seccomp_policy.c 5.2 KB
Newer Older
X
<feat>  
xiacong 已提交
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
/*
 * Copyright (c) 2022 Huawei Device Co., Ltd.
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#include "seccomp_policy.h"
X
<feat>  
xiacong 已提交
17
#include "plugin_adapter.h"
X
<fix>  
xiacong 已提交
18
#include "securec.h"
X
<feat>  
xiacong 已提交
19

X
<fix>  
xiacong 已提交
20
#include <dlfcn.h>
X
<feat>  
xiacong 已提交
21 22 23 24 25 26 27 28
#include <sys/syscall.h>
#include <unistd.h>
#include <ctype.h>
#include <errno.h>
#include <assert.h>
#include <linux/audit.h>
#include <linux/seccomp.h>
#include <linux/filter.h>
X
<fix>  
xiacong 已提交
29
#include <limits.h>
X
<feat>  
xiacong 已提交
30 31 32 33 34

#ifndef SECCOMP_SET_MODE_FILTER
#define SECCOMP_SET_MODE_FILTER  (1)
#endif

X
<fix>  
xiacong 已提交
35 36 37 38 39 40 41 42
#ifdef __aarch64__
#define FILTER_LIB_PATH_FORMAT "/system/lib64/lib%s_filter.z.so"
#else
#define FILTER_LIB_PATH_FORMAT "/system/lib/lib%s_filter.z.so"
#endif
#define FILTER_NAME_FORMAT "g_%sSeccompFilter"
#define FILTER_SIZE_STRING "Size"

X
<fix>  
xiacong 已提交
43 44 45 46 47 48 49
typedef enum {
    SECCOMP_SUCCESS,
    INPUT_ERROR,
    RETURN_NULL,
    RETURN_ERROR
} SeccompErrorCode;

X
<feat>  
xiacong 已提交
50 51 52
static bool IsSupportFilterFlag(unsigned int filterFlag)
{
    errno = 0;
C
codex  
chengjinsong 已提交
53
    long ret = syscall(__NR_seccomp, SECCOMP_SET_MODE_FILTER, filterFlag, NULL);
X
<feat>  
xiacong 已提交
54
    if (ret != -1 || errno != EFAULT) {
X
<feat>  
xiacong 已提交
55
        PLUGIN_LOGE("not support  seccomp flag %u", filterFlag);
X
<feat>  
xiacong 已提交
56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78
        return false;
    }

    return true;
}

static bool InstallSeccompPolicy(const struct sock_filter* filter, size_t filterSize, unsigned int filterFlag)
{
    unsigned int flag = 0;
    struct sock_fprog prog = {
        (unsigned short)filterSize,
        (struct sock_filter*)filter
    };

    if (IsSupportFilterFlag(SECCOMP_FILTER_FLAG_TSYNC) && (filterFlag & SECCOMP_FILTER_FLAG_TSYNC)) {
        flag |= SECCOMP_FILTER_FLAG_TSYNC;
    }

    if (IsSupportFilterFlag(SECCOMP_FILTER_FLAG_LOG) && (filterFlag & SECCOMP_FILTER_FLAG_LOG)) {
        flag |= SECCOMP_FILTER_FLAG_LOG;
    }

    if (syscall(__NR_seccomp, SECCOMP_SET_MODE_FILTER, flag, &prog) != 0) {
X
<feat>  
xiacong 已提交
79
        PLUGIN_LOGE("SetSeccompFilter failed");
X
<feat>  
xiacong 已提交
80 81 82 83 84 85
        return false;
    }

    return true;
}

X
<fix>  
xiacong 已提交
86
static char *GetFilterFileByName(const char *filterName)
X
<feat>  
xiacong 已提交
87
{
X
<fix>  
xiacong 已提交
88
    size_t maxFilterNameLen = PATH_MAX - strlen(FILTER_LIB_PATH_FORMAT) + strlen("%s") - 1;
X
<fix>  
xiacong 已提交
89
    if (filterName == NULL || strlen(filterName) > maxFilterNameLen) {
X
<fix>  
xiacong 已提交
90 91 92 93
        return NULL;
    }

