Merge "Block bunch of privileged syscalls to apps"

spsforks · Jan 23, 2018 · 6ea8037 · 6ea8037
2 parents d00d38b + 2f23ced
commit 6ea8037
Show file tree

Hide file tree

Showing 8 changed files with 621 additions and 471 deletions.
diff --git a/libc/SECCOMP_BLACKLIST_APP.TXT b/libc/SECCOMP_BLACKLIST_APP.TXT
@@ -0,0 +1,68 @@
+# This file is used to populate seccomp's whitelist policy in combination with SYSCALLS.TXT.
+# Note that the resultant policy is applied only to zygote spawned processes.
+#
+# The final seccomp whitelist is SYSCALLS.TXT - SECCOMP_BLACKLIST.TXT + SECCOMP_WHITELIST.TXT
+# Any entry in the blacklist must be in the syscalls file and not be in the whitelist file
+#
+# Each non-blank, non-comment line has the following format:
+#
+# return_type func_name[|alias_list][:syscall_name[:socketcall_id]]([parameter_list]) arch_list
+#
+# where:
+#       arch_list ::= "all" | arch+
+#       arch      ::= "arm" | "arm64" | "mips" | "mips64" | "x86" | "x86_64"
+#
+# Note:
+#      - syscall_name corresponds to the name of the syscall, which may differ from
+#        the exported function name (example: the exit syscall is implemented by the _exit()
+#        function, which is not the same as the standard C exit() function which calls it)
+
+#      - alias_list is optional comma separated list of function aliases
+#
+#      - The call_id parameter, given that func_name and syscall_name have
+#        been provided, allows the user to specify dispatch style syscalls.
+#        For example, socket() syscall on i386 actually becomes:
+#          socketcall(__NR_socket, 1, *(rest of args on stack)).
+#
+#      - Each parameter type is assumed to be stored in 32 bits.
+#
+# This file is processed by a python script named genseccomp.py.
+
+# syscalls to modify IDs
+int     setgid:setgid32(gid_t)     arm,x86
+int     setgid:setgid(gid_t)       arm64,mips,mips64,x86_64
+int     setuid:setuid32(uid_t)    arm,x86
+int     setuid:setuid(uid_t)      arm64,mips,mips64,x86_64
+int     setreuid:setreuid32(uid_t, uid_t)   arm,x86
+int     setreuid:setreuid(uid_t, uid_t)     arm64,mips,mips64,x86_64
+int     setresuid:setresuid32(uid_t, uid_t, uid_t)   arm,x86
+int     setresuid:setresuid(uid_t, uid_t, uid_t)     arm64,mips,mips64,x86_64
+int     setresgid:setresgid32(gid_t, gid_t, gid_t)   arm,x86
+int     setresgid:setresgid(gid_t, gid_t, gid_t)     arm64,mips,mips64,x86_64
+int     setfsgid(gid_t)  all
+int     setfsuid(uid_t)  all
+int     setgroups:setgroups32(int, const gid_t*)   arm,x86
+int     setgroups:setgroups(int, const gid_t*)     arm64,mips,mips64,x86_64
+
+# syscalls to modify times
+int     adjtimex(struct timex*)   all
+int     clock_adjtime(clockid_t, struct timex*)   all
+int     clock_settime(clockid_t, const struct timespec*)  all
+int     settimeofday(const struct timeval*, const struct timezone*)   all
+
+int     acct(const char*  filepath)  all
+int     klogctl:syslog(int, char*, int)   all
+
+int     capset(cap_user_header_t header, const cap_user_data_t data) all
+int     chroot(const char*)  all
+
+# syscalls to change machine various configurations
+int     init_module(void*, unsigned long, const char*)  all
+int     delete_module(const char*, unsigned int)   all
+int     mount(const char*, const char*, const char*, unsigned long, const void*)  all
+int     umount2(const char*, int)  all
+int     swapon(const char*, int) all
+int     swapoff(const char*) all
+int     setdomainname(const char*, size_t)  all
+int     sethostname(const char*, size_t)  all
+int     __reboot:reboot(int, int, int, void*)  all
diff --git a/libc/seccomp/arm64_app_policy.cpp b/libc/seccomp/arm64_app_policy.cpp
@@ -5,36 +5,62 @@
 
 #include "seccomp_bpfs.h"
 const sock_filter arm64_app_filter[] = {
-BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 0, 0, 32),
-BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 220, 15, 0),
-BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 101, 7, 0),
-BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 43, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 0, 0, 58),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 153, 29, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 101, 15, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 52, 7, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 41, 3, 0),
 BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 19, 1, 0),
-BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 18, 27, 26), //io_setup|io_destroy|io_submit|io_cancel|io_getevents|setxattr|lsetxattr|fsetxattr|getxattr|lgetxattr|fgetxattr|listxattr|llistxattr|flistxattr|removexattr|lremovexattr|fremovexattr|getcwd
-BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 42, 26, 25), //eventfd2|epoll_create1|epoll_ctl|epoll_pwait|dup|dup3|fcntl|inotify_init1|inotify_add_watch|inotify_rm_watch|ioctl|ioprio_set|ioprio_get|flock|mknodat|mkdirat|unlinkat|symlinkat|linkat|renameat|umount2|mount|pivot_root
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 18, 52, 51), //io_setup|io_destroy|io_submit|io_cancel|io_getevents|setxattr|lsetxattr|fsetxattr|getxattr|lgetxattr|fgetxattr|listxattr|llistxattr|flistxattr|removexattr|lremovexattr|fremovexattr|getcwd
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 39, 51, 50), //eventfd2|epoll_create1|epoll_ctl|epoll_pwait|dup|dup3|fcntl|inotify_init1|inotify_add_watch|inotify_rm_watch|ioctl|ioprio_set|ioprio_get|flock|mknodat|mkdirat|unlinkat|symlinkat|linkat|renameat
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 43, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 42, 49, 48), //pivot_root
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 51, 48, 47), //statfs|fstatfs|truncate|ftruncate|fallocate|faccessat|chdir|fchdir
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 90, 3, 0),
 BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 59, 1, 0),
-BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 58, 24, 23), //statfs|fstatfs|truncate|ftruncate|fallocate|faccessat|chdir|fchdir|chroot|fchmod|fchmodat|fchownat|fchown|openat|close
-BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 99, 23, 22), //pipe2|quotactl|getdents64|lseek|read|write|readv|writev|pread64|pwrite64|preadv|pwritev|sendfile|pselect6|ppoll|signalfd4|vmsplice|splice|tee|readlinkat|newfstatat|fstat|sync|fsync|fdatasync|sync_file_range|timerfd_create|timerfd_settime|timerfd_gettime|utimensat|acct|capget|capset|personality|exit|exit_group|waitid|set_tid_address|unshare|futex
-BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 198, 3, 0),
-BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 105, 1, 0),
-BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 104, 20, 19), //nanosleep|getitimer|setitimer
-BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 180, 19, 18), //init_module|delete_module|timer_create|timer_gettime|timer_getoverrun|timer_settime|timer_delete|clock_settime|clock_gettime|clock_getres|clock_nanosleep|syslog|ptrace|sched_setparam|sched_setscheduler|sched_getscheduler|sched_getparam|sched_setaffinity|sched_getaffinity|sched_yield|sched_get_priority_max|sched_get_priority_min|sched_rr_get_interval|restart_syscall|kill|tkill|tgkill|sigaltstack|rt_sigsuspend|rt_sigaction|rt_sigprocmask|rt_sigpending|rt_sigtimedwait|rt_sigqueueinfo|rt_sigreturn|setpriority|getpriority|reboot|setregid|setgid|setreuid|setuid|setresuid|getresuid|setresgid|getresgid|setfsuid|setfsgid|times|setpgid|getpgid|getsid|setsid|getgroups|setgroups|uname|sethostname|setdomainname|getrlimit|setrlimit|getrusage|umask|prctl|getcpu|gettimeofday|settimeofday|adjtimex|getpid|getppid|getuid|geteuid|getgid|getegid|gettid|sysinfo
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 58, 45, 44), //fchmod|fchmodat|fchownat|fchown|openat|close
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 89, 44, 43), //pipe2|quotactl|getdents64|lseek|read|write|readv|writev|pread64|pwrite64|preadv|pwritev|sendfile|pselect6|ppoll|signalfd4|vmsplice|splice|tee|readlinkat|newfstatat|fstat|sync|fsync|fdatasync|sync_file_range|timerfd_create|timerfd_settime|timerfd_gettime|utimensat
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 92, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 91, 42, 41), //capget
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 99, 41, 40), //personality|exit|exit_group|waitid|set_tid_address|unshare|futex
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 143, 7, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 113, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 107, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 104, 37, 36), //nanosleep|getitimer|setitimer
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 112, 36, 35), //timer_create|timer_gettime|timer_getoverrun|timer_settime|timer_delete
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 117, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 116, 34, 33), //clock_gettime|clock_getres|clock_nanosleep
