From 9fca752f05909f12edd32f619ec40d38a6c2b305 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= Date: Wed, 29 Mar 2017 01:30:33 +0200 Subject: [PATCH 12/12] bpf: Add a Landlock sandbox example MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add a basic sandbox tool to create a process isolated from some part of the system. This sandbox create a read-only environment. It is only allowed to write to a character device such as a TTY: # :> X # echo $? 0 # ./samples/bpf/landlock1 /bin/sh -i Launching a new sandboxed process. # :> Y cannot create Y: Operation not permitted Changes since v5: * cosmetic fixes * rebase Changes since v4: * write Landlock rule in C and compiled it with LLVM * remove cgroup handling * remove path handling: only handle a read-only environment * remove errno return codes Changes since v3: * remove seccomp and origin field: completely free from seccomp programs * handle more FS-related hooks * handle inode hooks and directory traversal * add faked but consistent view thanks to ENOENT * add /lib64 in the example * fix spelling * rename some types and definitions (e.g. SECCOMP_ADD_LANDLOCK_RULE) Changes since v2: * use BPF_PROG_ATTACH for cgroup handling Signed-off-by: Mickaël Salaün Cc: Alexei Starovoitov Cc: Andy Lutomirski Cc: Daniel Borkmann Cc: David S. Miller Cc: James Morris Cc: Kees Cook Cc: Serge E. Hallyn (cherry picked from commit 9c5c745d4c0640a96f30f072cb835c21e7bd3ca6) --- samples/bpf/Makefile | 4 ++ samples/bpf/bpf_load.c | 30 +++++++++++-- samples/bpf/landlock1_kern.c | 46 +++++++++++++++++++ samples/bpf/landlock1_user.c | 102 +++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 178 insertions(+), 4 deletions(-) create mode 100644 samples/bpf/landlock1_kern.c create mode 100644 samples/bpf/landlock1_user.c diff --git a/samples/bpf/Makefile b/samples/bpf/Makefile index 72c58675973e..c9ce3b2e7a7e 100644 --- a/samples/bpf/Makefile +++ b/samples/bpf/Makefile @@ -28,6 +28,7 @@ hostprogs-y += test_current_task_under_cgroup hostprogs-y += trace_event hostprogs-y += sampleip hostprogs-y += tc_l2_redirect +hostprogs-y += landlock1 test_verifier-objs := test_verifier.o libbpf.o test_maps-objs := test_maps.o libbpf.o @@ -58,6 +59,7 @@ test_current_task_under_cgroup-objs := bpf_load.o libbpf.o \ trace_event-objs := bpf_load.o libbpf.o trace_event_user.o sampleip-objs := bpf_load.o libbpf.o sampleip_user.o tc_l2_redirect-objs := bpf_load.o libbpf.o tc_l2_redirect_user.o +landlock1-objs := bpf_load.o libbpf.o landlock1_user.o # Tell kbuild to always build the programs always := $(hostprogs-y) @@ -88,6 +90,7 @@ always += xdp2_kern.o always += test_current_task_under_cgroup_kern.o always += trace_event_kern.o always += sampleip_kern.o +always += landlock1_kern.o HOSTCFLAGS += -I$(objtree)/usr/include @@ -115,6 +118,7 @@ HOSTLOADLIBES_test_current_task_under_cgroup += -lelf HOSTLOADLIBES_trace_event += -lelf HOSTLOADLIBES_sampleip += -lelf HOSTLOADLIBES_tc_l2_redirect += -l elf +HOSTLOADLIBES_landlock1 += -lelf # Allows pointing LLC/CLANG to a LLVM backend with bpf support, redefine on cmdline: # make samples/bpf/ LLC=~/git/llvm/build/bin/llc CLANG=~/git/llvm/build/bin/clang diff --git