/* SPDX-License-Identifier: GPL-2.0-or-later * Copyright 2023 Red Hat GmbH * Author: Alice Frosi */ #ifndef SCMP_PROFILE_H_ #define SCMP_PROFILE_H_ #include #include #include #include "parson.h" #include "util.h" #include "cooker.h" #include "gluten.h" #define STRING_MAX 2000 #define COMMENT_MAX 1000 /* TODO define it in a common place */ #define SYSCALL_MAX 512 #define MAX_SUB_ARCHES 3 #define check_JSON_status(status) \ do { \ if (status == JSONFailure) \ die("failing parsing JSON value"); \ } while (0) /* * Definition for the OCI Seccomp Specification: * https://github.com/opencontainers/runtime-spec/blob/main/config-linux.md#seccomp */ extern const char *scmp_act_str[]; enum scmp_act_type { ACT_KILLTHREAD, ACT_TRAP, ACT_ERRNO, ACT_TRACE, ACT_ALLOW, ACT_LOG, ACT_NOTIFY, }; // Define operators for syscall arguments in Seccomp extern const char *scmp_op_str[]; enum scmp_op_type { OP_NO_CHECK, OP_NOTEQUAL, OP_LESSTHAN, OP_LESSEQUAL, OP_EQUALTO, OP_GREATEREQUAL, OP_GREATERTHAN, OP_MASKEDEQUAL, }; // Arg used for matching specific syscall arguments in Seccomp struct scmp_arg { bool set; uint32_t index; uint64_t value; uint64_t valueTwo; enum scmp_op_type op; }; extern const char *arch_str[]; enum arch_type { ARCH_NATIVE = 0, ARCH_X86, ARCH_X86_64, ARCH_X32, ARCH_ARM, ARCH_AARCH64, ARCH_MIPS, ARCH_MIPS64, ARCH_MIPS64N2, ARCH_MIPSEL, ARCH_MIPSEL6, ARCH_MIPSEL6N32, ARCH_PPC, ARCH_PPC64, ARCH_PPC64LE, ARCH_S390, ARCH_S390X, ARCH_PARISC, ARCH_PARISC6, ARCH_RISCV64, ARCH_MAX = ARCH_RISCV64, }; // Architecture is used to represent a specific architecture // and its sub-architectures struct architecture { enum arch_type arch; enum arch_type subArches[MAX_SUB_ARCHES]; }; enum caps_type { CAP_CHOWN = 0, CAP_DAC_OVERRIDE = 1, CAP_DAC_READ_SEARCH = 2, CAP_FOWNER = 3, CAP_FSETID = 4, CAP_KILL = 5, CAP_SETGID = 6, CAP_SETUID = 7, CAP_SETPCAP = 8, CAP_LINUX_IMMUTABLE = 9, CAP_NET_BIND_SERVICE = 10, CAP_NET_BROADCAST = 11, CAP_NET_ADMIN = 12, CAP_NET_RAW = 13, CAP_IPC_LOCK = 14, CAP_IPC_OWNER = 15, CAP_SYS_MODULE = 16, CAP_SYS_RAWIO = 17, CAP_SYS_CHROOT = 18, CAP_SYS_PTRACE = 19, CAP_SYS_PACCT = 20, CAP_SYS_ADMIN = 21, CAP_SYS_BOOT = 22, CAP_SYS_NICE = 23, CAP_SYS_RESOURCE = 24, CAP_SYS_TIME = 25, CAP_SYS_TTY_CONFIG = 26, CAP_MKNOD = 27, CAP_LEASE = 28, CAP_AUDIT_WRITE = 29, CAP_AUDIT_CONTROL = 30, CAP_SETFCAP = 31, CAP_MAC_OVERRIDE = 32, CAP_MAC_ADMIN = 33, CAP_SYSLOG = 34, CAP_WAKE_ALARM = 35, CAP_BLOCK_SUSPEND = 36, CAP_AUDIT_READ = 37, CAP_PERFMON = 38, CAP_BPF = 39, CAP_CHECKPOINT_RESTORE = 40, CAP_LAST_CAP = 41, CAPS_MAX = CAP_LAST_CAP, }; // Filter is used to conditionally apply Seccomp rules struct scmp_filter { enum caps_type caps[CAPS_MAX]; enum arch_type arches[ARCH_MAX]; }; extern const char *scmp_filter_str[]; enum scmp_filter_type { SCMP_FILT_FLAG_TSYNC, SCMP_FILT_FLAG_LOG, SCMP_FILT_FLAG_SPEC_ALLOW, SCMP_FILT_FLAG_WAIT_KILLABLE_RECV, SCMP_FILT_FLAG_MAX = SCMP_FILT_FLAG_WAIT_KILLABLE_RECV, }; // Syscall is used to match a group of syscalls in Seccomp struct syscall { /* here we use a single syscall per entry*/ char names[STRING_MAX]; enum scmp_act_type action; struct scmp_arg args[6]; char comment[COMMENT_MAX]; enum scmp_filter_type includes; enum scmp_filter_type excludes; char err[STRING_MAX]; }; // Seccomp represents the config for a seccomp profile for syscall restriction. struct seccomp { enum scmp_act_type default_action; char defaultErrno[STRING_MAX]; // Architectures is kept to maintain backward compatibility with the old // seccomp profile. enum arch_type architectures[ARCH_MAX]; struct architecture archMap[ARCH_MAX]; struct syscall syscalls[SYSCALL_MAX]; enum scmp_filter_type flags[SCMP_FILT_FLAG_MAX]; char listenerPath[PATH_MAX]; char listenerMetadata[PATH_MAX]; }; void scmp_profile_init(); void scmp_profile_notify(const char *name); void scmp_profile_add_check(int index, union value v, union value mask, enum op_cmp_type cmp); void scmp_profile_write(const char *file); void scmp_profile_flush_args(); #endif