Skip to content

Commit

Permalink
api: add support for the SPEC_ALLOW flag
Browse files Browse the repository at this point in the history
Signed-off-by: Tycho Andersen <[email protected]>
  • Loading branch information
tych0 committed Apr 16, 2019
1 parent a692e7d commit 3385865
Show file tree
Hide file tree
Showing 9 changed files with 68 additions and 2 deletions.
3 changes: 3 additions & 0 deletions doc/man/man3/seccomp_api_get.3
Original file line number Diff line number Diff line change
Expand Up @@ -50,6 +50,9 @@ syscall to load the seccomp filter into the kernel.
.TP
.B 3
The SCMP_FLTATR_CTL_LOG filter attribute and the SCMP_ACT_LOG action are supported.
.TP
.B 4
The SCMP_FLTATR_SPEC_ALLOW filter attribute is supported.
.\" //////////////////////////////////////////////////////////////////////////
.SH RETURN VALUE
.\" //////////////////////////////////////////////////////////////////////////
Expand Down
6 changes: 6 additions & 0 deletions doc/man/man3/seccomp_attr_set.3
Original file line number Diff line number Diff line change
Expand Up @@ -94,6 +94,12 @@ the
action. Defaults to off (
.I value
== 0).
.TP
.B SCMP_FLTATR_SPEC_ALLOW
A flag to disable Speculative Store Bypass mitigations for this filter.
Defaults to off (
.I value
== 0).
.\" //////////////////////////////////////////////////////////////////////////
.SH RETURN VALUE
.\" //////////////////////////////////////////////////////////////////////////
Expand Down
2 changes: 2 additions & 0 deletions include/seccomp.h.in
Original file line number Diff line number Diff line change
Expand Up @@ -65,6 +65,7 @@ enum scmp_filter_attr {
SCMP_FLTATR_CTL_TSYNC = 4, /**< sync threads on filter load */
SCMP_FLTATR_API_TSKIP = 5, /**< allow rules with a -1 syscall */
SCMP_FLTATR_CTL_LOG = 6, /**< log not-allowed actions */
SCMP_FLTATR_SPEC_ALLOW = 7, /**< disable SSB mitigation */
_SCMP_FLTATR_MAX,
};

Expand Down Expand Up @@ -367,6 +368,7 @@ const struct scmp_version *seccomp_version(void);
* 3 : support for the SCMP_FLTATR_CTL_LOG filter attribute
* support for the SCMP_ACT_LOG action
* support for the SCMP_ACT_KILL_PROCESS action
* 4 : support for the SCMP_FLTATR_SPEC_ALLOW filter attrbute
*
*/
unsigned int seccomp_api_get(void);
Expand Down
12 changes: 12 additions & 0 deletions src/api.c
Original file line number Diff line number Diff line change
Expand Up @@ -108,6 +108,10 @@ static unsigned int _seccomp_api_update(void)
sys_chk_seccomp_action(SCMP_ACT_LOG) == 1)
level = 3;

if (level == 3 &&
sys_chk_seccomp_flag(SECCOMP_FILTER_FLAG_SPEC_ALLOW) == 1)
level = 4;

/* update the stored api level and return */
seccomp_api_level = level;
return seccomp_api_level;
Expand Down Expand Up @@ -151,6 +155,14 @@ API int seccomp_api_set(unsigned int level)
sys_set_seccomp_action(SCMP_ACT_LOG, true);
sys_set_seccomp_action(SCMP_ACT_KILL_PROCESS, true);
break;
case 4:
sys_set_seccomp_syscall(true);
sys_set_seccomp_flag(SECCOMP_FILTER_FLAG_TSYNC, true);
sys_set_seccomp_flag(SECCOMP_FILTER_FLAG_LOG, true);
sys_set_seccomp_action(SCMP_ACT_LOG, true);
sys_set_seccomp_action(SCMP_ACT_KILL_PROCESS, true);
sys_set_seccomp_flag(SECCOMP_FILTER_FLAG_SPEC_ALLOW, true);
break;
default:
return -EINVAL;
}
Expand Down
14 changes: 14 additions & 0 deletions src/db.c
Original file line number Diff line number Diff line change
Expand Up @@ -1280,6 +1280,9 @@ int db_col_attr_get(const struct db_filter_col *col,
case SCMP_FLTATR_CTL_LOG:
*value = col->attr.log_enable;
break;
case SCMP_FLTATR_SPEC_ALLOW:
*value = col->attr.spec_allow;
break;
default:
rc = -EEXIST;
break;
Expand Down Expand Up @@ -1341,6 +1344,17 @@ int db_col_attr_set(struct db_filter_col *col,
rc = -EOPNOTSUPP;
}
break;
case SCMP_FLTATR_SPEC_ALLOW:
rc = sys_chk_seccomp_flag(SECCOMP_FILTER_FLAG_SPEC_ALLOW);
if (rc == 1) {
/* supported */
rc = 0;
col->attr.spec_allow = (value ? 1 : 0);
} else if (rc == 0) {
/* unsupported */
rc = -EOPNOTSUPP;
}
break;
default:
rc = -EEXIST;
break;
Expand Down
2 changes: 2 additions & 0 deletions src/db.h
Original file line number Diff line number Diff line change
Expand Up @@ -116,6 +116,8 @@ struct db_filter_attr {
uint32_t api_tskip;
/* SECCOMP_FILTER_FLAG_LOG related attributes */
uint32_t log_enable;
/* SPEC_ALLOW related attributes */
uint32_t spec_allow;
};

