xref: /freebsd/contrib/file/src/seccomp.c (revision 4996ebdb720042239a197ebec2d265cdfdf1bbf3) 
1 /*
2  * Redistribution and use in source and binary forms, with or without
3  * modification, are permitted provided that the following conditions
4  * are met:
5  * 1. Redistributions of source code must retain the above copyright
6  *    notice immediately at the beginning of the file, without modification,
7  *    this list of conditions, and the following disclaimer.
8  * 2. Redistributions in binary form must reproduce the above copyright
9  *    notice, this list of conditions and the following disclaimer in the
10  *    documentation and/or other materials provided with the distribution.
11  *
12  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
13  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
14  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
15  * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR
16  * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
17  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
18  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
19  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
20  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
21  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
22  * SUCH DAMAGE.
23  */
24 /*
25  * libseccomp hooks.
26  */
27 #include "file.h"
28 
29 #ifndef	lint
30 FILE_RCSID("@(#)$File: seccomp.c,v 1.36 2026/02/06 14:04:20 christos Exp $")
31 #endif	/* lint */
32 
33 #if HAVE_LIBSECCOMP
34 #include <seccomp.h> /* libseccomp */
35 #include <sys/prctl.h> /* prctl */
36 #include <sys/socket.h>
37 // See: https://sourceware.org/bugzilla/show_bug.cgi?id=32806
38 #include <asm/termbits.h>
39 #include <sys/ioctl.h>
40 #include <fcntl.h>
41 #include <stdlib.h>
42 #include <errno.h>
43 
44 #define DENY_RULE(call) \
45     do \
46 	if (seccomp_rule_add (ctx, SCMP_ACT_KILL, SCMP_SYS(call), 0) == -1) \
47 	    goto out; \
48     while (/*CONSTCOND*/0)
49 #define ALLOW_RULE(call) \
50     do \
51 	if (seccomp_rule_add (ctx, SCMP_ACT_ALLOW, SCMP_SYS(call), 0) == -1) \
52 	    goto out; \
53     while (/*CONSTCOND*/0)
54 
55 #define ALLOW_IOCTL_RULE(param) \
56     do \
57 	if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(ioctl), 1, \
58 	    SCMP_CMP(1, SCMP_CMP_EQ, (scmp_datum_t)param, \
59 		     (scmp_datum_t)0)) == -1) \
60 		goto out; \
61     while (/*CONSTCOND*/0)
62 
63 static scmp_filter_ctx ctx;
64 
65 int
66 enable_sandbox(void)
67 {
68 
69 	// prevent child processes from getting more priv e.g. via setuid,
70 	// capabilities, ...
71 	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
72 		return -1;
73 
74 #if 0
75 	if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) == -1)
76 		return -1;
77 #endif
78 
79 	// initialize the filter
80 	ctx = seccomp_init(SCMP_ACT_KILL);
81 	if (ctx == NULL)
82 		return -1;
83 
84 	ALLOW_RULE(access);
85 	ALLOW_RULE(brk);
86 	ALLOW_RULE(close);
87 	ALLOW_RULE(dup2);
88 	ALLOW_RULE(exit);
89 	ALLOW_RULE(exit_group);
90 #ifdef __NR_faccessat
91 	ALLOW_RULE(faccessat);
92 #endif
93 	ALLOW_RULE(fcntl);
94  	ALLOW_RULE(fcntl64);
95 #ifdef __NR_fstat
96 	ALLOW_RULE(fstat);
97 #endif
98  	ALLOW_RULE(fstat64);
99 #ifdef __NR_fstatat64
100 	ALLOW_RULE(fstatat64);
101 #endif
102 	ALLOW_RULE(futex);
103 	ALLOW_RULE(getdents);
104 #ifdef __NR_getdents64
105 	ALLOW_RULE(getdents64);
106 #endif
107 	ALLOW_RULE(getpid);	// Used by glibc in file_pipe2file()
