Remove libseccomp based system-call filtering.

c2c1e253 · Ondřej Surý · 01d41d5b · 01d41d5b · c2c1e253 · c2c1e253
Commit c2c1e253 authored Feb 22, 2018 by Ondřej Surý
9 changed files
--- a/bin/named/include/named/seccomp.h
+++ b/bin/named/include/named/seccomp.h
-/*
- * Copyright (C) 2014, 2016, 2017  Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- */
-
-#ifndef NAMED_SECCOMP_H
-#define NAMED_SECCOMP_H 1
-
-/*! \file */
-
-#ifdef HAVE_LIBSECCOMP
-#include <sys/types.h>
-#include <sys/resource.h>
-#include <unistd.h>
-#include <seccomp.h>
-#include <isc/platform.h>
-
-/*%
- * For each architecture, the scmp_syscalls and
- * scmp_syscall_names arrays MUST be kept in sync.
- */
-#ifdef __x86_64__
-int scmp_syscalls[] = {
-	SCMP_SYS(access),
-	SCMP_SYS(open),
-	SCMP_SYS(openat),
-	SCMP_SYS(lseek),
-	SCMP_SYS(clock_gettime),
-	SCMP_SYS(time),
-	SCMP_SYS(read),
-	SCMP_SYS(write),
-	SCMP_SYS(close),
-	SCMP_SYS(brk),
-	SCMP_SYS(poll),
-	SCMP_SYS(select),
-	SCMP_SYS(madvise),
-	SCMP_SYS(mmap),
-	SCMP_SYS(munmap),
-	SCMP_SYS(exit_group),
-	SCMP_SYS(rt_sigprocmask),
-	SCMP_SYS(rt_sigaction),
-	SCMP_SYS(fsync),
-	SCMP_SYS(rt_sigreturn),
-	SCMP_SYS(setsid),
-	SCMP_SYS(chdir),
-	SCMP_SYS(futex),
-	SCMP_SYS(stat),
-	SCMP_SYS(rt_sigsuspend),
-	SCMP_SYS(fstat),
-	SCMP_SYS(epoll_ctl),
-	SCMP_SYS(gettimeofday),
-	SCMP_SYS(getpid),
-#ifdef HAVE_GETRANDOM
-	SCMP_SYS(getrandom),
-#endif
-	SCMP_SYS(rename),
-	SCMP_SYS(unlink),
-	SCMP_SYS(socket),
-	SCMP_SYS(sendto),
-#ifndef ISC_PLATFORM_USETHREADS
-	SCMP_SYS(bind),
-	SCMP_SYS(accept),
-	SCMP_SYS(connect),
-	SCMP_SYS(listen),
-	SCMP_SYS(fcntl),
-	SCMP_SYS(sendmsg),
-	SCMP_SYS(recvmsg),
-	SCMP_SYS(uname),
-	SCMP_SYS(setrlimit),
-	SCMP_SYS(getrlimit),
-	SCMP_SYS(setsockopt),
-	SCMP_SYS(getsockopt),
-	SCMP_SYS(getsockname),
-	SCMP_SYS(lstat),
-	SCMP_SYS(getgid),
-	SCMP_SYS(getegid),
-	SCMP_SYS(getuid),
-	SCMP_SYS(geteuid),
-	SCMP_SYS(setresgid),
-	SCMP_SYS(setresuid),
-	SCMP_SYS(setgid),
-	SCMP_SYS(setuid),
-	SCMP_SYS(prctl),
-	SCMP_SYS(epoll_wait),
-	SCMP_SYS(getdents),
-	SCMP_SYS(utimes),
-	SCMP_SYS(dup),
-#endif
-};
-const char *scmp_syscall_names[] = {
-	"access",
-	"open",
-	"openat",
-	"lseek",
-	"clock_gettime",
-	"time",
-	"read",
-	"write",
-	"close",
-	"brk",
-	"poll",
-	"select",
-	"madvise",
-	"mmap",
-	"munmap",
-	"exit_group",
-	"rt_sigprocmask",
-	"rt_sigaction",
-	"fsync",
-	"rt_sigreturn",
-	"setsid",
-	"chdir",
-	"futex",
-	"stat",
-	"rt_sigsuspend",
-	"fstat",
-	"epoll_ctl",
-	"gettimeofday",
-	"getpid",
-#ifdef HAVE_GETRANDOM
-	"getrandom",
-#endif
-	"rename",
-	"unlink",
-	"socket",
-	"sendto",
-#ifndef ISC_PLATFORM_USETHREADS
-	"bind",
-	"accept",
-	"connect",
-	"listen",
-	"fcntl",
-	"sendmsg",
-	"recvmsg",
-	"uname",
-	"setrlimit",
-	"getrlimit",
-	"setsockopt",
-	"getsockopt",
-	"getsockname",
-	"lstat",
-	"getgid",
-	"getegid",
-	"getuid",
-	"geteuid",
-	"setresgid",
-	"setresuid",
-	"setgid",
-	"setuid",
-	"prctl",
-	"epoll_wait",
-	"getdents",
-	"utimes",
-	"dup",
-#endif
-};
-#endif /* __x86_64__ */
-#ifdef __i386__
-int scmp_syscalls[] = {
-	SCMP_SYS(access),
-	SCMP_SYS(open),
-	SCMP_SYS(clock_gettime),
-	SCMP_SYS(time),
-	SCMP_SYS(read),
-	SCMP_SYS(write),
-	SCMP_SYS(close),
-	SCMP_SYS(brk),
-	SCMP_SYS(poll),
-	SCMP_SYS(_newselect),
-	SCMP_SYS(select),
-	SCMP_SYS(madvise),
-	SCMP_SYS(mmap2),
-	SCMP_SYS(mmap),
-	SCMP_SYS(munmap),
-	SCMP_SYS(exit_group),
-	SCMP_SYS(rt_sigprocmask),
-	SCMP_SYS(sigprocmask),
-	SCMP_SYS(rt_sigaction),
-	SCMP_SYS(socketcall),
-	SCMP_SYS(fsync),
-	SCMP_SYS(sigreturn),
-	SCMP_SYS(setsid),
-	SCMP_SYS(chdir),
-	SCMP_SYS(futex),
-	SCMP_SYS(stat64),
-	SCMP_SYS(rt_sigsuspend),
-	SCMP_SYS(fstat64),
-	SCMP_SYS(epoll_ctl),
-	SCMP_SYS(gettimeofday),
-	SCMP_SYS(getpid),
-#ifdef HAVE_GETRANDOM
-	SCMP_SYS(getrandom),
-#endif
-	SCMP_SYS(unlink),
-#ifndef ISC_PLATFORM_USETHREADS
-	SCMP_SYS(fcntl64),
-#endif
-};
-const char *scmp_syscall_names[] = {
-	"access",
-	"open",
-	"clock_gettime",
-	"time",
-	"read",
-	"write",
-	"close",
-	"brk",
-	"poll",
-	"_newselect",
-	"select",
-	"madvise",
-	"mmap2",
-	"mmap",
-	"munmap",
-	"exit_group",
-	"rt_sigprocmask",
-	"sigprocmask",
-	"rt_sigaction",
-	"socketcall",
-	"fsync",
-	"sigreturn",
-	"setsid",
-	"chdir",
-	"futex",
-	"stat64",
-	"rt_sigsuspend",
-	"fstat64",
-	"epoll_ctl",
-	"gettimeofday",
-	"getpid",
-#ifdef HAVE_GETRANDOM
-	"getrandom",
-#endif
-	"unlink",
-#ifndef ISC_PLATFORM_USETHREADS
-	"fcntl64",
-#endif
-};
-#endif /* __i386__ */
-#endif /* HAVE_LIBSECCOMP */
-
-#endif /* NAMED_SECCOMP_H */
--- a/bin/named/main.c
+++ b/bin/named/main.c
@@ -69,7 +69,6 @@
 #include <named/os.h>
 #include <named/server.h>
 #include <named/main.h>
-#include <named/seccomp.h>
 #ifdef HAVE_LIBSCF
 #include <named/smf_globals.h>
 #endif
@@ -908,60 +907,6 @@ dump_symboltable(void) {
 	}
 }

