Diffstat (limited to 'cooker/seccomp_profile.h')
-rw-r--r-- | cooker/seccomp_profile.h | 196 |
1 files changed, 196 insertions, 0 deletions
diff --git a/cooker/seccomp_profile.h b/cooker/seccomp_profile.h
new file mode 100644
index 0000000..75e81dd
--- /dev/null
+++ b/cooker/seccomp_profile.h
@@ -0,0 +1,196 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later
+* Copyright 2023 Red Hat GmbH
+* Author: Alice Frosi <afrosi@redhat.com>
+*/
+
+#ifndef SCMP_PROFILE_H_
+#define SCMP_PROFILE_H_
+
+#include <linux/limits.h>
+#include <stdint.h>
+#include <unistd.h>
+
+#include "parson.h"
+#include "util.h"
+#include "cooker.h"
+#include "gluten.h"
+
+#define STRING_MAX 2000
+#define COMMENT_MAX 1000
+/* TODO define it in a common place */
+#define SYSCALL_MAX 512
+#define MAX_SUB_ARCHES 3
+#define check_JSON_status(status) \
+ do { \
+ if (status == JSONFailure) \
+ die("failing parsing JSON value"); \
+ } while (0)
+/*
+* Definition for the OCI Seccomp Specification:
+* https://github.com/opencontainers/runtime-spec/blob/main/config-linux.md#seccomp
+*/
+extern const char *scmp_act_str[];
+
+enum scmp_act_type {
+ ACT_KILLTHREAD,
+ ACT_TRAP,
+ ACT_ERRNO,
+ ACT_TRACE,
+ ACT_ALLOW,
+ ACT_LOG,
+ ACT_NOTIFY,
+};
+
+// Define operators for syscall arguments in Seccomp
+extern const char *scmp_op_str[];
+
+enum scmp_op_type {
+ OP_NO_CHECK,
+ OP_NOTEQUAL,
+ OP_LESSTHAN,
+ OP_LESSEQUAL,
+ OP_EQUALTO,
+ OP_GREATEREQUAL,
+ OP_GREATERTHAN,
+ OP_MASKEDEQUAL,
+};
+
+// Arg used for matching specific syscall arguments in Seccomp
+struct scmp_arg {
+ bool set;
+ uint32_t index;
+ uint64_t value;
+ uint64_t valueTwo;
+ enum scmp_op_type op;
+};
+
+extern const char *arch_str[];
+
+enum arch_type {
+ ARCH_NATIVE = 0,
+ ARCH_X86,
+ ARCH_X86_64,
+ ARCH_X32,
+ ARCH_ARM,
+ ARCH_AARCH64,
+ ARCH_MIPS,
+ ARCH_MIPS64,
+ ARCH_MIPS64N2,
+ ARCH_MIPSEL,
+ ARCH_MIPSEL6,
+ ARCH_MIPSEL6N32,
+ ARCH_PPC,
+ ARCH_PPC64,
+ ARCH_PPC64LE,
+ ARCH_S390,
+ ARCH_S390X,
+ ARCH_PARISC,
+ ARCH_PARISC6,
+ ARCH_RISCV64,
+ ARCH_MAX = ARCH_RISCV64,
+};
+
+// Architecture is used to represent a specific architecture
+// and its sub-architectures
+struct architecture {
+ enum arch_type arch;
+ enum arch_type subArches[MAX_SUB_ARCHES];
+};
+
+enum caps_type {
+ CAP_CHOWN = 0,
+ CAP_DAC_OVERRIDE = 1,
+ CAP_DAC_READ_SEARCH = 2,
+ CAP_FOWNER = 3,
+ CAP_FSETID = 4,
+ CAP_KILL = 5,
+ CAP_SETGID = 6,
+ CAP_SETUID = 7,
+ CAP_SETPCAP = 8,
+ CAP_LINUX_IMMUTABLE = 9,
+ CAP_NET_BIND_SERVICE = 10,
+ CAP_NET_BROADCAST = 11,
+ CAP_NET_ADMIN = 12,
+ CAP_NET_RAW = 13,
+ CAP_IPC_LOCK = 14,
+ CAP_IPC_OWNER = 15,
+ CAP_SYS_MODULE = 16,
+ CAP_SYS_RAWIO = 17,
+ CAP_SYS_CHROOT = 18,
+ CAP_SYS_PTRACE = 19,
+ CAP_SYS_PACCT = 20,
+ CAP_SYS_ADMIN = 21,
+ CAP_SYS_BOOT = 22,
+ CAP_SYS_NICE = 23,
+ CAP_SYS_RESOURCE = 24,
+ CAP_SYS_TIME = 25,
+ CAP_SYS_TTY_CONFIG = 26,
+ CAP_MKNOD = 27,
+ CAP_LEASE = 28,
+ CAP_AUDIT_WRITE = 29,
+ CAP_AUDIT_CONTROL = 30,
+ CAP_SETFCAP = 31,
+ CAP_MAC_OVERRIDE = 32,
+ CAP_MAC_ADMIN = 33,
+ CAP_SYSLOG = 34,
+ CAP_WAKE_ALARM = 35,
+ CAP_BLOCK_SUSPEND = 36,
+ CAP_AUDIT_READ = 37,
+ CAP_PERFMON = 38,
+ CAP_BPF = 39,
+ CAP_CHECKPOINT_RESTORE = 40,
+ CAP_LAST_CAP = 41,
+ CAPS_MAX = CAP_LAST_CAP,
+};
+
+// Filter is used to conditionally apply Seccomp rules
+struct scmp_filter {
+ enum caps_type caps[CAPS_MAX];
+ enum arch_type arches[ARCH_MAX];
+};
+
+extern const char *scmp_filter_str[];
+
+enum scmp_filter_type {
+ SCMP_FILT_FLAG_TSYNC,
+ SCMP_FILT_FLAG_LOG,
+ SCMP_FILT_FLAG_SPEC_ALLOW,
+ SCMP_FILT_FLAG_WAIT_KILLABLE_RECV,
+ SCMP_FILT_FLAG_MAX = SCMP_FILT_FLAG_WAIT_KILLABLE_RECV,
+};
+
+// Syscall is used to match a group of syscalls in Seccomp
+struct syscall {
+ /* here we use a single syscall per entry*/
+ char names[STRING_MAX];
+ enum scmp_act_type action;
+ struct scmp_arg args[6];
+ char comment[COMMENT_MAX];
+ enum scmp_filter_type includes;
+ enum scmp_filter_type excludes;
+ char err[STRING_MAX];
+};
+
+// Seccomp represents the config for a seccomp profile for syscall restriction.
+struct seccomp {
+ enum scmp_act_type default_action;
+
+ char defaultErrno[STRING_MAX];
+
+ // Architectures is kept to maintain backward compatibility with the old
+ // seccomp profile.
+ enum arch_type architectures[ARCH_MAX];
+ struct architecture archMap[ARCH_MAX];
+ struct syscall syscalls[SYSCALL_MAX];
+ enum scmp_filter_type flags[SCMP_FILT_FLAG_MAX];
+ char listenerPath[PATH_MAX];
+ char listenerMetadata[PATH_MAX];
+};
+
+void scmp_profile_init();
+void scmp_profile_notify(const char *name);
+void scmp_profile_add_check(int index, union value v, union value mask,
+ enum op_cmp_type cmp);
+void scmp_profile_write(const char *file);
+void scmp_profile_flush_args();
+#endif |
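Review bot: `ARCH_MAX = ARCH_RISCV64` and `SCMP_FILT_FLAG_MAX = SCMP_FILT_FLAG_WAIT_KILLABLE_RECV` alias the last enumerator rather than the count, so `arches[ARCH_MAX]`, `architectures[ARCH_MAX]`, `archMap[ARCH_MAX]` and `flags[SCMP_FILT_FLAG_MAX]` hold one element too few: indexing by `ARCH_RISCV64` or `SCMP_FILT_FLAG_WAIT_KILLABLE_RECV` writes past the end, and filling them as a list of every value overflows as well. Whether the .c side indexes or appends is not visible here, but either use loses the last value; define the counts as `ARCH_MAX = ARCH_RISCV64 + 1,` and `SCMP_FILT_FLAG_MAX = SCMP_FILT_FLAG_WAIT_KILLABLE_RECV + 1,` (`CAPS_MAX` is only right because `CAP_LAST_CAP` was given the extra value 41 instead of aliasing `CAP_CHECKPOINT_RESTORE`, so one convention for all three `_MAX` values would avoid the trap). The empty parameter lists in `void scmp_profile_init();` and `void scmp_profile_flush_args();` are not prototypes in C11 — `(void)` turns a stray argument into a compile error instead of silent acceptance. `struct scmp_arg` uses `bool`, but none of the standard headers included here provides it; if `<stdbool.h>` is not pulled in through util.h or gluten.h, include it directly so the header stays self-contained.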