[PATCH 0/5] seccomp: fix hole in blocking forks

[PATCH 0/5] seccomp: fix hole in blocking forks

[Daniel P. Berrangé]

Blocking the 'fork' syscall on Linux is not sufficient to block the
'fork' C library function, because the latter is essentially always
implemented using the 'clone' syscall these days.

Blocking 'clone' is difficult as that also blocks pthread creation,
so it needs careful filtering.

Daniel P. Berrangé (5):
  seccomp: allow action to be customized per syscall
  seccomp: add unit test for seccomp filtering
  seccomp: fix blocking of process spawning
  seccomp: block use of clone3 syscall
  seccomp: block setns, unshare and execveat syscalls

 MAINTAINERS               |   1 +
 softmmu/qemu-seccomp.c    | 282 +++++++++++++++++++++++++++++---------
 tests/unit/meson.build    |   4 +
 tests/unit/test-seccomp.c | 269 ++++++++++++++++++++++++++++++++++++
 4 files changed, 490 insertions(+), 66 deletions(-)
 create mode 100644 tests/unit/test-seccomp.c

-- 
2.31.1

[PATCH 1/5] seccomp: allow action to be customized per syscall

[Daniel P. Berrangé]

We're currently tailoring whether to use kill process or return EPERM
based on the syscall set. This is not flexible enough for future
requirements where we also need to be able to return a variety of
actions on a per-syscall granularity.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
 softmmu/qemu-seccomp.c | 172 +++++++++++++++++++++++++----------------
 1 file changed, 106 insertions(+), 66 deletions(-)

diff --git a/softmmu/qemu-seccomp.c b/softmmu/qemu-seccomp.c
index f50026778c..9f6df8d033 100644
--- a/softmmu/qemu-seccomp.c
+++ b/softmmu/qemu-seccomp.c
@@ -38,6 +38,7 @@ struct QemuSeccompSyscall {
     uint8_t set;
     uint8_t narg;
     const struct scmp_arg_cmp *arg_cmp;
+    uint32_t action;
 };
 
 const struct scmp_arg_cmp sched_setscheduler_arg[] = {
@@ -47,61 +48,111 @@ const struct scmp_arg_cmp sched_setscheduler_arg[] = {
 
