From: "Dr. David Alan Gilbert (git)" <dgilbert@redhat.com>
To: qemu-devel@nongnu.org, renzhen@linux.alibaba.com,
eguan@linux.alibaba.com, ganesh.mahalingam@intel.com,
m.mizuma@jp.fujitsu.com, mszeredi@redhat.com,
misono.tomohiro@jp.fujitsu.com, tao.peng@linux.alibaba.com,
piaojun@huawei.com, stefanha@redhat.com, vgoyal@redhat.com,
mst@redhat.com, berrange@redhat.com
Subject: [PATCH 19/25] virtiofsd: add seccomp whitelist
Date: Thu, 24 Oct 2019 12:27:12 +0100 [thread overview]
Message-ID: <20191024112718.34657-20-dgilbert@redhat.com> (raw)
In-Reply-To: <20191024112718.34657-1-dgilbert@redhat.com>
From: Stefan Hajnoczi <stefanha@redhat.com>
Only allow system calls that are needed by virtiofsd. All other system
calls cause SIGSYS to be directed at the thread.
Restricting system calls reduces the kernel attack surface and limits
what the process can do when compromised.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
with additional entries by:
Signed-off-by: Ganesh Maharaj Mahalingam <ganesh.mahalingam@intel.com>
Signed-off-by: Masayoshi Mizuma <m.mizuma@jp.fujitsu.com>
Signed-off-by: Misono Tomohiro <misono.tomohiro@jp.fujitsu.com>
Signed-off-by: piaojun <piaojun@huawei.com>
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Signed-off-by: Eric Ren <renzhen@linux.alibaba.com>
---
contrib/virtiofsd/Makefile.objs | 5 +-
contrib/virtiofsd/passthrough_ll.c | 2 +
contrib/virtiofsd/seccomp.c | 132 +++++++++++++++++++++++++++++
contrib/virtiofsd/seccomp.h | 14 +++
4 files changed, 152 insertions(+), 1 deletion(-)
create mode 100644 contrib/virtiofsd/seccomp.c
create mode 100644 contrib/virtiofsd/seccomp.h
diff --git a/contrib/virtiofsd/Makefile.objs b/contrib/virtiofsd/Makefile.objs
index 67be16332c..941b19f18e 100644
--- a/contrib/virtiofsd/Makefile.objs
+++ b/contrib/virtiofsd/Makefile.objs
@@ -6,5 +6,8 @@ virtiofsd-obj-y = buffer.o \
fuse_signals.o \
fuse_virtio.o \
helper.o \
- passthrough_ll.o
+ passthrough_ll.o \
+ seccomp.o
+seccomp.o-cflags := $(SECCOMP_CFLAGS)
+seccomp.o-libs := $(SECCOMP_LIBS)
diff --git a/contrib/virtiofsd/passthrough_ll.c b/contrib/virtiofsd/passthrough_ll.c
index c027db64e6..93873bf6f4 100644
--- a/contrib/virtiofsd/passthrough_ll.c
+++ b/contrib/virtiofsd/passthrough_ll.c
@@ -56,6 +56,7 @@
#include <sys/wait.h>
#include "passthrough_helpers.h"
+#include "seccomp.h"
#define HAVE_POSIX_FALLOCATE 1
@@ -1979,6 +1980,7 @@ static void setup_sandbox(struct lo_data *lo)
setup_proc_self_fd(lo);
setup_net_namespace();
setup_mount_namespace(lo->source);
+ setup_seccomp();
}
int main(int argc, char *argv[])
diff --git a/contrib/virtiofsd/seccomp.c b/contrib/virtiofsd/seccomp.c
new file mode 100644
index 0000000000..df1390d6be
--- /dev/null
+++ b/contrib/virtiofsd/seccomp.c
@@ -0,0 +1,132 @@
+/*
+ * Seccomp sandboxing for virtiofsd
+ *
+ * Copyright (C) 2019 Red Hat, Inc.
