Remove seccomp support.
It breaks with the existing whitelists on the latest glibc and is just too much maintenance burden. It also causes the most questions for new users. Something like openbsd's pledge() would be fine, but I have no intention of maintaining such a thing. Most of the value-gain would come from disallowing high-risk syscalls like ptrace() and the perf syscalls, anyway. ndhc already uses extensive defense-in-depth and wasn't using seccomp on non-(x86|x86-64) platforms, so it's not a huge loss.
This commit is contained in:
parent
e8d97205e9
commit
e08d3b15b5
@ -134,19 +134,6 @@ else()
|
||||
set(MACHINENAME $ENV{CROSSCOMPILE_MACHINENAME})
|
||||
endif()
|
||||
|
||||
if (${MACHINENAME} STREQUAL "x86_64")
|
||||
message("Detected that the current host is x86_64. Enabling seccomp-filter.")
|
||||
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DENABLE_SECCOMP_FILTER")
|
||||
set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -DENABLE_SECCOMP_FILTER")
|
||||
elseif ((${MACHINENAME} STREQUAL "i686") OR (${MACHINENAME} STREQUAL "i586") OR
|
||||
(${MACHINENAME} STREQUAL "i486") OR (${MACHINENAME} STREQUAL "i386"))
|
||||
message("Detected that the current host is x86. Enabling seccomp-filter.")
|
||||
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DENABLE_SECCOMP_FILTER")
|
||||
set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -DENABLE_SECCOMP_FILTER")
|
||||
else()
|
||||
message("Host machine type does not support seccomp-filter.")
|
||||
endif()
|
||||
|
||||
include_directories("${PROJECT_SOURCE_DIR}/ncmlib")
|
||||
add_subdirectory(ncmlib)
|
||||
|
||||
|
@ -11,7 +11,6 @@
|
||||
#include "ndhc.h"
|
||||
#include "ifchd.h"
|
||||
#include "sockd.h"
|
||||
#include "seccomp.h"
|
||||
#include "nk/log.h"
|
||||
#include "nk/privilege.h"
|
||||
#include "nk/copy_cmdarg.h"
|
||||
@ -108,10 +107,8 @@ struct cfgparse {
|
||||
copy_cmdarg(state_dir, ccfg.buf, sizeof state_dir, "state-dir");
|
||||
}
|
||||
action seccomp_enforce {
|
||||
switch (ccfg.ternary) {
|
||||
case 1: seccomp_enforce = true; break;
|
||||
case -1: seccomp_enforce = false; default: break;
|
||||
}
|
||||
log_line("seccomp_enforce option is deprecated; please remove it");
|
||||
log_line("In the meanwhile, it is ignored and seccomp is disabled.");
|
||||
}
|
||||
action relentless_defense {
|
||||
switch (ccfg.ternary) {
|
||||
|
@ -45,7 +45,6 @@
|
||||
#include "nk/signals.h"
|
||||
#include "nk/io.h"
|
||||
|
||||
#include "seccomp.h"
|
||||
#include "ifchd.h"
|
||||
#include "ndhc.h"
|
||||
#include "ifchd-parse.h"
|
||||
@ -346,9 +345,6 @@ static void do_ifch_work(void)
|
||||
if (epollfd < 0)
|
||||
suicide("epoll_create1 failed");
|
||||
|
||||
if (enforce_seccomp_ifch())
|
||||
log_line("ifch seccomp filter cannot be installed");
|
||||
|
||||
cl.state = STATE_NOTHING;
|
||||
memset(cl.ibuf, 0, sizeof cl.ibuf);
|
||||
memset(cl.namesvrs, 0, sizeof cl.namesvrs);
|
||||
|
@ -101,15 +101,6 @@ hostname option field provided by a remote DHCP server on the request of
|
||||
a ndhc client. If this option is not specified, ndhc will never change
|
||||
the system hostname.
|
||||
.TP
|
||||
.BI \-S ,\ \-\-seccomp\-enforce
|
||||
Enforces seccomp-based syscall whitelisting. System calls that ndhc and
|
||||
ndhc-ifch are not expected to need are prohibited from being called if this
|
||||
flag is set. The lists of allowed syscalls are hardcoded, and attempts
|
||||
to call a non-listed syscall will result in the ndhc process being
|
||||
terminated. As systems vary, it cannot be guaranteed that these system
|
||||
call lists are accurate for your system, and thus seccomp filtering will
|
||||
not be used unless this flag is set.
|
||||
.TP
|
||||
.BI \-w\ TIMEMS ,\ \-\-arp\-probe\-wait= TIMEMS
|
||||
Adjusts the time that we wait for an ARP response when checking to see if
|
||||
our lease assignment is already taken by an existing host. Default is
|
||||
|
@ -57,7 +57,6 @@
|
||||
#include "ndhc.h"
|
||||
#include "ndhc-defines.h"
|
||||
#include "cfg.h"
|
||||
#include "seccomp.h"
|
||||
#include "state.h"
|
||||
#include "options.h"
|
||||
#include "dhcp.h"
|
||||
@ -145,9 +144,6 @@ void show_usage(void)
|
||||
" -D, --sockd-user=USER Change ndhc-sockd privileges to this user\n"
|
||||
" -C, --chroot=DIR Chroot to this directory\n"
|
||||
" -s, --state-dir=DIR State storage dir (default: /etc/ndhc)\n"
|
||||
#ifdef ENABLE_SECCOMP_FILTER
|
||||
" -S, --seccomp-enforce Enforce seccomp syscall restrictions\n"
|
||||
#endif
|
||||
" -d, --relentless-defense Never back off in defending IP against\n"
|
||||
" conflicting hosts (servers only)\n"
|
||||
" -w, --arp-probe-wait Time to delay before first ARP probe\n"
|
||||
@ -270,9 +266,6 @@ static void do_ndhc_work(void)
|
||||
if (cs.epollFd < 0)
|
||||
suicide("epoll_create1 failed");
|
||||
|
||||
if (enforce_seccomp_ndhc())
|
||||
log_line("ndhc seccomp filter cannot be installed");
|
||||
|
||||
setup_signals_ndhc();
|
||||
|
||||
epoll_add(cs.epollFd, cs.nlFd);
|
||||
|
224
src/seccomp.c
224
src/seccomp.c
@ -1,224 +0,0 @@
|
||||
/* seccomp.h - seccomp syscall filters for ndhc
|
||||
*
|
||||
* Copyright (c) 2012-2017 Nicholas J. Kain <njkain at gmail dot com>
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions are met:
|
||||
*
|
||||
* - Redistributions of source code must retain the above copyright notice,
|
||||
* this list of conditions and the following disclaimer.
|
||||
*
|
||||
* - Redistributions in binary form must reproduce the above copyright notice,
|
||||
* this list of conditions and the following disclaimer in the documentation
|
||||
* and/or other materials provided with the distribution.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
|
||||
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
|
||||
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
||||
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
||||
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
||||
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
||||
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||||
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
||||
* POSSIBILITY OF SUCH DAMAGE.
|
||||
*/
|
||||
#include <stdbool.h>
|
||||
#include "seccomp.h"
|
||||
#include "nk/log.h"
|
||||
#include "nk/seccomp-bpf.h"
|
||||
|
||||
bool seccomp_enforce = false;
|
||||
|
||||
int enforce_seccomp_ndhc(void)
|
||||
{
|
||||
#ifdef ENABLE_SECCOMP_FILTER
|
||||
if (!seccomp_enforce)
|
||||
return 0;
|
||||
struct sock_filter filter[] = {
|
||||
VALIDATE_ARCHITECTURE,
|
||||
EXAMINE_SYSCALL,
|
||||
ALLOW_SYSCALL(epoll_wait),
|
||||
ALLOW_SYSCALL(epoll_ctl),
|
||||
ALLOW_SYSCALL(read),
|
||||
ALLOW_SYSCALL(write),
|
||||
ALLOW_SYSCALL(close),
|
||||
|
||||
#if defined(__x86_64__) || (defined(__arm__) && defined(__ARM_EABI__))
|
||||
ALLOW_SYSCALL(sendto), // used for glibc syslog routines
|
||||
ALLOW_SYSCALL(recvmsg),
|
||||
ALLOW_SYSCALL(sendmsg),
|
||||
ALLOW_SYSCALL(recvfrom),
|
||||
ALLOW_SYSCALL(connect),
|
||||
#elif defined(__i386__)
|
||||
ALLOW_SYSCALL(socketcall),
|
||||
#else
|
||||
#error Target platform does not support seccomp-filter.