 static const struct QemuSeccompSyscall denylist[] = {
     /* default set of syscalls that should get blocked */
-    { SCMP_SYS(reboot),                 QEMU_SECCOMP_SET_DEFAULT },
-    { SCMP_SYS(swapon),                 QEMU_SECCOMP_SET_DEFAULT },
-    { SCMP_SYS(swapoff),                QEMU_SECCOMP_SET_DEFAULT },
-    { SCMP_SYS(syslog),                 QEMU_SECCOMP_SET_DEFAULT },
-    { SCMP_SYS(mount),                  QEMU_SECCOMP_SET_DEFAULT },
-    { SCMP_SYS(umount),                 QEMU_SECCOMP_SET_DEFAULT },
-    { SCMP_SYS(kexec_load),             QEMU_SECCOMP_SET_DEFAULT },
-    { SCMP_SYS(afs_syscall),            QEMU_SECCOMP_SET_DEFAULT },
-    { SCMP_SYS(break),                  QEMU_SECCOMP_SET_DEFAULT },
-    { SCMP_SYS(ftime),                  QEMU_SECCOMP_SET_DEFAULT },
-    { SCMP_SYS(getpmsg),                QEMU_SECCOMP_SET_DEFAULT },
-    { SCMP_SYS(gtty),                   QEMU_SECCOMP_SET_DEFAULT },
-    { SCMP_SYS(lock),                   QEMU_SECCOMP_SET_DEFAULT },
-    { SCMP_SYS(mpx),                    QEMU_SECCOMP_SET_DEFAULT },
-    { SCMP_SYS(prof),                   QEMU_SECCOMP_SET_DEFAULT },
-    { SCMP_SYS(profil),                 QEMU_SECCOMP_SET_DEFAULT },
-    { SCMP_SYS(putpmsg),                QEMU_SECCOMP_SET_DEFAULT },
-    { SCMP_SYS(security),               QEMU_SECCOMP_SET_DEFAULT },
-    { SCMP_SYS(stty),                   QEMU_SECCOMP_SET_DEFAULT },
-    { SCMP_SYS(tuxcall),                QEMU_SECCOMP_SET_DEFAULT },
-    { SCMP_SYS(ulimit),                 QEMU_SECCOMP_SET_DEFAULT },
-    { SCMP_SYS(vserver),                QEMU_SECCOMP_SET_DEFAULT },
+    { SCMP_SYS(reboot),                 QEMU_SECCOMP_SET_DEFAULT,
+      0, NULL, SCMP_ACT_TRAP },
+    { SCMP_SYS(swapon),                 QEMU_SECCOMP_SET_DEFAULT,
+      0, NULL, SCMP_ACT_TRAP },
+    { SCMP_SYS(swapoff),                QEMU_SECCOMP_SET_DEFAULT,
+      0, NULL, SCMP_ACT_TRAP },
+    { SCMP_SYS(syslog),                 QEMU_SECCOMP_SET_DEFAULT,
+      0, NULL, SCMP_ACT_TRAP },
+    { SCMP_SYS(mount),                  QEMU_SECCOMP_SET_DEFAULT,
+      0, NULL, SCMP_ACT_TRAP },
+    { SCMP_SYS(umount),                 QEMU_SECCOMP_SET_DEFAULT,
+      0, NULL, SCMP_ACT_TRAP },
+    { SCMP_SYS(kexec_load),             QEMU_SECCOMP_SET_DEFAULT,
+      0, NULL, SCMP_ACT_TRAP },
+    { SCMP_SYS(afs_syscall),            QEMU_SECCOMP_SET_DEFAULT,
+      0, NULL, SCMP_ACT_TRAP },
+    { SCMP_SYS(break),                  QEMU_SECCOMP_SET_DEFAULT,
+      0, NULL, SCMP_ACT_TRAP },
+    { SCMP_SYS(ftime),                  QEMU_SECCOMP_SET_DEFAULT,
+      0, NULL, SCMP_ACT_TRAP },
+    { SCMP_SYS(getpmsg),                QEMU_SECCOMP_SET_DEFAULT,
+      0, NULL, SCMP_ACT_TRAP },
+    { SCMP_SYS(gtty),                   QEMU_SECCOMP_SET_DEFAULT,
+      0, NULL, SCMP_ACT_TRAP },
+    { SCMP_SYS(lock),                   QEMU_SECCOMP_SET_DEFAULT,
+      0, NULL, SCMP_ACT_TRAP },
+    { SCMP_SYS(mpx),                    QEMU_SECCOMP_SET_DEFAULT,
+      0, NULL, SCMP_ACT_TRAP },
+    { SCMP_SYS(prof),                   QEMU_SECCOMP_SET_DEFAULT,
+      0, NULL, SCMP_ACT_TRAP },
+    { SCMP_SYS(profil),                 QEMU_SECCOMP_SET_DEFAULT,
+      0, NULL, SCMP_ACT_TRAP },
+    { SCMP_SYS(putpmsg),                QEMU_SECCOMP_SET_DEFAULT,
+      0, NULL, SCMP_ACT_TRAP },
+    { SCMP_SYS(security),               QEMU_SECCOMP_SET_DEFAULT,
+      0, NULL, SCMP_ACT_TRAP },
+    { SCMP_SYS(stty),                   QEMU_SECCOMP_SET_DEFAULT,
+      0, NULL, SCMP_ACT_TRAP },
+    { SCMP_SYS(tuxcall),                QEMU_SECCOMP_SET_DEFAULT,
+      0, NULL, SCMP_ACT_TRAP },
+    { SCMP_SYS(ulimit),                 QEMU_SECCOMP_SET_DEFAULT,
+      0, NULL, SCMP_ACT_TRAP },
+    { SCMP_SYS(vserver),                QEMU_SECCOMP_SET_DEFAULT,
+      0, NULL, SCMP_ACT_TRAP },
     /* obsolete */
-    { SCMP_SYS(readdir),                QEMU_SECCOMP_SET_OBSOLETE },
-    { SCMP_SYS(_sysctl),                QEMU_SECCOMP_SET_OBSOLETE },
-    { SCMP_SYS(bdflush),                QEMU_SECCOMP_SET_OBSOLETE },
-    { SCMP_SYS(create_module),          QEMU_SECCOMP_SET_OBSOLETE },
-    { SCMP_SYS(get_kernel_syms),        QEMU_SECCOMP_SET_OBSOLETE },
-    { SCMP_SYS(query_module),           QEMU_SECCOMP_SET_OBSOLETE },
-    { SCMP_SYS(sgetmask),               QEMU_SECCOMP_SET_OBSOLETE },
-    { SCMP_SYS(ssetmask),               QEMU_SECCOMP_SET_OBSOLETE },