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+
+#include "seccomp.h"
+#include "fuse_i.h"
+#include "fuse_log.h"
+#include <errno.h>
+#include <glib.h>
+#include <seccomp.h>
+#include <stdlib.h>
+
+static const int syscall_whitelist[] = {
+ /* TODO ireg sem*() syscalls */
+ SCMP_SYS(brk),
+ SCMP_SYS(capget), /* For CAP_FSETID */
+ SCMP_SYS(capset),
+ SCMP_SYS(clock_gettime),
+ SCMP_SYS(clone),
+ SCMP_SYS(close),
+ SCMP_SYS(copy_file_range),
+ SCMP_SYS(dup),
+ SCMP_SYS(eventfd2),
+ SCMP_SYS(exit),
+ SCMP_SYS(exit_group),
+ SCMP_SYS(fallocate),
+ SCMP_SYS(fchmodat),
+ SCMP_SYS(fchownat),
+ SCMP_SYS(fcntl),
+ SCMP_SYS(fdatasync),
+ SCMP_SYS(fgetxattr),
+ SCMP_SYS(flistxattr),
+ SCMP_SYS(flock),
+ SCMP_SYS(fremovexattr),
+ SCMP_SYS(fsetxattr),
+ SCMP_SYS(fstat),
+ SCMP_SYS(fstatfs),
+ SCMP_SYS(fsync),
+ SCMP_SYS(ftruncate),
+ SCMP_SYS(futex),
+ SCMP_SYS(getdents),
+ SCMP_SYS(getdents64),
+ SCMP_SYS(getegid),
+ SCMP_SYS(geteuid),
+ SCMP_SYS(getpid),
+ SCMP_SYS(gettid),
+ SCMP_SYS(gettimeofday),
+ SCMP_SYS(linkat),
+ SCMP_SYS(lseek),
+ SCMP_SYS(madvise),
+ SCMP_SYS(mkdirat),
+ SCMP_SYS(mknodat),
+ SCMP_SYS(mmap),
+ SCMP_SYS(mprotect),
+ SCMP_SYS(mremap),
+ SCMP_SYS(munmap),
+ SCMP_SYS(newfstatat),
+ SCMP_SYS(open),
+ SCMP_SYS(openat),
+ SCMP_SYS(ppoll),
+ SCMP_SYS(prctl), /* TODO restrict to just PR_SET_NAME? */
+ SCMP_SYS(preadv),
+ SCMP_SYS(pread64),
+ SCMP_SYS(pwritev),
+ SCMP_SYS(pwrite64),
+ SCMP_SYS(read),
+ SCMP_SYS(readlinkat),
+ SCMP_SYS(recvmsg),
+ SCMP_SYS(renameat),
+ SCMP_SYS(renameat2),
+ SCMP_SYS(rt_sigaction),
+ SCMP_SYS(rt_sigprocmask),
+ SCMP_SYS(rt_sigreturn),
+ SCMP_SYS(sendmsg),
+ SCMP_SYS(setresgid),
+ SCMP_SYS(setresuid),
+ SCMP_SYS(set_robust_list),
+ SCMP_SYS(symlinkat),
+ SCMP_SYS(time), /* Rarely needed, except on static builds */
+ SCMP_SYS(tgkill),
+ SCMP_SYS(unlinkat),
+ SCMP_SYS(utimensat),
+ SCMP_SYS(write),
+ SCMP_SYS(writev),
+};
+
+void setup_seccomp(void)
+{
+ scmp_filter_ctx ctx;
+ size_t i;
+
+#ifdef SCMP_ACT_KILL_PROCESS
+ ctx = seccomp_init(SCMP_ACT_KILL_PROCESS);
+ /* Handle a newer libseccomp but an older kernel */
+ if (!ctx && errno == EOPNOTSUPP) {
+ ctx = seccomp_init(SCMP_ACT_KILL);
+ }
+#else
+ ctx = seccomp_init(SCMP_ACT_KILL);
+#endif
+ if (!ctx) {
+ fuse_log(FUSE_LOG_ERR, "seccomp_init() failed\n");
+ exit(1);
+ }
+
+ for (i = 0; i < G_N_ELEMENTS(syscall_whitelist); i++) {
+ if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW,
+ syscall_whitelist[i], 0) != 0) {
+ fuse_log(FUSE_LOG_ERR, "seccomp_rule_add syscall %d",
+ syscall_whitelist[i]);
+ exit(1);
+ }
+ }
+
+ /* libvhost-user calls this for post-copy migration, we don't need it */
+ if (seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS),
+ SCMP_SYS(userfaultfd), 0) != 0) {
+ fuse_log(FUSE_LOG_ERR, "seccomp_rule_add userfaultfd failed\n");
+ exit(1);
+ }
+
+ if (seccomp_load(ctx) < 0) {
+ fuse_log(FUSE_LOG_ERR, "seccomp_load() failed\n");
+ exit(1);
+ }
+
+ seccomp_release(ctx);
+}
diff --git a/contrib/virtiofsd/seccomp.h b/contrib/virtiofsd/seccomp.h
new file mode 100644
index 0000000000..86bce72652
--- /dev/null
+++ b/contrib/virtiofsd/seccomp.h
@@ -0,0 +1,14 @@
+/*
+ * Seccomp sandboxing for virtiofsd
+ *
+ * Copyright (C) 2019 Red Hat, Inc.