a/samples/bpf/bpf_load.c b/samples/bpf/bpf_load.c index 40cf828a37c7..1a461afb1d82 100644 --- a/samples/bpf/bpf_load.c +++ b/samples/bpf/bpf_load.c @@ -25,6 +25,8 @@ static char license[128]; static int kern_version; +static union bpf_prog_subtype subtype = {}; +static bool has_subtype; static bool processed_sec[128]; int map_fd[MAX_MAPS]; int prog_fd[MAX_PROGS]; @@ -52,6 +54,7 @@ static int load_and_attach(const char *event, struct bpf_insn *prog, int size) bool is_tracepoint = strncmp(event, "tracepoint/", 11) == 0; bool is_xdp = strncmp(event, "xdp", 3) == 0; bool is_perf_event = strncmp(event, "perf_event", 10) == 0; + bool is_landlock = strncmp(event, "landlock", 8) == 0; enum bpf_prog_type prog_type; char buf[256]; int fd, efd, err, id; @@ -73,6 +76,13 @@ static int load_and_attach(const char *event, struct bpf_insn *prog, int size) prog_type = BPF_PROG_TYPE_XDP; } else if (is_perf_event) { prog_type = BPF_PROG_TYPE_PERF_EVENT; + } else if (is_landlock) { + prog_type = BPF_PROG_TYPE_LANDLOCK; + if (!has_subtype) { + printf("No subtype\n"); + return -1; + } + st = &subtype; } else { printf("Unknown event '%s'\n", event); return -1; @@ -86,7 +96,7 @@ static int load_and_attach(const char *event, struct bpf_insn *prog, int size) prog_fd[prog_cnt++] = fd; - if (is_xdp || is_perf_event) + if (is_xdp || is_perf_event || is_landlock) return 0; if (is_socket) { @@ -261,6 +271,7 @@ int load_bpf_file(char *path) kern_version = 0; memset(license, 0, sizeof(license)); memset(processed_sec, 0, sizeof(processed_sec)); + has_subtype = false; if (elf_version(EV_CURRENT) == EV_NONE) return 1; @@ -306,6 +317,16 @@ int load_bpf_file(char *path) processed_sec[i] = true; if (load_maps(data->d_buf, data->d_size)) return 1; + } else if (strcmp(shname, "subtype") == 0) { + processed_sec[i] = true; + if (data->d_size != sizeof(union bpf_prog_subtype)) { + printf("invalid size of subtype section %zd\n", + data->d_size); + return 1; + } + memcpy(&subtype, data->d_buf, + sizeof(union bpf_prog_subtype)); + has_subtype = true; } else if (shdr.sh_type == SHT_SYMTAB) { symbols = data; } @@ -338,14 +359,14 @@ int load_bpf_file(char *path) memcmp(shname_prog, "tracepoint/", 11) == 0 || memcmp(shname_prog, "xdp", 3) == 0 || memcmp(shname_prog, "perf_event", 10) == 0 || - memcmp(shname_prog, "socket", 6) == 0) + memcmp(shname_prog, "socket", 6) == 0 || + memcmp(shname_prog, "landlock", 8) == 0) load_and_attach(shname_prog, insns, data_prog->d_size); } } /* load programs that don't use maps */ for (i = 1; i < ehdr.e_shnum; i++) { - if (processed_sec[i]) continue; @@ -357,7 +378,8 @@ int load_bpf_file(char *path) memcmp(shname, "tracepoint/", 11) == 0 || memcmp(shname, "xdp", 3) == 0 || memcmp(shname, "perf_event", 10) == 0 || - memcmp(shname, "socket", 6) == 0) + memcmp(shname, "socket", 6) == 0 || + memcmp(shname, "landlock", 8) == 0) load_and_attach(shname, data->d_buf, data->d_size); } diff --git a/samples/bpf/landlock1_kern.c b/samples/bpf/landlock1_kern.c new file mode 100644 index 000000000000..b8a9b0ca84c9 --- /dev/null +++ b/samples/bpf/landlock1_kern.c @@ -0,0 +1,46 @@ +/* + * Landlock rule - partial read-only filesystem + * + * Copyright © 2017 Mickaël Salaün + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2, as + * published by the Free Software Foundation. + */ + +#define KBUILD_MODNAME "foo" +#include +#include /* S_ISCHR() */ +#include "bpf_helpers.h" + +SEC("landlock1") +static int landlock_fs_prog1(struct landlock_context *ctx) +{ + char fmt_error[] = "landlock1: error: get_mode:%lld\n"; + char fmt_name[] = "landlock1: syscall:%d\n"; + long long ret; + + if (!