seccomp: add support for seccomp notify

add support for seccomp notify and add a basic support for emulating
mknod and mknodat.  The handler implementation is likely going to
change, for now it is just a PoC to show how it would work.

Requires: containers/crun#438
Requires: libseccomp-2.5

Signed-off-by: Giuseppe Scrivano <[email protected]>

Author: giuseppe

src/conmon.c

@@ -124,6 +124,7 @@ int main(int argc, char *argv[])
 	}
 
 	_cleanup_free_ char *csname = NULL;
+	_cleanup_free_ char *seccomp_listener = NULL;
 	int workerfd_stdin = -1;
 	int workerfd_stdout = -1;
 	int workerfd_stderr = -1;
@@ -165,6 +166,8 @@ int main(int argc, char *argv[])
 		g_unix_fd_add(winsz_fd_r, G_IO_IN, ctrl_winsz_cb, NULL);
 	}
 
+	seccomp_listener = setup_seccomp_socket();
+
 	/* We always create a stderr pipe, because that way we can capture
 	   runc stderr messages before the tty is created */
 	if (pipe2(fds, O_CLOEXEC) < 0)
@@ -173,6 +176,8 @@ int main(int argc, char *argv[])
 	mainfd_stderr = fds[0];
 	workerfd_stderr = fds[1];
 
+	setenv("RUN_OCI_SECCOMP_RECEIVER", seccomp_listener, 1);
+
 	GPtrArray *runtime_argv = configure_runtime_args(csname);
 
 	/* Setup endpoint for attach */
@@ -307,6 +312,9 @@ int main(int argc, char *argv[])
 	if (workerfd_stderr > -1)
 		close(workerfd_stderr);
 
+	if (seccomp_listener != NULL)
+		g_unix_fd_add(seccomp_socket_fd, G_IO_IN, seccomp_accept_cb, csname);
+
 	if (csname != NULL) {
 		g_unix_fd_add(console_socket_fd, G_IO_IN, terminal_accept_cb, csname);
 		/* Process any SIGCHLD we may have missed before the signal handler was in place.  */

src/conn_sock.c

@@ -21,11 +21,14 @@ void conn_sock_shutdown(struct conn_sock_s *sock, int how);
 static void sock_try_write_to_mainfd_stdin(struct conn_sock_s *sock);
 static gboolean mainfd_write_cb(G_GNUC_UNUSED int fd, G_GNUC_UNUSED GIOCondition condition, G_GNUC_UNUSED gpointer user_data);
 
-char *setup_console_socket(void)
+static char *setup_socket(int *fd)
 {
 	struct sockaddr_un addr = {0};
-	_cleanup_free_ const char *tmpdir = g_get_tmp_dir();
-	_cleanup_free_ char *csname = g_build_filename(tmpdir, "conmon-term.XXXXXX", NULL);
+	const char *tmpdir = NULL;
+	_cleanup_free_ char *csname = NULL;
+
+	tmpdir = g_get_tmp_dir();
+	csname = g_build_filename(tmpdir, "conmon.XXXXXX", NULL);
 	/*
 	 * Generate a temporary name. Is this unsafe? Probably, but we can
 	 * replace it with a rename(2) setup if necessary.
@@ -42,22 +45,32 @@ char *setup_console_socket(void)
 	ninfof("addr{sun_family=AF_UNIX, sun_path=%s}", addr.sun_path);
 
 	/* Bind to the console socket path. */
-	console_socket_fd = socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0);
-	if (console_socket_fd < 0)
-		pexit("Failed to create console-socket");
-	if (fchmod(console_socket_fd, 0700))
+	*fd = socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0);
+	if (*fd < 0)
+		pexit("Failed to create socket");
+	if (fchmod(*fd, 0700))
 		pexit("Failed to change console-socket permissions");
 	/* XXX: This should be handled with a rename(2). */
 	if (unlink(csname) < 0)
 		pexit("Failed to unlink temporary random path");
-	if (bind(console_socket_fd, (struct sockaddr *)&addr, sizeof(addr)) < 0)
+	if (bind(*fd, (struct sockaddr *)&addr, sizeof(addr)) < 0)
 		pexit("Failed to bind to console-socket");
-	if (listen(console_socket_fd, 128) < 0)
+	if (listen(*fd, 128) < 0)
 		pexit("Failed to listen on console-socket");
 
 	return g_strdup(csname);
 }
 
+char *setup_console_socket(void)
+{
+	return setup_socket(&console_socket_fd);
+}
+
+char *setup_seccomp_socket(void)
+{
+	return setup_socket(&seccomp_socket_fd);
+}
+
 char *setup_attach_socket(void)
 {
 	struct sockaddr_un attach_addr = {0};

src/conn_sock.h

@@ -16,6 +16,7 @@ struct conn_sock_s {
 };
 
 char *setup_console_socket(void);
+char *setup_seccomp_socket(void);
 char *setup_attach_socket(void);
 void conn_sock_shutdown(struct conn_sock_s *sock, int how);
 void schedule_main_stdin_write();

