2 * linux/kernel/seccomp.c
4 * Copyright 2004-2005 Andrea Arcangeli <andrea@cpushare.com>
6 * Copyright (C) 2012 Google, Inc.
7 * Will Drewry <wad@chromium.org>
9 * This defines a simple but solid secure-computing facility.
11 * Mode 1 uses a fixed list of allowed system calls.
12 * Mode 2 allows user-defined system call filters in the form
13 * of Berkeley Packet Filters/Linux Socket Filters.
16 #include <linux/atomic.h>
17 #include <linux/audit.h>
18 #include <linux/compat.h>
19 #include <linux/sched.h>
20 #include <linux/seccomp.h>
22 /* #define SECCOMP_DEBUG 1 */
24 #ifdef CONFIG_SECCOMP_FILTER
25 #include <asm/syscall.h>
26 #include <linux/filter.h>
27 #include <linux/security.h>
28 #include <linux/slab.h>
29 #include <linux/tracehook.h>
30 #include <linux/uaccess.h>
33 * struct seccomp_filter - container for seccomp BPF programs
35 * @usage: reference count to manage the object lifetime.
36 * get/put helpers should be used when accessing an instance
37 * outside of a lifetime-guarded section. In general, this
38 * is only needed for handling filters shared across tasks.
39 * @prev: points to a previously installed, or inherited, filter
40 * @len: the number of instructions in the program
41 * @insns: the BPF program instructions to evaluate
43 * seccomp_filter objects are organized in a tree linked via the @prev
44 * pointer. For any task, it appears to be a singly-linked list starting
45 * with current->seccomp.filter, the most recently attached or inherited filter.
46 * However, multiple filters may share a @prev node, by way of fork(), which
47 * results in a unidirectional tree existing in memory. This is similar to
48 * how namespaces work.
50 * seccomp_filter objects should never be modified after being attached
51 * to a task_struct (other than @usage).
53 struct seccomp_filter {
55 struct seccomp_filter *prev;
56 unsigned short len; /* Instruction count */
57 struct sock_filter insns[];
60 /* Limit any path through the tree to 256KB worth of instructions. */
61 #define MAX_INSNS_PER_PATH ((1 << 18) / sizeof(struct sock_filter))
64 * get_u32 - returns a u32 offset into data
65 * @data: a unsigned 64 bit value
66 * @index: 0 or 1 to return the first or second 32-bits
68 * This inline exists to hide the length of unsigned long. If a 32-bit
69 * unsigned long is passed in, it will be extended and the top 32-bits will be
70 * 0. If it is a 64-bit unsigned long, then whatever data is resident will be
73 * Endianness is explicitly ignored and left for BPF program authors to manage
74 * as per the specific architecture.
76 static inline u32 get_u32(u64 data, int index)
78 return ((u32 *)&data)[index];
81 /* Helper for bpf_load below. */
82 #define BPF_DATA(_name) offsetof(struct seccomp_data, _name)
84 * bpf_load: checks and returns a pointer to the requested offset
85 * @off: offset into struct seccomp_data to load from
87 * Returns the requested 32-bits of data.
88 * seccomp_check_filter() should assure that @off is 32-bit aligned
89 * and not out of bounds. Failure to do so is a BUG.
91 u32 seccomp_bpf_load(int off)
93 struct pt_regs *regs = task_pt_regs(current);
94 if (off == BPF_DATA(nr))
95 return syscall_get_nr(current, regs);
96 if (off == BPF_DATA(arch))
97 return syscall_get_arch(current, regs);
98 if (off >= BPF_DATA(args[0]) && off < BPF_DATA(args[6])) {
100 int arg = (off - BPF_DATA(args[0])) / sizeof(u64);
101 int index = !!(off % sizeof(u64));
102 syscall_get_arguments(current, regs, arg, 1, &value);
103 return get_u32(value, index);
105 if (off == BPF_DATA(instruction_pointer))
106 return get_u32(KSTK_EIP(current), 0);
107 if (off == BPF_DATA(instruction_pointer) + sizeof(u32))
108 return get_u32(KSTK_EIP(current), 1);
109 /* seccomp_check_filter should make this impossible. */
114 * seccomp_check_filter - verify seccomp filter code
115 * @filter: filter to verify
116 * @flen: length of filter
118 * Takes a previously checked filter (by sk_chk_filter) and
119 * redirects all filter code that loads struct sk_buff data
120 * and related data through seccomp_bpf_load. It also
121 * enforces length and alignment checking of those loads.
123 * Returns 0 if the rule set is legal or -EINVAL if not.