struct db_filter {
Expand Down
1 change: 1 addition & 0 deletions src/python/libseccomp.pxd
Original file line number Diff line number Diff line change
Expand Up @@ -58,6 +58,7 @@ cdef extern from "seccomp.h":
SCMP_FLTATR_CTL_TSYNC
SCMP_FLTATR_API_TSKIP
SCMP_FLTATR_CTL_LOG
SCMP_FLTATR_SPEC_ALLOW

cdef enum scmp_compare:
SCMP_CMP_NE
Expand Down
11 changes: 11 additions & 0 deletions src/system.c
Original file line number Diff line number Diff line change
Expand Up @@ -44,6 +44,7 @@ static int _support_seccomp_flag_tsync = -1;
static int _support_seccomp_flag_log = -1;
static int _support_seccomp_action_log = -1;
static int _support_seccomp_kill_process = -1;
static int _support_seccomp_flag_spec_allow = -1;

/**
* Check to see if the seccomp() syscall is supported
Expand Down Expand Up @@ -221,6 +222,11 @@ int sys_chk_seccomp_flag(int flag)
_support_seccomp_flag_log = _sys_chk_seccomp_flag_kernel(flag);

return _support_seccomp_flag_log;
case SECCOMP_FILTER_FLAG_SPEC_ALLOW:
if (_support_seccomp_flag_spec_allow < 0)
_support_seccomp_flag_spec_allow = _sys_chk_seccomp_flag_kernel(flag);

return _support_seccomp_flag_spec_allow;
}

return -EOPNOTSUPP;
Expand All @@ -244,6 +250,9 @@ void sys_set_seccomp_flag(int flag, bool enable)
case SECCOMP_FILTER_FLAG_LOG:
_support_seccomp_flag_log = (enable ? 1 : 0);
break;
case SECCOMP_FILTER_FLAG_SPEC_ALLOW:
_support_seccomp_flag_spec_allow = (enable ? 1 : 0);
break;
}
}

Expand Down Expand Up @@ -280,6 +289,8 @@ int sys_filter_load(const struct db_filter_col *col)
flgs |= SECCOMP_FILTER_FLAG_TSYNC;
if (col->attr.log_enable)
flgs |= SECCOMP_FILTER_FLAG_LOG;
if (col->attr.spec_allow)
flgs |= SECCOMP_FILTER_FLAG_SPEC_ALLOW;
rc = syscall(_nr_seccomp, SECCOMP_SET_MODE_FILTER, flgs, prgm);
if (rc > 0 && col->attr.tsync_enable)
/* always return -ESRCH if we fail to sync threads */
Expand Down
19 changes: 17 additions & 2 deletions tests/13-basic-attrs.c
Original file line number Diff line number Diff line change
Expand Up @@ -28,11 +28,11 @@

int main(int argc, char *argv[])
{
int rc;
int rc, expected;
uint32_t val = (uint32_t)(-1);
scmp_filter_ctx ctx = NULL;

rc = seccomp_api_set(3);
rc = seccomp_api_set(4);
if (rc != 0)
return EOPNOTSUPP;

Expand Down Expand Up @@ -108,6 +108,21 @@ int main(int argc, char *argv[])
goto out;
}


expected = 1;
rc = seccomp_attr_set(ctx, SCMP_FLTATR_SPEC_ALLOW, expected);
if (rc == -EOPNOTSUPP)
expected = 0;
else if (rc != 0)
goto out;
rc = seccomp_attr_get(ctx, SCMP_FLTATR_SPEC_ALLOW, &val);
if (rc != 0)
goto out;
if (val != expected) {
rc = -1;
goto out;
}

rc = 0;
out:
seccomp_release(ctx);
Expand Down

0 comments on commit 3385865

Please sign in to comment.