UBUNTU: SAUCE: seccomp_filter: new mode with configurable syscall filters

This change adds a new seccomp mode which specifies the allowed system
calls dynamically.  When in the new mode (13), all system calls are
checked against process-defined filters - first by system call number,
then by a filter string.  If an entry exists for a given system call and
all filter predicates evaluate to true, then the task may proceed.
Otherwise, the task is killed.

Filter string parsing and evaluation is handled by the ftrace filter
engine.  Related patches tweak to the perf filter trace and free
allowing the calls to be shared. Filters inherit their understanding of
types and arguments for each system call from the CONFIG_FTRACE_SYSCALLS
subsystem which already populates this information in syscall_metadata
associated enter_event (and exit_event) structures. If
CONFIG_FTRACE_SYSCALLS is not compiled in, only filter strings of "1"
will be allowed.

The net result is a process may have its system calls filtered using the
ftrace filter engine's inherent understanding of systems calls.  The set
of filters is specified through the PR_SET_SECCOMP_FILTER argument in
prctl(). For example, a filterset for a process, like pdftotext, that
should only process read-only input could (roughly) look like:
  sprintf(rdonly, "flags == %u", O_RDONLY|O_LARGEFILE);
  type = PR_SECCOMP_FILTER_SYSCALL;
  prctl(PR_SET_SECCOMP_FILTER, type, __NR_open, rdonly);
  prctl(PR_SET_SECCOMP_FILTER, type, __NR__llseek, "1");
  prctl(PR_SET_SECCOMP_FILTER, type, __NR_brk, "1");
  prctl(PR_SET_SECCOMP_FILTER, type, __NR_close, "1");
  prctl(PR_SET_SECCOMP_FILTER, type, __NR_exit_group, "1");
  prctl(PR_SET_SECCOMP_FILTER, type, __NR_fstat64, "1");
  prctl(PR_SET_SECCOMP_FILTER, type, __NR_mmap2, "1");
  prctl(PR_SET_SECCOMP_FILTER, type, __NR_munmap, "1");
  prctl(PR_SET_SECCOMP_FILTER, type, __NR_read, "1");
  prctl(PR_SET_SECCOMP_FILTER, type, __NR_write, "fd == 1 || fd == 2");
  prctl(PR_SET_SECCOMP, 13);

Subsequent calls to PR_SET_SECCOMP_FILTER for the same system call will
be &&'d together to ensure that attack surface may only be reduced:
  prctl(PR_SET_SECCOMP_FILTER, __NR_write, "fd != 2");

With the earlier example, the active filter becomes:
  "(fd == 1 || fd == 2) && (fd != 2)"

The patch also adds PR_CLEAR_SECCOMP_FILTER and PR_GET_SECCOMP_FILTER.
The latter returns the current filter for a system call to userspace:

  prctl(PR_GET_SECCOMP_FILTER, type, __NR_write, buf, bufsize);

while the former clears any filters for a given system call changing it
back to a defaulty deny:

  prctl(PR_CLEAR_SECCOMP_FILTER, type, __NR_write);

Note, type may be either PR_SECCOMP_FILTER_EVENT or
PR_SECCOMP_FILTER_SYSCALL.  This allows for ftrace event ids to be used
in lieu of system call numbers.  At present, only syscalls:sys_enter_*
event id are supported, but this allows for potential future extension
of the backend.

