security/hakurei
security/hakurei
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity
hakurei/sandbox/seccomp/presets.go
Ophestra 1a8840bebc
All checks were successful
Test / Create distribution (push) Successful in 32s
Details
Test / Sandbox (push) Successful in 1m45s
Details
Test / Hakurei (push) Successful in 2m49s
Details
Test / Sandbox (race detector) (push) Successful in 3m1s
Details
Test / Planterette (push) Successful in 3m31s
Details
Test / Hakurei (race detector) (push) Successful in 4m18s
Details
Test / Flake checks (push) Successful in 1m6s
Details
sandbox/seccomp: resolve rules natively 
This enables loading syscall filter policies from external cross-platform config files.

This also removes a significant amount of C code.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-07-01 22:11:32 +09:00

231 lines
7.5 KiB
Go
Raw Blame History

package seccomp
/* flatpak commit 4c3bf179e2e4a2a298cd1db1d045adaf3f564532 */
import "C"
import (
. "syscall"
)
type FilterPreset int
const (
// PresetExt are project-specific extensions.
PresetExt FilterPreset = 1 << iota
// PresetDenyNS denies namespace setup syscalls.
PresetDenyNS
// PresetDenyTTY denies faking input.
PresetDenyTTY
// PresetDenyDevel denies development-related syscalls.
PresetDenyDevel
// PresetLinux32 sets PER_LINUX32.
PresetLinux32
)
func preparePreset(fd int, presets FilterPreset, flags PrepareFlag) error {
allowedPersonality := PER_LINUX
if presets&PresetLinux32 != 0 {
allowedPersonality = PER_LINUX32
}
presetDevelFinal := presetDevel(ScmpDatum(allowedPersonality))
l := len(presetCommon)
if presets&PresetDenyNS != 0 {
l += len(presetNamespace)
}
if presets&PresetDenyTTY != 0 {
l += len(presetTTY)
}
if presets&PresetDenyDevel != 0 {
l += len(presetDevelFinal)
}
if flags&AllowMultiarch == 0 {
l += len(presetEmu)
}
if presets&PresetExt != 0 {
l += len(presetCommonExt)
if presets&PresetDenyNS != 0 {
l += len(presetNamespaceExt)
}
if flags&AllowMultiarch == 0 {
l += len(presetEmuExt)
}
}
rules := make([]NativeRule, 0, l)
rules = append(rules, presetCommon...)
if presets&PresetDenyNS != 0 {
rules = append(rules, presetNamespace...)
}
if presets&PresetDenyTTY != 0 {
rules = append(rules, presetTTY...)
}
if presets&PresetDenyDevel != 0 {
rules = append(rules, presetDevelFinal...)
}
if flags&AllowMultiarch == 0 {
rules = append(rules, presetEmu...)
}
if presets&PresetExt != 0 {
rules = append(rules, presetCommonExt...)
if presets&PresetDenyNS != 0 {
rules = append(rules, presetNamespaceExt...)
}
if flags&AllowMultiarch == 0 {
rules = append(rules, presetEmuExt...)
}
}
return Prepare(fd, rules, flags)
}
var (
presetCommon = []NativeRule{
/* Block dmesg */
{C.int(SYS_SYSLOG), C.int(EPERM), nil},
/* Useless old syscall */
{C.int(SYS_USELIB), C.int(EPERM), nil},
/* Don't allow disabling accounting */
{C.int(SYS_ACCT), C.int(EPERM), nil},
/* Don't allow reading current quota use */
{C.int(SYS_QUOTACTL), C.int(EPERM), nil},
/* Don't allow access to the kernel keyring */
{C.int(SYS_ADD_KEY), C.int(EPERM), nil},
{C.int(SYS_KEYCTL), C.int(EPERM), nil},
{C.int(SYS_REQUEST_KEY), C.int(EPERM), nil},
/* Scary VM/NUMA ops */
{C.int(SYS_MOVE_PAGES), C.int(EPERM), nil},
{C.int(SYS_MBIND), C.int(EPERM), nil},
{C.int(SYS_GET_MEMPOLICY), C.int(EPERM), nil},
{C.int(SYS_SET_MEMPOLICY), C.int(EPERM), nil},
{C.int(SYS_MIGRATE_PAGES), C.int(EPERM), nil},
}
/* hakurei: project-specific extensions */
presetCommonExt = []NativeRule{
/* system calls for changing the system clock */
{C.int(SYS_ADJTIMEX), C.int(EPERM), nil},
{C.int(SYS_CLOCK_ADJTIME), C.int(EPERM), nil},
{C.int(SYS_CLOCK_ADJTIME64), C.int(EPERM), nil},
{C.int(SYS_CLOCK_SETTIME), C.int(EPERM), nil},
{C.int(SYS_CLOCK_SETTIME64), C.int(EPERM), nil},
{C.int(SYS_SETTIMEOFDAY), C.int(EPERM), nil},
/* loading and unloading of kernel modules */
{C.int(SYS_DELETE_MODULE), C.int(EPERM), nil},
{C.int(SYS_FINIT_MODULE), C.int(EPERM), nil},
{C.int(SYS_INIT_MODULE), C.int(EPERM), nil},
/* system calls for rebooting and reboot preparation */
{C.int(SYS_KEXEC_FILE_LOAD), C.int(EPERM), nil},
{C.int(SYS_KEXEC_LOAD), C.int(EPERM), nil},