-#ifdef HAVE_LIBSECCOMP
-static void
-setup_seccomp() {
-	scmp_filter_ctx ctx;
-	unsigned int i;
-	int ret;
-
-	/* Make sure the lists are in sync */
-	INSIST((sizeof(scmp_syscalls) / sizeof(int)) ==
-	       (sizeof(scmp_syscall_names) / sizeof(const char *)));
-
-	ctx = seccomp_init(SCMP_ACT_KILL);
-	if (ctx == NULL) {
-		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
-			      NAMED_LOGMODULE_MAIN, ISC_LOG_WARNING,
-			      "libseccomp activation failed");
-		return;
-	}
-
-	for (i = 0 ; i < sizeof(scmp_syscalls)/sizeof(*(scmp_syscalls)); i++) {
-		ret = seccomp_rule_add(ctx, SCMP_ACT_ALLOW,
-				       scmp_syscalls[i], 0);
-		if (ret < 0)
-			isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
-				      NAMED_LOGMODULE_MAIN, ISC_LOG_WARNING,
-				      "libseccomp rule failed: %s",
-				      scmp_syscall_names[i]);
-
-		else
-			isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
-				      NAMED_LOGMODULE_MAIN, ISC_LOG_DEBUG(9),
-				      "added libseccomp rule: %s",
-				      scmp_syscall_names[i]);
-	}
-
-	ret = seccomp_load(ctx);
-	if (ret < 0) {
-		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
-			      NAMED_LOGMODULE_MAIN, ISC_LOG_WARNING,
-			      "libseccomp unable to load filter");
-	} else {
-		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
-			      NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE,
-			      "libseccomp sandboxing active");
-	}
-
-	/*
-	 * Release filter in ctx. Filters already loaded are not
-	 * affected.
-	 */
-	seccomp_release(ctx);
-}
-#endif /* HAVE_LIBSECCOMP */
-
 static void
 setup(void) {
 	isc_result_t result;
@@ -1219,9 +1164,6 @@ setup(void) {

