From 66d5930ec77caed942404ceef4829f2c4ca431bd Mon Sep 17 00:00:00 2001
From: Stefano Brivio <sbrivio@redhat.com>
Date: Wed, 13 Oct 2021 22:25:03 +0200
Subject: passt, pasta: Add seccomp support

List of allowed syscalls comes from comments in the form:
	#syscalls <list>

for syscalls needed both in passt and pasta mode, and:
	#syscalls:pasta <list>
	#syscalls:passt <list>

for syscalls specifically needed in pasta or passt mode only.

seccomp.sh builds a list of BPF statements from those comments,
prefixed by a binary search tree to keep lookup fast.

While at it, clean up a bit the Makefile using wildcards.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
---
 passt.c | 36 ++++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)

(limited to 'passt.c')

diff --git a/passt.c b/passt.c
index b411657..0628d8c 100644
--- a/passt.c
+++ b/passt.c
@@ -51,7 +51,12 @@
 #include <time.h>
 #include <syslog.h>
 #include <sys/stat.h>
+#include <seccomp.h>
+#include <sys/prctl.h>
+#include <linux/filter.h>
+#include <stddef.h>
 
+#include "seccomp.h"
 #include "util.h"
 #include "passt.h"
 #include "dhcp.h"
@@ -157,12 +162,41 @@ void proto_update_l2_buf(unsigned char *eth_d, unsigned char *eth_s,
 	udp_update_l2_buf(eth_d, eth_s, ip_da);
 }
 
+/**
+ * seccomp() - Set up seccomp filters depending on mode, won't return on failure
+ * @c:		Execution context
+ */
+static void seccomp(struct ctx *c)
+{
+	struct sock_fprog prog;
+
+	if (c->mode == MODE_PASST) {
+		prog.len = (unsigned short)ARRAY_SIZE(filter_passt);
+		prog.filter = filter_passt;
+	} else {
+		prog.len = (unsigned short)ARRAY_SIZE(filter_pasta);
+		prog.filter = filter_pasta;
+	}
+
+	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
+	    prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) {
+		perror("prctl");
+		exit(EXIT_FAILURE);
+	}
+}
+
 /**
  * main() - Entry point and main loop
  * @argc:	Argument count
  * @argv:	Options, plus optional target PID for pasta mode
  *
  * Return: 0 once interrupted, non-zero on failure
+ *
+ * #syscalls read write open close fork dup2 exit chdir brk ioctl writev syslog
+ * #syscalls prlimit64 epoll_ctl epoll_create1 epoll_wait accept4 accept listen
+ * #syscalls socket bind connect getsockopt setsockopt recvfrom sendto shutdown
+ * #syscalls openat fstat fcntl lseek
+ * #syscalls:pasta rt_sigreturn
  */
 int main(int argc, char **argv)
 {
@@ -198,6 +232,8 @@ int main(int argc, char **argv)
 
 	conf(&c, argc, argv);
 
+	seccomp(&c);
+
 	if (!c.debug && (c.stderr || isatty(fileno(stdout))))
 		openlog(log_name, LOG_PERROR, LOG_DAEMON);
 
-- 
cgit v1.2.3