125 static int seccomp_check_filter(struct sock_filter *filter, unsigned int flen)
128 for (pc = 0; pc < flen; pc++) {
129 struct sock_filter *ftest = &filter[pc];
130 u16 code = ftest->code;
135 ftest->code = BPF_S_ANC_SECCOMP_LD_W;
136 /* 32-bit aligned and not out of bounds. */
137 if (k >= sizeof(struct seccomp_data) || k & 3)
141 ftest->code = BPF_S_LD_IMM;
142 ftest->k = sizeof(struct seccomp_data);
144 case BPF_S_LDX_W_LEN:
145 ftest->code = BPF_S_LDX_IMM;
146 ftest->k = sizeof(struct seccomp_data);
148 /* Explicitly include allowed calls. */
151 case BPF_S_ALU_ADD_K:
152 case BPF_S_ALU_ADD_X:
153 case BPF_S_ALU_SUB_K:
154 case BPF_S_ALU_SUB_X:
155 case BPF_S_ALU_MUL_K:
156 case BPF_S_ALU_MUL_X:
157 case BPF_S_ALU_DIV_X:
158 case BPF_S_ALU_AND_K:
159 case BPF_S_ALU_AND_X:
162 case BPF_S_ALU_LSH_K:
163 case BPF_S_ALU_LSH_X:
164 case BPF_S_ALU_RSH_K:
165 case BPF_S_ALU_RSH_X:
171 case BPF_S_ALU_DIV_K:
177 case BPF_S_JMP_JEQ_K:
178 case BPF_S_JMP_JEQ_X:
179 case BPF_S_JMP_JGE_K:
180 case BPF_S_JMP_JGE_X:
181 case BPF_S_JMP_JGT_K:
182 case BPF_S_JMP_JGT_X:
183 case BPF_S_JMP_JSET_K:
184 case BPF_S_JMP_JSET_X:
194 * seccomp_run_filters - evaluates all seccomp filters against @syscall
195 * @syscall: number of the current system call
197 * Returns valid seccomp BPF response codes.
199 static u32 seccomp_run_filters(int syscall)
201 struct seccomp_filter *f;
202 u32 ret = SECCOMP_RET_ALLOW;
204 /* Ensure unexpected behavior doesn't result in failing open. */
205 if (WARN_ON(current->seccomp.filter == NULL))
206 return SECCOMP_RET_KILL;
209 * All filters in the list are evaluated and the lowest BPF return
210 * value always takes priority (ignoring the DATA).
212 for (f = current->seccomp.filter; f; f = f->prev) {
213 u32 cur_ret = sk_run_filter(NULL, f->insns);
214 if ((cur_ret & SECCOMP_RET_ACTION) < (ret & SECCOMP_RET_ACTION))
221 * seccomp_attach_filter: Attaches a seccomp filter to current.
222 * @fprog: BPF program to install
224 * Returns 0 on success or an errno on failure.
226 static long seccomp_attach_filter(struct sock_fprog *fprog)
228 struct seccomp_filter *filter;
229 unsigned long fp_size = fprog->len * sizeof(struct sock_filter);
230 unsigned long total_insns = fprog->len;
233 if (fprog->len == 0 || fprog->len > BPF_MAXINSNS)
236 for (filter = current->seccomp.filter; filter; filter = filter->prev)
237 total_insns += filter->len + 4; /* include a 4 instr penalty */
238 if (total_insns > MAX_INSNS_PER_PATH)
242 * Installing a seccomp filter requires that the task have
243 * CAP_SYS_ADMIN in its namespace or be running with no_new_privs.
244 * This avoids scenarios where unprivileged tasks can affect the
245 * behavior of privileged children.
247 if (!current->no_new_privs &&
248 security_capable_noaudit(current_cred(), current_user_ns(),
252 /* Allocate a new seccomp_filter */
253 filter = kzalloc(sizeof(struct seccomp_filter) + fp_size,
254 GFP_KERNEL|__GFP_NOWARN);
257 atomic_set(&filter->usage, 1);
258 filter->len = fprog->len;
260 /* Copy the instructions from fprog. */
262 if (copy_from_user(filter->insns, fprog->filter, fp_size))
265 /* Check and rewrite the fprog via the skb checker */
266 ret = sk_chk_filter(filter->insns, filter->len);
270 /* Check and rewrite the fprog for seccomp use */
271 ret = seccomp_check_filter(filter->insns, filter->len);
276 * If there is an existing filter, make it the prev and don't drop its
279 filter->prev = current->seccomp.filter;
280 current->seccomp.filter = filter;
288 * seccomp_attach_user_filter - attaches a user-supplied sock_fprog
289 * @user_filter: pointer to the user data containing a sock_fprog.
291 * Returns 0 on success and non-zero otherwise.
