Commit c2c1e253 authored by Ondřej Surý's avatar Ondřej Surý

Remove libseccomp based system-call filtering.

parent 01d41d5b
/*
* Copyright (C) 2014, 2016, 2017 Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
#ifndef NAMED_SECCOMP_H
#define NAMED_SECCOMP_H 1
/*! \file */
#ifdef HAVE_LIBSECCOMP
#include <sys/types.h>
#include <sys/resource.h>
#include <unistd.h>
#include <seccomp.h>
#include <isc/platform.h>
/*%
* For each architecture, the scmp_syscalls and
* scmp_syscall_names arrays MUST be kept in sync.
*/
#ifdef __x86_64__
int scmp_syscalls[] = {
SCMP_SYS(access),
SCMP_SYS(open),
SCMP_SYS(openat),
SCMP_SYS(lseek),
SCMP_SYS(clock_gettime),
SCMP_SYS(time),
SCMP_SYS(read),
SCMP_SYS(write),
SCMP_SYS(close),
SCMP_SYS(brk),
SCMP_SYS(poll),
SCMP_SYS(select),
SCMP_SYS(madvise),
SCMP_SYS(mmap),
SCMP_SYS(munmap),
SCMP_SYS(exit_group),
SCMP_SYS(rt_sigprocmask),
SCMP_SYS(rt_sigaction),
SCMP_SYS(fsync),
SCMP_SYS(rt_sigreturn),
SCMP_SYS(setsid),
SCMP_SYS(chdir),
SCMP_SYS(futex),
SCMP_SYS(stat),
SCMP_SYS(rt_sigsuspend),
SCMP_SYS(fstat),
SCMP_SYS(epoll_ctl),
SCMP_SYS(gettimeofday),
SCMP_SYS(getpid),
#ifdef HAVE_GETRANDOM
SCMP_SYS(getrandom),
#endif
SCMP_SYS(rename),
SCMP_SYS(unlink),
SCMP_SYS(socket),
SCMP_SYS(sendto),
#ifndef ISC_PLATFORM_USETHREADS
SCMP_SYS(bind),
SCMP_SYS(accept),
SCMP_SYS(connect),
SCMP_SYS(listen),
SCMP_SYS(fcntl),
SCMP_SYS(sendmsg),
SCMP_SYS(recvmsg),
SCMP_SYS(uname),
SCMP_SYS(setrlimit),
SCMP_SYS(getrlimit),
SCMP_SYS(setsockopt),
SCMP_SYS(getsockopt),
SCMP_SYS(getsockname),
SCMP_SYS(lstat),
SCMP_SYS(getgid),
SCMP_SYS(getegid),
SCMP_SYS(getuid),
SCMP_SYS(geteuid),
SCMP_SYS(setresgid),
SCMP_SYS(setresuid),
SCMP_SYS(setgid),
SCMP_SYS(setuid),
SCMP_SYS(prctl),
SCMP_SYS(epoll_wait),
SCMP_SYS(getdents),
SCMP_SYS(utimes),
SCMP_SYS(dup),
#endif
};
const char *scmp_syscall_names[] = {
"access",
"open",
"openat",
"lseek",
"clock_gettime",
"time",
"read",
"write",
"close",
"brk",
"poll",
"select",
"madvise",
"mmap",
"munmap",
"exit_group",
"rt_sigprocmask",
"rt_sigaction",
"fsync",
"rt_sigreturn",
"setsid",
"chdir",
"futex",
"stat",
"rt_sigsuspend",
"fstat",
"epoll_ctl",
"gettimeofday",
"getpid",
#ifdef HAVE_GETRANDOM
"getrandom",
#endif
"rename",
"unlink",
"socket",
"sendto",
#ifndef ISC_PLATFORM_USETHREADS
"bind",
"accept",
"connect",
"listen",
"fcntl",
"sendmsg",
"recvmsg",
"uname",
"setrlimit",
"getrlimit",
"setsockopt",
"getsockopt",
"getsockname",
"lstat",
"getgid",
"getegid",
"getuid",
"geteuid",
"setresgid",
"setresuid",
"setgid",
"setuid",
"prctl",
"epoll_wait",
"getdents",
"utimes",
"dup",
#endif
};
#endif /* __x86_64__ */
#ifdef __i386__
int scmp_syscalls[] = {
SCMP_SYS(access),
SCMP_SYS(open),
SCMP_SYS(clock_gettime),
SCMP_SYS(time),
SCMP_SYS(read),
SCMP_SYS(write),
SCMP_SYS(close),
SCMP_SYS(brk),
SCMP_SYS(poll),
SCMP_SYS(_newselect),
SCMP_SYS(select),
SCMP_SYS(madvise),
SCMP_SYS(mmap2),
SCMP_SYS(mmap),
SCMP_SYS(munmap),
SCMP_SYS(exit_group),
SCMP_SYS(rt_sigprocmask),
SCMP_SYS(sigprocmask),
SCMP_SYS(rt_sigaction),
SCMP_SYS(socketcall),
SCMP_SYS(fsync),