 	named_g_server->sctx->delay = delay;

-#ifdef HAVE_LIBSECCOMP
-	setup_seccomp();
-#endif /* HAVE_LIBSECCOMP */
 }

 static void

--- a/bin/named/win32/named.vcxproj.filters.in
+++ b/bin/named/win32/named.vcxproj.filters.in
-<?xml version="1.0" encoding="utf-8"?>
+<?xml version="1.0" encoding="utf-8"?>
 <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup>
    <Filter Include="Source Files">
@@ -99,9 +99,6 @@
    <ClInclude Include="..\include\named\main.h">
      <Filter>Header Files</Filter>
    </ClInclude>
-    <ClInclude Include="..\include\named\seccomp.h">
-      <Filter>Header Files</Filter>
-    </ClInclude>
    <ClInclude Include="..\include\named\server.h">
      <Filter>Header Files</Filter>
    </ClInclude>

--- a/bin/named/win32/named.vcxproj.in
+++ b/bin/named/win32/named.vcxproj.in
-<?xml version="1.0" encoding="utf-8"?>
+<?xml version="1.0" encoding="utf-8"?>
 <Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup Label="ProjectConfigurations">
    <ProjectConfiguration Include="Debug|@PLATFORM@">
@@ -132,7 +132,6 @@
    <ClInclude Include="..\include\named\log.h" />
    <ClInclude Include="..\include\named\logconf.h" />
    <ClInclude Include="..\include\named\main.h" />
-    <ClInclude Include="..\include\named\seccomp.h" />
    <ClInclude Include="..\include\named\server.h" />
    <ClInclude Include="..\include\named\statschannel.h" />
    <ClInclude Include="..\include\named\tkeyconf.h" />

--- a/config.h.in
+++ b/config.h.in
@@ -325,9 +325,6 @@ int sigwait(const unsigned int *set, int *sig);
 /* Define to 1 if you have the `scf' library (-lscf). */
 #undef HAVE_LIBSCF

-/* Define to use libseccomp system call filtering. */
-#undef HAVE_LIBSECCOMP
-
 /* Define to 1 if you have the `socket' library (-lsocket). */
 #undef HAVE_LIBSOCKET


--- a/configure
+++ b/configure
@@ -989,7 +989,6 @@ enable_warn_shadow
 enable_warn_error
 enable_developer
 enable_afl
-enable_seccomp
 with_python
 with_python_install_dir
 enable_kqueue
@@ -1699,8 +1698,6 @@ Optional Features:
  --enable-warn-error     turn on -Werror when compiling
  --enable-developer      enable developer build settings
  --enable-afl            enable American Fuzzy Lop test harness [default=no]
-  --enable-seccomp        enable support for libseccomp system call filtering
-                          [default=no]
  --enable-kqueue         use BSD kqueue when available [default=yes]
  --enable-epoll          use Linux epoll when available [default=auto]
  --enable-devpoll        use /dev/poll when available [default=yes]
@@ -12014,8 +12011,6 @@ yes)
 	;;
 esac

-
-#libseccomp sandboxing
 for ac_func in getrandom
 do :
  ac_fn_c_check_func "$LINENO" "getrandom" "ac_cv_func_getrandom"
@@ -12027,141 +12022,6 @@ _ACEOF
 fi
 done