293 long seccomp_attach_user_filter(char __user *user_filter)
295 struct sock_fprog fprog;
299 if (is_compat_task()) {
300 struct compat_sock_fprog fprog32;
301 if (copy_from_user(&fprog32, user_filter, sizeof(fprog32)))
303 fprog.len = fprog32.len;
304 fprog.filter = compat_ptr(fprog32.filter);
305 } else /* falls through to the if below. */
307 if (copy_from_user(&fprog, user_filter, sizeof(fprog)))
309 ret = seccomp_attach_filter(&fprog);
314 /* get_seccomp_filter - increments the reference count of the filter on @tsk */
315 void get_seccomp_filter(struct task_struct *tsk)
317 struct seccomp_filter *orig = tsk->seccomp.filter;
320 /* Reference count is bounded by the number of total processes. */
321 atomic_inc(&orig->usage);
324 /* put_seccomp_filter - decrements the ref count of tsk->seccomp.filter */
325 void put_seccomp_filter(struct task_struct *tsk)
327 struct seccomp_filter *orig = tsk->seccomp.filter;
328 /* Clean up single-reference branches iteratively. */
329 while (orig && atomic_dec_and_test(&orig->usage)) {
330 struct seccomp_filter *freeme = orig;
337 * seccomp_send_sigsys - signals the task to allow in-process syscall emulation
338 * @syscall: syscall number to send to userland
339 * @reason: filter-supplied reason code to send to userland (via si_errno)
341 * Forces a SIGSYS with a code of SYS_SECCOMP and related sigsys info.
343 static void seccomp_send_sigsys(int syscall, int reason)
346 memset(&info, 0, sizeof(info));
347 info.si_signo = SIGSYS;
348 info.si_code = SYS_SECCOMP;
349 info.si_call_addr = (void __user *)KSTK_EIP(current);
350 info.si_errno = reason;
351 info.si_arch = syscall_get_arch(current, task_pt_regs(current));
352 info.si_syscall = syscall;
353 force_sig_info(SIGSYS, &info, current);
355 #endif /* CONFIG_SECCOMP_FILTER */
358 * Secure computing mode 1 allows only read/write/exit/sigreturn.
359 * To be fully secure this must be combined with rlimit
360 * to limit the stack allocations too.
362 static int mode1_syscalls[] = {
363 __NR_seccomp_read, __NR_seccomp_write, __NR_seccomp_exit, __NR_seccomp_sigreturn,
364 0, /* null terminated */
368 static int mode1_syscalls_32[] = {
369 __NR_seccomp_read_32, __NR_seccomp_write_32, __NR_seccomp_exit_32, __NR_seccomp_sigreturn_32,
370 0, /* null terminated */
374 int __secure_computing(int this_syscall)
376 int mode = current->seccomp.mode;
379 u32 ret = SECCOMP_RET_KILL;
383 case SECCOMP_MODE_STRICT:
384 syscall = mode1_syscalls;
386 if (is_compat_task())
387 syscall = mode1_syscalls_32;
390 if (*syscall == this_syscall)
392 } while (*++syscall);
395 #ifdef CONFIG_SECCOMP_FILTER
396 case SECCOMP_MODE_FILTER:
397 ret = seccomp_run_filters(this_syscall);
398 data = ret & SECCOMP_RET_DATA;
399 switch (ret & SECCOMP_RET_ACTION) {
400 case SECCOMP_RET_ERRNO:
401 /* Set the low-order 16-bits as a errno. */
402 syscall_set_return_value(current, task_pt_regs(current),
405 case SECCOMP_RET_TRAP:
406 /* Show the handler the original registers. */
407 syscall_rollback(current, task_pt_regs(current));
408 /* Let the filter pass back 16 bits of data. */
409 seccomp_send_sigsys(this_syscall, data);
411 case SECCOMP_RET_ALLOW:
413 case SECCOMP_RET_KILL:
427 audit_seccomp(this_syscall, exit_sig, ret);
430 audit_seccomp(this_syscall, exit_sig, ret);
434 long prctl_get_seccomp(void)
436 return current->seccomp.mode;
440 * prctl_set_seccomp: configures current->seccomp.mode
441 * @seccomp_mode: requested mode to use
442 * @filter: optional struct sock_fprog for use with SECCOMP_MODE_FILTER
444 * This function may be called repeatedly with a @seccomp_mode of
445 * SECCOMP_MODE_FILTER to install additional filters. Every filter
446 * successfully installed will be evaluated (in reverse order) for each system
447 * call the task makes.
449 * Once current->seccomp.mode is non-zero, it may not be changed.
451 * Returns 0 on success or -EINVAL on failure.
453 long prctl_set_seccomp(unsigned long seccomp_mode, char __user *filter)
457 if (current->seccomp.mode &&
458 current->seccomp.mode != seccomp_mode)
461 switch (seccomp_mode) {
462 case SECCOMP_MODE_STRICT:
468 #ifdef CONFIG_SECCOMP_FILTER
469 case SECCOMP_MODE_FILTER:
470 ret = seccomp_attach_user_filter(filter);
479 current->seccomp.mode = seccomp_mode;
480 set_thread_flag(TIF_SECCOMP);