{C.int(SYS_REBOOT), C.int(EPERM), nil},
/* system calls for enabling/disabling swap devices */
{C.int(SYS_SWAPOFF), C.int(EPERM), nil},
{C.int(SYS_SWAPON), C.int(EPERM), nil},
}
presetNamespace = []NativeRule{
/* Don't allow subnamespace setups: */
{C.int(SYS_UNSHARE), C.int(EPERM), nil},
{C.int(SYS_SETNS), C.int(EPERM), nil},
{C.int(SYS_MOUNT), C.int(EPERM), nil},
{C.int(SYS_UMOUNT), C.int(EPERM), nil},
{C.int(SYS_UMOUNT2), C.int(EPERM), nil},
{C.int(SYS_PIVOT_ROOT), C.int(EPERM), nil},
{C.int(SYS_CHROOT), C.int(EPERM), nil},
{C.int(SYS_CLONE), C.int(EPERM),
&ScmpArgCmp{cloneArg, SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER}},
/* seccomp can't look into clone3()'s struct clone_args to check whether
* the flags are OK, so we have no choice but to block clone3().
* Return ENOSYS so user-space will fall back to clone().
* (CVE-2021-41133; see also https://github.com/moby/moby/commit/9f6b562d)
*/
{C.int(SYS_CLONE3), C.int(ENOSYS), nil},
/* New mount manipulation APIs can also change our VFS. There's no
* legitimate reason to do these in the sandbox, so block all of them
* rather than thinking about which ones might be dangerous.
* (CVE-2021-41133) */
{C.int(SYS_OPEN_TREE), C.int(ENOSYS), nil},
{C.int(SYS_MOVE_MOUNT), C.int(ENOSYS), nil},
{C.int(SYS_FSOPEN), C.int(ENOSYS), nil},
{C.int(SYS_FSCONFIG), C.int(ENOSYS), nil},
{C.int(SYS_FSMOUNT), C.int(ENOSYS), nil},
{C.int(SYS_FSPICK), C.int(ENOSYS), nil},
{C.int(SYS_MOUNT_SETATTR), C.int(ENOSYS), nil},
}
/* hakurei: project-specific extensions */
presetNamespaceExt = []NativeRule{
/* changing file ownership */
{C.int(SYS_CHOWN), C.int(EPERM), nil},
{C.int(SYS_CHOWN32), C.int(EPERM), nil},
{C.int(SYS_FCHOWN), C.int(EPERM), nil},
{C.int(SYS_FCHOWN32), C.int(EPERM), nil},
{C.int(SYS_FCHOWNAT), C.int(EPERM), nil},
{C.int(SYS_LCHOWN), C.int(EPERM), nil},
{C.int(SYS_LCHOWN32), C.int(EPERM), nil},
/* system calls for changing user ID and group ID credentials */
{C.int(SYS_SETGID), C.int(EPERM), nil},
{C.int(SYS_SETGID32), C.int(EPERM), nil},
{C.int(SYS_SETGROUPS), C.int(EPERM), nil},
{C.int(SYS_SETGROUPS32), C.int(EPERM), nil},
{C.int(SYS_SETREGID), C.int(EPERM), nil},
{C.int(SYS_SETREGID32), C.int(EPERM), nil},
{C.int(SYS_SETRESGID), C.int(EPERM), nil},
{C.int(SYS_SETRESGID32), C.int(EPERM), nil},
{C.int(SYS_SETRESUID), C.int(EPERM), nil},
{C.int(SYS_SETRESUID32), C.int(EPERM), nil},
{C.int(SYS_SETREUID), C.int(EPERM), nil},
{C.int(SYS_SETREUID32), C.int(EPERM), nil},
{C.int(SYS_SETUID), C.int(EPERM), nil},
{C.int(SYS_SETUID32), C.int(EPERM), nil},
}
presetTTY = []NativeRule{
/* Don't allow faking input to the controlling tty (CVE-2017-5226) */
{C.int(SYS_IOCTL), C.int(EPERM),
&ScmpArgCmp{1, SCMP_CMP_MASKED_EQ, 0xFFFFFFFF, TIOCSTI}},
/* In the unlikely event that the controlling tty is a Linux virtual
* console (/dev/tty2 or similar), copy/paste operations have an effect
* similar to TIOCSTI (CVE-2023-28100) */
{C.int(SYS_IOCTL), C.int(EPERM),
&ScmpArgCmp{1, SCMP_CMP_MASKED_EQ, 0xFFFFFFFF, TIOCLINUX}},
}
presetEmu = []NativeRule{
/* modify_ldt is a historic source of interesting information leaks,
* so it's disabled as a hardening measure.
* However, it is required to run old 16-bit applications
* as well as some Wine patches, so it's allowed in multiarch. */
{C.int(SYS_MODIFY_LDT), C.int(EPERM), nil},
}
/* hakurei: project-specific extensions */
presetEmuExt = []NativeRule{
{C.int(SYS_SUBPAGE_PROT), C.int(ENOSYS), nil},
{C.int(SYS_SWITCH_ENDIAN), C.int(ENOSYS), nil},
{C.int(SYS_VM86), C.int(ENOSYS), nil},
{C.int(SYS_VM86OLD), C.int(ENOSYS), nil},
}
)
func presetDevel(allowedPersonality ScmpDatum) []NativeRule {
return []NativeRule{
/* Profiling operations; we expect these to be done by tools from outside
* the sandbox. In particular perf has been the source of many CVEs. */
{C.int(SYS_PERF_EVENT_OPEN), C.int(EPERM), nil},
/* Don't allow you to switch to bsd emulation or whatnot */
{C.int(SYS_PERSONALITY), C.int(EPERM),
&ScmpArgCmp{0, SCMP_CMP_NE, allowedPersonality, 0}},
{C.int(SYS_PTRACE), C.int(EPERM), nil},
}
}
Reference in New Issue View Git Blame Copy Permalink