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+
+#ifndef VIRTIOFSD_SECCOMP_H
+#define VIRTIOFSD_SECCOMP_H
+
+void setup_seccomp(void);
+
+#endif /* VIRTIOFSD_SECCOMP_H */
--
2.23.0
next prev parent reply other threads:[~2019-10-24 12:31 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-10-24 11:26 [PATCH 00/25] virtiofs daemon (security) Dr. David Alan Gilbert (git)
2019-10-24 11:26 ` [PATCH 01/25] virtiofsd: passthrough_ll: create new files in caller's context Dr. David Alan Gilbert (git)
2019-10-24 11:26 ` [PATCH 02/25] virtiofsd: passthrough_ll: add lo_map for ino/fh indirection Dr. David Alan Gilbert (git)
2019-10-24 11:26 ` [PATCH 03/25] virtiofsd: passthrough_ll: add ino_map to hide lo_inode pointers Dr. David Alan Gilbert (git)
2019-10-24 11:26 ` [PATCH 04/25] virtiofsd: passthrough_ll: add dirp_map to hide lo_dirp pointers Dr. David Alan Gilbert (git)
2019-10-24 11:26 ` [PATCH 05/25] virtiofsd: passthrough_ll: add fd_map to hide file descriptors Dr. David Alan Gilbert (git)
2019-10-24 11:26 ` [PATCH 06/25] virtiofsd: passthrough_ll: add fallback for racy ops Dr. David Alan Gilbert (git)
2019-10-24 11:27 ` [PATCH 07/25] virtiofsd: validate path components Dr. David Alan Gilbert (git)
2019-10-24 11:27 ` [PATCH 08/25] virtiofsd: Plumb fuse_bufvec through to do_write_buf Dr. David Alan Gilbert (git)
2019-10-24 11:27 ` [PATCH 09/25] virtiofsd: Pass write iov's all the way through Dr. David Alan Gilbert (git)
2019-10-24 11:27 ` [PATCH 10/25] virtiofsd: add fuse_mbuf_iter API Dr. David Alan Gilbert (git)
2019-10-24 11:27 ` [PATCH 11/25] virtiofsd: validate input buffer sizes in do_write_buf() Dr. David Alan Gilbert (git)
2019-10-24 11:27 ` [PATCH 12/25] virtiofsd: check input buffer size in fuse_lowlevel.c ops Dr. David Alan Gilbert (git)
2019-10-24 11:27 ` [PATCH 13/25] virtiofsd: prevent ".." escape in lo_do_lookup() Dr. David Alan Gilbert (git)
2019-10-24 11:27 ` [PATCH 14/25] virtiofsd: prevent ".." escape in lo_do_readdir() Dr. David Alan Gilbert (git)
2019-10-24 11:27 ` [PATCH 15/25] virtiofsd: use /proc/self/fd/ O_PATH file descriptor Dr. David Alan Gilbert (git)
2019-10-24 11:27 ` [PATCH 16/25] virtiofsd: sandbox mount namespace Dr. David Alan Gilbert (git)
2019-10-24 11:27 ` [PATCH 17/25] virtiofsd: move to an empty network namespace Dr. David Alan Gilbert (git)
2019-10-24 11:27 ` [PATCH 18/25] virtiofsd: move to a new pid namespace Dr. David Alan Gilbert (git)
2019-10-24 11:27 ` Dr. David Alan Gilbert (git) [this message]
2019-10-24 11:27 ` [PATCH 20/25] virtiofsd: Parse flag FUSE_WRITE_KILL_PRIV Dr. David Alan Gilbert (git)
2019-10-24 11:27 ` [PATCH 21/25] virtiofsd: Drop CAP_FSETID if client asked for it Dr. David Alan Gilbert (git)
2019-10-24 11:27 ` [PATCH 22/25] virtiofsd: set maximum RLIMIT_NOFILE limit Dr. David Alan Gilbert (git)
2019-10-24 11:27 ` [PATCH 23/25] virtiofsd: add security guide document Dr. David Alan Gilbert (git)
2019-10-24 11:27 ` [PATCH 24/25] virtiofsd: add --syslog command-line option Dr. David Alan Gilbert (git)
2019-10-24 11:27 ` [PATCH 25/25] virtiofsd: print log only when priority is high enough Dr. David Alan Gilbert (git)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191024112718.34657-20-dgilbert@redhat.com \
--to=dgilbert@redhat.com \
--cc=berrange@redhat.com \
--cc=eguan@linux.alibaba.com \
--cc=ganesh.mahalingam@intel.com \
--cc=m.mizuma@jp.fujitsu.com \
--cc=misono.tomohiro@jp.fujitsu.com \
--cc=mst@redhat.com \
--cc=mszeredi@redhat.com \
--cc=piaojun@huawei.com \
--cc=qemu-devel@nongnu.org \
--cc=renzhen@linux.alibaba.com \
--cc=stefanha@redhat.com \
--cc=tao.peng@linux.alibaba.com \
--cc=vgoyal@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).