v11: - Use mode "13" to avoid future overlap; with comment update
     - Use kref; extra memset; other clean up from msb@chromium.org
     - Cleaned up Makefile object merging since locally shared symbols are gone
v10: - Note that PERF_EVENTS are also needed for ftrace filter engine support.
     - Removed dependency on ftrace code changes for event_filters
       (wrapping with perf_events and violating opaqueness for the filter str)
     - pulled in all the hacks to get access to syscall_metadata and build
       call objects for filter evaluation.
v9: - rebase on to de505e709ffb09a7382ca8e0d8c7dbb171ba5
    - disallow PR_SECCOMP_FILTER_EVENT when a compat task is calling
      as ftrace has no compat_syscalls awareness yet.
    - return -ENOSYS when filter engine strings are used on a compat call
      as there are no compat_syscalls events to reference yet.
v8: - expand parenthical use during SET_SECCOMP_FILTER to avoid operator
      precedence undermining attack surface reduction (caught by
      segoon@openwall.com).  Opted to waste bytes on () than reparse to
      avoid OP_OR precedence overriding extend_filter's intentions.
    - remove more lingering references to @state
    - fix incorrect compat mismatch check (anyone up for a Tested-By?)
v7: - disallow seccomp_filter inheritance across fork except when seccomp
      is active.  This avoids filters leaking across processes when they
      are not actively in use but ensure an allowed fork/clone doesn't drop
      filters.
    - remove the Mode: print from show as it reflected current and not the
      filters holder.
v6: - clean up minor unnecessary changes (empty lines, ordering, etc)
    - fix one overly long line
    - add refcount overflow BUG_ON
v5: - drop mutex usage when the task_struct is safe to access directly
v4: - move off of RCU to a read/write guarding mutex after
      paulmck@linux.vnet.ibm.com's feedback (mem leak, rcu fail)
    - stopped inc/dec refcounts in mutex guard sections
    - added required changes to init the mutex in INIT_TASK and safely
      lock around fork inheritance.
    - added id_type support to the prctl interface to support using
      ftrace event ids as an alternative to syscall numbers.  Behavior
      is identical otherwise (as per discussion with mingo@elte.hu)
v3: - always block execve calls (as per torvalds@linux-foundation.org)
    - add __NR_seccomp_execve(_32) to seccomp-supporting arches
    - ensure compat tasks can't reach ftrace:syscalls
    - dropped new defines for seccomp modes.
    - two level array instead of hlists (sugg. by olofj@chromium.org)
    - added generic Kconfig entry that is not connected.
    - dropped internal seccomp.h
    - move prctl helpers to seccomp_filter
    - killed seccomp_t typedef (as per checkpatch)
v2: - changed to use the existing syscall number ABI.
    - prctl changes to minimize parsing in the kernel:
      prctl(PR_SET_SECCOMP, {0 | 1 | 2 }, { 0 | ON_EXEC });
      prctl(PR_SET_SECCOMP_FILTER, __NR_read, "fd == 5");
      prctl(PR_CLEAR_SECCOMP_FILTER, __NR_read);
      prctl(PR_GET_SECCOMP_FILTER, __NR_read, buf, bufsize);
    - defined PR_SECCOMP_MODE_STRICT and ..._FILTER
    - added flags
    - provide a default fail syscall_nr_to_meta in ftrace
    - provides fallback for unhooked system calls
    - use -ENOSYS and ERR_PTR(-ENOSYS) for stubbed functionality
    - added kernel/seccomp.h to share seccomp.c/seccomp_filter.c
    - moved to a hlist and 4 bit hash of linked lists
    - added support to operate without CONFIG_FTRACE_SYSCALLS
    - moved Kconfig support next to SECCOMP
    - made Kconfig entries dependent on EXPERIMENTAL
    - added macros to avoid ifdefs from kernel/fork.c
    - added compat task/filter matching
    - drop seccomp.h inclusion in sched.h and drop seccomp_t
    - added Filtering to "show" output
    - added on_exec state dup'ing when enabling after a fast-path accept.

Signed-off-by: Will Drewry <wad@chromium.org>

BUG=chromium-os:14496
TEST=built in x86-alex.  Out of tree commandline helper test confirms functionality works.  Will check in a test into the minijail repo which can be used from autotest.

