giuseppe / easyseccomp

DSL language to write seccomp filters

License: GNU General Public License v2.0

Languages: Makefile 1.04%, Shell 23.31%, M4 0.78%, C 63.33%, Lex 1.88%, Yacc 2.75%, Python 4.07%, Emacs Lisp 0.73%, Go 2.11%
Topics: containers, seccomp, seccomp-bpf, seccomp-filter, security

easyseccomp's Introduction

easyseccomp

A domain-specific language for defining seccomp profiles for containers in an easier way, with more control over the generated BPF than is possible with libseccomp. This blog post explains in more detail why the project was started: https://www.scrivano.org/posts/2021-01-30-easyseccomp/

A seccomp profile can be defined as:

// Native support for comments without abusing JSON!

#ifdef DENY_MKDIR_WITH_EINVAL
$syscall in (@mkdir) => ERRNO(EINVAL);
#endif

#ifndef DENY_MKDIR_WITH_EINVAL
$syscall in (@mkdir) => ERRNO(EPERM);
#endif

=> ALLOW();

and generate the raw BPF as:

$ easyseccomp < profile.seccomp > seccomp.bpf
$ easyseccomp -d DENY_MKDIR_WITH_EINVAL < profile.seccomp > seccomp.bpf

Language

The policy is a list of CONDITION => STATEMENT; rules that are evaluated in the specified order. The filter terminates by performing the action given by STATEMENT for the first CONDITION that evaluates to true.

If the CONDITION is not specified (=> STATEMENT();), then the STATEMENT is always performed.

Supported variables

Name Description
$syscall The syscall number
$arch Architecture
$arg0 1st argument to the syscall
$arg1 2nd argument to the syscall
$arg2 3rd argument to the syscall
$arg3 4th argument to the syscall
$arg4 5th argument to the syscall
$arg5 6th argument to the syscall

Actions

Name Description
ALLOW() Allow the syscall
TRAP() Trap the syscall
NOTIFY() Handle the syscall through a user space handler
LOG() Log the syscall
KILL() Kill the process
KILL_PROCESS() Kill the process
KILL_THREAD() Kill the thread
ERRNO(ERRNO) Return the specified error code
TRACE(ERRNO) Trace the syscall and return the specified error code

Comparison Operators

Name Description
$variable == VALUE Equality
$variable != VALUE Disequality
$variable < VALUE Less than
$variable <= VALUE Less than or equal
$variable > VALUE Greater than
$variable >= VALUE Greater than or equal
$variable & MASK == VALUE Bitwise AND
$variable in (SET) The variable value is part of SET
$variable not in (SET) The variable value is not part of SET
$syscall in KERNEL(VERSION) The syscall is part of the specified kernel version

Lookups

When the variable $syscall is used, the value can be written in the form @name, where name is a syscall name that is looked up for the current architecture.

It is possible to force the lookup for a specific architecture using the format @name@arch.

Directives

It is possible to define some rules that are conditionally included in the final BPF:

#ifdef DIRECTIVE_NAME
# ifdef ANOTHER_DIRECTIVE
=> ALLOW();
# endif
#endif

The rules included between the #ifdef and the #endif are included only if both DIRECTIVE_NAME and ANOTHER_DIRECTIVE are specified at compile time.

It enables writing conditional policies such as:

#ifndef CAP_AUDIT_WRITE
$syscall == @socket && $arg0 == 16 && $arg2 == 9 => ERRNO(EINVAL);
#endif

$syscall == @socket => ALLOW();

A higher-level tool, such as a container engine, can pass different directives. In the example above the directive indicates that a capability was not added to the container, and a different rule is then used for handling the socket syscall.
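To make the first-match ordering and the #ifdef/#ifndef directive semantics concrete, here is an added Python evaluator for a subset of the DSL (not part of easyseccomp; the syscall numbers in SYSCALLS are constructed x86_64 values standing in for the libseccomp lookup, and PROFILE, decide and the other names are this example's own): it keeps the rules selected by the given -d names, then returns the action of the first rule whose condition holds for a syscall and its arguments.

```python
import operator, re
SYSCALLS = {"mkdir": 83, "socket": 41, "read": 0}  # constructed x86_64 numbers, not libseccomp
OPS = {"==": operator.eq, "!=": operator.ne, "<": operator.lt, "<=": operator.le, ">": operator.gt, ">=": operator.ge}

def preprocess(text, defines):
    """Keep the rule lines whose enclosing #ifdef/#ifndef directives all hold."""
    stack, rules = [], []
    for line in text.splitlines():
        s = re.sub(r"^#\s*", "#", line.strip())  # "# ifdef X" -> "#ifdef X"
        if s.startswith(("#ifdef", "#ifndef")):
            stack.append((s.split()[1] in defines) == s.startswith("#ifdef"))
        elif s == "#endif":
            stack.pop()
        elif s and not s.startswith("//") and all(stack):
            rules.append(s)
    return rules
def value(tok):  # @name is resolved through the syscall table, anything else is a number
    return SYSCALLS[tok[1:]] if tok.startswith("@") else int(tok, 0)

def term_holds(term, env):
    """One comparison: '$var OP VALUE' or '$var [not] in (SET)'."""
    m = re.fullmatch(r"\$(\w+)\s+(not in|in)\s+\((.*)\)", term)
    if m:
        return (env[m[1]] in [value(t.strip()) for t in m[3].split(",")]) == (m[2] == "in")
    var, op, val = re.fullmatch(r"\$(\w+)\s*(==|!=|<=|>=|<|>)\s*(\S+)", term).groups()
    return OPS[op](env[var], value(val))

def evaluate(rules, env):
    """First rule whose condition holds wins; an empty condition always matches."""
    for rule in rules:
        cond, action = rule.rstrip(";").split("=>")
        if all(term_holds(t.strip(), env) for t in cond.split("&&") if t.strip()):
            return action.strip()
    return None  # nothing matched; the profiles on this page end with a catch-all rule

PROFILE = """#ifdef DENY_MKDIR_WITH_EINVAL
$syscall in (@mkdir) => ERRNO(EINVAL);
#endif
#ifndef DENY_MKDIR_WITH_EINVAL
$syscall in (@mkdir) => ERRNO(EPERM);
#endif
#ifndef CAP_AUDIT_WRITE
$syscall == @socket && $arg0 == 16 && $arg2 == 9 => ERRNO(EINVAL);
#endif
=> ALLOW();
"""
def decide(defines, syscall, args=()):
    argv = list(args) + [0] * (6 - len(args))  # unspecified syscall arguments default to 0
    env = {"syscall": SYSCALLS[syscall], **{f"arg{i}": v for i, v in enumerate(argv)}}
    return evaluate(preprocess(PROFILE, defines), env)  # action for this invocation
```

Calling decide(set(), "mkdir") corresponds to compiling the profile without -d, and decide({"DENY_MKDIR_WITH_EINVAL"}, "mkdir") to compiling it with -d DENY_MKDIR_WITH_EINVAL.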

Examples

  • => ALLOW();: Allow the syscall.
  • $syscall in (@read, @write) => ALLOW();: The syscall is one of read or write.
  • $syscall not in (4, 5) => ALLOW();: The syscall value is not included in the set (4, 5).
  • $syscall == @read && $arg0 == 2 => ALLOW();: The syscall is read and the first argument is 2.
  • $syscall == @write && $arg0 > 2 => ALLOW();: Write to a fd bigger than 2.
  • $syscall == @renameat2@aarch64 => ALLOW();: The syscall is renameat2 as defined for the aarch64 architecture.
  • $syscall in KERNEL(5.3): The syscall is present in kernel 5.3.

Dependencies for OCI containers

It currently requires this feature in crun: containers/crun#578

It allows loading a custom raw BPF filter in place of the seccomp configuration specified in the container configuration file.

With that feature in crun, it is possible to create a container using the seccomp profile as:

$ easyseccomp < profile.seccomp > seccomp.bpf
$ podman run --annotation run.oci.seccomp_bpf_file=/tmp/seccomp.bpf --rm fedora mkdir /tmp/foo
mkdir: cannot create directory '/tmp/foo': Operation not permitted

$ easyseccomp -d DENY_MKDIR_WITH_EINVAL < profile.seccomp > seccomp.bpf
$ podman run --annotation run.oci.seccomp_bpf_file=/tmp/seccomp.bpf --rm fedora mkdir /tmp/foo
mkdir: cannot create directory '/tmp/foo': Invalid argument

BPF generator

easyseccomp uses libseccomp only for the syscall number lookup. It is not used for generating the BPF bytecode, because libseccomp internally rewrites the rules.

easyseccomp's People

Contributors

giuseppe, the-king-of-toasters


easyseccomp's Issues

extraneous line at end of default policy

The last line of the default policy generates an error. Perhaps either the initial condition is missing or is just a typo leftover from something else:

=> ERRNO(ENOSYS);

$ ./easyseccomp <contrib/default-policy.easyseccomp >default.bpf
syntax error, unexpected EOL, expecting end of file

some SECCOMP_RET_ values do not exist in older kernels

Some of the definitions assumed in the code don't exist on older systems (e.g. kernel 3.10.0). Had to remove them from generator.c and sim/sim.c. Would be nice if they were only used when available...

$ make
CC src/libeasyseccomp_a-libeasyseccomp_a-parser.o
CC src/libeasyseccomp_a-libeasyseccomp_a-lexer.o
CC src/libeasyseccomp_a-generator.o
src/generator.c: In function 'generate_action':
src/generator.c:385:36: error: 'SECCOMP_RET_USER_NOTIF' undeclared (first use in this function)
emit_stmt (ctx, BPF_RET|BPF_K, SECCOMP_RET_USER_NOTIF);
^
src/generator.c:385:36: note: each undeclared identifier is reported only once for each function it appears in
src/generator.c:387:36: error: 'SECCOMP_RET_LOG' undeclared (first use in this function)
emit_stmt (ctx, BPF_RET|BPF_K, SECCOMP_RET_LOG);
^
src/generator.c:391:36: error: 'SECCOMP_RET_KILL_THREAD' undeclared (first use in this function)
emit_stmt (ctx, BPF_RET|BPF_K, SECCOMP_RET_KILL_THREAD);
^
src/generator.c:393:36: error: 'SECCOMP_RET_KILL_PROCESS' undeclared (first use in this function)
emit_stmt (ctx, BPF_RET|BPF_K, SECCOMP_RET_KILL_PROCESS);
^
src/generator.c: In function 'generate_condition_and_action':
src/generator.c:795:9: warning: empty declaration [enabled by default]
__attribute__ ((fallthrough));
^
make: *** [src/libeasyseccomp_a-generator.o] Error 1

make
CC src/libeasyseccomp_a-generator.o
src/generator.c: In function 'generate_condition_and_action':
src/generator.c:795:9: warning: empty declaration [enabled by default]
__attribute__ ((fallthrough));
^
CC src/libeasyseccomp_a-types.o
CC src/syscall-versions/libeasyseccomp_a-syscall-versions.o
AR libeasyseccomp.a
CC src/main.o
CCLD easyseccomp
CC src/sim/sim.o
In file included from src/sim/bpf.h:59:0,
from src/sim/sim.c:31:
src/sim/glue.h:11:0: warning: "__bounded" redefined [enabled by default]
# define __bounded(args)
^
In file included from /usr/include/features.h:375:0,
from /usr/include/sys/types.h:25,
from /usr/include/sys/param.h:25,
from src/sim/sim.c:19:
/usr/include/sys/cdefs.h:134:0: note: this is the location of the previous definition
# define __bounded /* nothing */
^
src/sim/sim.c: In function 'get_seccomp_action':
src/sim/sim.c:167:17: error: 'SECCOMP_RET_USER_NOTIF' undeclared (first use in this function)
if (action == SECCOMP_RET_USER_NOTIF)
^
src/sim/sim.c:167:17: note: each undeclared identifier is reported only once for each function it appears in
src/sim/sim.c:171:17: error: 'SECCOMP_RET_KILL_THREAD' undeclared (first use in this function)
if (action == SECCOMP_RET_KILL_THREAD)
^
src/sim/sim.c:173:17: error: 'SECCOMP_RET_KILL_PROCESS' undeclared (first use in this function)
if (action == SECCOMP_RET_KILL_PROCESS)
^
make: *** [src/sim/sim.o] Error 1

Non-obvious build failure when lex not installed

configure succeeds even when there is no lex installed. However, it does mention it:

...
checking for flex... no
checking for lex... no
...

After the successful configure, make fails like this:

  CC       src/main.o
  LEX      src/libeasyseccomp_a-lexer.c
  CC       src/libeasyseccomp_a-libeasyseccomp_a-lexer.o
gcc: error: ./src/libeasyseccomp_a-lexer.c: No such file or directory
gcc: fatal error: no input files
compilation terminated.
make: *** [Makefile:765: src/libeasyseccomp_a-libeasyseccomp_a-lexer.o] Error 1

It took some figuring out to learn that I had to install flex. (I'm using Ubuntu 20.04.)

error: %define variable 'parse.error' is not used

Get an error when using an older bison (2.7.12-4996). Ok with bison 3.7.6.

$ ./configure

$ make
YACC src/libeasyseccomp_a-parser.c
easyseccomp-main/src/parser.y:42.9-19: error: %define variable 'parse.error' is not used
make: *** [src/libeasyseccomp_a-parser.c] Error 1

unknown syscall pidfd_open

Can't compile default policy due to missing syscalls (likely because I'm on older 3.10 kernel). Don't know if this is a fatal message or just a warning, but the default policy doesn't even mention pidfd_open so it's strange that there is a message about it.

$ ./easyseccomp <contrib/default-policy.easyseccomp >default.bpf
unknown syscall pidfd_open

Why not libseccomp?

I love seeing new seccomp projects!

What is the use-case here? Since this uses libseccomp internally, it must meet some requirement(s) that the library doesn't fulfill.

It would be good to explain this in the README.md file.