src/ctrl.c

@@ -14,12 +14,247 @@
 #include <sys/stat.h>
 #include <termios.h>
 
+#include <seccomp.h>
+#include <linux/seccomp.h>
+#include <sys/sysmacros.h>
+#include <sys/wait.h>
+#include <sys/mount.h>
+#include <signal.h>
+
+static struct seccomp_notif_sizes sizes;
+static struct seccomp_notif *req;
+static struct seccomp_notif_resp *resp;
+
 static void resize_winsz(int height, int width);
 static gboolean read_from_ctrl_buffer(int fd, gboolean (*line_process_func)(char *));
 static gboolean process_terminal_ctrl_line(char *line);
 static gboolean process_winsz_ctrl_line(char *line);
 static void setup_fifo(int *fifo_r, int *fifo_w, char *filename, char *error_var_name);
 
+static int seccomp(unsigned int op, unsigned int flags, void *args)
+{
+	errno = 0;
+	return syscall(__NR_seccomp, op, flags, args);
+}
+
+static ssize_t read_pid_memory(pid_t pid, char *to, off_t from, size_t len)
+{
+	int fd;
+	char p[32];
+	ssize_t ret;
+
+	sprintf(p, "/proc/%d/mem", pid);
+	fd = open(p, O_RDONLY|O_CLOEXEC);
+	if (fd < 0)
+		return -1;
+
+	ret = pread(fd, to, len, from);
+
+	close(fd);
+	return ret;
+}
+
+struct device_s
+{
+  const char *path;
+  bool block;
+  int major;
+  int minor;
+};
+
+struct device_s allowed_devs[] =
+  {
+   {"/dev/null", false, 1, 3},
+   {"/dev/zero", false, 1, 5},
+   {"/dev/full", false, 1, 7},
+   {"/dev/random", false, 1, 8},
+   {"/dev/urandom", false, 1, 9},
+   {NULL}
+  };
+
+static struct device_s *get_dev(bool block, uint64_t dev)
+{
+	size_t i;
+	int min = minor(dev);
+	int maj = major(dev);
+	for (i = 0; allowed_devs[i].path; i++) {
+		if (min == allowed_devs[i].minor
+		    && maj == allowed_devs[i].major
+		    && block == allowed_devs[i].block)
+			return &allowed_devs[i];
+	}
+	return NULL;
+}
+
+/* This is just a example handler for mknod and mknodat using the device
+ allow list above.  This is likely going to change in future.  */
+static int handle_req(struct seccomp_notif *sreq,
+		      struct seccomp_notif_resp *sresp, int listener)
+{
+	(void) listener;
+
+	sresp->id = sreq->id;
+	sresp->error = 0;
+	sresp->val = 0;
+
+	if (sreq->data.nr == __NR_mknod || sreq->data.nr == __NR_mknodat) {
+		char path[PATH_MAX+1];
+		int dirfd = AT_FDCWD;
+		struct device_s *d;
+		mode_t mode_arg;
+		int path_arg;
+		dev_t dev_arg;
+		pid_t p, pid;
+		ssize_t len;
+		int r;
+
+		sresp->flags = 0;
+
+		if (sreq->data.nr == __NR_mknod) {
+			path_arg = 0;
+			mode_arg = 1;
+			dev_arg = 2;
+		} else {
+			dirfd = sreq->data.args[0];
+			path_arg = 1;
+			mode_arg = 2;
+			dev_arg = 3;
+		}
+
+		len = read_pid_memory(sreq->pid, path, sreq->data.args[path_arg], sizeof(path));
+		if (len < 0) {
+			sresp->error = -errno;
+			return len;
+		}
+		path[len] = '\0';
+
+		d = get_dev((sreq->data.args[mode_arg] & S_IFMT) == S_IFBLK, sreq->data.args[dev_arg]);
+		if (d == NULL) {
+			sresp->error = -EPERM;
+			sresp->flags = 0;
+			return 0;
+		}
+
+		pid = fork();
+		if (pid < 0) {
+			sresp->error = -errno;
+			sresp->flags = 0;
+			return 0;
+		}
+		if (pid == 0) {
+			char proc_path[32];
+			sigset_t sigset;
+			int fd;
+
+			if (sigfillset(&sigset) < 0)
+				_exit(errno);
+			if (sigprocmask(SIG_BLOCK, &sigset, NULL) < 0)
+				_exit(errno);
+
+			if (dirfd == AT_FDCWD)
+				sprintf (proc_path, "/proc/%d/cwd", sreq->pid);
+			else
+				sprintf (proc_path, "/proc/%d/fd/%d", sreq->pid, dirfd);
+
+			dirfd = open(proc_path, O_PATH|O_CLOEXEC);
+			if (dirfd < 0)
+				_exit(errno);
+
+			sprintf (proc_path, "/proc/%d/ns/mnt", sreq->pid);
+			fd = open(proc_path, O_RDONLY|O_CLOEXEC);
+			if (fd < 0)
+				_exit(errno);
+
+			if (setns (fd, 0) < 0)
+				_exit(errno);
+			close(fd);
+
+			if (fchdir (dirfd) < 0)
+				_exit(errno);
+			close(dirfd);
+
+			fd = open(path, O_RDWR|O_EXCL|O_CREAT, sreq->data.args[mode_arg] & 01777);
+			if (fd < 0)
+				_exit(errno);
+
+			if (mount(d->path, path, NULL, MS_BIND|MS_SLAVE, NULL) < 0) {
+				unlink(path);
+				_exit(errno);
+			}
+			_exit(0);
+		}
+
+		do {
+			p = waitpid(pid, &r, 0);
+		}
+		while (p != pid);
+
+		if (WEXITSTATUS(r) != 0) {
+			sresp->error = -WEXITSTATUS(r);
+			sresp->flags = 0;
+			return 0;
+		}
+
+		sresp->error = 0;
+		sresp->flags = 0;
+	} else {
+		sresp->error = -ENOTSUP;
+		sresp->flags = 0;
+	}
+
+	return 0;
+}
+
+gboolean seccomp_accept_cb(int fd, G_GNUC_UNUSED GIOCondition condition, G_GNUC_UNUSED gpointer user_data)
+{
+	ninfof("about to accept from seccomp_socket_fd: %d", fd);
+	int connfd = accept4(fd, NULL, NULL, SOCK_CLOEXEC);
+	if (connfd < 0) {
+		nwarn("Failed to accept console-socket connection");
+		return G_SOURCE_CONTINUE;
+	}
+
+	struct file_t console = recvfd(connfd);
+	close(connfd);
+	if (req == NULL) {
+		if (seccomp(SECCOMP_GET_NOTIF_SIZES, 0, &sizes) < 0) {
+			pexitf("seccomp");
+		}
+		req = malloc(sizes.seccomp_notif);
+		if (!req)
+			pexitf("malloc");
+
+		resp = malloc(sizes.seccomp_notif_resp);
+		if (!resp)
+			pexitf("malloc");
+		memset(resp, 0, sizes.seccomp_notif_resp);
+	}
+	g_unix_fd_add(console.fd, G_IO_IN|G_IO_HUP, seccomp_cb, NULL);
+	return G_SOURCE_CONTINUE;
+}
+
+gboolean seccomp_cb(int fd, GIOCondition condition, G_GNUC_UNUSED gpointer user_data)
+{
+	(void) fd;
+	if (condition & G_IO_IN) {
+		memset(req, 0, sizes.seccomp_notif);
+		if (ioctl(fd, SECCOMP_IOCTL_NOTIF_RECV, req)) {
+			return G_SOURCE_CONTINUE;
+		}
+
+		if (handle_req(req, resp, fd) < 0) {
+			return G_SOURCE_CONTINUE;
+		}
+
+		if (ioctl(fd, SECCOMP_IOCTL_NOTIF_SEND, resp) < 0 &&
+		    errno != ENOENT) {
+			return G_SOURCE_CONTINUE;
+		}
+
+	}
+	return G_SOURCE_CONTINUE;
+}
+
 gboolean terminal_accept_cb(int fd, G_GNUC_UNUSED GIOCondition condition, G_GNUC_UNUSED gpointer user_data)
 {
 

