2 * linux/kernel/seccomp.c
4 * Copyright 2004-2005 Andrea Arcangeli <andrea@cpushare.com>
6 * Copyright (C) 2012 Google, Inc.
7 * Will Drewry <wad@chromium.org>
9 * This defines a simple but solid secure-computing facility.
11 * Mode 1 uses a fixed list of allowed system calls.
12 * Mode 2 allows user-defined system call filters in the form
13 * of Berkeley Packet Filters/Linux Socket Filters.
16 #include <linux/atomic.h>
17 #include <linux/audit.h>
18 #include <linux/compat.h>
19 #include <linux/sched.h>
20 #include <linux/seccomp.h>
22 /* #define SECCOMP_DEBUG 1 */
24 #ifdef CONFIG_SECCOMP_FILTER
25 #include <asm/syscall.h>
26 #include <linux/filter.h>
27 #include <linux/security.h>
28 #include <linux/slab.h>
29 #include <linux/tracehook.h>
30 #include <linux/uaccess.h>
33 * struct seccomp_filter - container for seccomp BPF programs
35 * @usage: reference count to manage the object lifetime.
36 * get/put helpers should be used when accessing an instance
37 * outside of a lifetime-guarded section. In general, this
38 * is only needed for handling filters shared across tasks.
39 * @prev: points to a previously installed, or inherited, filter
40 * @len: the number of instructions in the program
41 * @insns: the BPF program instructions to evaluate
43 * seccomp_filter objects are organized in a tree linked via the @prev
44 * pointer. For any task, it appears to be a singly-linked list starting
45 * with current->seccomp.filter, the most recently attached or inherited filter.
46 * However, multiple filters may share a @prev node, by way of fork(), which
47 * results in a unidirectional tree existing in memory. This is similar to
48 * how namespaces work.
50 * seccomp_filter objects should never be modified after being attached
51 * to a task_struct (other than @usage).
53 struct seccomp_filter {
55 struct seccomp_filter *prev;
56 unsigned short len; /* Instruction count */
57 struct sock_filter insns[];
60 /* Limit any path through the tree to 256KB worth of instructions. */
61 #define MAX_INSNS_PER_PATH ((1 << 18) / sizeof(struct sock_filter))
63 static void seccomp_filter_log_failure(int syscall)
67 compat = is_compat_task();
69 pr_info("%s[%d]: %ssystem call %d blocked at 0x%lx\n",
70 current->comm, task_pid_nr(current),
71 (compat ? "compat " : ""),
72 syscall, KSTK_EIP(current));
76 * get_u32 - returns a u32 offset into data
77 * @data: a unsigned 64 bit value
78 * @index: 0 or 1 to return the first or second 32-bits
80 * This inline exists to hide the length of unsigned long. If a 32-bit
81 * unsigned long is passed in, it will be extended and the top 32-bits will be
82 * 0. If it is a 64-bit unsigned long, then whatever data is resident will be
85 * Endianness is explicitly ignored and left for BPF program authors to manage
86 * as per the specific architecture.
88 static inline u32 get_u32(u64 data, int index)
90 return ((u32 *)&data)[index];
93 /* Helper for bpf_load below. */
94 #define BPF_DATA(_name) offsetof(struct seccomp_data, _name)
96 * bpf_load: checks and returns a pointer to the requested offset
97 * @off: offset into struct seccomp_data to load from
99 * Returns the requested 32-bits of data.
100 * seccomp_check_filter() should assure that @off is 32-bit aligned
101 * and not out of bounds. Failure to do so is a BUG.
103 u32 seccomp_bpf_load(int off)
105 struct pt_regs *regs = task_pt_regs(current);
106 if (off == BPF_DATA(nr))
107 return syscall_get_nr(current, regs);
108 if (off == BPF_DATA(arch))
109 return syscall_get_arch(current, regs);
110 if (off >= BPF_DATA(args[0]) && off < BPF_DATA(args[6])) {
112 int arg = (off - BPF_DATA(args[0])) / sizeof(u64);
113 int index = !!(off % sizeof(u64));
114 syscall_get_arguments(current, regs, arg, 1, &value);
115 return get_u32(value, index);
117 if (off == BPF_DATA(instruction_pointer))
118 return get_u32(KSTK_EIP(current), 0);
119 if (off == BPF_DATA(instruction_pointer) + sizeof(u32))
120 return get_u32(KSTK_EIP(current), 1);
121 /* seccomp_check_filter should make this impossible. */
126 * seccomp_check_filter - verify seccomp filter code
127 * @filter: filter to verify
128 * @flen: length of filter
130 * Takes a previously checked filter (by sk_chk_filter) and
131 * redirects all filter code that loads struct sk_buff data
132 * and related data through seccomp_bpf_load. It also
133 * enforces length and alignment checking of those loads.
