seccomp

package
v0.0.0-...-e4c45ee Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jun 20, 2024 License: Apache-2.0, MIT Imports: 11 Imported by: 0

Documentation

Overview

Package seccomp provides generation of basic seccomp filters. Currently, only little endian systems are supported.

Index

Constants

View Source 
const (
	LINUX_AUDIT_ARCH = linux.AUDIT_ARCH_X86_64
	SYS_SECCOMP      = 317
)
View Source 
const RuleIP = 6

RuleIP indicates what rules in the Rule array have to be applied to instruction pointer.

Variables

View Source 
var DenyNewExecMappings = MakeSyscallRules(map[uintptr]SyscallRule{
	unix.SYS_MMAP: PerArg{
		AnyValue{},
		AnyValue{},
		MaskedEqual(unix.PROT_EXEC, unix.PROT_EXEC),
	},
	unix.SYS_MPROTECT: PerArg{
		AnyValue{},
		AnyValue{},
		MaskedEqual(unix.PROT_EXEC, unix.PROT_EXEC),
	},
})

DenyNewExecMappings is a set of rules that denies creating new executable mappings and converting existing ones.

View Source 
var SyscallName = func(sysno uintptr) string {
	return fmt.Sprintf("syscall_%d", sysno)
}

SyscallName gives names to system calls. It is used purely for debugging purposes.

An alternate namer can be provided to the package at initialization time.

Functions

func Install 

func Install(rules SyscallRules, denyRules SyscallRules) error

Install generates BPF code based on the set of syscalls provided. It only allows syscalls that conform to the specification. Syscalls that violate the specification will trigger RET_KILL_PROCESS. If RET_KILL_PROCESS is not supported, violations will trigger RET_TRAP instead. RET_KILL_THREAD is not used because it only kills the offending thread and often keeps the sentry hanging.

denyRules describes forbidden syscalls. rules describes allowed syscalls. denyRules is executed before rules.

Be aware that RET_TRAP sends SIGSYS to the process and it may be ignored, making it possible for the process to continue running after a violation. However, it will leave a SECCOMP audit event trail behind. In any case, the syscall is still blocked from executing.

func MaskedEqual 

func MaskedEqual(mask, value uintptr) any

MaskedEqual specifies a value that matches the input after the input is masked (bitwise &) against the given mask. Can be used to verify that input only includes certain approved flags.

func SetFilter 

func SetFilter(instrs []bpf.Instruction) error

SetFilter installs the given BPF program.

func SetFilterInChild 

func SetFilterInChild(instrs []bpf.Instruction) unix.Errno

SetFilterInChild is equivalent to SetFilter, but:

  • It is safe to call after runtime.syscall_runtime_AfterForkInChild.

  • It requires that the calling goroutine cannot be moved to another thread, which either requires that runtime.LockOSThread() is in effect or that the caller is in fact in a fork()ed child process.

  • Since fork()ed child processes cannot perform heap allocation, it returns a unix.Errno rather than an error.

  • The race instrumentation has to be disabled for all functions that are called in a forked child.

Types

type AnyValue 

type AnyValue struct{}

AnyValue is marker to indicate any value will be accepted.

func (AnyValue) String 

func (AnyValue) String() string

type BuildStats 

type BuildStats struct {
	// SizeBeforeOptimizations and SizeAfterOptimizations correspond to the
	// number of instructions in the program before vs after optimization.
	SizeBeforeOptimizations, SizeAfterOptimizations int

	// BuildDuration is the amount of time it took to build the program (before
	// BPF bytecode optimizations).
	BuildDuration time.Duration

	// OptimizeDuration is the amount of time it took to run BPF bytecode
	// optimizations.
	OptimizeDuration time.Duration
}

BuildStats contains information about seccomp program generation.

func BuildProgram 

func BuildProgram(rules []RuleSet, defaultAction, badArchAction linux.BPFAction) ([]bpf.Instruction, BuildStats, error)

BuildProgram builds a BPF program from the given map of actions to matching SyscallRules. The single generated program covers all provided RuleSets.

type EqualTo 

type EqualTo uintptr

EqualTo specifies a value that needs to be strictly matched.

func (EqualTo) String 

func (a EqualTo) String() string

type GreaterThan 

type GreaterThan uintptr

GreaterThan specifies a value that needs to be strictly smaller.

func (GreaterThan) String 

func (a GreaterThan) String() string

type GreaterThanOrEqual 

type GreaterThanOrEqual uintptr

GreaterThanOrEqual specifies a value that needs to be smaller or equal.

func (GreaterThanOrEqual) String 

func (a GreaterThanOrEqual) String() string

type LessThan 

type LessThan uintptr

LessThan specifies a value that needs to be strictly greater.

func (LessThan) String 

func (a LessThan) String() string

type LessThanOrEqual 

type LessThanOrEqual uintptr

LessThanOrEqual specifies a value that needs to be greater or equal.

func NonNegativeFDCheck 

func NonNegativeFDCheck() LessThanOrEqual

NonNegativeFDCheck ensures an FD argument is a non-negative int.

func (LessThanOrEqual) String 

func (a LessThanOrEqual) String() string

type MatchAll 

type MatchAll struct{}

MatchAll implements `SyscallRule` and matches everything.

func (MatchAll) Render 

func (MatchAll) Render(program *syscallProgram, labelSet *labelSet)

Render implements `SyscallRule.Render`.

func (MatchAll) String 

func (MatchAll) String() string

String implements `SyscallRule.String`.

type NotEqual 

type NotEqual uintptr

NotEqual specifies a value that is strictly not equal.

func (NotEqual) String 

func (a NotEqual) String() string

type Or 

type Or []SyscallRule

Or expresses an "OR" (a disjunction) over a set of `SyscallRule`s. If an Or is empty, it will not match anything.

func (Or) Render 

func (or Or) Render(program *syscallProgram, labelSet *labelSet)

Render implements `SyscallRule.Render`.

func (Or) String 

func (or Or) String() string

String implements `SyscallRule.String`.

type PerArg 

type PerArg [7]any // 6 arguments + RIP

PerArg implements SyscallRule and verifies the syscall arguments and RIP.

For example: 

rule := PerArg{
	EqualTo(linux.ARCH_GET_FS | linux.ARCH_SET_FS), // arg0
}

func (PerArg) Render 

func (pa PerArg) Render(program *syscallProgram, labelSet *labelSet)

Render implements `SyscallRule.Render`.

func (PerArg) String 

func (pa PerArg) String() (s string)

String implements `SyscallRule.String`.

type RuleSet 

type RuleSet struct {
	Rules  SyscallRules
	Action linux.BPFAction

	// Vsyscall indicates that a check is made for a function being called
	// from kernel mappings. This is where the vsyscall page is located
	// (and typically) emulated, so this RuleSet will not match any
	// functions not dispatched from the vsyscall page.
	Vsyscall bool
}

RuleSet is a set of rules and associated action.

type SyscallRule 

type SyscallRule interface {
	// Render renders the syscall rule in the given `program`.
	// The emitted instructions **must** end up jumping to either
	// `labelSet.Matched()` or `labelSet.Mismatched()`; they may
	// not "fall through" to whatever instructions will be added
	// next into the program.
	Render(program *syscallProgram, labelSet *labelSet)

	// String returns a human-readable string representing what the rule does.
	String() string
}

SyscallRule expresses a set of rules to verify the arguments of a specific syscall.

type SyscallRules 

type SyscallRules struct {
	// contains filtered or unexported fields
}

SyscallRules maps syscall numbers to their corresponding rules.

For example: 

rules := MakeSyscallRules(map[uintptr]SyscallRule{
	syscall.SYS_FUTEX: Or{
		PerArg{
			AnyValue{},
			EqualTo(linux.FUTEX_WAIT | linux.FUTEX_PRIVATE_FLAG),
		},
		PerArg{
			AnyValue{},
			EqualTo(linux.FUTEX_WAKE | linux.FUTEX_PRIVATE_FLAG),
		},
	},
	syscall.SYS_GETPID: MatchAll{},
})

func MakeSyscallRules 

func MakeSyscallRules(rules map[uintptr]SyscallRule) SyscallRules

MakeSyscallRules returns a new SyscallRules with the given set of rules.

func NewSyscallRules 

func NewSyscallRules() SyscallRules

NewSyscallRules returns a new SyscallRules.

func (SyscallRules) Add 

func (sr SyscallRules) Add(sysno uintptr, r SyscallRule) SyscallRules

Add adds the given rule. It will create a new entry for a new syscall, otherwise it will append to the existing rules. Returns itself for chainability.

func (SyscallRules) Copy 

func (sr SyscallRules) Copy() SyscallRules

Copy returns a copy of these SyscallRules.

func (SyscallRules) Get 

func (sr SyscallRules) Get(sysno uintptr) SyscallRule

Get returns the rule defined for the given syscall number.

func (SyscallRules) Has 

func (sr SyscallRules) Has(sysno uintptr) bool

Has returns whether there is a rule defined for the given syscall number.

func (SyscallRules) Merge 

func (sr SyscallRules) Merge(other SyscallRules) SyscallRules

Merge merges the given SyscallRules. Returns itself for chainability.

func (SyscallRules) Remove 

func (sr SyscallRules) Remove(sysno uintptr)

Remove clears the syscall rule for the given syscall number. It will panic if there is no syscall rule for this syscall number.

func (SyscallRules) Set 

func (sr SyscallRules) Set(sysno uintptr, r SyscallRule) SyscallRules

Set sets the rule for the given syscall number. Panics if there is already a rule for this syscall number. This is useful for deterministic rules where the set of syscall rules is added in multiple chunks but is known to never overlap by syscall number. Returns itself for chainability.

func (SyscallRules) Size 

func (sr SyscallRules) Size() int

Size returns the number of syscall numbers for which a rule is defined.

func (SyscallRules) String 

func (sr SyscallRules) String() string

String returns a string representation of the syscall rules, one syscall per line.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.