: Unref old/new inodes with the same mutex lock in lo_rename()

Message ID

20191212163904.159893-51-dgilbert@redhat.com (mailing list archive)

State

New, archived

Headers

DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org E737521655
From: "Dr. David Alan Gilbert (git)" <dgilbert@redhat.com>
To: qemu-devel@nongnu.org,
	stefanha@redhat.com,
	vgoyal@redhat.com
Subject: [PATCH 050/104] virtiofsd: add seccomp whitelist
Date: Thu, 12 Dec 2019 16:38:10 +0000
Message-Id: <20191212163904.159893-51-dgilbert@redhat.com>
In-Reply-To: <20191212163904.159893-1-dgilbert@redhat.com>
References: <20191212163904.159893-1-dgilbert@redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: quoted-printable
Precedence: list
Errors-To: 
 qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@nongnu.org
Sender: "Qemu-devel"
 <qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@nongnu.org>

Series

virtiofs daemon [all] | expand

Commit Message

Dr. David Alan Gilbert Dec. 12, 2019, 4:38 p.m. UTC

From: Stefan Hajnoczi <stefanha@redhat.com>

Only allow system calls that are needed by virtiofsd.  All other system
calls cause SIGSYS to be directed at the thread and the process will
coredump.

Restricting system calls reduces the kernel attack surface and limits
what the process can do when compromised.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
with additional entries by:
Signed-off-by: Ganesh Maharaj Mahalingam <ganesh.mahalingam@intel.com>
Signed-off-by: Masayoshi Mizuma <m.mizuma@jp.fujitsu.com>
Signed-off-by: Misono Tomohiro <misono.tomohiro@jp.fujitsu.com>
Signed-off-by: piaojun <piaojun@huawei.com>
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Signed-off-by: Eric Ren <renzhen@linux.alibaba.com>
---
 Makefile                         |   2 +
 tools/virtiofsd/Makefile.objs    |   5 +-
 tools/virtiofsd/passthrough_ll.c |   2 +
 tools/virtiofsd/seccomp.c        | 141 +++++++++++++++++++++++++++++++
 tools/virtiofsd/seccomp.h        |  14 +++
 5 files changed, 163 insertions(+), 1 deletion(-)
 create mode 100644 tools/virtiofsd/seccomp.c
 create mode 100644 tools/virtiofsd/seccomp.h