SCMP_SYS(sigreturn),
SCMP_SYS(setsid),
SCMP_SYS(chdir),
SCMP_SYS(futex),
SCMP_SYS(stat64),
SCMP_SYS(rt_sigsuspend),
SCMP_SYS(fstat64),
SCMP_SYS(epoll_ctl),
SCMP_SYS(gettimeofday),
SCMP_SYS(getpid),
#ifdef HAVE_GETRANDOM
SCMP_SYS(getrandom),
#endif
SCMP_SYS(unlink),
#ifndef ISC_PLATFORM_USETHREADS
SCMP_SYS(fcntl64),
#endif
};
const char *scmp_syscall_names[] = {
"access",
"open",
"clock_gettime",
"time",
"read",
"write",
"close",
"brk",
"poll",
"_newselect",
"select",
"madvise",
"mmap2",
"mmap",
"munmap",
"exit_group",
"rt_sigprocmask",
"sigprocmask",
"rt_sigaction",
"socketcall",
"fsync",
"sigreturn",
"setsid",
"chdir",
"futex",
"stat64",
"rt_sigsuspend",
"fstat64",
"epoll_ctl",
"gettimeofday",
"getpid",
#ifdef HAVE_GETRANDOM
"getrandom",
#endif
"unlink",
#ifndef ISC_PLATFORM_USETHREADS
"fcntl64",
#endif
};
#endif /* __i386__ */
#endif /* HAVE_LIBSECCOMP */
#endif /* NAMED_SECCOMP_H */
......@@ -69,7 +69,6 @@
#include <named/os.h>
#include <named/server.h>
#include <named/main.h>
#include <named/seccomp.h>
#ifdef HAVE_LIBSCF
#include <named/smf_globals.h>
#endif
......@@ -908,60 +907,6 @@ dump_symboltable(void) {
}
}
#ifdef HAVE_LIBSECCOMP
static void
setup_seccomp() {
scmp_filter_ctx ctx;
unsigned int i;
int ret;
/* Make sure the lists are in sync */
INSIST((sizeof(scmp_syscalls) / sizeof(int)) ==
(sizeof(scmp_syscall_names) / sizeof(const char *)));
ctx = seccomp_init(SCMP_ACT_KILL);
if (ctx == NULL) {
isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
NAMED_LOGMODULE_MAIN, ISC_LOG_WARNING,
"libseccomp activation failed");
return;
}
for (i = 0 ; i < sizeof(scmp_syscalls)/sizeof(*(scmp_syscalls)); i++) {
ret = seccomp_rule_add(ctx, SCMP_ACT_ALLOW,
scmp_syscalls[i], 0);
if (ret < 0)
isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
NAMED_LOGMODULE_MAIN, ISC_LOG_WARNING,
"libseccomp rule failed: %s",
scmp_syscall_names[i]);
else
isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
NAMED_LOGMODULE_MAIN, ISC_LOG_DEBUG(9),
"added libseccomp rule: %s",
scmp_syscall_names[i]);
}
ret = seccomp_load(ctx);
if (ret < 0) {
isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
NAMED_LOGMODULE_MAIN, ISC_LOG_WARNING,
"libseccomp unable to load filter");
} else {
isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE,
"libseccomp sandboxing active");
}
/*
* Release filter in ctx. Filters already loaded are not
* affected.
*/
seccomp_release(ctx);
}
#endif /* HAVE_LIBSECCOMP */
static void
setup(void) {
isc_result_t result;
......@@ -1219,9 +1164,6 @@ setup(void) {
named_g_server->sctx->delay = delay;
#ifdef HAVE_LIBSECCOMP
setup_seccomp();
#endif /* HAVE_LIBSECCOMP */
}
static void
......
<?xml version="1.0" encoding="utf-8"?>
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<Filter Include="Source Files">
......@@ -99,9 +99,6 @@
<ClInclude Include="..\include\named\main.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="..\include\named\seccomp.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="..\include\named\server.h">
<Filter>Header Files</Filter>
</ClInclude>
......