135 * Returns 0 if the rule set is legal or -EINVAL if not.
137 static int seccomp_check_filter(struct sock_filter *filter, unsigned int flen)
140 for (pc = 0; pc < flen; pc++) {
141 struct sock_filter *ftest = &filter[pc];
142 u16 code = ftest->code;
147 ftest->code = BPF_S_ANC_SECCOMP_LD_W;
148 /* 32-bit aligned and not out of bounds. */
149 if (k >= sizeof(struct seccomp_data) || k & 3)
153 ftest->code = BPF_S_LD_IMM;
154 ftest->k = sizeof(struct seccomp_data);
156 case BPF_S_LDX_W_LEN:
157 ftest->code = BPF_S_LDX_IMM;
158 ftest->k = sizeof(struct seccomp_data);
160 /* Explicitly include allowed calls. */
163 case BPF_S_ALU_ADD_K:
164 case BPF_S_ALU_ADD_X:
165 case BPF_S_ALU_SUB_K:
166 case BPF_S_ALU_SUB_X:
167 case BPF_S_ALU_MUL_K:
168 case BPF_S_ALU_MUL_X:
169 case BPF_S_ALU_DIV_X:
170 case BPF_S_ALU_AND_K:
171 case BPF_S_ALU_AND_X:
174 case BPF_S_ALU_LSH_K:
175 case BPF_S_ALU_LSH_X:
176 case BPF_S_ALU_RSH_K:
177 case BPF_S_ALU_RSH_X:
183 case BPF_S_ALU_DIV_K:
189 case BPF_S_JMP_JEQ_K:
190 case BPF_S_JMP_JEQ_X:
191 case BPF_S_JMP_JGE_K:
192 case BPF_S_JMP_JGE_X:
193 case BPF_S_JMP_JGT_K:
194 case BPF_S_JMP_JGT_X:
195 case BPF_S_JMP_JSET_K:
196 case BPF_S_JMP_JSET_X:
206 * seccomp_run_filters - evaluates all seccomp filters against @syscall
207 * @syscall: number of the current system call
209 * Returns valid seccomp BPF response codes.
211 static u32 seccomp_run_filters(int syscall)
213 struct seccomp_filter *f;
214 u32 ret = SECCOMP_RET_KILL;
216 * All filters in the list are evaluated and the lowest BPF return
217 * value always takes priority.
219 for (f = current->seccomp.filter; f; f = f->prev) {
220 ret = sk_run_filter(NULL, f->insns);
221 if (ret != SECCOMP_RET_ALLOW)
228 * seccomp_attach_filter: Attaches a seccomp filter to current.
229 * @fprog: BPF program to install
231 * Returns 0 on success or an errno on failure.
233 static long seccomp_attach_filter(struct sock_fprog *fprog)
235 struct seccomp_filter *filter;
236 unsigned long fp_size = fprog->len * sizeof(struct sock_filter);
237 unsigned long total_insns = fprog->len;
240 if (fprog->len == 0 || fprog->len > BPF_MAXINSNS)
243 for (filter = current->seccomp.filter; filter; filter = filter->prev)
244 total_insns += filter->len + 4; /* include a 4 instr penalty */
245 if (total_insns > MAX_INSNS_PER_PATH)
249 * Installing a seccomp filter requires that the task have
250 * CAP_SYS_ADMIN in its namespace or be running with no_new_privs.
251 * This avoids scenarios where unprivileged tasks can affect the
252 * behavior of privileged children.