Comments

Daniel P. Berrangé Jan. 6, 2020, 2:56 p.m. UTC | #1

On Thu, Dec 12, 2019 at 04:38:10PM +0000, Dr. David Alan Gilbert (git) wrote:
> From: Stefan Hajnoczi <stefanha@redhat.com>
> 
> Only allow system calls that are needed by virtiofsd.  All other system
> calls cause SIGSYS to be directed at the thread and the process will
> coredump.
> 
> Restricting system calls reduces the kernel attack surface and limits
> what the process can do when compromised.
> 
> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
> with additional entries by:
> Signed-off-by: Ganesh Maharaj Mahalingam <ganesh.mahalingam@intel.com>
> Signed-off-by: Masayoshi Mizuma <m.mizuma@jp.fujitsu.com>
> Signed-off-by: Misono Tomohiro <misono.tomohiro@jp.fujitsu.com>
> Signed-off-by: piaojun <piaojun@huawei.com>
> Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
> Signed-off-by: Eric Ren <renzhen@linux.alibaba.com>
> ---
>  Makefile                         |   2 +
>  tools/virtiofsd/Makefile.objs    |   5 +-
>  tools/virtiofsd/passthrough_ll.c |   2 +
>  tools/virtiofsd/seccomp.c        | 141 +++++++++++++++++++++++++++++++
>  tools/virtiofsd/seccomp.h        |  14 +++
>  5 files changed, 163 insertions(+), 1 deletion(-)
>  create mode 100644 tools/virtiofsd/seccomp.c
>  create mode 100644 tools/virtiofsd/seccomp.h
> 
> diff --git a/Makefile b/Makefile
> index 8a5746d8a0..3f5d04e1f7 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -322,8 +322,10 @@ HELPERS-y =
>  HELPERS-$(call land,$(CONFIG_SOFTMMU),$(CONFIG_LINUX)) = qemu-bridge-helper$(EXESUF)
>  
>  ifdef CONFIG_LINUX
> +ifdef CONFIG_SECCOMP
>  HELPERS-y += virtiofsd$(EXESUF)
>  vhost-user-json-y += tools/virtiofsd/50-qemu-virtiofsd.json
> +endif
>  
>  ifdef CONFIG_VIRGL
>  ifdef CONFIG_GBM
> diff --git a/tools/virtiofsd/Makefile.objs b/tools/virtiofsd/Makefile.objs
> index 67be16332c..941b19f18e 100644
> --- a/tools/virtiofsd/Makefile.objs
> +++ b/tools/virtiofsd/Makefile.objs
> @@ -6,5 +6,8 @@ virtiofsd-obj-y = buffer.o \
>                    fuse_signals.o \
>                    fuse_virtio.o \
>                    helper.o \
> -                  passthrough_ll.o
> +                  passthrough_ll.o \
> +                  seccomp.o
>  
> +seccomp.o-cflags := $(SECCOMP_CFLAGS)
> +seccomp.o-libs := $(SECCOMP_LIBS)
> diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
> index 754ef2618b..701608c6df 100644
> --- a/tools/virtiofsd/passthrough_ll.c
> +++ b/tools/virtiofsd/passthrough_ll.c
> @@ -58,6 +58,7 @@
>  #include <unistd.h>
>  
>  #include "passthrough_helpers.h"
> +#include "seccomp.h"
>  
>  #define HAVE_POSIX_FALLOCATE 1
>  struct lo_map_elem {
> @@ -2073,6 +2074,7 @@ static void setup_sandbox(struct lo_data *lo, struct fuse_session *se)
>  {
>      setup_namespaces(lo, se);
>      setup_mounts(lo->source);
> +    setup_seccomp();
>  }
>  
>  int main(int argc, char *argv[])
> diff --git a/tools/virtiofsd/seccomp.c b/tools/virtiofsd/seccomp.c
> new file mode 100644
> index 0000000000..6359bb55bb
> --- /dev/null
> +++ b/tools/virtiofsd/seccomp.c
> @@ -0,0 +1,141 @@
> +/*
> + * Seccomp sandboxing for virtiofsd
> + *
> + * Copyright (C) 2019 Red Hat, Inc.
> + *
> + * SPDX-License-Identifier: GPL-2.0-or-later
> + */
> +
> +#include "seccomp.h"
> +#include "fuse_i.h"
> +#include "fuse_log.h"
> +#include <errno.h>
> +#include <glib.h>
> +#include <seccomp.h>
> +#include <stdlib.h>
> +
> +/* Bodge for libseccomp 2.4.2 which broke ppoll */
> +#if !defined(__SNR_ppoll) && defined(__SNR_brk)
> +#ifdef __NR_ppoll
> +#define __SNR_ppoll __NR_ppoll
> +#else
> +#define __SNR_ppoll __PNR_ppoll
> +#endif
> +#endif
> +
> +static const int syscall_whitelist[] = {
> +    /* TODO ireg sem*() syscalls */
> +    SCMP_SYS(brk),
> +    SCMP_SYS(capget), /* For CAP_FSETID */
> +    SCMP_SYS(capset),
> +    SCMP_SYS(clock_gettime),
> +    SCMP_SYS(clone),

clone2 ?  clone3 ? IIC some archs in Linux
will require the newer variants.