-# Check whether --enable-seccomp was given.
-if test "${enable_seccomp+set}" = set; then :
-  enableval=$enable_seccomp;
-fi
-
-case "$enable_seccomp" in
-	yes)
-	case $host_os in
-	linux*)
-		;;
-	*)
-		{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: seccomp is not supported on non-linux platforms; disabling it" >&5
-$as_echo "$as_me: WARNING: seccomp is not supported on non-linux platforms; disabling it" >&2;}
-		enable_seccomp=no
-		;;
-	esac
-	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing seccomp_init" >&5
-$as_echo_n "checking for library containing seccomp_init... " >&6; }
-if ${ac_cv_search_seccomp_init+:} false; then :
-  $as_echo_n "(cached) " >&6
-else
-  ac_func_search_save_LIBS=$LIBS
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h.  */
-
-/* Override any GCC internal prototype to avoid an error.
-   Use char because int might match the return type of a GCC
-   builtin and then its argument prototype would still apply.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-char seccomp_init ();
-int
-main ()
-{
-return seccomp_init ();
-  ;
-  return 0;
-}
-_ACEOF
-for ac_lib in '' seccomp; do
-  if test -z "$ac_lib"; then
-    ac_res="none required"
-  else
-    ac_res=-l$ac_lib
-    LIBS="-l$ac_lib  $ac_func_search_save_LIBS"
-  fi
-  if ac_fn_c_try_link "$LINENO"; then :
-  ac_cv_search_seccomp_init=$ac_res
-fi
-rm -f core conftest.err conftest.$ac_objext \
-    conftest$ac_exeext
-  if ${ac_cv_search_seccomp_init+:} false; then :
-  break
-fi
-done
-if ${ac_cv_search_seccomp_init+:} false; then :
-
-else
-  ac_cv_search_seccomp_init=no
-fi
-rm conftest.$ac_ext
-LIBS=$ac_func_search_save_LIBS
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_seccomp_init" >&5
-$as_echo "$ac_cv_search_seccomp_init" >&6; }
-ac_res=$ac_cv_search_seccomp_init
-if test "$ac_res" != no; then :
-  test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
-
-fi
-
-	if test "X$ac_cv_search_seccomp_init" = "X-lseccomp" ; then
-		if test "$cross_compiling" = yes; then :
-  { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
-$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
-as_fn_error $? "cannot run test program while cross compiling
-See \`config.log' for more details" "$LINENO" 5; }
-else
-  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h.  */
-
-		#include <stdio.h>
-		#include <stdlib.h>
-		#include <errno.h>
-		#include <sys/prctl.h>
-		#include <linux/seccomp.h>
-
-		int main(void)
-		{
-			int ret;
-
-			ret = prctl(PR_GET_SECCOMP, 0, 0, 0, 0);
-			if (ret < 0) {
-				switch (errno) {
-				case ENOSYS:
-					return 1;
-				case EINVAL:
-					return 1;
-				default:
-					return 1;
-				}
-			}
-			ret =
-			prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0);
-			if (ret < 0) {
-				switch (errno) {
-				case EINVAL:
-					return 1;
-				case EFAULT:
-					return 0;
-				default:
-					return 1;
-			}
-		}
-	return 1;
-	}
-
-
-_ACEOF
-if ac_fn_c_try_run "$LINENO"; then :
-
-$as_echo "#define HAVE_LIBSECCOMP 1" >>confdefs.h
-
-
-fi
-rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
-  conftest.$ac_objext conftest.beam conftest.$ac_ext
-fi
-
-	fi
-		;;
-	*)
-		;;
-esac

 #
 # Make very sure that these are the first files processed by
@@ -26725,8 +26585,6 @@ report() {
 	echo "    DNS Response Policy Service interface (--enable-dnsrps)"
    test "yes" = "$enable_fixed" && \
 	echo "    Allow 'fixed' rrset-order (--enable-fixed-rrset)"
-    test "yes" = "$enable_seccomp" && \
-	echo "    Use libseccomp system call filtering (--enable-seccomp)"
    test "yes" = "$want_backtrace" && \
 	echo "    Print backtrace on crash (--enable-backtrace)"
    test "minimal" = "$want_symtable" && \
@@ -26793,8 +26651,6 @@ report() {
    test "yes" = "$want_crypto_rand" || \
 	echo "    Crypto provider entropy source (--enable-crypto-rand)"