<?xml version="1.0" encoding="utf-8"?>
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|@PLATFORM@">
......@@ -132,7 +132,6 @@
<ClInclude Include="..\include\named\log.h" />
<ClInclude Include="..\include\named\logconf.h" />
<ClInclude Include="..\include\named\main.h" />
<ClInclude Include="..\include\named\seccomp.h" />
<ClInclude Include="..\include\named\server.h" />
<ClInclude Include="..\include\named\statschannel.h" />
<ClInclude Include="..\include\named\tkeyconf.h" />
......
......@@ -325,9 +325,6 @@ int sigwait(const unsigned int *set, int *sig);
/* Define to 1 if you have the `scf' library (-lscf). */
#undef HAVE_LIBSCF
/* Define to use libseccomp system call filtering. */
#undef HAVE_LIBSECCOMP
/* Define to 1 if you have the `socket' library (-lsocket). */
#undef HAVE_LIBSOCKET
......
......@@ -989,7 +989,6 @@ enable_warn_shadow
enable_warn_error
enable_developer
enable_afl
enable_seccomp
with_python
with_python_install_dir
enable_kqueue
......@@ -1699,8 +1698,6 @@ Optional Features:
--enable-warn-error turn on -Werror when compiling
--enable-developer enable developer build settings
--enable-afl enable American Fuzzy Lop test harness [default=no]
--enable-seccomp enable support for libseccomp system call filtering
[default=no]
--enable-kqueue use BSD kqueue when available [default=yes]
--enable-epoll use Linux epoll when available [default=auto]
--enable-devpoll use /dev/poll when available [default=yes]
......@@ -12014,8 +12011,6 @@ yes)
;;
esac
#libseccomp sandboxing
for ac_func in getrandom
do :
ac_fn_c_check_func "$LINENO" "getrandom" "ac_cv_func_getrandom"
......@@ -12027,141 +12022,6 @@ _ACEOF
fi
done
# Check whether --enable-seccomp was given.
if test "${enable_seccomp+set}" = set; then :
enableval=$enable_seccomp;
fi
case "$enable_seccomp" in
yes)
case $host_os in
linux*)
;;
*)
{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: seccomp is not supported on non-linux platforms; disabling it" >&5
$as_echo "$as_me: WARNING: seccomp is not supported on non-linux platforms; disabling it" >&2;}
enable_seccomp=no
;;
esac
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing seccomp_init" >&5
$as_echo_n "checking for library containing seccomp_init... " >&6; }
if ${ac_cv_search_seccomp_init+:} false; then :
$as_echo_n "(cached) " >&6
else
ac_func_search_save_LIBS=$LIBS
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
/* Override any GCC internal prototype to avoid an error.
Use char because int might match the return type of a GCC
builtin and then its argument prototype would still apply. */
#ifdef __cplusplus
extern "C"
#endif
char seccomp_init ();
int
main ()
{
return seccomp_init ();
;
return 0;
}
_ACEOF
for ac_lib in '' seccomp; do
if test -z "$ac_lib"; then
ac_res="none required"
else
ac_res=-l$ac_lib
LIBS="-l$ac_lib $ac_func_search_save_LIBS"
fi
if ac_fn_c_try_link "$LINENO"; then :
ac_cv_search_seccomp_init=$ac_res
fi
rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext
if ${ac_cv_search_seccomp_init+:} false; then :
break
fi
done
if ${ac_cv_search_seccomp_init+:} false; then :
else
ac_cv_search_seccomp_init=no
fi
rm conftest.$ac_ext
LIBS=$ac_func_search_save_LIBS
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_seccomp_init" >&5
$as_echo "$ac_cv_search_seccomp_init" >&6; }
ac_res=$ac_cv_search_seccomp_init
if test "$ac_res" != no; then :
test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
fi
if test "X$ac_cv_search_seccomp_init" = "X-lseccomp" ; then
if test "$cross_compiling" = yes; then :
{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
as_fn_error $? "cannot run test program while cross compiling
See \`config.log' for more details" "$LINENO" 5; }
else
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <sys/prctl.h>
#include <linux/seccomp.h>
int main(void)
{
int ret;
ret = prctl(PR_GET_SECCOMP, 0, 0, 0, 0);
if (ret < 0) {
switch (errno) {
case ENOSYS:
return 1;
case EINVAL:
return 1;
default:
return 1;
}
}
ret =
prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0);
if (ret < 0) {
switch (errno) {
case EINVAL:
return 1;
case EFAULT:
return 0;
default:
return 1;
}
}
return 1;
}
_ACEOF
if ac_fn_c_try_run "$LINENO"; then :
$as_echo "#define HAVE_LIBSECCOMP 1" >>confdefs.h
fi
rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
conftest.$ac_objext conftest.beam conftest.$ac_ext
fi
fi
;;
*)
;;
esac
#
# Make very sure that these are the first files processed by
......@@ -26725,8 +26585,6 @@ report() {
echo " DNS Response Policy Service interface (--enable-dnsrps)"
test "yes" = "$enable_fixed" && \
echo " Allow 'fixed' rrset-order (--enable-fixed-rrset)"
test "yes" = "$enable_seccomp" && \
echo " Use libseccomp system call filtering (--enable-seccomp)"
test "yes" = "$want_backtrace" && \
echo " Print backtrace on crash (--enable-backtrace)"
test "minimal" = "$want_symtable" && \
......@@ -26793,8 +26651,6 @@ report() {
test "yes" = "$want_crypto_rand" || \
echo " Crypto provider entropy source (--enable-crypto-rand)"
test "yes" = "$enable_seccomp" || \
echo " Use libseccomp system call filtering (--enable-seccomp)"
test "yes" = "$want_backtrace" || \
echo " Print backtrace on crash (--enable-backtrace)"
test "yes" = "$want_querytrace" || \
......
