path: root/demo/iptables.hjson

// SPDX-License-Identifier: GPL-2.0-or-later

/* seitan - Syscall Expressive Interpreter, Transformer and Notifier
 *
 * demo/iptables.hjson - Example for iptables-nft: fetch ruleset, add rules
 *
 * Copyright (c) 2024 Red Hat GmbH
 * Author: Stefano Brivio <sbrivio@redhat.com>
 *
 * Example of stand-alone usage:
 *
 *   ./seitan-cooker \
 *       -i demo/iptables.hjson -g demo/iptables.gluten -f demo/iptables.bpf
 *   ./seitan-eater \
 *       -i demo/iptables.bpf -- /sbin/iptables -t mangle -A FORWARD -j LOG
 *   # blocks
 *
 *   ./seitan -p $(pgrep seitan-eater) -i demo/iptables.gluten
 *   # as root or with CAP_NET_ADMIN: adds rule on behalf of caller
 *
 *   ./seitan-eater \
 *       -i demo/iptables.bpf -- /sbin/iptables -t mangle -D FORWARD -j LOG
 *   # blocks
 *
 *   ./seitan -p $(pgrep seitan-eater) -i demo/iptables.gluten
 *   # as root or with CAP_NET_ADMIN: deletes rule on behalf of caller
 */

[
  /* When the target process tries to open a netlink socket for netfilter, open
   * one on behalf of the caller, owned by us, and replace it in the caller.
   *
   * For netlink operations, there's always a double permission check:
   * both opener of the socket and sender of the messages need to have matching
   * capabilities, see netlink_ns_capable() in net/netlink/af_netlink.c.
   *
   * This block takes care of the first part.
   */
  {
    "match": {
      "socket": {
        "family"	: "netlink",
        "type"		: "raw",
        "protocol"	: "nl_netfilter"
      }
      /* socket(2) doesn't point to memory, so we can safely let any unrelated
       * system calls proceed, directly in the caller, without replaying it
       * ourselves.
       */
    },
    "call": {
      "socket": {
        "family"	: "netlink",
        "type"		: "raw",
        "flags"		: 0,
        "protocol"	: "nl_netfilter"
      },
      "ret": "fd"
    },
    "fd": {
      "src": { "get": "fd" },
      "close_on_exec": true,
      "return": true
    }
  },

  /* Second part: send messages on behalf of the target process.
   *
   * First, the ones iptables needs to check for nftables compatibility, and to
   * fetch tables, chains, rules and sets, including their generation (version)
   * identifier.
   *
   * These are simple messages, without batches, using sendto().
   */
  {
    "match": {
      "sendto": {
        "fd": {
          "set": "fd"
        },
        "buf": {
          "set": "buf",
          "value": {
            "netlink": {
              "type": {
                "in": [
                  "nf_compat_get",
                  "nf_getgen",
                  "nf_gettable",
                  "nf_getchain",
                  "nf_getrule",
                  "nf_getset"
                ]
              }
            }
          }
        },
        "len" : { "set": "len" },
        "addr": { "set": "addr" }
      }
    },
    "call": {
      "sendto": {
          "fd": { "get": "fd" },
          "buf": { "get": "buf" },
          "len": { "get": "len" },
          "addr": { "get": "addr" },
          "flags": 0
      },
      "ret": "rc"
    },
    "return": { "value": "rc", "error": "rc" }
  },

  /* sendto(2) points to memory, so we need to match on any unrelated sendto()
   * call and replay it ourselves, but pretending we're the original process
   * (see "context" below). Otherwise, a thread of the target process can fool
   * us into sending other messages with our capability set.
   */
  {
    "match": {
      "sendto": {
        "fd": { "set": "fd" },
        "buf": { "set": "buf" },
        "len": { "set": "len" },
        "addr": { "set": "addr" },
        "flags": { "set": "flags" }
      }
    },
    "call": {
      "sendto": {
        "fd": { "get": "fd" },
        "buf": { "get": "buf" },
        "len": { "get": "len" },
        "addr": { "get": "addr" },
        "flags": { "get": "flags" }
      },
      "context": { "uid": "caller", "gid": "caller" }
    }
  },

  /* Now deal with the actual rule insertion or deletion: those are batched
   * messages, using sendmsg(). Replay the message and relay return code and any
   * error back.
   */
  {
    "match": {
      "sendmsg": {
        "fd": { "set": "fd" },
        "msg": {
          "iov": {
            "set": "buf",
            "value": {
              "netlink": {
                "type": { "in": [ "nf_newrule", "nf_delrule" ] }
              }
            }
          }
        }
      }
    },
    "call": {
      "sendmsg": {
        "fd": { "get": "fd" },
        "msg": {
          "name": {
            "family": "netlink",
            "pid": 0,
            "groups": 0
          },
          "iovlen": 1,
          "iov": { "get": "buf" }
        },
        "flags": 0
      },
      "ret": "rc"
    },
    "return": { "value": "rc", "error": "rc" }
  },

  /* Same as sendto(2): sendmsg(2) points to memory. Replay any unrelated system
   * call with the credentials from the target process.
   */
  {
    "match": {
      "sendmsg": {
        "fd": { "set": "fd" },
        "msg": {
          "name": { "set": "name" },
          "namelen": { "set": "namelen" },
          "iov": { "set": "buf" },
          "control": { "set": "control" },
          "controllen": { "set": "controllen" }
        },
        "flags": { "set": "flags" }
      }
    },
    "call": {
      "sendmsg": {
        "fd": { "get": "fd" },
        "msg": {
          "name": { "get": "name" },
          "namelen": { "get": "namelen" },
          "iov": { "get": "buf" },
          "iovlen": 1,
          "control": { "get": "control" },
          "controllen": { "get": "controllen" }
        },
        "flags": { "get": "flags" }
      },
      "context": { "uid": "caller", "gid": "caller" }
    }
  }
]