From patchwork Mon Aug 13 19:01:07 2012
X-Patchwork-Submitter: Eduardo Otubo
X-Patchwork-Id: 177029
From: Eduardo Otubo
To: qemu-devel@nongnu.org
Date: Mon, 13 Aug 2012 16:01:07 -0300
Message-Id: <1344884468-11065-3-git-send-email-otubo@linux.vnet.ibm.com>
In-Reply-To: <1344884468-11065-1-git-send-email-otubo@linux.vnet.ibm.com>
References: <1344884468-11065-1-git-send-email-otubo@linux.vnet.ibm.com>
Cc: pmoore@redhat.com, aliguori@us.ibm.com, wad@chromium.org, coreyb@linux.vnet.ibm.com, blauwirbel@gmail.com, Eduardo Otubo
Subject: [Qemu-devel] [PATCH v6 2/3] Adding qemu-seccomp.[ch]

v1:
 * I added a syscall struct using priority levels as described in the libseccomp man page. The priority numbers are based on the frequency with which they appear in a sample strace from a regular qemu guest run under libvirt. Libseccomp generates linear BPF code to filter system calls; those rules are read one after another. The priority system places the most common rules first in order to reduce the overhead when processing them.

v2:
 * Fixed some style issues
 * Removed code from vl.c and created qemu-seccomp.[ch]
 * Now using ARRAY_SIZE macro
 * Added more syscalls without priority/frequency set yet

v3:
 * Adding copyright and license information
 * Replacing seccomp_whitelist_count just by ARRAY_SIZE
 * Adding header protection to qemu-seccomp.h
 * Moving QemuSeccompSyscall definition to qemu-seccomp.c
 * Negative return from seccomp_start is fatal now.
 * Adding open() and execve() to the whitelist

v4:
 * Tests revealed a bigger set of syscalls.
 * seccomp_start() now has an argument to set the mode according to the configure option trap or kill.

v5:
 * Tests on x86_64 required a new specific set of system calls.
 * libseccomp release 1.0.0: part of the API has changed in this last release; had to adapt to the new function signatures.

Signed-off-by: Eduardo Otubo
---
 qemu-seccomp.c | 139 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 qemu-seccomp.h | 22 +++++++++
 2 files changed, 161 insertions(+), 0 deletions(-)
 create mode 100644 qemu-seccomp.c
 create mode 100644 qemu-seccomp.h

diff --git a/qemu-seccomp.c b/qemu-seccomp.c
new file mode 100644
index 0000000..cb8016c
--- /dev/null
+++ b/qemu-seccomp.c
@@ -0,0 +1,139 @@ +/* + * QEMU seccomp mode 2 support with libseccomp + * + * Copyright IBM, Corp. 2012 + * + * Authors: + * Eduardo Otubo + * + * This work is licensed under the terms of the GNU GPL, version 2. See + * the COPYING file in the top-level directory. + * + * Contributions after 2012-01-13 are licensed under the terms of the + * GNU GPL, version 2 or (at your option) any later version. + */ +#include +#include +#include "qemu-seccomp.h" + +struct QemuSeccompSyscall { + int32_t num; + uint8_t priority; +}; + +static const struct QemuSeccompSyscall seccomp_whitelist[] = { + { SCMP_SYS(timer_settime), 255 }, + { SCMP_SYS(timer_gettime), 254 }, + { SCMP_SYS(futex), 253 }, + { SCMP_SYS(select), 252 }, + { SCMP_SYS(recvfrom), 251 }, + { SCMP_SYS(sendto), 250 }, + { SCMP_SYS(read), 249 }, + { SCMP_SYS(brk), 248 }, + { SCMP_SYS(clone), 247 }, + { SCMP_SYS(mmap), 247 }, + { SCMP_SYS(mprotect), 246 }, + { SCMP_SYS(execve), 245 }, + { SCMP_SYS(open), 245 }, + { SCMP_SYS(ioctl), 245 }, + { SCMP_SYS(recvmsg), 245 }, + { SCMP_SYS(sendmsg), 245 }, + { SCMP_SYS(accept), 245 }, + { SCMP_SYS(connect), 245 }, + { SCMP_SYS(gettimeofday), 245 }, + { SCMP_SYS(readlink), 245 }, + { SCMP_SYS(access), 245 }, + { SCMP_SYS(prctl), 245 }, + { SCMP_SYS(signalfd), 245 }, +#if defined(__i386__) + { SCMP_SYS(fcntl64), 245 }, + { SCMP_SYS(fstat64), 245 }, + { SCMP_SYS(stat64), 245 }, + { SCMP_SYS(getgid32), 245 }, + { SCMP_SYS(getegid32), 245 }, + { SCMP_SYS(getuid32), 245 }, + { SCMP_SYS(geteuid32), 245 }, + { SCMP_SYS(sigreturn), 245 }, + { SCMP_SYS(_newselect), 245 }, + { SCMP_SYS(_llseek), 245 }, + { SCMP_SYS(mmap2), 245}, + { SCMP_SYS(sigprocmask), 245 }, +#elif defined(__x86_64__) + { SCMP_SYS(sched_getparam), 245}, + { SCMP_SYS(sched_getscheduler), 245}, + { SCMP_SYS(fstat), 245}, + { SCMP_SYS(clock_getres), 245}, + { SCMP_SYS(sched_get_priority_min), 245}, + { SCMP_SYS(sched_get_priority_max), 245}, + { SCMP_SYS(stat), 245}, + { SCMP_SYS(socket), 245}, + { 
SCMP_SYS(setsockopt), 245}, +#endif + { SCMP_SYS(eventfd2), 245 }, + { SCMP_SYS(dup), 245 }, + { SCMP_SYS(gettid), 245 }, + { SCMP_SYS(timer_create), 245 }, + { SCMP_SYS(exit), 245 }, + { SCMP_SYS(clock_gettime), 245 }, + { SCMP_SYS(time), 245 }, + { SCMP_SYS(restart_syscall), 245 }, + { SCMP_SYS(pwrite64), 245 }, + { SCMP_SYS(chown), 245 }, + { SCMP_SYS(openat), 245 }, + { SCMP_SYS(getdents), 245 }, + { SCMP_SYS(timer_delete), 245 }, + { SCMP_SYS(exit_group), 245 }, + { SCMP_SYS(rt_sigreturn), 245 }, + { SCMP_SYS(sync), 245 }, + { SCMP_SYS(pread64), 245 }, + { SCMP_SYS(madvise), 245 }, + { SCMP_SYS(set_robust_list), 245 }, + { SCMP_SYS(lseek), 245 }, + { SCMP_SYS(pselect6), 245 }, + { SCMP_SYS(fork), 245 }, + { SCMP_SYS(bind), 245 }, + { SCMP_SYS(listen), 245 }, + { SCMP_SYS(eventfd), 245 }, + { SCMP_SYS(rt_sigprocmask), 245 }, + { SCMP_SYS(write), 244 }, + { SCMP_SYS(fcntl), 243 }, + { SCMP_SYS(tgkill), 242 }, + { SCMP_SYS(rt_sigaction), 242 }, + { SCMP_SYS(pipe2), 242 }, + { SCMP_SYS(munmap), 242 }, + { SCMP_SYS(mremap), 242 }, + { SCMP_SYS(getsockname), 242 }, + { SCMP_SYS(getpeername), 242 }, + { SCMP_SYS(fdatasync), 242 }, + { SCMP_SYS(close), 242 } +}; + +int seccomp_start(void) +{ + int rc = 0; + unsigned int i = 0; + scmp_filter_ctx ctx; + + ctx = seccomp_init(SCMP_ACT_KILL); + if (ctx == NULL) { + goto seccomp_return; + } + + for (i = 0; i < ARRAY_SIZE(seccomp_whitelist); i++) { + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, seccomp_whitelist[i].num, 0); + if (rc < 0) { + goto seccomp_return; + } + rc = seccomp_syscall_priority(ctx, seccomp_whitelist[i].num, + seccomp_whitelist[i].priority); + if (rc < 0) { + goto seccomp_return; + } + } + + rc = seccomp_load(ctx); + + seccomp_return: + seccomp_release(ctx); + return rc; +} diff --git a/qemu-seccomp.h b/qemu-seccomp.h new file mode 100644 index 0000000..b2fc3f8 --- /dev/null +++ b/qemu-seccomp.h 
@@ -0,0 +1,22 @@ +/* + * QEMU seccomp mode 2 support with libseccomp + * + * Copyright IBM, Corp. 2012 + * + * Authors: + * Eduardo Otubo + * + * This work is licensed under the terms of the GNU GPL, version 2. See + * the COPYING file in the top-level directory. + * + * Contributions after 2012-01-13 are licensed under the terms of the + * GNU GPL, version 2 or (at your option) any later version. + */ +#ifndef QEMU_SECCOMP_H +#define QEMU_SECCOMP_H + +#include +#include "osdep.h" + +int seccomp_start(void); +#endif
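Review bot: in the qemu-seccomp.c hunk, seccomp_start() reports success when seccomp_init() fails: the `if (ctx == NULL)` branch jumps to `seccomp_return` with rc still 0, so a caller that treats only negative returns as fatal (the v3 changelog says that is the contract) will keep running with no filter loaded, and seccomp_release() is reached with a NULL ctx. Set a negative rc before the goto, or return early with an error. Related: the v4 changelog says seccomp_start() now takes an argument selecting trap or kill, yet the hunk declares `int seccomp_start(void)` and hardcodes `seccomp_init(SCMP_ACT_KILL)`, so either the changelog or the code is stale. Finally, every rule is added with zero argument comparisons, and the table allows execve, open, openat, clone, fork, socket, connect, bind and listen unconditionally; that leaves the filter much weaker than a KILL default suggests, so it is worth a comment stating which of these are needed only at startup and a follow-up adding argument-level rules where libseccomp allows it.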
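Review bot: in the qemu-seccomp.h hunk, the prototype `int seccomp_start(void);` does not match the v4 changelog entry saying seccomp_start() takes an argument selecting the trap or kill mode; if the configure option is meant to have an effect, the header should declare that parameter and qemu-seccomp.c should honour it. Minor: the header only declares one function, so it does not need "osdep.h" itself; qemu-seccomp.c uses ARRAY_SIZE and should include osdep.h directly instead of relying on it arriving transitively through this header, and the closing `#endif` would read better with a `/* QEMU_SECCOMP_H */` comment.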
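The v1 changelog above derives the priority numbers from how often each syscall appears in a strace of a guest run. The script below is an added example (not part of the patch or of QEMU) that performs that derivation over a constructed strace excerpt: it counts syscall names, assigns libseccomp priorities densely from 255 downward so equally frequent calls share one value (as clone and mmap do at 247 in the table), and prints entries in the seccomp_whitelist[] format.

```python
import re
from collections import Counter

# Matches "<pid> name(" or "name(" at the start of a plain `strace -f` line
# (no -t/-tt timestamps). "<... name resumed>" and "--- SIGxxx ---" lines do
# not match, so an interrupted call is counted once, at its "unfinished" line.
SYSCALL_RE = re.compile(r"^(?:\d+\s+)?([a-z_][a-z0-9_]*)\(")

# Constructed strace excerpt standing in for a real guest run under libvirt.
SAMPLE_STRACE = r"""12345 futex(0x7f0c1000, FUTEX_WAIT_PRIVATE, 0, NULL) = 0
12345 read(5, "\1\0\0\0\0\0\0\0", 8) = 8
12346 futex(0x7f0c1004, FUTEX_WAIT, 0, NULL <unfinished ...>
12345 futex(0x7f0c1004, FUTEX_WAKE, 1) = 1
12346 <... futex resumed> ) = 0
12345 select(6, [5], NULL, NULL, {0, 1000}) = 0 (Timeout)
12345 timer_settime(0, 0, {it_value={0, 250000}}, NULL) = 0
12345 read(5, "\1\0\0\0\0\0\0\0", 8) = 8
12345 --- SIGALRM {si_signo=SIGALRM, si_code=SI_TIMER} ---
12345 rt_sigreturn() = 0
12345 timer_settime(0, 0, {it_value={0, 250000}}, NULL) = 0
12345 write(1, "x", 1) = 1
12345 timer_settime(0, 0, {it_value={0, 250000}}, NULL) = 0
12345 futex(0x7f0c1000, FUTEX_WAIT_PRIVATE, 0, NULL) = 0
"""

def count_syscalls(trace):
    """Syscall name -> number of calls seen in the trace."""
    counts = Counter()
    for line in trace.splitlines():
        m = SYSCALL_RE.match(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def assign_priorities(counts, top=255):
    """libseccomp priority per syscall (uint8_t, higher = placed earlier).
    Dense ranking: each distinct frequency takes the next lower value, so
    equally frequent syscalls share one priority; clamped at 0."""
    distinct = sorted(set(counts.values()), reverse=True)
    rank = {c: max(top - i, 0) for i, c in enumerate(distinct)}
    return {name: rank[c] for name, c in counts.items()}

def render_whitelist(prios):
    """Entries in the seccomp_whitelist[] form, most frequent first."""
    order = sorted(prios.items(), key=lambda kv: (-kv[1], kv[0]))
    return "\n".join(f"    {{ SCMP_SYS({name}), {prio} }}," for name, prio in order)

if __name__ == "__main__":
    print(render_whitelist(assign_priorities(count_syscalls(SAMPLE_STRACE))))
```

Syscalls that never show up in the trace still have to be added by hand (the bulk 245 entries in the patch), and anything the filter misses is fatal under SCMP_ACT_KILL, so the traced workload must cover the code paths the guest will actually exercise.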