......@@ -106,71 +106,7 @@ yes)
;;
esac
#libseccomp sandboxing
AC_CHECK_FUNCS(getrandom)
AC_ARG_ENABLE(seccomp,
AS_HELP_STRING([--enable-seccomp],
[enable support for libseccomp system call
filtering [default=no]]))
case "$enable_seccomp" in
yes)
case $host_os in
linux*)
;;
*)
AC_MSG_WARN([seccomp is not supported on non-linux platforms; disabling it])
enable_seccomp=no
;;
esac
AC_SEARCH_LIBS(seccomp_init, [seccomp])
if test "X$ac_cv_search_seccomp_init" = "X-lseccomp" ; then
AC_TRY_RUN([
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <sys/prctl.h>
#include <linux/seccomp.h>
int main(void)
{
int ret;
ret = prctl(PR_GET_SECCOMP, 0, 0, 0, 0);
if (ret < 0) {
switch (errno) {
case ENOSYS:
return 1;
case EINVAL:
return 1;
default:
return 1;
}
}
ret =
prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0);
if (ret < 0) {
switch (errno) {
case EINVAL:
return 1;
case EFAULT:
return 0;
default:
return 1;
}
}
return 1;
}
]
, AC_DEFINE([HAVE_LIBSECCOMP], 1,
[Define to use libseccomp system call filtering.])
, []
)
fi
;;
*)
;;
esac
#
# Make very sure that these are the first files processed by
......@@ -5580,8 +5516,6 @@ report() {
echo " DNS Response Policy Service interface (--enable-dnsrps)"
test "yes" = "$enable_fixed" && \
echo " Allow 'fixed' rrset-order (--enable-fixed-rrset)"
test "yes" = "$enable_seccomp" && \
echo " Use libseccomp system call filtering (--enable-seccomp)"
test "yes" = "$want_backtrace" && \
echo " Print backtrace on crash (--enable-backtrace)"
test "minimal" = "$want_symtable" && \
......@@ -5648,8 +5582,6 @@ report() {
test "yes" = "$want_crypto_rand" || \
echo " Crypto provider entropy source (--enable-crypto-rand)"
test "yes" = "$enable_seccomp" || \
echo " Use libseccomp system call filtering (--enable-seccomp)"
test "yes" = "$want_backtrace" || \
echo " Print backtrace on crash (--enable-backtrace)"
test "yes" = "$want_querytrace" || \
......
......@@ -191,7 +191,6 @@
./bin/named/include/named/log.h C 1999,2000,2001,2002,2004,2005,2007,2009,2015,2016,2017
./bin/named/include/named/logconf.h C 1999,2000,2001,2004,2005,2006,2007,2016,2017
./bin/named/include/named/main.h C 1999,2000,2001,2002,2004,2005,2007,2009,2013,2015,2016,2017
./bin/named/include/named/seccomp.h C 2014,2016,2017
./bin/named/include/named/server.h C 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017
./bin/named/include/named/smf_globals.h C 2017
./bin/named/include/named/statschannel.h C 2008,2016,2017
......
......@@ -3445,7 +3445,6 @@ exit 0;
# --disable-rpz-nsdname supported
# --enable-full-report supported by verbose
# --enable-dnstap not supported (requires libfstrm support on WIN32)
# --enable-seccomp not supported (Linux specific)
# --enable-afl not supported (not yet available on Visual Studio C++)
# --with-python supported
# --with-openssl supported
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment