Remove seccomp support.

The existing syscall whitelists break on the latest glibc, and keeping
them current is too much maintenance burden.  It is also the feature
that generates the most questions from new users.

Something like openbsd's pledge() would be fine, but I have no
intention of maintaining such a thing.

Most of the value-gain would come from disallowing high-risk
syscalls like ptrace() and the perf syscalls, anyway.

ndhc already uses extensive defense-in-depth and wasn't using
seccomp on non-(x86|x86-64) platforms, so it's not a huge loss.
Nicholas J. Kain 2018-02-09 03:33:04 -05:00
parent e8d97205e9
commit e08d3b15b5
8 changed files with 2 additions and 305 deletions


@ -134,19 +134,6 @@ else()
set(MACHINENAME $ENV{CROSSCOMPILE_MACHINENAME})
endif()
if (${MACHINENAME} STREQUAL "x86_64")
message("Detected that the current host is x86_64. Enabling seccomp-filter.")
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DENABLE_SECCOMP_FILTER")
set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -DENABLE_SECCOMP_FILTER")
elseif ((${MACHINENAME} STREQUAL "i686") OR (${MACHINENAME} STREQUAL "i586") OR
(${MACHINENAME} STREQUAL "i486") OR (${MACHINENAME} STREQUAL "i386"))
message("Detected that the current host is x86. Enabling seccomp-filter.")
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DENABLE_SECCOMP_FILTER")
set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -DENABLE_SECCOMP_FILTER")
else()
message("Host machine type does not support seccomp-filter.")
endif()
include_directories("${PROJECT_SOURCE_DIR}/ncmlib")
add_subdirectory(ncmlib)


@ -11,7 +11,6 @@
#include "ndhc.h"
#include "ifchd.h"
#include "sockd.h"
#include "seccomp.h"
#include "nk/log.h"
#include "nk/privilege.h"
#include "nk/copy_cmdarg.h"
@ -108,10 +107,8 @@ struct cfgparse {
copy_cmdarg(state_dir, ccfg.buf, sizeof state_dir, "state-dir");
}
action seccomp_enforce {
switch (ccfg.ternary) {
case 1: seccomp_enforce = true; break;
case -1: seccomp_enforce = false; default: break;
}
log_line("seccomp_enforce option is deprecated; please remove it");
log_line("In the meanwhile, it is ignored and seccomp is disabled.");
}
action relentless_defense {
switch (ccfg.ternary) {
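Review bot: The replacement body of `action seccomp_enforce` silently downgrades an opt-in hardening: a config that enables it now runs with no syscall filter and also without PR_SET_NO_NEW_PRIVS, which the deleted enforce_seccomp_* functions set just before installing each filter, and the only signal is a plain log_line that is easy to miss. If nk/log.h has a warning-level call, use it here, and fold the two lines into one unambiguous message, e.g. `log_line("seccomp_enforce option is deprecated and ignored: seccomp filtering has been removed; please remove it from your config.");` ("In the meanwhile" is also not idiomatic English). The man page and usage text drop `-S`, but the command-line parser is not in the visible hunks; if `-S` is still accepted it should log the same deprecation rather than being dropped silently or rejected as unknown. As a follow-up outside this hunk, the `prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)` call could be kept unconditionally in the three daemons' worker functions, since it does not depend on the syscall whitelists that broke with glibc.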


@ -45,7 +45,6 @@
#include "nk/signals.h"
#include "nk/io.h"
#include "seccomp.h"
#include "ifchd.h"
#include "ndhc.h"
#include "ifchd-parse.h"
@ -346,9 +345,6 @@ static void do_ifch_work(void)
if (epollfd < 0)
suicide("epoll_create1 failed");
if (enforce_seccomp_ifch())
log_line("ifch seccomp filter cannot be installed");
cl.state = STATE_NOTHING;
memset(cl.ibuf, 0, sizeof cl.ibuf);
memset(cl.namesvrs, 0, sizeof cl.namesvrs);


@ -101,15 +101,6 @@ hostname option field provided by a remote DHCP server on the request of
a ndhc client. If this option is not specified, ndhc will never change
the system hostname.
.TP
.BI \-S ,\ \-\-seccomp\-enforce
Enforces seccomp-based syscall whitelisting. System calls that ndhc and
ndhc-ifch are not expected to need are prohibited from being called if this
flag is set. The lists of allowed syscalls are hardcoded, and attempts
to call a non-listed syscall will result in the ndhc process being
terminated. As systems vary, it cannot be guaranteed that these system
call lists are accurate for your system, and thus seccomp filtering will
not be used unless this flag is set.
.TP
.BI \-w\ TIMEMS ,\ \-\-arp\-probe\-wait= TIMEMS
Adjusts the time that we wait for an ARP response when checking to see if
our lease assignment is already taken by an existing host. Default is


@ -57,7 +57,6 @@
#include "ndhc.h"
#include "ndhc-defines.h"
#include "cfg.h"
#include "seccomp.h"
#include "state.h"
#include "options.h"
#include "dhcp.h"
@ -145,9 +144,6 @@ void show_usage(void)
" -D, --sockd-user=USER Change ndhc-sockd privileges to this user\n"
" -C, --chroot=DIR Chroot to this directory\n"
" -s, --state-dir=DIR State storage dir (default: /etc/ndhc)\n"
#ifdef ENABLE_SECCOMP_FILTER
" -S, --seccomp-enforce Enforce seccomp syscall restrictions\n"
#endif
" -d, --relentless-defense Never back off in defending IP against\n"
" conflicting hosts (servers only)\n"
" -w, --arp-probe-wait Time to delay before first ARP probe\n"
@ -270,9 +266,6 @@ static void do_ndhc_work(void)
if (cs.epollFd < 0)
suicide("epoll_create1 failed");
if (enforce_seccomp_ndhc())
log_line("ndhc seccomp filter cannot be installed");
setup_signals_ndhc();
epoll_add(cs.epollFd, cs.nlFd);


@ -1,224 +0,0 @@
/* seccomp.h - seccomp syscall filters for ndhc
*
* Copyright (c) 2012-2017 Nicholas J. Kain <njkain at gmail dot com>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* - Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
*
* - Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
#include <stdbool.h>
#include "seccomp.h"
#include "nk/log.h"
#include "nk/seccomp-bpf.h"
bool seccomp_enforce = false;
int enforce_seccomp_ndhc(void)
{
#ifdef ENABLE_SECCOMP_FILTER
if (!seccomp_enforce)
return 0;
struct sock_filter filter[] = {
VALIDATE_ARCHITECTURE,
EXAMINE_SYSCALL,
ALLOW_SYSCALL(epoll_wait),
ALLOW_SYSCALL(epoll_ctl),
ALLOW_SYSCALL(read),
ALLOW_SYSCALL(write),
ALLOW_SYSCALL(close),
#if defined(__x86_64__) || (defined(__arm__) && defined(__ARM_EABI__))
ALLOW_SYSCALL(sendto), // used for glibc syslog routines
ALLOW_SYSCALL(recvmsg),
ALLOW_SYSCALL(sendmsg),
ALLOW_SYSCALL(recvfrom),
ALLOW_SYSCALL(connect),
#elif defined(__i386__)
ALLOW_SYSCALL(socketcall),
#else
#error Target platform does not support seccomp-filter.
#endif
ALLOW_SYSCALL(open),
// Allowed by vDSO
ALLOW_SYSCALL(getcpu),
ALLOW_SYSCALL(time),
ALLOW_SYSCALL(gettimeofday),
ALLOW_SYSCALL(clock_gettime),
// These are for 'write_leasefile()'
ALLOW_SYSCALL(ftruncate),
ALLOW_SYSCALL(lseek),
ALLOW_SYSCALL(fsync),
// These are for 'background()'
ALLOW_SYSCALL(clone),
ALLOW_SYSCALL(set_robust_list),
ALLOW_SYSCALL(setsid),
ALLOW_SYSCALL(chdir),
ALLOW_SYSCALL(fstat),
ALLOW_SYSCALL(dup2),
ALLOW_SYSCALL(rt_sigprocmask),
ALLOW_SYSCALL(signalfd4),
ALLOW_SYSCALL(mmap),
ALLOW_SYSCALL(munmap),
ALLOW_SYSCALL(rt_sigreturn),
#ifdef __NR_sigreturn
ALLOW_SYSCALL(sigreturn),
#endif
ALLOW_SYSCALL(exit_group),
ALLOW_SYSCALL(exit),
KILL_PROCESS,
};
struct sock_fprog prog = {
.len = (unsigned short)(sizeof filter / sizeof filter[0]),
.filter = filter,
};
if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))
return -1;
if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog))
return -1;
log_line("ndhc seccomp filter installed. Please disable seccomp if you encounter problems.");
#endif
return 0;
}
int enforce_seccomp_ifch(void)
{
#ifdef ENABLE_SECCOMP_FILTER
if (!seccomp_enforce)
return 0;
struct sock_filter filter[] = {
VALIDATE_ARCHITECTURE,
EXAMINE_SYSCALL,
ALLOW_SYSCALL(read),
ALLOW_SYSCALL(write),
ALLOW_SYSCALL(epoll_wait),
ALLOW_SYSCALL(epoll_ctl),
ALLOW_SYSCALL(close),
#if defined(__x86_64__) || (defined(__arm__) && defined(__ARM_EABI__))
ALLOW_SYSCALL(sendto), // used for glibc syslog routines
ALLOW_SYSCALL(recvmsg),
ALLOW_SYSCALL(sendmsg),
ALLOW_SYSCALL(recvfrom),
ALLOW_SYSCALL(socket),
#elif defined(__i386__)
ALLOW_SYSCALL(socketcall),
#else
#error Target platform does not support seccomp-filter.
#endif
ALLOW_SYSCALL(open),
ALLOW_SYSCALL(fstat),
ALLOW_SYSCALL(fsync),
ALLOW_SYSCALL(lseek),
ALLOW_SYSCALL(truncate),
ALLOW_SYSCALL(rt_sigreturn),
#ifdef __NR_sigreturn
ALLOW_SYSCALL(sigreturn),
#endif
// Allowed by vDSO
ALLOW_SYSCALL(getcpu),
ALLOW_SYSCALL(time),
ALLOW_SYSCALL(gettimeofday),
ALLOW_SYSCALL(clock_gettime),
ALLOW_SYSCALL(exit_group),
ALLOW_SYSCALL(exit),
KILL_PROCESS,
};
struct sock_fprog prog = {
.len = (unsigned short)(sizeof filter / sizeof filter[0]),
.filter = filter,
};
if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))
return -1;
if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog))
return -1;
log_line("ndhc-ifch seccomp filter installed. Please disable seccomp if you encounter problems.");
#endif
return 0;
}
int enforce_seccomp_sockd(void)
{
#ifdef ENABLE_SECCOMP_FILTER
if (!seccomp_enforce)
return 0;
struct sock_filter filter[] = {
VALIDATE_ARCHITECTURE,
EXAMINE_SYSCALL,
ALLOW_SYSCALL(epoll_wait),
ALLOW_SYSCALL(epoll_ctl),
ALLOW_SYSCALL(read),
ALLOW_SYSCALL(write),
ALLOW_SYSCALL(close),
#if defined(__x86_64__) || (defined(__arm__) && defined(__ARM_EABI__))
ALLOW_SYSCALL(sendto), // used for glibc syslog routines
ALLOW_SYSCALL(recvmsg),
ALLOW_SYSCALL(sendmsg),
ALLOW_SYSCALL(recvfrom),
ALLOW_SYSCALL(socket),
ALLOW_SYSCALL(setsockopt),
ALLOW_SYSCALL(bind),
#elif defined(__i386__)
ALLOW_SYSCALL(socketcall),
ALLOW_SYSCALL(fcntl64),
#else
#error Target platform does not support seccomp-filter.
#endif
ALLOW_SYSCALL(fcntl),
ALLOW_SYSCALL(open),
// Allowed by vDSO
ALLOW_SYSCALL(getcpu),
ALLOW_SYSCALL(time),
ALLOW_SYSCALL(gettimeofday),
ALLOW_SYSCALL(clock_gettime),
ALLOW_SYSCALL(rt_sigreturn),
#ifdef __NR_sigreturn
ALLOW_SYSCALL(sigreturn),
#endif
ALLOW_SYSCALL(exit_group),
ALLOW_SYSCALL(exit),
KILL_PROCESS,
};
struct sock_fprog prog = {
.len = (unsigned short)(sizeof filter / sizeof filter[0]),
.filter = filter,
};
if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))
return -1;
if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog))
return -1;
log_line("ndhc-sockd seccomp filter installed. Please disable seccomp if you encounter problems.");
#endif
return 0;
}


@ -1,39 +0,0 @@
/* seccomp.h - seccomp syscall filters for ndhc
*
* Copyright (c) 2012-2017 Nicholas J. Kain <njkain at gmail dot com>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* - Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
*
* - Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
#ifndef NJK_NDHC_SECCOMP_H_
#define NJK_NDHC_SECCOMP_H_
#include <stdbool.h>
extern bool seccomp_enforce;
int enforce_seccomp_ndhc(void);
int enforce_seccomp_ifch(void);
int enforce_seccomp_sockd(void);
#endif /* NJK_NDHC_SECCOMP_H_ */


@ -57,7 +57,6 @@
#include "ndhc.h"
#include "dhcp.h"
#include "sys.h"
#include "seccomp.h"
static int epollfd, signalFd;
/* Slots are for signalFd and the ndhc -> ifchd socket. */
@ -555,9 +554,6 @@ static void do_sockd_work(void)
if (epollfd < 0)
suicide("epoll_create1 failed");
if (enforce_seccomp_sockd())
log_line("sockd seccomp filter cannot be installed");
epoll_add(epollfd, sockdSock[1]);
epoll_add(epollfd, sockdStream[1]);
epoll_add(epollfd, signalFd);