    char filterLibPath[PATH_MAX] = {0};
X
<feat>  
xiacong 已提交
94

X
<fix>  
xiacong 已提交
95
    int rc = snprintf_s(filterLibPath, sizeof(filterLibPath), \
X
<fix>  
xiacong 已提交
96 97 98 99 100 101 102 103
                            strlen(filterName) + strlen(FILTER_LIB_PATH_FORMAT) - strlen("%s"), \
                            FILTER_LIB_PATH_FORMAT, filterName);
    if (rc == -1) {
        return NULL;
    }

    return realpath(filterLibPath, NULL);
}
X
<feat>  
xiacong 已提交
104

X
<fix>  
xiacong 已提交
105 106 107 108 109 110 111 112 113 114
static int GetSeccompPolicy(const char *filterName, int **handler,
                            char *filterLibRealPath, struct sock_fprog *prog)
{
    char filterVaribleName[PATH_MAX] = {0};
    struct sock_filter *filter = NULL;
    size_t *filterSize = NULL;
    void *policyHanlder = NULL;
    int ret = SECCOMP_SUCCESS;
    do {
        int rc = snprintf_s(filterVaribleName, sizeof(filterVaribleName), \
X
<fix>  
xiacong 已提交
115 116
                    strlen(filterName) + strlen(FILTER_NAME_FORMAT) - strlen("%s"), \
                    FILTER_NAME_FORMAT, filterName);
X
<fix>  
xiacong 已提交
117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152
        if (rc == -1) {
            ret = RETURN_ERROR;
            break;
        }

        policyHanlder = dlopen(filterLibRealPath, RTLD_LAZY);
        if (policyHanlder == NULL) {
            ret = RETURN_NULL;
            break;
        }

        filter = (struct sock_filter *)dlsym(policyHanlder, filterVaribleName);
        if (filter == NULL) {
            ret = RETURN_NULL;
            break;
        }

        rc = strcat_s(filterVaribleName, strlen(filterVaribleName) + \
                      strlen(FILTER_SIZE_STRING) + 1, FILTER_SIZE_STRING);
        if (rc != 0) {
            ret = RETURN_ERROR;
            break;
        }

        filterSize = (size_t *)dlsym(policyHanlder, filterVaribleName);
        if (filterSize == NULL) {
            ret = RETURN_NULL;
            break;
        }
    } while (0);

    *handler = (int *)policyHanlder;
    prog->filter = filter;
    if (filterSize != NULL) {
        prog->len = (unsigned short)(*filterSize);
    }
X
<feat>  
xiacong 已提交
153

X
<fix>  
xiacong 已提交
154 155
    return ret;
}
X
<feat>  
xiacong 已提交
156

X
<fix>  
xiacong 已提交
157 158 159 160
bool SetSeccompPolicyWithName(const char *filterName)
{
    void *handler = NULL;
    char *filterLibRealPath = NULL;
X
<fix>  
xiacong 已提交
161
    struct sock_fprog prog;
X
<fix>  
xiacong 已提交
162 163 164 165 166 167 168 169 170 171 172
    bool ret = false;

    filterLibRealPath = GetFilterFileByName(filterName);
    PLUGIN_CHECK(filterLibRealPath != NULL, return false, "get filter file name faield");

    int retCode = GetSeccompPolicy(filterName, (int **)&handler, filterLibRealPath, &prog);
    if (retCode == SECCOMP_SUCCESS) {
        ret = InstallSeccompPolicy(prog.filter, prog.len, SECCOMP_FILTER_FLAG_LOG);
    } else {
        PLUGIN_LOGE("GetSeccompPolicy failed return is %d", retCode);
    }
X
<feat>  
xiacong 已提交
173

X
<fix>  
xiacong 已提交
174 175 176
    if (handler != NULL) {
        dlclose(handler);
    }
X
<feat>  
xiacong 已提交
177

X
<fix>  
xiacong 已提交
178 179 180
    if (filterLibRealPath != NULL) {
        free(filterLibRealPath);
    }
X
<fix>  
xiacong 已提交
181 182

    return ret;
X
<feat>  
xiacong 已提交
183
}