> +    SCMP_SYS(close),
> +    SCMP_SYS(copy_file_range),
> +    SCMP_SYS(dup),
> +    SCMP_SYS(eventfd2),
> +    SCMP_SYS(exit),
> +    SCMP_SYS(exit_group),
> +    SCMP_SYS(fallocate),
> +    SCMP_SYS(fchmodat),
> +    SCMP_SYS(fchownat),
> +    SCMP_SYS(fcntl),
> +    SCMP_SYS(fdatasync),
> +    SCMP_SYS(fgetxattr),
> +    SCMP_SYS(flistxattr),
> +    SCMP_SYS(flock),
> +    SCMP_SYS(fremovexattr),
> +    SCMP_SYS(fsetxattr),
> +    SCMP_SYS(fstat),
> +    SCMP_SYS(fstatfs),
> +    SCMP_SYS(fsync),
> +    SCMP_SYS(ftruncate),
> +    SCMP_SYS(futex),
> +    SCMP_SYS(getdents),
> +    SCMP_SYS(getdents64),
> +    SCMP_SYS(getegid),
> +    SCMP_SYS(geteuid),
> +    SCMP_SYS(getpid),
> +    SCMP_SYS(gettid),
> +    SCMP_SYS(gettimeofday),
> +    SCMP_SYS(linkat),
> +    SCMP_SYS(lseek),
> +    SCMP_SYS(madvise),
> +    SCMP_SYS(mkdirat),
> +    SCMP_SYS(mknodat),
> +    SCMP_SYS(mmap),
> +    SCMP_SYS(mprotect),
> +    SCMP_SYS(mremap),
> +    SCMP_SYS(munmap),
> +    SCMP_SYS(newfstatat),
> +    SCMP_SYS(open),
> +    SCMP_SYS(openat),
> +    SCMP_SYS(ppoll),
> +    SCMP_SYS(prctl), /* TODO restrict to just PR_SET_NAME? */
> +    SCMP_SYS(preadv),
> +    SCMP_SYS(pread64),
> +    SCMP_SYS(pwritev),
> +    SCMP_SYS(pwrite64),
> +    SCMP_SYS(read),
> +    SCMP_SYS(readlinkat),
> +    SCMP_SYS(recvmsg),
> +    SCMP_SYS(renameat),
> +    SCMP_SYS(renameat2),
> +    SCMP_SYS(rt_sigaction),
> +    SCMP_SYS(rt_sigprocmask),
> +    SCMP_SYS(rt_sigreturn),
> +    SCMP_SYS(sendmsg),
> +    SCMP_SYS(setresgid),

Should be setresgid32 instead I think. We don't
want the legacy syscall that's limted to 16-bit GIDs

Needs the code fix I mention in an earlier patch too.

> +    SCMP_SYS(setresuid),

Same as above

> +    SCMP_SYS(set_robust_list),
> +    SCMP_SYS(symlinkat),
> +    SCMP_SYS(time), /* Rarely needed, except on static builds */
> +    SCMP_SYS(tgkill),
> +    SCMP_SYS(unlinkat),
> +    SCMP_SYS(utimensat),
> +    SCMP_SYS(write),
> +    SCMP_SYS(writev),
> +};