Change-Id: I901595e3399914783739d113a058d83550ddf8e2
Reviewed-on: http://gerrit.chromium.org/gerrit/4814
Reviewed-by: Sonny Rao <sonnyrao@chromium.org>
Tested-by: Will Drewry <wad@chromium.org>
Signed-off-by: Kees Cook <kees.cook@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>

4 files changed, 136 insertions, 4 deletions

diff --git a/include/linux/init_task.h b/include/linux/init_task.h
index 580f70c0239..56deaf25371 100644
--- a/include/linux/init_task.h
+++ b/include/linux/init_task.h
@@ -126,6 +126,17 @@ extern struct cred init_cred;
 # define INIT_PERF_EVENTS(tsk)
 #endif
 
+#ifdef CONFIG_SECCOMP_FILTER
+# define INIT_SECCOMP_FILTER(tsk)                                       \
+        .seccomp = { \
+                .filters_guard = \
+                        __MUTEX_INITIALIZER(tsk.seccomp.filters_guard), \
+        },
+#else
+# define INIT_SECCOMP_FILTER(tsk)
+#endif
+
+
 /*
  *  INIT_TASK is used to set up the first task table, touch at
  * your own risk!. Base=0, limit=0x1fffff (=2MB)
@@ -188,6 +199,7 @@ extern struct cred init_cred;
         .dirties = INIT_PROP_LOCAL_SINGLE(dirties),                     \
         INIT_IDS                                                        \
         INIT_PERF_EVENTS(tsk)                                           \
+        INIT_SECCOMP_FILTER(tsk)                                        \
         INIT_TRACE_IRQFLAGS                                             \
         INIT_LOCKDEP                                                    \
         INIT_FTRACE_GRAPH                                               \
diff --git a/include/linux/prctl.h b/include/linux/prctl.h
index da7837bbd2c..74deeb717c6 100644
--- a/include/linux/prctl.h
+++ b/include/linux/prctl.h
@@ -64,6 +64,13 @@
 #define PR_GET_SECCOMP  21
 #define PR_SET_SECCOMP  22
 
+/* Get/set process seccomp filters */
+#define PR_GET_SECCOMP_FILTER   35
+#define PR_SET_SECCOMP_FILTER   36
+#define PR_CLEAR_SECCOMP_FILTER 37
+#  define PR_SECCOMP_FILTER_SYSCALL     0
+#  define PR_SECCOMP_FILTER_EVENT       1
+
 /* Get/set the capability bounding set (as per security/commoncap.c) */
 #define PR_CAPBSET_READ 23
 #define PR_CAPBSET_DROP 24
diff --git a/include/linux/sched.h b/include/linux/sched.h
index 7badc5d9f07..9cdfbf4a97a 100644
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -1411,7 +1411,7 @@ struct task_struct {
         uid_t loginuid;
         unsigned int sessionid;
 #endif
-        seccomp_t seccomp;
+        struct seccomp_struct seccomp;
 
 /* Thread group tracking */
         u32 parent_exec_id;
diff --git a/include/linux/seccomp.h b/include/linux/seccomp.h
index 167c33361d9..f81a9827334 100644
--- a/include/linux/seccomp.h
+++ b/include/linux/seccomp.h
@@ -1,13 +1,35 @@
 #ifndef _LINUX_SECCOMP_H
 #define _LINUX_SECCOMP_H
 
+struct seq_file;
 
 #ifdef CONFIG_SECCOMP
 
+#include <linux/errno.h>
 #include <linux/thread_info.h>
+#include <linux/types.h>
+#include <linux/mutex.h>
 #include <asm/seccomp.h>
 
-typedef struct { int mode; } seccomp_t;
+struct seccomp_filters;
+/**
+ * struct seccomp_struct - the state of a seccomp'ed process
+ *
+ * @mode:
+ *     if this is 1, the process is under standard seccomp rules
+ *             is 13, the process is only allowed to make system calls where
+ *                    associated filters evaluate successfully.
+ * @filters: Metadata for filters if using CONFIG_SECCOMP_FILTER.
+ *           @filters assignment and use should always be guarded by
+ *           @filters_guard.
+ */
+struct seccomp_struct {
+        int mode;
+#ifdef CONFIG_SECCOMP_FILTER
+        struct mutex filters_guard;
+        struct seccomp_filters *filters;
+#endif
+};
 
 extern void __secure_computing(int);
 static inline void secure_computing(int this_syscall)
@@ -23,8 +45,7 @@ extern long prctl_set_seccomp(unsigned long);
 