src/ctrl.h

@@ -3,8 +3,10 @@
 
 #include <glib.h> /* gpointer */
 
+gboolean seccomp_accept_cb(int fd, G_GNUC_UNUSED GIOCondition condition, G_GNUC_UNUSED gpointer user_data);
 gboolean terminal_accept_cb(int fd, G_GNUC_UNUSED GIOCondition condition, G_GNUC_UNUSED gpointer user_data);
 gboolean ctrl_winsz_cb(int fd, G_GNUC_UNUSED GIOCondition condition, G_GNUC_UNUSED gpointer user_data);
+gboolean seccomp_cb(int fd, GIOCondition condition, G_GNUC_UNUSED gpointer user_data);
 gboolean ctrl_cb(int fd, G_GNUC_UNUSED GIOCondition condition, G_GNUC_UNUSED gpointer user_data);
 void setup_console_fifo();
 int setup_terminal_control_fifo();

src/globals.c

@@ -11,6 +11,7 @@ GPtrArray *conn_socks = NULL;
 
 int attach_socket_fd = -1;
 int console_socket_fd = -1;
+int seccomp_socket_fd = -1;
 int terminal_ctrl_fd = -1;
 int inotify_fd = -1;
 int winsz_fd_w = -1;

src/globals.h

@@ -16,6 +16,7 @@ extern GPtrArray *conn_socks;
 
 extern int attach_socket_fd;
 extern int console_socket_fd;
+extern int seccomp_socket_fd;
 extern int terminal_ctrl_fd;
 extern int inotify_fd;
 extern int winsz_fd_w;