|
||||
#endif
|
||||
|
||||
ALLOW_SYSCALL(open),
|
||||
|
||||
// Allowed by vDSO
|
||||
ALLOW_SYSCALL(getcpu),
|
||||
ALLOW_SYSCALL(time),
|
||||
ALLOW_SYSCALL(gettimeofday),
|
||||
ALLOW_SYSCALL(clock_gettime),
|
||||
|
||||
// These are for 'write_leasefile()'
|
||||
ALLOW_SYSCALL(ftruncate),
|
||||
ALLOW_SYSCALL(lseek),
|
||||
ALLOW_SYSCALL(fsync),
|
||||
|
||||
// These are for 'background()'
|
||||
ALLOW_SYSCALL(clone),
|
||||
ALLOW_SYSCALL(set_robust_list),
|
||||
ALLOW_SYSCALL(setsid),
|
||||
ALLOW_SYSCALL(chdir),
|
||||
ALLOW_SYSCALL(fstat),
|
||||
ALLOW_SYSCALL(dup2),
|
||||
ALLOW_SYSCALL(rt_sigprocmask),
|
||||
ALLOW_SYSCALL(signalfd4),
|
||||
ALLOW_SYSCALL(mmap),
|
||||
ALLOW_SYSCALL(munmap),
|
||||
|
||||
ALLOW_SYSCALL(rt_sigreturn),
|
||||
#ifdef __NR_sigreturn
|
||||
ALLOW_SYSCALL(sigreturn),
|
||||
#endif
|
||||
ALLOW_SYSCALL(exit_group),
|
||||
ALLOW_SYSCALL(exit),
|
||||
KILL_PROCESS,
|
||||
};
|
||||
struct sock_fprog prog = {
|
||||
.len = (unsigned short)(sizeof filter / sizeof filter[0]),
|
||||
.filter = filter,
|
||||
};
|
||||
if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))
|
||||
return -1;
|
||||
if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog))
|
||||
return -1;
|
||||
log_line("ndhc seccomp filter installed. Please disable seccomp if you encounter problems.");
|
||||
#endif
|
||||
return 0;
|
||||
}
|
||||
|
||||
int enforce_seccomp_ifch(void)
|
||||
{
|
||||
#ifdef ENABLE_SECCOMP_FILTER
|
||||
if (!seccomp_enforce)
|
||||
return 0;
|
||||
struct sock_filter filter[] = {
|
||||
VALIDATE_ARCHITECTURE,
|
||||
EXAMINE_SYSCALL,
|
||||
ALLOW_SYSCALL(read),
|
||||
ALLOW_SYSCALL(write),
|
||||
ALLOW_SYSCALL(epoll_wait),
|
||||
ALLOW_SYSCALL(epoll_ctl),
|
||||
ALLOW_SYSCALL(close),
|
||||
|
||||
#if defined(__x86_64__) || (defined(__arm__) && defined(__ARM_EABI__))
|
||||
ALLOW_SYSCALL(sendto), // used for glibc syslog routines
|
||||
ALLOW_SYSCALL(recvmsg),
|
||||
ALLOW_SYSCALL(sendmsg),
|
||||
ALLOW_SYSCALL(recvfrom),
|
||||
ALLOW_SYSCALL(socket),
|
||||
#elif defined(__i386__)
|
||||
ALLOW_SYSCALL(socketcall),
|
||||
#else
|
||||
#error Target platform does not support seccomp-filter.
|
||||
#endif
|
||||
|
||||
ALLOW_SYSCALL(open),
|
||||
ALLOW_SYSCALL(fstat),
|
||||
ALLOW_SYSCALL(fsync),
|
||||
ALLOW_SYSCALL(lseek),
|
||||
ALLOW_SYSCALL(truncate),
|
||||
|
||||
ALLOW_SYSCALL(rt_sigreturn),
|
||||
#ifdef __NR_sigreturn
|
||||
ALLOW_SYSCALL(sigreturn),
|
||||
#endif
|
||||
// Allowed by vDSO
|
||||
ALLOW_SYSCALL(getcpu),
|
||||
ALLOW_SYSCALL(time),
|
||||
ALLOW_SYSCALL(gettimeofday),
|
||||
ALLOW_SYSCALL(clock_gettime),
|
||||
|
||||
ALLOW_SYSCALL(exit_group),
|
||||
ALLOW_SYSCALL(exit),
|
||||
KILL_PROCESS,
|
||||
};
|
||||
struct sock_fprog prog = {
|
||||
.len = (unsigned short)(sizeof filter / sizeof filter[0]),
|
||||
.filter = filter,
|
||||
};
|
||||
if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))
|
||||
return -1;
|
||||
if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog))
|
||||
return -1;
|
||||
log_line("ndhc-ifch seccomp filter installed. Please disable seccomp if you encounter problems.");
|
||||
#endif
|
||||
return 0;
|
||||
}
|
||||
|
||||
int enforce_seccomp_sockd(void)
|
||||
{
|
||||
#ifdef ENABLE_SECCOMP_FILTER
|
||||
if (!seccomp_enforce)
|
||||
return 0;
|
||||
struct sock_filter filter[] = {
|
||||
VALIDATE_ARCHITECTURE,
|
||||
EXAMINE_SYSCALL,
|
||||
ALLOW_SYSCALL(epoll_wait),
|
||||
ALLOW_SYSCALL(epoll_ctl),
|
||||
ALLOW_SYSCALL(read),
|
||||
ALLOW_SYSCALL(write),
|
||||
ALLOW_SYSCALL(close),
|
||||
|
||||
#if defined(__x86_64__) || (defined(__arm__) && defined(__ARM_EABI__))
|
||||
ALLOW_SYSCALL(sendto), // used for glibc syslog routines
|
||||
ALLOW_SYSCALL(recvmsg),
|
||||
ALLOW_SYSCALL(sendmsg),
|
||||
ALLOW_SYSCALL(recvfrom),
|
||||
ALLOW_SYSCALL(socket),
|
||||
ALLOW_SYSCALL(setsockopt),
|
||||
ALLOW_SYSCALL(bind),
|
||||
#elif defined(__i386__)
|
||||
ALLOW_SYSCALL(socketcall),
|
||||
ALLOW_SYSCALL(fcntl64),
|
||||
#else
|
||||
#error Target platform does not support seccomp-filter.
|
||||
#endif
|
||||
|
||||
ALLOW_SYSCALL(fcntl),
|
||||
ALLOW_SYSCALL(open),
|
||||
|
||||
// Allowed by vDSO
|
||||
ALLOW_SYSCALL(getcpu),
|
||||
ALLOW_SYSCALL(time),
|
||||
ALLOW_SYSCALL(gettimeofday),
|
||||
ALLOW_SYSCALL(clock_gettime),
|
||||
|
||||
ALLOW_SYSCALL(rt_sigreturn),
|
||||
#ifdef __NR_sigreturn
|
||||
ALLOW_SYSCALL(sigreturn),
|
||||
#endif
|
||||
ALLOW_SYSCALL(exit_group),
|
||||
ALLOW_SYSCALL(exit),
|
||||
KILL_PROCESS,
|
||||
};
|
||||
struct sock_fprog prog = {
|
||||
.len = (unsigned short)(sizeof filter / sizeof filter[0]),
|
||||
.filter = filter,
|
||||
};
|
||||
if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))
|
||||
return -1;
|
||||
if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog))
|
||||
return -1;
|
||||
log_line("ndhc-sockd seccomp filter installed. Please disable seccomp if you encounter problems.");
|
||||
#endif
|
||||
return 0;
|
||||
}
|
||||
|
@ -1,39 +0,0 @@
|
||||
/* seccomp.h - seccomp syscall filters for ndhc
|
||||
*
|
||||
* Copyright (c) 2012-2017 Nicholas J. Kain <njkain at gmail dot com>
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions are met:
|
||||
*
|
||||
* - Redistributions of source code must retain the above copyright notice,
|
||||
* this list of conditions and the following disclaimer.
|
||||
*
|
||||
* - Redistributions in binary form must reproduce the above copyright notice,
|
||||
* this list of conditions and the following disclaimer in the documentation
|
||||
* and/or other materials provided with the distribution.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
|
||||
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
|
||||
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
||||
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
||||
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
||||
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
||||
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||||
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
||||
* POSSIBILITY OF SUCH DAMAGE.
|
||||
*/
|
||||
#ifndef NJK_NDHC_SECCOMP_H_
|
||||
#define NJK_NDHC_SECCOMP_H_
|
||||
|
||||
#include <stdbool.h>
|
||||
|
||||
extern bool seccomp_enforce;
|
||||
|
||||
int enforce_seccomp_ndhc(void);
|
||||
int enforce_seccomp_ifch(void);
|
||||
int enforce_seccomp_sockd(void);
|
||||
|
||||
#endif /* NJK_NDHC_SECCOMP_H_ */
|
@ -57,7 +57,6 @@
|
||||
#include "ndhc.h"
|
||||
#include "dhcp.h"
|
||||
#include "sys.h"
|
||||
#include "seccomp.h"
|
||||
|
||||
static int epollfd, signalFd;
|
||||
/* Slots are for signalFd and the ndhc -> ifchd socket. */
|
||||
@ -555,9 +554,6 @@ static void do_sockd_work(void)
|
||||
if (epollfd < 0)
|
||||
suicide("epoll_create1 failed");
|
||||
|
||||
if (enforce_seccomp_sockd())
|
||||
log_line("sockd seccomp filter cannot be installed");
|
||||
|
||||
epoll_add(epollfd, sockdSock[1]);
|
||||
epoll_add(epollfd, sockdStream[1]);
|
||||
epoll_add(epollfd, signalFd);
|
||||
|
Loading…
Reference in New Issue
Block a user