Regards,
Daniel

Dr. David Alan Gilbert Jan. 6, 2020, 6:54 p.m. UTC | #2

* Daniel P. Berrangé (berrange@redhat.com) wrote:
> On Thu, Dec 12, 2019 at 04:38:10PM +0000, Dr. David Alan Gilbert (git) wrote:
> > From: Stefan Hajnoczi <stefanha@redhat.com>
> > 
> > Only allow system calls that are needed by virtiofsd.  All other system
> > calls cause SIGSYS to be directed at the thread and the process will
> > coredump.
> > 
> > Restricting system calls reduces the kernel attack surface and limits
> > what the process can do when compromised.
> > 
> > Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
> > with additional entries by:
> > Signed-off-by: Ganesh Maharaj Mahalingam <ganesh.mahalingam@intel.com>
> > Signed-off-by: Masayoshi Mizuma <m.mizuma@jp.fujitsu.com>
> > Signed-off-by: Misono Tomohiro <misono.tomohiro@jp.fujitsu.com>
> > Signed-off-by: piaojun <piaojun@huawei.com>
> > Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
> > Signed-off-by: Eric Ren <renzhen@linux.alibaba.com>
> > ---
> >  Makefile                         |   2 +
> >  tools/virtiofsd/Makefile.objs    |   5 +-
> >  tools/virtiofsd/passthrough_ll.c |   2 +
> >  tools/virtiofsd/seccomp.c        | 141 +++++++++++++++++++++++++++++++
> >  tools/virtiofsd/seccomp.h        |  14 +++
> >  5 files changed, 163 insertions(+), 1 deletion(-)
> >  create mode 100644 tools/virtiofsd/seccomp.c
> >  create mode 100644 tools/virtiofsd/seccomp.h
> > 
> > diff --git a/Makefile b/Makefile
> > index 8a5746d8a0..3f5d04e1f7 100644
> > --- a/Makefile
> > +++ b/Makefile
> > @@ -322,8 +322,10 @@ HELPERS-y =
> >  HELPERS-$(call land,$(CONFIG_SOFTMMU),$(CONFIG_LINUX)) = qemu-bridge-helper$(EXESUF)
> >  
> >  ifdef CONFIG_LINUX
> > +ifdef CONFIG_SECCOMP
> >  HELPERS-y += virtiofsd$(EXESUF)
> >  vhost-user-json-y += tools/virtiofsd/50-qemu-virtiofsd.json
> > +endif
> >  
> >  ifdef CONFIG_VIRGL
> >  ifdef CONFIG_GBM
> > diff --git a/tools/virtiofsd/Makefile.objs b/tools/virtiofsd/Makefile.objs
> > index 67be16332c..941b19f18e 100644
> > --- a/tools/virtiofsd/Makefile.objs
> > +++ b/tools/virtiofsd/Makefile.objs
> > @@ -6,5 +6,8 @@ virtiofsd-obj-y = buffer.o \
> >                    fuse_signals.o \
> >                    fuse_virtio.o \
> >                    helper.o \
> > -                  passthrough_ll.o
> > +                  passthrough_ll.o \
> > +                  seccomp.o
> >  
> > +seccomp.o-cflags := $(SECCOMP_CFLAGS)
> > +seccomp.o-libs := $(SECCOMP_LIBS)
> > diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
> > index 754ef2618b..701608c6df 100644
> > --- a/tools/virtiofsd/passthrough_ll.c
> > +++ b/tools/virtiofsd/passthrough_ll.c
> > @@ -58,6 +58,7 @@
> >  #include <unistd.h>
> >  
> >  #include "passthrough_helpers.h"
> > +#include "seccomp.h"
> >  
> >  #define HAVE_POSIX_FALLOCATE 1
> >  struct lo_map_elem {
> > @@ -2073,6 +2074,7 @@ static void setup_sandbox(struct lo_data *lo, struct fuse_session *se)
> >  {
> >      setup_namespaces(lo, se);
> >      setup_mounts(lo->source);
> > +    setup_seccomp();
> >  }
> >  
> >  int main(int argc, char *argv[])
> > diff --git a/tools/virtiofsd/seccomp.c b/tools/virtiofsd/seccomp.c
> > new file mode 100644
> > index 0000000000..6359bb55bb
> > --- /dev/null
> > +++ b/tools/virtiofsd/seccomp.c
> > @@ -0,0 +1,141 @@
> > +/*
> > + * Seccomp sandboxing for virtiofsd
> > + *
> > + * Copyright (C) 2019 Red Hat, Inc.
> > + *
> > + * SPDX-License-Identifier: GPL-2.0-or-later
> > + */
> > +
> > +#include "seccomp.h"
> > +#include "fuse_i.h"
> > +#include "fuse_log.h"
> > +#include <errno.h>
> > +#include <glib.h>
> > +#include <seccomp.h>
> > +#include <stdlib.h>
> > +
> > +/* Bodge for libseccomp 2.4.2 which broke ppoll */
> > +#if !defined(__SNR_ppoll) && defined(__SNR_brk)
> > +#ifdef __NR_ppoll
> > +#define __SNR_ppoll __NR_ppoll
> > +#else
> > +#define __SNR_ppoll __PNR_ppoll
> > +#endif
> > +#endif
> > +
> > +static const int syscall_whitelist[] = {
> > +    /* TODO ireg sem*() syscalls */
> > +    SCMP_SYS(brk),
> > +    SCMP_SYS(capget), /* For CAP_FSETID */
> > +    SCMP_SYS(capset),
> > +    SCMP_SYS(clock_gettime),
> > +    SCMP_SYS(clone),
> 
> clone2 ?  clone3 ? IIC some archs in Linux
> will require the newer variants.

