cooker: generate OCI seccomp profile

Generate the OCI seccomp profile instead of directly the BPF filter. The
seccomp profile will be used consquently by the container runtime as
input in order to generate the BPF filter.

Example with mknod:
$ seitan-cooker -g /tmp/gluten -p /tmp/scmp_prof.json -s seccomp.json -i demo/mknod.hjson
$ seitan -s /tmp/seitan.sock -i /tmp/gluten
$ podman run --cap-drop ALL
  --security-opt=seccomp=/tmp/scmp_prof.json  \
  --annotation run.oci.seccomp.receiver=/tmp/seitan.sock  \
  -ti fedora   \
  sh -c 'mknod /dev/lol c 1 7 && ls /dev/lol'
/dev/lol

Signed-off-by: Alice Frosi <afrosi@redhat.com>

1 files changed, 196 insertions, 0 deletions

diff --git a/cooker/seccomp_profile.h b/cooker/seccomp_profile.h
new file mode 100644
index 0000000..75e81dd
--- /dev/null
+++ b/cooker/seccomp_profile.h
@@ -0,0 +1,196 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later
+* Copyright 2023 Red Hat GmbH
+* Author: Alice Frosi <afrosi@redhat.com>
+*/
+
+#ifndef SCMP_PROFILE_H_
+#define SCMP_PROFILE_H_
+
+#include <linux/limits.h>
+#include <stdint.h>
+#include <unistd.h>
+
+#include "parson.h"
+#include "util.h"
+#include "cooker.h"
+#include "gluten.h"
+
+#define STRING_MAX 2000
+#define COMMENT_MAX 1000
+/* TODO define it in a common place */
+#define SYSCALL_MAX 512
+#define MAX_SUB_ARCHES 3
+#define check_JSON_status(status)                          \
+	do {                                               \
+		if (status == JSONFailure)                 \
+			die("failing parsing JSON value"); \
+	} while (0)
+/*
+* Definition for the OCI Seccomp Specification:
+* https://github.com/opencontainers/runtime-spec/blob/main/config-linux.md#seccomp
+*/
+extern const char *scmp_act_str[];
+
+enum scmp_act_type {
+	ACT_KILLTHREAD,
+	ACT_TRAP,
+	ACT_ERRNO,
+	ACT_TRACE,
+	ACT_ALLOW,
+	ACT_LOG,
+	ACT_NOTIFY,
+};
+
+// Define operators for syscall arguments in Seccomp
+extern const char *scmp_op_str[];
+
+enum scmp_op_type {
+	OP_NO_CHECK,
+	OP_NOTEQUAL,
+	OP_LESSTHAN,
+	OP_LESSEQUAL,
+	OP_EQUALTO,
+	OP_GREATEREQUAL,
+	OP_GREATERTHAN,
+	OP_MASKEDEQUAL,
+};
+
+// Arg used for matching specific syscall arguments in Seccomp
+struct scmp_arg {
+	bool set;
+	uint32_t index;
+	uint64_t value;
+	uint64_t valueTwo;
+	enum scmp_op_type op;
+};
+
+extern const char *arch_str[];
+
+enum arch_type {
+	ARCH_NATIVE = 0,
+	ARCH_X86,
+	ARCH_X86_64,
+	ARCH_X32,
+	ARCH_ARM,
+	ARCH_AARCH64,
+	ARCH_MIPS,
+	ARCH_MIPS64,
+	ARCH_MIPS64N2,
+	ARCH_MIPSEL,
+	ARCH_MIPSEL6,
+	ARCH_MIPSEL6N32,
+	ARCH_PPC,
+	ARCH_PPC64,
+	ARCH_PPC64LE,
+	ARCH_S390,
+	ARCH_S390X,
+	ARCH_PARISC,
+	ARCH_PARISC6,
+	ARCH_RISCV64,
+	ARCH_MAX = ARCH_RISCV64,
+};
