* [PATCH v2 1/3] seccomp: Add SECCOMP_RET_INFO return value
From: Corey Bryant @ 2013-01-07 17:09 UTC (permalink / raw)
To: linux-kernel; +Cc: linux-security-module, jmorris, wad, pmoore, otubo
Adds a new return value to seccomp filters that causes an
informational kernel message to be printed. The message
includes the system call number and architecture.
This can be used to learn the system calls that a process
is using.
Signed-off-by: Corey Bryant <coreyb@linux.vnet.ibm.com>
---
v2:
- Add arch to message (wad@chromium.org)
include/uapi/linux/seccomp.h | 1 +
kernel/seccomp.c | 6 ++++++
2 files changed, 7 insertions(+)
diff --git a/include/uapi/linux/seccomp.h b/include/uapi/linux/seccomp.h
index ac2dc9f..0086626 100644
--- a/include/uapi/linux/seccomp.h
+++ b/include/uapi/linux/seccomp.h
@@ -22,6 +22,7 @@
#define SECCOMP_RET_TRAP 0x00030000U /* disallow and force a SIGSYS */
#define SECCOMP_RET_ERRNO 0x00050000U /* returns an errno */
#define SECCOMP_RET_TRACE 0x7ff00000U /* pass to a tracer or disallow */
+#define SECCOMP_RET_INFO 0x7ff70000U /* print info message and allow */
#define SECCOMP_RET_ALLOW 0x7fff0000U /* allow */
/* Masks for the return value sections. */
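Review bot: the new action value 0x7ff70000U sits between SECCOMP_RET_TRACE (0x7ff00000U) and SECCOMP_RET_ALLOW (0x7fff0000U), so under the lowest-value-wins rule for stacked filters INFO overrides ALLOW but is itself overridden by TRACE, ERRNO, TRAP and KILL; that is the right ordering for a log-and-allow action, but it should be stated in the comment here or in the documentation patch so nobody reads INFO as a deny. The low 16 bits masked by SECCOMP_RET_DATA are not used by this action; consider saying whether a filter may set them, since printing that value would let a user tell which of several stacked filters produced a message.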
diff --git a/kernel/seccomp.c b/kernel/seccomp.c
index 5af44b5..954bb40 100644
--- a/kernel/seccomp.c
+++ b/kernel/seccomp.c
@@ -433,6 +433,12 @@ int __secure_computing(int this_syscall)
goto skip; /* Explicit request to skip. */
return 0;
+ case SECCOMP_RET_INFO:
+ if (printk_ratelimit())
+ pr_info("seccomp: syscall=%d, arch=0x%X\n",
+ this_syscall,
+ syscall_get_arch(current, regs));
+ return 0;
case SECCOMP_RET_ALLOW:
return 0;
case SECCOMP_RET_KILL:
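Review bot: the message in the new SECCOMP_RET_INFO case carries only the syscall number and arch, so on a host where several processes run under filters a line cannot be tied to the process that made the call; print current->comm and task_pid_nr(current) as well, e.g. pr_info("seccomp: comm=%s pid=%d syscall=%d arch=0x%X\n", ...). printk_ratelimit() is also the global limiter shared by every caller, so a process issuing syscalls in a tight loop will both lose most of its own lines and suppress other subsystems' messages; a dedicated DEFINE_RATELIMIT_STATE()/__ratelimit() for this path keeps the two apart, and the documentation should say that dropped lines are expected, so the output is understood as a sampling aid rather than an audit trail.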
--
1.7.11.7
* [PATCH v2 2/3] Documentation: SECCOMP_RET_INFO return value
From: Corey Bryant @ 2013-01-07 17:09 UTC (permalink / raw)
To: linux-kernel; +Cc: linux-security-module, jmorris, wad, pmoore, otubo
Adds documentation describing the SECCOMP_RET_INFO return value.
Signed-off-by: Corey Bryant <coreyb@linux.vnet.ibm.com>
---
v2:
- Add arch to message (wad@chromium.org)
Documentation/prctl/seccomp_filter.txt | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/Documentation/prctl/seccomp_filter.txt b/Documentation/prctl/seccomp_filter.txt
index 1e469ef..88d6882 100644
--- a/Documentation/prctl/seccomp_filter.txt
+++ b/Documentation/prctl/seccomp_filter.txt
@@ -49,6 +49,7 @@ CONFIG_HAVE_ARCH_SECCOMP_FILTER, then filters may be added as below:
PR_SET_SECCOMP:
Now takes an additional argument which specifies a new filter
using a BPF program.
+
The BPF program will be executed over struct seccomp_data
reflecting the system call number, arguments, and other
metadata. The BPF program must then return one of the
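Review bot: the first hunk only inserts a blank line after the PR_SET_SECCOMP paragraph, which is unrelated to SECCOMP_RET_INFO; drop it or move it to a separate whitespace cleanup so the patch stays limited to the change it documents.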
@@ -138,6 +139,13 @@ SECCOMP_RET_TRACE:
allow use of ptrace, even of other sandboxed processes, without
extreme care; ptracers can use this mechanism to escape.)
+SECCOMP_RET_INFO:
+ Results in a rate-limited informational kernel message that
+ includes the system call number and architecture, and the
+ system call is executed. The message format is:
+ "seccomp: syscall=x, arch=y", where x is the system call number
+ and y is the architecture.
+
SECCOMP_RET_ALLOW:
Results in the system call being executed.
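Review bot: the SECCOMP_RET_INFO entry should state its precedence relative to the neighbouring SECCOMP_RET_TRACE and SECCOMP_RET_ALLOW entries (a stacked filter returning TRACE still wins over one returning INFO, and INFO wins over ALLOW), and should say that the architecture is printed in hex, since the kernel side formats it with 0x%X; "seccomp: syscall=x, arch=0xy" would match the actual output. "Rate-limited" also deserves a sentence saying that messages are dropped once the limit is hit, so readers do not treat dmesg output as a complete record of a process's system calls.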
--
1.7.11.7
* [PATCH v2 3/3] samples: Add sample using SECCOMP_RET_INFO
From: Corey Bryant @ 2013-01-07 17:09 UTC (permalink / raw)
To: linux-kernel; +Cc: linux-security-module, jmorris, wad, pmoore, otubo
Adds a sample that demonstrates use of the SECCOMP_RET_INFO return value.
Signed-off-by: Corey Bryant <coreyb@linux.vnet.ibm.com>
---
v2:
- Modify test to use fprintf and add arch hints
samples/seccomp/Makefile | 8 ++++++-
samples/seccomp/bpf-logger.c | 50 ++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 57 insertions(+), 1 deletion(-)
create mode 100644 samples/seccomp/bpf-logger.c
diff --git a/samples/seccomp/Makefile b/samples/seccomp/Makefile
index bbbd276..ee769bb 100644
--- a/samples/seccomp/Makefile
+++ b/samples/seccomp/Makefile
@@ -1,7 +1,7 @@
# kbuild trick to avoid linker error. Can be omitted if a module is built.
obj- := dummy.o
-hostprogs-$(CONFIG_SECCOMP_FILTER) := bpf-fancy dropper bpf-direct
+hostprogs-$(CONFIG_SECCOMP_FILTER) := bpf-fancy dropper bpf-direct bpf-logger
HOSTCFLAGS_bpf-fancy.o += -I$(objtree)/usr/include
HOSTCFLAGS_bpf-fancy.o += -idirafter $(objtree)/include
@@ -17,6 +17,10 @@ HOSTCFLAGS_bpf-direct.o += -I$(objtree)/usr/include
HOSTCFLAGS_bpf-direct.o += -idirafter $(objtree)/include
bpf-direct-objs := bpf-direct.o
+HOSTCFLAGS_bpf-logger.o += -I$(objtree)/usr/include
+HOSTCFLAGS_bpf-logger.o += -idirafter $(objtree)/include
+bpf-logger-objs := bpf-logger.o
+
# Try to match the kernel target.
ifndef CONFIG_64BIT
@@ -31,9 +35,11 @@ HOSTCFLAGS_bpf-direct.o += $(MFLAG)
HOSTCFLAGS_dropper.o += $(MFLAG)
HOSTCFLAGS_bpf-helper.o += $(MFLAG)
HOSTCFLAGS_bpf-fancy.o += $(MFLAG)
+HOSTCFLAGS_bpf-logger.o += $(MFLAG)
HOSTLOADLIBES_bpf-direct += $(MFLAG)
HOSTLOADLIBES_bpf-fancy += $(MFLAG)
HOSTLOADLIBES_dropper += $(MFLAG)
+HOSTLOADLIBES_bpf-logger += $(MFLAG)
endif
# Tell kbuild to always build the programs
diff --git a/samples/seccomp/bpf-logger.c b/samples/seccomp/bpf-logger.c
new file mode 100644
index 0000000..4580417
--- /dev/null
+++ b/samples/seccomp/bpf-logger.c
@@ -0,0 +1,50 @@
+/*
+ * System call logger built on seccomp_filter.
+ *
+ * Copyright (c) 2012 The Chromium OS Authors <chromium-os-dev@chromium.org>
+ * Copyright (C) IBM Corporation, 2012
+ * Authors: Will Drewry <wad@chromium.org>
+ * Corey Bryant <coreyb@linux.vnet.ibm.com>
+ *
+ * The code may be used by anyone for any purpose,
+ * and can serve as a starting point for developing
+ * applications using prctl(PR_SET_SECCOMP, 2, ...).
+ *
+ * Prints rate-limited informational kernel messages for
+ * each system call that the process executes.
+ *
+ * Run this one as root as PR_SET_NO_NEW_PRIVS is not called.
+ */
+
+#include <linux/audit.h>
+#include <linux/filter.h>
+#include <linux/seccomp.h>
+#include <sys/prctl.h>
+#include <stdio.h>
+
+static int install_filter()
+{
+ struct sock_filter filter[] = {
+ BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_INFO),
+ };
+ struct sock_fprog prog = {
+ .len = (unsigned short)(sizeof(filter)/sizeof(filter[0])),
+ .filter = filter,
+ };
+ if (prctl(PR_SET_SECCOMP, 2, &prog)) {
+ perror("prctl");
+ return 1;
+ }
+ return 0;
+}
+
+int main(int argc, char **argv)
+{
+ if (install_filter())
+ return 1;
+ fprintf(stdout, "To examine syscalls type: dmesg | grep seccomp\n"
+ "Hint: AUDIT_ARCH_I386: 0x%X\n"
+ " AUDIT_ARCH_X86_64: 0x%X\n",
+ AUDIT_ARCH_I386, AUDIT_ARCH_X86_64);
+ return 0;
+}
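Review bot: install_filter() should be declared install_filter(void), since an empty parameter list is an unprototyped declaration in C, and the bare 2 in prctl(PR_SET_SECCOMP, 2, &prog) should be SECCOMP_MODE_FILTER from <linux/seccomp.h>, which the file already includes. The header comment says to run as root because PR_SET_NO_NEW_PRIVS is not called; issuing prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) before PR_SET_SECCOMP would let the sample run unprivileged, which matters for code offered as a starting point for applications. The filter is a single unconditional return, so the fprintf() at the end is itself logged; that is fine for a demo but worth a line in the comment so the extra write/exit entries in dmesg are not a surprise.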
--
1.7.11.7
* Re: [PATCH v2 1/3] seccomp: Add SECCOMP_RET_INFO return value
From: Paul Moore @ 2013-01-14 21:45 UTC (permalink / raw)
To: Corey Bryant, linux-kernel, linux-security-module; +Cc: jmorris, wad, otubo
On Monday, January 07, 2013 12:09:03 PM Corey Bryant wrote:
> Adds a new return value to seccomp filters that causes an
> informational kernel message to be printed. The message
> includes the system call number and architecture.
>
> This can be used to learn the system calls that a process
> is using.
>
> Signed-off-by: Corey Bryant <coreyb@linux.vnet.ibm.com>
Where do things currently stand with this patchset? It still seems like a
reasonable addition to me.
--
paul moore
security and virtualization @ redhat
* Re: [PATCH v2 1/3] seccomp: Add SECCOMP_RET_INFO return value
From: Corey Bryant @ 2013-01-14 21:50 UTC (permalink / raw)
To: Paul Moore; +Cc: linux-kernel, linux-security-module, jmorris, wad, otubo
On 01/14/2013 04:45 PM, Paul Moore wrote:
> On Monday, January 07, 2013 12:09:03 PM Corey Bryant wrote:
>> Adds a new return value to seccomp filters that causes an
>> informational kernel message to be printed. The message
>> includes the system call number and architecture.
>>
>> This can be used to learn the system calls that a process
>> is using.
>>
>> Signed-off-by: Corey Bryant <coreyb@linux.vnet.ibm.com>
>
> Where do things currently stand with this patchset? It still seems like a
> reasonable addition to me.
>
Thanks for asking. I haven't heard anything in response to the v2
patches. Does anyone have any comments/thoughts?
--
Regards,
Corey Bryant