seccomp

package
v0.0.0-...-4bf4b70
Published: Jan 24, 2021 License: Apache-2.0, MIT Imports: 8 Imported by: 0

Documentation

Overview

Package seccomp provides generation of basic seccomp filters. Currently, only little endian systems are supported.

Index

Constants

const (
	LINUX_AUDIT_ARCH = linux.AUDIT_ARCH_X86_64
	SYS_SECCOMP      = 317
)
const RuleIP = 6

RuleIP is the index in the Rule array of the matcher that is applied to the instruction pointer rather than to a syscall argument.

Variables

var SyscallName = func(sysno uintptr) string {
	return fmt.Sprintf("syscall_%d", sysno)
}

SyscallName gives names to system calls. It is used purely for debugging purposes.

An alternate namer can be provided to the package at initialization time.

Functions

func BuildProgram

func BuildProgram(rules []RuleSet, defaultAction, badArchAction linux.BPFAction) ([]linux.BPFInstruction, error)

BuildProgram builds a BPF program from the given map of actions to matching SyscallRules. The single generated program covers all provided RuleSets.

func Install

func Install(rules SyscallRules) error

Install generates BPF code based on the set of syscalls provided. It only allows syscalls that conform to the specification. Syscalls that violate the specification will trigger RET_KILL_PROCESS, except for the cases below.

RET_TRAP is used in violations, instead of RET_KILL_PROCESS, in the following cases:

  1. The kernel doesn't support RET_KILL_PROCESS: RET_KILL_THREAD only kills the offending thread and often leaves the sentry hanging.
  2. Debug: RET_TRAP generates a panic followed by a stack trace, which is much easier to debug than RET_KILL_PROCESS, which can't be caught.

Be aware that RET_TRAP sends SIGSYS to the process and it may be ignored, making it possible for the process to continue running after a violation. However, it will leave a SECCOMP audit event trail behind. In any case, the syscall is still blocked from executing.

func MaskedEqual

func MaskedEqual(mask, value uintptr) interface{}

MaskedEqual specifies a value that must match the input after the input is masked (bitwise &) against the given mask. It can be used to verify that an input contains only certain approved flags.

func SetFilter

func SetFilter(instrs []linux.BPFInstruction) syscall.Errno

SetFilter installs the given BPF program.

This is safe to call from an afterFork context.

Types

type EqualTo

type EqualTo uintptr

EqualTo specifies a value that needs to be strictly matched.

func (EqualTo) String

func (a EqualTo) String() (s string)

type GreaterThan

type GreaterThan uintptr

GreaterThan specifies a value that needs to be strictly smaller than the argument, i.e. the argument must be strictly greater than it.

func (GreaterThan) String

func (a GreaterThan) String() (s string)

type GreaterThanOrEqual

type GreaterThanOrEqual uintptr

GreaterThanOrEqual specifies a value that needs to be smaller than or equal to the argument, i.e. the argument must be greater than or equal to it.

func (GreaterThanOrEqual) String

func (a GreaterThanOrEqual) String() (s string)

type LessThan

type LessThan uintptr

LessThan specifies a value that needs to be strictly greater than the argument, i.e. the argument must be strictly less than it.

func (LessThan) String

func (a LessThan) String() (s string)

type LessThanOrEqual

type LessThanOrEqual uintptr

LessThanOrEqual specifies a value that needs to be greater than or equal to the argument, i.e. the argument must be less than or equal to it.

func (LessThanOrEqual) String

func (a LessThanOrEqual) String() (s string)

type MatchAny

type MatchAny struct{}

MatchAny is a marker indicating that any value will be accepted.

func (MatchAny) String

func (a MatchAny) String() (s string)

type NotEqual

type NotEqual uintptr

NotEqual specifies a value that the argument must not be equal to.

func (NotEqual) String

func (a NotEqual) String() (s string)

type Rule

type Rule [7]interface{} // 6 arguments + RIP

Rule stores the allowed syscall arguments.

For example:

rule := Rule{
	EqualTo(linux.ARCH_GET_FS | linux.ARCH_SET_FS), // arg0
}

func (Rule) String

func (r Rule) String() (s string)

type RuleSet

type RuleSet struct {
	Rules  SyscallRules
	Action linux.BPFAction

	// Vsyscall indicates that a check is made for a function being called
	// from kernel mappings. This is where the vsyscall page is located
	// (and typically emulated), so this RuleSet will not match any
	// functions not dispatched from the vsyscall page.
	Vsyscall bool
}

RuleSet is a set of rules and associated action.

type SyscallRules

type SyscallRules map[uintptr][]Rule

SyscallRules stores a map of OR'ed argument rules indexed by the syscall number. If the rule list for a syscall is empty, any arguments are allowed for that syscall.

For example:

rules := SyscallRules{
	syscall.SYS_FUTEX: []Rule{
		{
			MatchAny{},
			EqualTo(linux.FUTEX_WAIT | linux.FUTEX_PRIVATE_FLAG),
		}, // OR
		{
			MatchAny{},
			EqualTo(linux.FUTEX_WAKE | linux.FUTEX_PRIVATE_FLAG),
		},
	},
	syscall.SYS_GETPID: []Rule{},
}
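The following is an added example, not code from this package: a plain-Go model of the Rule, SyscallRules and MaskedEqual semantics documented above (AND across the matchers of one Rule, OR across the Rules of a syscall, an empty list allowing everything, an unlisted syscall falling through to the default action). Only EqualTo, GreaterThan, MatchAny and MaskedEqual are modelled; the kernel, BPF generation and the real gvisor types are deliberately left out so the matching logic can be checked on its own.

```go
package main

// Added example, not gvisor's own code: a plain-Go model of the matchers this
// package documents, so the AND/OR rule semantics can be checked with no kernel.
type (
	EqualTo     uintptr
	GreaterThan uintptr
	MatchAny    struct{}
	maskedEqual struct{ mask, value uintptr }
)

// MaskedEqual matches when (arg & mask) == value, e.g. "only approved flags set".
func MaskedEqual(mask, value uintptr) interface{} { return maskedEqual{mask, value} }

// Rule holds one matcher per argument plus index 6 for the instruction pointer
// (RuleIP); a nil entry behaves like MatchAny.
type Rule [7]interface{}

// SyscallRules holds OR'ed rules per syscall number; an empty slice allows all.
type SyscallRules map[uintptr][]Rule

func argMatches(m interface{}, arg uintptr) bool {
	switch v := m.(type) {
	case nil, MatchAny:
		return true
	case EqualTo:
		return arg == uintptr(v)
	case GreaterThan: // the argument must be strictly greater than the rule value
		return arg > uintptr(v)
	case maskedEqual:
		return arg&v.mask == v.value
	}
	return false
}

// Allowed reports whether the call passes: every matcher in a rule must hold
// (AND), any rule in the slice suffices (OR), unlisted syscalls are refused.
func (sr SyscallRules) Allowed(sysno uintptr, args [7]uintptr) bool {
	rules, listed := sr[sysno]
	if !listed {
		return false
	}
	for _, r := range rules {
		ok := true
		for i := 0; i < len(r) && ok; i++ {
			ok = argMatches(r[i], args[i])
		}
		if ok {
			return true
		}
	}
	return len(rules) == 0
}
```

The syscall numbers and futex flag values used when exercising this model are constructed stand-ins, not values taken from the linux package.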

func NewSyscallRules

func NewSyscallRules() SyscallRules

NewSyscallRules returns a new SyscallRules.

func (SyscallRules) AddRule

func (sr SyscallRules) AddRule(sysno uintptr, r Rule)

AddRule adds the given rule. It will create a new entry for a new syscall, otherwise it will append to the existing rules.

func (SyscallRules) Merge

func (sr SyscallRules) Merge(rules SyscallRules)

Merge merges the given SyscallRules.