-    { SCMP_SYS(sysfs),                  QEMU_SECCOMP_SET_OBSOLETE },
-    { SCMP_SYS(uselib),                 QEMU_SECCOMP_SET_OBSOLETE },
-    { SCMP_SYS(ustat),                  QEMU_SECCOMP_SET_OBSOLETE },
+    { SCMP_SYS(readdir),                QEMU_SECCOMP_SET_OBSOLETE,
+      0, NULL, SCMP_ACT_TRAP },
+    { SCMP_SYS(_sysctl),                QEMU_SECCOMP_SET_OBSOLETE,
+      0, NULL, SCMP_ACT_TRAP },
+    { SCMP_SYS(bdflush),                QEMU_SECCOMP_SET_OBSOLETE,
+      0, NULL, SCMP_ACT_TRAP },
+    { SCMP_SYS(create_module),          QEMU_SECCOMP_SET_OBSOLETE,
+      0, NULL, SCMP_ACT_TRAP },
+    { SCMP_SYS(get_kernel_syms),        QEMU_SECCOMP_SET_OBSOLETE,
+      0, NULL, SCMP_ACT_TRAP },
+    { SCMP_SYS(query_module),           QEMU_SECCOMP_SET_OBSOLETE,
+      0, NULL, SCMP_ACT_TRAP },
+    { SCMP_SYS(sgetmask),               QEMU_SECCOMP_SET_OBSOLETE,
+      0, NULL, SCMP_ACT_TRAP },
+    { SCMP_SYS(ssetmask),               QEMU_SECCOMP_SET_OBSOLETE,
+      0, NULL, SCMP_ACT_TRAP },
+    { SCMP_SYS(sysfs),                  QEMU_SECCOMP_SET_OBSOLETE,
+      0, NULL, SCMP_ACT_TRAP },
+    { SCMP_SYS(uselib),                 QEMU_SECCOMP_SET_OBSOLETE,
+      0, NULL, SCMP_ACT_TRAP },
+    { SCMP_SYS(ustat),                  QEMU_SECCOMP_SET_OBSOLETE,
+      0, NULL, SCMP_ACT_TRAP },
     /* privileged */
-    { SCMP_SYS(setuid),                 QEMU_SECCOMP_SET_PRIVILEGED },
-    { SCMP_SYS(setgid),                 QEMU_SECCOMP_SET_PRIVILEGED },
-    { SCMP_SYS(setpgid),                QEMU_SECCOMP_SET_PRIVILEGED },
-    { SCMP_SYS(setsid),                 QEMU_SECCOMP_SET_PRIVILEGED },
-    { SCMP_SYS(setreuid),               QEMU_SECCOMP_SET_PRIVILEGED },
-    { SCMP_SYS(setregid),               QEMU_SECCOMP_SET_PRIVILEGED },
-    { SCMP_SYS(setresuid),              QEMU_SECCOMP_SET_PRIVILEGED },
-    { SCMP_SYS(setresgid),              QEMU_SECCOMP_SET_PRIVILEGED },
-    { SCMP_SYS(setfsuid),               QEMU_SECCOMP_SET_PRIVILEGED },
-    { SCMP_SYS(setfsgid),               QEMU_SECCOMP_SET_PRIVILEGED },
+    { SCMP_SYS(setuid),                 QEMU_SECCOMP_SET_PRIVILEGED,
+      0, NULL, SCMP_ACT_TRAP },
+    { SCMP_SYS(setgid),                 QEMU_SECCOMP_SET_PRIVILEGED,
+      0, NULL, SCMP_ACT_TRAP },
+    { SCMP_SYS(setpgid),                QEMU_SECCOMP_SET_PRIVILEGED,
+      0, NULL, SCMP_ACT_TRAP },
+    { SCMP_SYS(setsid),                 QEMU_SECCOMP_SET_PRIVILEGED,
+      0, NULL, SCMP_ACT_TRAP },
+    { SCMP_SYS(setreuid),               QEMU_SECCOMP_SET_PRIVILEGED,
+      0, NULL, SCMP_ACT_TRAP },
+    { SCMP_SYS(setregid),               QEMU_SECCOMP_SET_PRIVILEGED,
+      0, NULL, SCMP_ACT_TRAP },
+    { SCMP_SYS(setresuid),              QEMU_SECCOMP_SET_PRIVILEGED,
+      0, NULL, SCMP_ACT_TRAP },
+    { SCMP_SYS(setresgid),              QEMU_SECCOMP_SET_PRIVILEGED,
+      0, NULL, SCMP_ACT_TRAP },
+    { SCMP_SYS(setfsuid),               QEMU_SECCOMP_SET_PRIVILEGED,
+      0, NULL, SCMP_ACT_TRAP },
+    { SCMP_SYS(setfsgid),               QEMU_SECCOMP_SET_PRIVILEGED,
+      0, NULL, SCMP_ACT_TRAP },
     /* spawn */
-    { SCMP_SYS(fork),                   QEMU_SECCOMP_SET_SPAWN },
-    { SCMP_SYS(vfork),                  QEMU_SECCOMP_SET_SPAWN },
-    { SCMP_SYS(execve),                 QEMU_SECCOMP_SET_SPAWN },
+    { SCMP_SYS(fork),                   QEMU_SECCOMP_SET_SPAWN,
+      0, NULL, SCMP_ACT_TRAP },
+    { SCMP_SYS(vfork),                  QEMU_SECCOMP_SET_SPAWN,
+      0, NULL, SCMP_ACT_TRAP },
+    { SCMP_SYS(execve),                 QEMU_SECCOMP_SET_SPAWN,
+      0, NULL, SCMP_ACT_TRAP },
     /* resource control */
-    { SCMP_SYS(setpriority),            QEMU_SECCOMP_SET_RESOURCECTL },
-    { SCMP_SYS(sched_setparam),         QEMU_SECCOMP_SET_RESOURCECTL },
+    { SCMP_SYS(setpriority),            QEMU_SECCOMP_SET_RESOURCECTL,
+      0, NULL, SCMP_ACT_ERRNO(EPERM) },
+    { SCMP_SYS(sched_setparam),         QEMU_SECCOMP_SET_RESOURCECTL,
+      0, NULL, SCMP_ACT_ERRNO(EPERM) },
     { SCMP_SYS(sched_setscheduler),     QEMU_SECCOMP_SET_RESOURCECTL,
-      ARRAY_SIZE(sched_setscheduler_arg), sched_setscheduler_arg },
-    { SCMP_SYS(sched_setaffinity),      QEMU_SECCOMP_SET_RESOURCECTL },
+      ARRAY_SIZE(sched_setscheduler_arg), sched_setscheduler_arg,
+      SCMP_ACT_ERRNO(EPERM) },
+    { SCMP_SYS(sched_setaffinity),      QEMU_SECCOMP_SET_RESOURCECTL,
+      0, NULL, SCMP_ACT_ERRNO(EPERM) },
 };
 