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 142, 33, 32), //ptrace|sched_setparam|sched_setscheduler|sched_getscheduler|sched_getparam|sched_setaffinity|sched_getaffinity|sched_yield|sched_get_priority_max|sched_get_priority_min|sched_rr_get_interval|restart_syscall|kill|tkill|tgkill|sigaltstack|rt_sigsuspend|rt_sigaction|rt_sigprocmask|rt_sigpending|rt_sigtimedwait|rt_sigqueueinfo|rt_sigreturn|setpriority|getpriority
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 150, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 148, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 144, 30, 29), //setregid
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 149, 29, 28), //getresuid
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 151, 28, 27), //getresgid
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 226, 13, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 198, 7, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 163, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 160, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 159, 23, 22), //times|setpgid|getpgid|getsid|setsid|getgroups
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 161, 22, 21), //uname
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 172, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 170, 20, 19), //getrlimit|setrlimit|getrusage|umask|prctl|getcpu|gettimeofday
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 180, 19, 18), //getpid|getppid|getuid|geteuid|getgid|getegid|gettid|sysinfo
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 220, 3, 0),
 BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 203, 1, 0),
-BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 202, 17, 16), //socket|socketpair|bind|listen
-BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 217, 16, 15), //connect|getsockname|getpeername|sendto|recvfrom|setsockopt|getsockopt|shutdown|sendmsg|recvmsg|readahead|brk|munmap|mremap
-BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 266, 7, 0),
-BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 240, 3, 0),
-BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 226, 1, 0),
-BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 224, 12, 11), //clone|execve|mmap|fadvise64
-BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 234, 11, 10), //mprotect|msync|mlock|munlock|mlockall|munlockall|mincore|madvise
-BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 260, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 202, 16, 15), //socket|socketpair|bind|listen
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 217, 15, 14), //connect|getsockname|getpeername|sendto|recvfrom|setsockopt|getsockopt|shutdown|sendmsg|recvmsg|readahead|brk|munmap|mremap
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 224, 14, 13), //clone|execve|mmap|fadvise64
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 274, 7, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 260, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 240, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 234, 10, 9), //mprotect|msync|mlock|munlock|mlockall|munlockall|mincore|madvise
 BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 244, 9, 8), //rt_tgsigqueueinfo|perf_event_open|accept4|recvmmsg
-BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 262, 8, 7), //wait4|prlimit64
-BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 281, 3, 0),
-BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 274, 1, 0),
-BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 272, 5, 4), //clock_adjtime|syncfs|setns|sendmmsg|process_vm_readv|process_vm_writev
-BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 280, 4, 3), //sched_setattr|sched_getattr|renameat2|seccomp|getrandom|memfd_create
-BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 284, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 267, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 262, 7, 6), //wait4|prlimit64
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 272, 6, 5), //syncfs|setns|sendmmsg|process_vm_readv|process_vm_writev
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 284, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 281, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 280, 3, 2), //sched_setattr|sched_getattr|renameat2|seccomp|getrandom|memfd_create
 BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 282, 2, 1), //execveat
 BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 288, 1, 0), //mlock2|copy_file_range|preadv2|pwritev2
 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),