From: Sargun Dhillon <sargun@xxxxxxxxx> This adds a sample program that uses seccomp-eBPF, called test_seccomp. It shows the simple ability to code seccomp filters in C. Signed-off-by: Sargun Dhillon <sargun@xxxxxxxxx> Link: https://lists.linux-foundation.org/pipermail/containers/2018-February/038573.html Co-developed-by: Jinghao Jia <jinghao7@xxxxxxxxxxxx> Signed-off-by: Jinghao Jia <jinghao7@xxxxxxxxxxxx> [YiFei: change from bpf_load to libbpf] Co-developed-by: YiFei Zhu <yifeifz2@xxxxxxxxxxxx> Signed-off-by: YiFei Zhu <yifeifz2@xxxxxxxxxxxx> --- samples/bpf/Makefile | 3 ++ samples/bpf/test_seccomp_kern.c | 41 +++++++++++++++++++++++++++ samples/bpf/test_seccomp_user.c | 49 +++++++++++++++++++++++++++++++++ 3 files changed, 93 insertions(+) create mode 100644 samples/bpf/test_seccomp_kern.c create mode 100644 samples/bpf/test_seccomp_user.c diff --git a/samples/bpf/Makefile b/samples/bpf/Makefile index 45ceca4e2c70..d49e7f91eba6 100644 --- a/samples/bpf/Makefile +++ b/samples/bpf/Makefile @@ -55,6 +55,7 @@ tprogs-y += task_fd_query tprogs-y += xdp_sample_pkts tprogs-y += ibumad tprogs-y += hbm +tprogs-y += test_seccomp # Libbpf dependencies LIBBPF = $(TOOLS_PATH)/lib/bpf/libbpf.a @@ -113,6 +114,7 @@ task_fd_query-objs := task_fd_query_user.o $(TRACE_HELPERS) xdp_sample_pkts-objs := xdp_sample_pkts_user.o ibumad-objs := ibumad_user.o hbm-objs := hbm.o $(CGROUP_HELPERS) +test_seccomp-objs := test_seccomp_user.o # Tell kbuild to always build the programs always-y := $(tprogs-y) @@ -174,6 +176,7 @@ always-y += ibumad_kern.o always-y += hbm_out_kern.o always-y += hbm_edt_kern.o always-y += xdpsock_kern.o +always-y += test_seccomp_kern.o ifeq ($(ARCH), arm) # Strip all except -D__LINUX_ARM_ARCH__ option needed to handle linux diff --git a/samples/bpf/test_seccomp_kern.c b/samples/bpf/test_seccomp_kern.c new file mode 100644 index 000000000000..efd42f47d9c4 --- /dev/null +++ b/samples/bpf/test_seccomp_kern.c @@ -0,0 +1,41 @@ +// SPDX-License-Identifier: GPL-2.0 +#include <uapi/linux/seccomp.h> +#include <uapi/linux/bpf.h> +#include <uapi/linux/unistd.h> +#include <uapi/linux/errno.h> +#include <bpf/bpf_helpers.h> +#include <uapi/linux/audit.h> + +#if defined(__x86_64__) +#define ARCH AUDIT_ARCH_X86_64 +#elif defined(__i386__) +#define ARCH AUDIT_ARCH_I386 +#else +#endif + +#ifdef ARCH +/* Returns EPERM when trying to close fd 999 */ +SEC("seccomp") +int bpf_prog1(struct seccomp_data *ctx) +{ + /* + * Make sure this BPF program is being run on the same architecture it + * was compiled on. + */ + if (ctx->arch != ARCH) + return SECCOMP_RET_ERRNO | EPERM; + if (ctx->nr == __NR_close && ctx->args[0] == 999) + return SECCOMP_RET_ERRNO | EPERM; + + return SECCOMP_RET_ALLOW; +} +#else +#warning Architecture not supported -- Blocking all syscalls +SEC("seccomp") +int bpf_prog1(struct seccomp_data *ctx) +{ + return SECCOMP_RET_ERRNO | EPERM; +} +#endif + +char _license[] SEC("license") = "GPL"; diff --git a/samples/bpf/test_seccomp_user.c b/samples/bpf/test_seccomp_user.c new file mode 100644 index 000000000000..ba17e18666b9 --- /dev/null +++ b/samples/bpf/test_seccomp_user.c @@ -0,0 +1,49 @@ +// SPDX-License-Identifier: GPL-2.0 +#include <assert.h> +#include <bpf/libbpf.h> +#include <errno.h> +#include <linux/bpf.h> +#include <linux/seccomp.h> +#include <linux/unistd.h> +#include <stdio.h> +#include <stdlib.h> +#include <strings.h> +#include <sys/prctl.h> +#include <unistd.h> + +int main(int argc, char **argv) +{ + struct bpf_object *obj; + char filename[256]; + int prog_fd; + + snprintf(filename, sizeof(filename), "%s_kern.o", argv[0]); + + if (bpf_prog_load(filename, BPF_PROG_TYPE_SECCOMP, &obj, &prog_fd)) + exit(EXIT_FAILURE); + if (prog_fd < 0) { + fprintf(stderr, "ERROR: no program found: %s\n", + strerror(prog_fd)); + exit(EXIT_FAILURE); + } + + /* set new_new_privs so non-privileged users can attach filters */ + if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { + perror("prctl(NO_NEW_PRIVS)"); + exit(EXIT_FAILURE); + } + + if (syscall(__NR_seccomp, SECCOMP_SET_MODE_FILTER, + SECCOMP_FILTER_FLAG_EXTENDED, &prog_fd)) { + perror("seccomp"); + exit(EXIT_FAILURE); + } + + close(111); + assert(errno == EBADF); + close(999); + assert(errno == EPERM); + + printf("close syscall successfully filtered\n"); + return 0; +} -- 2.31.1