(ctx->arg2 & LANDLOCK_ACTION_FS_WRITE)) + return 0; + ret = bpf_handle_fs_get_mode((void *)ctx->arg1); + if (ret < 0) { + bpf_trace_printk(fmt_error, sizeof(fmt_error), ret); + return 1; + } + if (S_ISCHR(ret)) + return 0; + bpf_trace_printk(fmt_name, sizeof(fmt_name), ctx->syscall_nr); + return 1; +} + +SEC("subtype") +static union bpf_prog_subtype _subtype = { + .landlock_rule = { + .version = 1, + .event = LANDLOCK_SUBTYPE_EVENT_FS, + .ability = LANDLOCK_SUBTYPE_ABILITY_DEBUG, + } +}; + +SEC("license") +static const char _license[] = "GPL"; diff --git a/samples/bpf/landlock1_user.c b/samples/bpf/landlock1_user.c new file mode 100644 index 000000000000..6f79eb0ee6db --- /dev/null +++ b/samples/bpf/landlock1_user.c @@ -0,0 +1,102 @@ +/* + * Landlock sandbox - partial read-only filesystem + * + * Copyright © 2017 Mickaël Salaün + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2, as + * published by the Free Software Foundation. + */ + +#include "bpf_load.h" +#include "libbpf.h" + +#define _GNU_SOURCE +#include +#include /* open() */ +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#ifndef seccomp +static int seccomp(unsigned int op, unsigned int flags, void *args) +{ + errno = 0; + return syscall(__NR_seccomp, op, flags, args); +} +#endif + +#define ARRAY_SIZE(a) (sizeof(a) / sizeof(a[0])) +#define MAX_ERRNO 4095 + + +struct landlock_rule { + enum landlock_subtype_event event; + struct bpf_insn *bpf; + size_t size; +}; + +static int apply_sandbox(int prog_fd) +{ + int ret = 0; + + /* set up the test sandbox */ + if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { + perror("prctl(no_new_priv)"); + return 1; + } + if (seccomp(SECCOMP_APPEND_LANDLOCK_RULE, 0, &prog_fd)) { + perror("seccomp(set_hook)"); + ret = 1; + } + close(prog_fd); + + return ret; +} + +int main(int argc, char * const argv[], char * const *envp) +{ + char filename[256]; + char *cmd_path; + char * const *cmd_argv; + + if (argc < 2) { + fprintf(stderr, "usage: %s [args]...\n\n", argv[0]); + fprintf(stderr, "Launch a command in a read-only environment " + "(except for character devices).\n"); + fprintf(stderr, "Display debug with: " + "cat /sys/kernel/debug/tracing/trace_pipe &\n"); + return 1; + } + + snprintf(filename, sizeof(filename), "%s_kern.o", argv[0]); + if (load_bpf_file(filename)) { + printf("%s", bpf_log_buf); + return 1; + } + if (!prog_fd[0]) { + if (errno) { + printf("load_bpf_file: %s\n", strerror(errno)); + } else { + printf("load_bpf_file: Error\n"); + } + return 1; + } + + if (apply_sandbox(prog_fd[0])) + return 1; + cmd_path = argv[1]; + cmd_argv = argv + 1; + fprintf(stderr, "Launching a new sandboxed process.\n"); + execve(cmd_path, cmd_argv, envp); + perror("execve"); + return 1; +} -- 2.11.0