 #include <linux/errno.h>
 
-typedef struct { } seccomp_t;
-
+struct seccomp_struct { };
 #define secure_computing(x) do { } while (0)
 
 static inline long prctl_get_seccomp(void)
@@ -39,4 +60,96 @@ static inline long prctl_set_seccomp(unsigned long arg2)
 
 #endif /* CONFIG_SECCOMP */
 
+#ifdef CONFIG_SECCOMP_FILTER
+
+#define seccomp_filter_init_task(_tsk) do { \
+        mutex_init(&(_tsk)->seccomp.filters_guard); \
+        (_tsk)->seccomp.filters = NULL; \
+} while (0);
+
+/* Do nothing unless seccomp filtering is active. If not, the execve boundary
+ * can not be cleanly enforced and preset filters may leak across execve calls.
+ */
+#define seccomp_filter_fork(_tsk, _orig) do { \
+        if ((_tsk)->seccomp.mode) { \
+                (_tsk)->seccomp.mode = (_orig)->seccomp.mode; \
+                mutex_lock(&(_orig)->seccomp.filters_guard); \
+                (_tsk)->seccomp.filters = \
+                        get_seccomp_filters((_orig)->seccomp.filters); \
+                mutex_unlock(&(_orig)->seccomp.filters_guard); \
+        } \
+} while (0);
+
+/* No locking is needed here because the task_struct will
+ * have no parallel consumers.
+ */
+#define seccomp_filter_free_task(_tsk) do { \
+        put_seccomp_filters((_tsk)->seccomp.filters); \
+} while (0);
+
+extern int seccomp_show_filters(struct seccomp_filters *filters,
+                                struct seq_file *);
+extern long seccomp_set_filter(int, char *);
+extern long seccomp_clear_filter(int);
+extern long seccomp_get_filter(int, char *, unsigned long);
+
+extern long prctl_set_seccomp_filter(unsigned long, unsigned long,
+                                     char __user *);
+extern long prctl_get_seccomp_filter(unsigned long, unsigned long,
+                                     char __user *, unsigned long);
+extern long prctl_clear_seccomp_filter(unsigned long, unsigned long);
+
+extern struct seccomp_filters *get_seccomp_filters(struct seccomp_filters *);
+extern void put_seccomp_filters(struct seccomp_filters *);
+
+extern int seccomp_test_filters(int);
+extern void seccomp_filter_log_failure(int);
+
+#else  /* CONFIG_SECCOMP_FILTER */
+
+struct seccomp_filters { };
+#define seccomp_filter_init_task(_tsk) do { } while (0);
+#define seccomp_filter_fork(_tsk, _orig) do { } while (0);
+#define seccomp_filter_free_task(_tsk) do { } while (0);
+
+static inline int seccomp_show_filters(struct seccomp_filters *filters,
+                                       struct seq_file *m)
+{
+        return -ENOSYS;
+}
+
+static inline long seccomp_set_filter(int syscall_nr, char *filter)
+{
+        return -ENOSYS;
+}
+
+static inline long seccomp_clear_filter(int syscall_nr)
+{
+        return -ENOSYS;
+}
+
+static inline long seccomp_get_filter(int syscall_nr,
+                                      char *buf, unsigned long available)
+{
+        return -ENOSYS;
+}
+
+static inline long prctl_set_seccomp_filter(unsigned long a2, unsigned long a3,
+                                            char __user *a4)
+{
+        return -ENOSYS;
+}
+
+static inline long prctl_clear_seccomp_filter(unsigned long a2,
+                                              unsigned long a3)
+{
+        return -ENOSYS;
+}
+
+static inline long prctl_get_seccomp_filter(unsigned long a2, unsigned long a3,
+                                            char __user *a4, unsigned long a5)
+{
+        return -ENOSYS;
+}
+#endif  /* CONFIG_SECCOMP_FILTER */
 #endif /* _LINUX_SECCOMP_H */