It looks like clone2 was an Itanium only thing; lets ignore that.
Clone3 is very new; so we're going to have to do:

  #ifdef __NR_clone3
  SCMP_SYS(clone3);
  #endif

> > +    SCMP_SYS(close),
> > +    SCMP_SYS(copy_file_range),
> > +    SCMP_SYS(dup),
> > +    SCMP_SYS(eventfd2),
> > +    SCMP_SYS(exit),
> > +    SCMP_SYS(exit_group),
> > +    SCMP_SYS(fallocate),
> > +    SCMP_SYS(fchmodat),
> > +    SCMP_SYS(fchownat),
> > +    SCMP_SYS(fcntl),
> > +    SCMP_SYS(fdatasync),
> > +    SCMP_SYS(fgetxattr),
> > +    SCMP_SYS(flistxattr),
> > +    SCMP_SYS(flock),
> > +    SCMP_SYS(fremovexattr),
> > +    SCMP_SYS(fsetxattr),
> > +    SCMP_SYS(fstat),
> > +    SCMP_SYS(fstatfs),
> > +    SCMP_SYS(fsync),
> > +    SCMP_SYS(ftruncate),
> > +    SCMP_SYS(futex),
> > +    SCMP_SYS(getdents),
> > +    SCMP_SYS(getdents64),
> > +    SCMP_SYS(getegid),
> > +    SCMP_SYS(geteuid),
> > +    SCMP_SYS(getpid),
> > +    SCMP_SYS(gettid),
> > +    SCMP_SYS(gettimeofday),
> > +    SCMP_SYS(linkat),
> > +    SCMP_SYS(lseek),
> > +    SCMP_SYS(madvise),
> > +    SCMP_SYS(mkdirat),
> > +    SCMP_SYS(mknodat),
> > +    SCMP_SYS(mmap),
> > +    SCMP_SYS(mprotect),
> > +    SCMP_SYS(mremap),
> > +    SCMP_SYS(munmap),
> > +    SCMP_SYS(newfstatat),
> > +    SCMP_SYS(open),
> > +    SCMP_SYS(openat),
> > +    SCMP_SYS(ppoll),
> > +    SCMP_SYS(prctl), /* TODO restrict to just PR_SET_NAME? */
> > +    SCMP_SYS(preadv),
> > +    SCMP_SYS(pread64),
> > +    SCMP_SYS(pwritev),
> > +    SCMP_SYS(pwrite64),
> > +    SCMP_SYS(read),
> > +    SCMP_SYS(readlinkat),
> > +    SCMP_SYS(recvmsg),
> > +    SCMP_SYS(renameat),
> > +    SCMP_SYS(renameat2),
> > +    SCMP_SYS(rt_sigaction),
> > +    SCMP_SYS(rt_sigprocmask),
> > +    SCMP_SYS(rt_sigreturn),
> > +    SCMP_SYS(sendmsg),
> > +    SCMP_SYS(setresgid),
> 
> Should be setresgid32 instead I think. We don't
> want the legacy syscall that's limted to 16-bit GIDs
> 
> Needs the code fix I mention in an earlier patch too.
> 
> > +    SCMP_SYS(setresuid),
> 
> Same as above

OK.
Interestingly I see setresuid/setresgid blacklisted as SET_PRIVILEGED
in qemu's qemu-secomp.c but not the 32 versions; perhaps those should
be added - but then I don't understand why qemu would ever allow them to
be enabled.

Dave

> > +    SCMP_SYS(set_robust_list),
> > +    SCMP_SYS(symlinkat),
> > +    SCMP_SYS(time), /* Rarely needed, except on static builds */
> > +    SCMP_SYS(tgkill),
> > +    SCMP_SYS(unlinkat),
> > +    SCMP_SYS(utimensat),
> > +    SCMP_SYS(write),
> > +    SCMP_SYS(writev),
> > +};
> 
> 
> Regards,
> Daniel
> -- 
> |: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
> |: https://libvirt.org         -o-            https://fstop138.berrange.com :|
> |: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
--
Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK

diff --git a/Makefile b/Makefile
index 8a5746d8a0..3f5d04e1f7 100644
--- a/Makefile
+++ b/Makefile
@@ -322,8 +322,10 @@  HELPERS-y =
 HELPERS-$(call land,$(CONFIG_SOFTMMU),$(CONFIG_LINUX)) = qemu-bridge-helper$(EXESUF)
 
