2012-10-13 17:46:48 +08:00
|
|
|
#ifndef _UAPI_LINUX_SECCOMP_H
|
|
|
|
#define _UAPI_LINUX_SECCOMP_H
|
|
|
|
|
|
|
|
#include <linux/compiler.h>
|
|
|
|
#include <linux/types.h>
|
|
|
|
|
|
|
|
|
|
|
|
/* Valid values for seccomp.mode and prctl(PR_SET_SECCOMP, <mode>) */
|
|
|
|
#define SECCOMP_MODE_DISABLED 0 /* seccomp is not in use. */
|
|
|
|
#define SECCOMP_MODE_STRICT 1 /* uses hard-coded filter. */
|
|
|
|
#define SECCOMP_MODE_FILTER 2 /* uses user-supplied filter. */
|
|
|
|
|
2014-06-26 07:08:24 +08:00
|
|
|
/* Valid operations for seccomp syscall. */
|
2017-08-11 12:33:53 +08:00
|
|
|
#define SECCOMP_SET_MODE_STRICT 0
|
|
|
|
#define SECCOMP_SET_MODE_FILTER 1
|
|
|
|
#define SECCOMP_GET_ACTION_AVAIL 2
|
2014-06-26 07:08:24 +08:00
|
|
|
|
2014-06-05 15:23:17 +08:00
|
|
|
/* Valid flags for SECCOMP_SET_MODE_FILTER */
|
|
|
|
#define SECCOMP_FILTER_FLAG_TSYNC 1
|
seccomp: Filter flag to log all actions except SECCOMP_RET_ALLOW
Add a new filter flag, SECCOMP_FILTER_FLAG_LOG, that enables logging for
all actions except for SECCOMP_RET_ALLOW for the given filter.
SECCOMP_RET_KILL actions are always logged, when "kill" is in the
actions_logged sysctl, and SECCOMP_RET_ALLOW actions are never logged,
regardless of this flag.
This flag can be used to create noisy filters that result in all
non-allowed actions to be logged. A process may have one noisy filter,
which is loaded with this flag, as well as a quiet filter that's not
loaded with this flag. This allows for the actions in a set of filters
to be selectively conveyed to the admin.
Since a system could have a large number of allocated seccomp_filter
structs, struct packing was taken in consideration. On 64 bit x86, the
new log member takes up one byte of an existing four byte hole in the
struct. On 32 bit x86, the new log member creates a new four byte hole
(unavoidable) and consumes one of those bytes.
Unfortunately, the tests added for SECCOMP_FILTER_FLAG_LOG are not
capable of inspecting the audit log to verify that the actions taken in
the filter were logged.
With this patch, the logic for deciding if an action will be logged is:
if action == RET_ALLOW:
do not log
else if action == RET_KILL && RET_KILL in actions_logged:
log
else if filter-requests-logging && action in actions_logged:
log
else if audit_enabled && process-is-being-audited:
log
else:
do not log
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
2017-08-11 12:33:56 +08:00
|
|
|
#define SECCOMP_FILTER_FLAG_LOG 2
|
2014-06-05 15:23:17 +08:00
|
|
|
|
2012-10-13 17:46:48 +08:00
|
|
|
/*
|
|
|
|
* All BPF programs must return a 32-bit value.
|
|
|
|
* The bottom 16-bits are for optional return data.
|
|
|
|
* The upper 16-bits are ordered from least permissive values to most.
|
|
|
|
*
|
|
|
|
* The ordering ensures that a min_t() over composed return values always
|
|
|
|
* selects the least permissive choice.
|
|
|
|
*/
|
2017-08-12 03:53:18 +08:00
|
|
|
#define SECCOMP_RET_KILL_THREAD 0x00000000U /* kill the thread */
|
|
|
|
#define SECCOMP_RET_KILL SECCOMP_RET_KILL_THREAD
|
2012-10-13 17:46:48 +08:00
|
|
|
#define SECCOMP_RET_TRAP 0x00030000U /* disallow and force a SIGSYS */
|
|
|
|
#define SECCOMP_RET_ERRNO 0x00050000U /* returns an errno */
|
|
|
|
#define SECCOMP_RET_TRACE 0x7ff00000U /* pass to a tracer or disallow */
|
seccomp: Action to log before allowing
Add a new action, SECCOMP_RET_LOG, that logs a syscall before allowing
the syscall. At the implementation level, this action is identical to
the existing SECCOMP_RET_ALLOW action. However, it can be very useful when
initially developing a seccomp filter for an application. The developer
can set the default action to be SECCOMP_RET_LOG, maybe mark any
obviously needed syscalls with SECCOMP_RET_ALLOW, and then put the
application through its paces. A list of syscalls that triggered the
default action (SECCOMP_RET_LOG) can be easily gleaned from the logs and
that list can be used to build the syscall whitelist. Finally, the
developer can change the default action to the desired value.
This provides a more friendly experience than seeing the application get
killed, then updating the filter and rebuilding the app, seeing the
application get killed due to a different syscall, then updating the
filter and rebuilding the app, etc.
The functionality is similar to what's supported by the various LSMs.
SELinux has permissive mode, AppArmor has complain mode, SMACK has
bring-up mode, etc.
SECCOMP_RET_LOG is given a lower value than SECCOMP_RET_ALLOW as allow
while logging is slightly more restrictive than quietly allowing.
Unfortunately, the tests added for SECCOMP_RET_LOG are not capable of
inspecting the audit log to verify that the syscall was logged.
With this patch, the logic for deciding if an action will be logged is:
if action == RET_ALLOW:
do not log
else if action == RET_KILL && RET_KILL in actions_logged:
log
else if action == RET_LOG && RET_LOG in actions_logged:
log
else if filter-requests-logging && action in actions_logged:
log
else if audit_enabled && process-is-being-audited:
log
else:
do not log
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
2017-08-11 12:33:57 +08:00
|
|
|
#define SECCOMP_RET_LOG 0x7ffc0000U /* allow after logging */
|
2012-10-13 17:46:48 +08:00
|
|
|
#define SECCOMP_RET_ALLOW 0x7fff0000U /* allow */
|
|
|
|
|
|
|
|
/* Masks for the return value sections. */
|
|
|
|
#define SECCOMP_RET_ACTION 0x7fff0000U
|
|
|
|
#define SECCOMP_RET_DATA 0x0000ffffU
|
|
|
|
|
|
|
|
/**
|
|
|
|
* struct seccomp_data - the format the BPF program executes over.
|
|
|
|
* @nr: the system call number
|
|
|
|
* @arch: indicates system call convention as an AUDIT_ARCH_* value
|
|
|
|
* as defined in <linux/audit.h>.
|
|
|
|
* @instruction_pointer: at the time of the system call.
|
|
|
|
* @args: up to 6 system call arguments always stored as 64-bit values
|
|
|
|
* regardless of the architecture.
|
|
|
|
*/
|
|
|
|
struct seccomp_data {
|
|
|
|
int nr;
|
|
|
|
__u32 arch;
|
|
|
|
__u64 instruction_pointer;
|
|
|
|
__u64 args[6];
|
|
|
|
};
|
|
|
|
|
|
|
|
#endif /* _UAPI_LINUX_SECCOMP_H */
|