-    test "yes" = "$enable_seccomp" || \
-	echo "    Use libseccomp system call filtering (--enable-seccomp)"
    test "yes" = "$want_backtrace" || \
 	echo "    Print backtrace on crash (--enable-backtrace)"
    test "yes" = "$want_querytrace" || \

--- a/configure.in
+++ b/configure.in
@@ -106,71 +106,7 @@ yes)
 	;;
 esac

-
-#libseccomp sandboxing
 AC_CHECK_FUNCS(getrandom)
-AC_ARG_ENABLE(seccomp,
-	      AS_HELP_STRING([--enable-seccomp],
-			     [enable support for libseccomp system call
-				 filtering [default=no]]))
-case "$enable_seccomp" in
-	yes)
-	case $host_os in
-	linux*)
-		;;
-	*)
-		AC_MSG_WARN([seccomp is not supported on non-linux platforms; disabling it])
-		enable_seccomp=no
-		;;
-	esac
-	AC_SEARCH_LIBS(seccomp_init, [seccomp])
-	if test "X$ac_cv_search_seccomp_init" = "X-lseccomp" ; then
-		AC_TRY_RUN([
-		#include <stdio.h>
-		#include <stdlib.h>
-		#include <errno.h>
-		#include <sys/prctl.h>
-		#include <linux/seccomp.h>
-
-		int main(void)
-		{
-			int ret;
-
-			ret = prctl(PR_GET_SECCOMP, 0, 0, 0, 0);
-			if (ret < 0) {
-				switch (errno) {
-				case ENOSYS:
-					return 1;
-				case EINVAL:
-					return 1;
-				default:
-					return 1;
-				}
-			}
-			ret = 
-			prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0);
-			if (ret < 0) {
-				switch (errno) {
-				case EINVAL:
-					return 1;
-				case EFAULT:
-					return 0;
-				default:
-					return 1;
-			}
-		}
-	return 1;
-	}
-	]
-	, AC_DEFINE([HAVE_LIBSECCOMP], 1, 
-	[Define to use libseccomp system call filtering.])   
-	, []
-	)
-	fi
-		;;
-	*)
-		;;
-esac

 #
 # Make very sure that these are the first files processed by
@@ -5580,8 +5516,6 @@ report() {
 	echo "    DNS Response Policy Service interface (--enable-dnsrps)"
    test "yes" = "$enable_fixed" && \
 	echo "    Allow 'fixed' rrset-order (--enable-fixed-rrset)"
-    test "yes" = "$enable_seccomp" && \
-	echo "    Use libseccomp system call filtering (--enable-seccomp)"
    test "yes" = "$want_backtrace" && \
 	echo "    Print backtrace on crash (--enable-backtrace)"
    test "minimal" = "$want_symtable" && \
@@ -5648,8 +5582,6 @@ report() {
    test "yes" = "$want_crypto_rand" || \
 	echo "    Crypto provider entropy source (--enable-crypto-rand)"

-    test "yes" = "$enable_seccomp" || \
-	echo "    Use libseccomp system call filtering (--enable-seccomp)"
    test "yes" = "$want_backtrace" || \
 	echo "    Print backtrace on crash (--enable-backtrace)"
    test "yes" = "$want_querytrace" || \

--- a/util/copyrights
+++ b/util/copyrights
@@ -191,7 +191,6 @@
 ./bin/named/include/named/log.h			C	1999,2000,2001,2002,2004,2005,2007,2009,2015,2016,2017
 ./bin/named/include/named/logconf.h		C	1999,2000,2001,2004,2005,2006,2007,2016,2017
 ./bin/named/include/named/main.h		C	1999,2000,2001,2002,2004,2005,2007,2009,2013,2015,2016,2017
-./bin/named/include/named/seccomp.h		C	2014,2016,2017
 ./bin/named/include/named/server.h		C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017
 ./bin/named/include/named/smf_globals.h		C	2017
 ./bin/named/include/named/statschannel.h	C	2008,2016,2017

--- a/win32utils/Configure
+++ b/win32utils/Configure
@@ -3445,7 +3445,6 @@ exit 0;
 #  --disable-rpz-nsdname supported
 #  --enable-full-report supported by verbose
 #  --enable-dnstap not supported (requires libfstrm support on WIN32)
-#  --enable-seccomp not supported (Linux specific)
 #  --enable-afl not supported (not yet available on Visual Studio C++)
 #  --with-python supported
 #  --with-openssl supported