 ifdef CONFIG_LINUX
+ifdef CONFIG_SECCOMP
 HELPERS-y += virtiofsd$(EXESUF)
 vhost-user-json-y += tools/virtiofsd/50-qemu-virtiofsd.json
+endif
 
 ifdef CONFIG_VIRGL
 ifdef CONFIG_GBM
diff --git a/tools/virtiofsd/Makefile.objs b/tools/virtiofsd/Makefile.objs
index 67be16332c..941b19f18e 100644
--- a/tools/virtiofsd/Makefile.objs
+++ b/tools/virtiofsd/Makefile.objs
@@ -6,5 +6,8 @@  virtiofsd-obj-y = buffer.o \
                   fuse_signals.o \
                   fuse_virtio.o \
                   helper.o \
-                  passthrough_ll.o
+                  passthrough_ll.o \
+                  seccomp.o
 
+seccomp.o-cflags := $(SECCOMP_CFLAGS)
+seccomp.o-libs := $(SECCOMP_LIBS)
diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
index 754ef2618b..701608c6df 100644
--- a/tools/virtiofsd/passthrough_ll.c
+++ b/tools/virtiofsd/passthrough_ll.c
@@ -58,6 +58,7 @@ 
 #include <unistd.h>
 
 #include "passthrough_helpers.h"
+#include "seccomp.h"
 
 #define HAVE_POSIX_FALLOCATE 1
 struct lo_map_elem {
@@ -2073,6 +2074,7 @@  static void setup_sandbox(struct lo_data *lo, struct fuse_session *se)
 {
     setup_namespaces(lo, se);
     setup_mounts(lo->source);
+    setup_seccomp();
 }
 