+
+// Architecture is used to represent a specific architecture
+// and its sub-architectures
+struct architecture {
+	enum arch_type arch;
+	enum arch_type subArches[MAX_SUB_ARCHES];
+};
+
+enum caps_type {
+	CAP_CHOWN = 0,
+	CAP_DAC_OVERRIDE = 1,
+	CAP_DAC_READ_SEARCH = 2,
+	CAP_FOWNER = 3,
+	CAP_FSETID = 4,
+	CAP_KILL = 5,
+	CAP_SETGID = 6,
+	CAP_SETUID = 7,
+	CAP_SETPCAP = 8,
+	CAP_LINUX_IMMUTABLE = 9,
+	CAP_NET_BIND_SERVICE = 10,
+	CAP_NET_BROADCAST = 11,
+	CAP_NET_ADMIN = 12,
+	CAP_NET_RAW = 13,
+	CAP_IPC_LOCK = 14,
+	CAP_IPC_OWNER = 15,
+	CAP_SYS_MODULE = 16,
+	CAP_SYS_RAWIO = 17,
+	CAP_SYS_CHROOT = 18,
+	CAP_SYS_PTRACE = 19,
+	CAP_SYS_PACCT = 20,
+	CAP_SYS_ADMIN = 21,
+	CAP_SYS_BOOT = 22,
+	CAP_SYS_NICE = 23,
+	CAP_SYS_RESOURCE = 24,
+	CAP_SYS_TIME = 25,
+	CAP_SYS_TTY_CONFIG = 26,
+	CAP_MKNOD = 27,
+	CAP_LEASE = 28,
+	CAP_AUDIT_WRITE = 29,
+	CAP_AUDIT_CONTROL = 30,
+	CAP_SETFCAP = 31,
+	CAP_MAC_OVERRIDE = 32,
+	CAP_MAC_ADMIN = 33,
+	CAP_SYSLOG = 34,
+	CAP_WAKE_ALARM = 35,
+	CAP_BLOCK_SUSPEND = 36,
+	CAP_AUDIT_READ = 37,
+	CAP_PERFMON = 38,
+	CAP_BPF = 39,
+	CAP_CHECKPOINT_RESTORE = 40,
+	CAP_LAST_CAP = 41,
+	CAPS_MAX = CAP_LAST_CAP,
+};
+
+// Filter is used to conditionally apply Seccomp rules
+struct scmp_filter {
+	enum caps_type caps[CAPS_MAX];
+	enum arch_type arches[ARCH_MAX];
+};
+
+extern const char *scmp_filter_str[];
+
+enum scmp_filter_type {
+	SCMP_FILT_FLAG_TSYNC,
+	SCMP_FILT_FLAG_LOG,
+	SCMP_FILT_FLAG_SPEC_ALLOW,
+	SCMP_FILT_FLAG_WAIT_KILLABLE_RECV,
+	SCMP_FILT_FLAG_MAX = SCMP_FILT_FLAG_WAIT_KILLABLE_RECV,
+};
+
+// Syscall is used to match a group of syscalls in Seccomp
+struct syscall {
+	/* here we use a single syscall per entry*/
+	char names[STRING_MAX];
+	enum scmp_act_type action;
+	struct scmp_arg args[6];
+	char comment[COMMENT_MAX];
+	enum scmp_filter_type includes;
+	enum scmp_filter_type excludes;
+	char err[STRING_MAX];
+};
+
+// Seccomp represents the config for a seccomp profile for syscall restriction.
+struct seccomp {
+	enum scmp_act_type default_action;
+
+	char defaultErrno[STRING_MAX];
+
+	// Architectures is kept to maintain backward compatibility with the old
+	// seccomp profile.
+	enum arch_type architectures[ARCH_MAX];
+	struct architecture archMap[ARCH_MAX];
+	struct syscall syscalls[SYSCALL_MAX];
+	enum scmp_filter_type flags[SCMP_FILT_FLAG_MAX];
+	char listenerPath[PATH_MAX];
+	char listenerMetadata[PATH_MAX];
+};
+
+void scmp_profile_init();
+void scmp_profile_notify(const char *name);
+void scmp_profile_add_check(int index, union value v, union value mask,
+			    enum op_cmp_type cmp);
+void scmp_profile_write(const char *file);
+void scmp_profile_flush_args();
+#endif