108 	ALLOW_RULE(getrandom);	// Used by glibc in file_pipe2file()
109 #ifdef __NR_getcwd
110 	ALLOW_RULE(getcwd);	// GCONV_PATH=
111 #endif
112 #ifdef FIONREAD
113 	// called in src/compress.c under sread
114 	ALLOW_IOCTL_RULE(FIONREAD);
115 #endif
116 #ifdef TIOCGWINSZ
117 	// musl libc may call ioctl TIOCGWINSZ on stdout
118 	ALLOW_IOCTL_RULE(TIOCGWINSZ);
119 #endif
120 #ifdef TCGETS
121 	// glibc may call ioctl TCGETS on stdout on physical terminal
122 	ALLOW_IOCTL_RULE(TCGETS);
123 #endif
124 #ifdef TCGETS2
125 	// glibc may call ioctl TCGETS2 on stdout on physical terminal
126 	ALLOW_IOCTL_RULE(TCGETS2);
127 #endif
128 	ALLOW_RULE(lseek);
129  	ALLOW_RULE(_llseek);
130 	ALLOW_RULE(lstat);
131  	ALLOW_RULE(lstat64);
132 	ALLOW_RULE(madvise);
133 	ALLOW_RULE(mmap);
134  	ALLOW_RULE(mmap2);
135 	ALLOW_RULE(mprotect);
136 	ALLOW_RULE(mremap);
137 	ALLOW_RULE(munmap);
138 #ifdef __NR_newfstatat
139 	ALLOW_RULE(newfstatat);
140 #endif
141 	ALLOW_RULE(open);
142 	ALLOW_RULE(openat);
143 	ALLOW_RULE(pread64);
144 	ALLOW_RULE(read);
145 	ALLOW_RULE(readlink);
146 #ifdef __NR_readlinkat
147 	ALLOW_RULE(readlinkat);
148 #endif
149 	ALLOW_RULE(rseq);	// Used by glibc to randomize malloc
150 	ALLOW_RULE(rt_sigaction);
151 	ALLOW_RULE(rt_sigprocmask);
152 	ALLOW_RULE(rt_sigreturn);
153 	ALLOW_RULE(select);
154 	ALLOW_RULE(stat);
155 	ALLOW_RULE(statx);
156 	ALLOW_RULE(stat64);
157 	ALLOW_RULE(sysinfo);
158 	ALLOW_RULE(umask);	// Used in file_pipe2file()
159 	ALLOW_RULE(unlink);
160 	ALLOW_RULE(utimes);
161 	ALLOW_RULE(write);
162 	ALLOW_RULE(writev);
163 
164 
165 #if 0
166 	// needed by valgrind
167 	ALLOW_RULE(gettid);
168 	ALLOW_RULE(rt_sigtimedwait);
169 #endif
170 
171 #if 0
172 	 /* special restrictions for socket, only allow AF_UNIX/AF_LOCAL */
173 	 if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket), 1,
174 	     SCMP_CMP(0, SCMP_CMP_EQ, AF_UNIX)) == -1)
175 	 	goto out;
176 
177 	 if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket), 1,
178 	     SCMP_CMP(0, SCMP_CMP_EQ, AF_LOCAL)) == -1)
179 	 	goto out;
180 
181 
182 	 /* special restrictions for open, prevent opening files for writing */
183 	 if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 1,
184 	     SCMP_CMP(1, SCMP_CMP_MASKED_EQ, O_WRONLY | O_RDWR, 0)) == -1)
185 	 	goto out;
186 
187 	 if (seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EACCES), SCMP_SYS(open), 1,
188 	     SCMP_CMP(1, SCMP_CMP_MASKED_EQ, O_WRONLY, O_WRONLY)) == -1)
189 	 	goto out;
190 
191 	 if (seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EACCES), SCMP_SYS(open), 1,
192 	     SCMP_CMP(1, SCMP_CMP_MASKED_EQ, O_RDWR, O_RDWR)) == -1)
193 	 	goto out;
194 
195 
196 	 /* allow stderr */
197 	 if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1,
198 	     SCMP_CMP(0, SCMP_CMP_EQ, 2)) == -1)
199 		 goto out;
200 #endif
201 
202 #if defined(PR_SET_VMA) && defined(PR_SET_VMA_ANON_NAME)
203 	/* allow glibc to name malloc areas */
204 	if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(prctl), 2,
205 	    SCMP_CMP32(0, SCMP_CMP_EQ, PR_SET_VMA),
206 	    SCMP_CMP64(1, SCMP_CMP_EQ, PR_SET_VMA_ANON_NAME)) == -1)
207 		goto out;
208 #endif
209 
210 	// applying filter...
211 	if (seccomp_load(ctx) == -1)
212 		goto out;
213 	// free ctx after the filter has been loaded into the kernel
214 	seccomp_release(ctx);
215 	return 0;
216 
217 out:
218 	// something went wrong
219 	seccomp_release(ctx);
220 	return -1;
221 }
222 #endif
223