 int main(int argc, char *argv[])
diff --git a/tools/virtiofsd/seccomp.c b/tools/virtiofsd/seccomp.c
new file mode 100644
index 0000000000..6359bb55bb
--- /dev/null
+++ b/tools/virtiofsd/seccomp.c
@@ -0,0 +1,141 @@ 
+/*
+ * Seccomp sandboxing for virtiofsd
+ *
+ * Copyright (C) 2019 Red Hat, Inc.
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+
+#include "seccomp.h"
+#include "fuse_i.h"
+#include "fuse_log.h"
+#include <errno.h>
+#include <glib.h>
+#include <seccomp.h>
+#include <stdlib.h>
+
+/* Bodge for libseccomp 2.4.2 which broke ppoll */
+#if !defined(__SNR_ppoll) && defined(__SNR_brk)
+#ifdef __NR_ppoll
+#define __SNR_ppoll __NR_ppoll
+#else
+#define __SNR_ppoll __PNR_ppoll
+#endif
+#endif
+
+static const int syscall_whitelist[] = {
+    /* TODO ireg sem*() syscalls */
+    SCMP_SYS(brk),
+    SCMP_SYS(capget), /* For CAP_FSETID */
+    SCMP_SYS(capset),
+    SCMP_SYS(clock_gettime),
+    SCMP_SYS(clone),
+    SCMP_SYS(close),
+    SCMP_SYS(copy_file_range),
+    SCMP_SYS(dup),
+    SCMP_SYS(eventfd2),
+    SCMP_SYS(exit),
+    SCMP_SYS(exit_group),
+    SCMP_SYS(fallocate),
+    SCMP_SYS(fchmodat),
+    SCMP_SYS(fchownat),
+    SCMP_SYS(fcntl),
+    SCMP_SYS(fdatasync),
+    SCMP_SYS(fgetxattr),
+    SCMP_SYS(flistxattr),
+    SCMP_SYS(flock),
+    SCMP_SYS(fremovexattr),
+    SCMP_SYS(fsetxattr),
+    SCMP_SYS(fstat),
+    SCMP_SYS(fstatfs),
+    SCMP_SYS(fsync),
+    SCMP_SYS(ftruncate),
+    SCMP_SYS(futex),
+    SCMP_SYS(getdents),
+    SCMP_SYS(getdents64),
+    SCMP_SYS(getegid),
+    SCMP_SYS(geteuid),
+    SCMP_SYS(getpid),
+    SCMP_SYS(gettid),
+    SCMP_SYS(gettimeofday),
+    SCMP_SYS(linkat),
+    SCMP_SYS(lseek),
+    SCMP_SYS(madvise),
+    SCMP_SYS(mkdirat),
+    SCMP_SYS(mknodat),
+    SCMP_SYS(mmap),
+    SCMP_SYS(mprotect),
+    SCMP_SYS(mremap),
+    SCMP_SYS(munmap),
+    SCMP_SYS(newfstatat),
+    SCMP_SYS(open),
+    SCMP_SYS(openat),
+    SCMP_SYS(ppoll),
+    SCMP_SYS(prctl), /* TODO restrict to just PR_SET_NAME? */
+    SCMP_SYS(preadv),
+    SCMP_SYS(pread64),
+    SCMP_SYS(pwritev),
+    SCMP_SYS(pwrite64),
+    SCMP_SYS(read),
+    SCMP_SYS(readlinkat),
+    SCMP_SYS(recvmsg),
+    SCMP_SYS(renameat),
+    SCMP_SYS(renameat2),
+    SCMP_SYS(rt_sigaction),
+    SCMP_SYS(rt_sigprocmask),
+    SCMP_SYS(rt_sigreturn),
+    SCMP_SYS(sendmsg),
+    SCMP_SYS(setresgid),
+    SCMP_SYS(setresuid),
+    SCMP_SYS(set_robust_list),
+    SCMP_SYS(symlinkat),
+    SCMP_SYS(time), /* Rarely needed, except on static builds */
+    SCMP_SYS(tgkill),
+    SCMP_SYS(unlinkat),
+    SCMP_SYS(utimensat),
+    SCMP_SYS(write),
+    SCMP_SYS(writev),
+};
+
+void setup_seccomp(void)
+{
+    scmp_filter_ctx ctx;
+    size_t i;
+
+#ifdef SCMP_ACT_KILL_PROCESS
+    ctx = seccomp_init(SCMP_ACT_KILL_PROCESS);
+    /* Handle a newer libseccomp but an older kernel */
+    if (!ctx && errno == EOPNOTSUPP) {
+        ctx = seccomp_init(SCMP_ACT_TRAP);
+    }
+#else
+    ctx = seccomp_init(SCMP_ACT_TRAP);
+#endif
+    if (!ctx) {
+        fuse_log(FUSE_LOG_ERR, "seccomp_init() failed\n");
+        exit(1);
+    }
+
+    for (i = 0; i < G_N_ELEMENTS(syscall_whitelist); i++) {
+        if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW,
+                             syscall_whitelist[i], 0) != 0) {
+            fuse_log(FUSE_LOG_ERR, "seccomp_rule_add syscall %d",
+                     syscall_whitelist[i]);
+            exit(1);
+        }
+    }
+
+    /* libvhost-user calls this for post-copy migration, we don't need it */
+    if (seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS),
+                         SCMP_SYS(userfaultfd), 0) != 0) {
+        fuse_log(FUSE_LOG_ERR, "seccomp_rule_add userfaultfd failed\n");
+        exit(1);
+    }
+
+    if (seccomp_load(ctx) < 0) {
+        fuse_log(FUSE_LOG_ERR, "seccomp_load() failed\n");
+        exit(1);
+    }
+
+    seccomp_release(ctx);
+}
diff --git a/tools/virtiofsd/seccomp.h b/tools/virtiofsd/seccomp.h
new file mode 100644
index 0000000000..86bce72652
--- /dev/null
+++ b/tools/virtiofsd/seccomp.h
@@ -0,0 +1,14 @@ 
+/*
+ * Seccomp sandboxing for virtiofsd
+ *
+ * Copyright (C) 2019 Red Hat, Inc.
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+
+#ifndef VIRTIOFSD_SECCOMP_H
+#define VIRTIOFSD_SECCOMP_H
+
+void setup_seccomp(void);
+
+#endif /* VIRTIOFSD_SECCOMP_H */

[050/104] virtiofsd: add seccomp whitelist

Commit Message

Comments

Patch