254 if (!current->no_new_privs &&
255 security_capable_noaudit(current_cred(), current_user_ns(),
259 /* Allocate a new seccomp_filter */
260 filter = kzalloc(sizeof(struct seccomp_filter) + fp_size,
261 GFP_KERNEL|__GFP_NOWARN);
264 atomic_set(&filter->usage, 1);
265 filter->len = fprog->len;
267 /* Copy the instructions from fprog. */
269 if (copy_from_user(filter->insns, fprog->filter, fp_size))
272 /* Check and rewrite the fprog via the skb checker */
273 ret = sk_chk_filter(filter->insns, filter->len);
277 /* Check and rewrite the fprog for seccomp use */
278 ret = seccomp_check_filter(filter->insns, filter->len);
283 * If there is an existing filter, make it the prev and don't drop its
286 filter->prev = current->seccomp.filter;
287 current->seccomp.filter = filter;
295 * seccomp_attach_user_filter - attaches a user-supplied sock_fprog
296 * @user_filter: pointer to the user data containing a sock_fprog.
298 * Returns 0 on success and non-zero otherwise.
300 long seccomp_attach_user_filter(char __user *user_filter)
302 struct sock_fprog fprog;
306 if (is_compat_task()) {
307 struct compat_sock_fprog fprog32;
308 if (copy_from_user(&fprog32, user_filter, sizeof(fprog32)))
310 fprog.len = fprog32.len;
311 fprog.filter = compat_ptr(fprog32.filter);
312 } else /* falls through to the if below. */
314 if (copy_from_user(&fprog, user_filter, sizeof(fprog)))
316 ret = seccomp_attach_filter(&fprog);
321 /* get_seccomp_filter - increments the reference count of the filter on @tsk */
322 void get_seccomp_filter(struct task_struct *tsk)
324 struct seccomp_filter *orig = tsk->seccomp.filter;
327 /* Reference count is bounded by the number of total processes. */
328 atomic_inc(&orig->usage);
331 /* put_seccomp_filter - decrements the ref count of tsk->seccomp.filter */
332 void put_seccomp_filter(struct task_struct *tsk)
334 struct seccomp_filter *orig = tsk->seccomp.filter;
335 /* Clean up single-reference branches iteratively. */
336 while (orig && atomic_dec_and_test(&orig->usage)) {
337 struct seccomp_filter *freeme = orig;
342 #endif /* CONFIG_SECCOMP_FILTER */
345 * Secure computing mode 1 allows only read/write/exit/sigreturn.
346 * To be fully secure this must be combined with rlimit
347 * to limit the stack allocations too.
349 static int mode1_syscalls[] = {
350 __NR_seccomp_read, __NR_seccomp_write, __NR_seccomp_exit, __NR_seccomp_sigreturn,
351 0, /* null terminated */
355 static int mode1_syscalls_32[] = {
356 __NR_seccomp_read_32, __NR_seccomp_write_32, __NR_seccomp_exit_32, __NR_seccomp_sigreturn_32,
357 0, /* null terminated */
361 void __secure_computing(int this_syscall)
363 int mode = current->seccomp.mode;
368 case SECCOMP_MODE_STRICT:
369 syscall = mode1_syscalls;
371 if (is_compat_task())
372 syscall = mode1_syscalls_32;
375 if (*syscall == this_syscall)
377 } while (*++syscall);
380 #ifdef CONFIG_SECCOMP_FILTER
381 case SECCOMP_MODE_FILTER:
382 if (seccomp_run_filters(this_syscall) == SECCOMP_RET_ALLOW)
384 seccomp_filter_log_failure(this_syscall);
395 audit_seccomp(this_syscall);
399 long prctl_get_seccomp(void)
401 return current->seccomp.mode;
405 * prctl_set_seccomp: configures current->seccomp.mode
406 * @seccomp_mode: requested mode to use
407 * @filter: optional struct sock_fprog for use with SECCOMP_MODE_FILTER
409 * This function may be called repeatedly with a @seccomp_mode of
410 * SECCOMP_MODE_FILTER to install additional filters. Every filter
411 * successfully installed will be evaluated (in reverse order) for each system
412 * call the task makes.
414 * Once current->seccomp.mode is non-zero, it may not be changed.
416 * Returns 0 on success or -EINVAL on failure.
418 long prctl_set_seccomp(unsigned long seccomp_mode, char __user *filter)
422 if (current->seccomp.mode &&
423 current->seccomp.mode != seccomp_mode)
426 switch (seccomp_mode) {
427 case SECCOMP_MODE_STRICT:
433 #ifdef CONFIG_SECCOMP_FILTER
434 case SECCOMP_MODE_FILTER:
435 ret = seccomp_attach_user_filter(filter);
444 current->seccomp.mode = seccomp_mode;
445 set_thread_flag(TIF_SECCOMP);