 static inline __attribute__((unused)) int
@@ -115,15 +166,11 @@ qemu_seccomp(unsigned int operation, unsigned int flags, void *args)
 #endif
 }
 
-static uint32_t qemu_seccomp_get_action(int set)
+static uint32_t qemu_seccomp_update_action(uint32_t action)
 {
-    switch (set) {
-    case QEMU_SECCOMP_SET_DEFAULT:
-    case QEMU_SECCOMP_SET_OBSOLETE:
-    case QEMU_SECCOMP_SET_PRIVILEGED:
-    case QEMU_SECCOMP_SET_SPAWN: {
 #if defined(SECCOMP_GET_ACTION_AVAIL) && defined(SCMP_ACT_KILL_PROCESS) && \
     defined(SECCOMP_RET_KILL_PROCESS)
+    if (action == SCMP_ACT_TRAP) {
         static int kill_process = -1;
         if (kill_process == -1) {
             uint32_t action = SECCOMP_RET_KILL_PROCESS;
@@ -137,16 +184,9 @@ static uint32_t qemu_seccomp_get_action(int set)
         if (kill_process == 1) {
             return SCMP_ACT_KILL_PROCESS;
         }
-#endif
-        return SCMP_ACT_TRAP;
-    }
-
-    case QEMU_SECCOMP_SET_RESOURCECTL:
-        return SCMP_ACT_ERRNO(EPERM);
-
-    default:
-        g_assert_not_reached();
     }
+#endif
+    return action;
 }
 
 
@@ -175,7 +215,7 @@ static int seccomp_start(uint32_t seccomp_opts, Error **errp)
             continue;
         }
 
-        action = qemu_seccomp_get_action(denylist[i].set);
+        action = qemu_seccomp_update_action(denylist[i].action);
         rc = seccomp_rule_add_array(ctx, action, denylist[i].num,
                                     denylist[i].narg, denylist[i].arg_cmp);
         if (rc < 0) {
-- 
2.31.1

[PATCH 2/5] seccomp: add unit test for seccomp filtering

[Daniel P. Berrangé]

The handling of some syscalls / libc function is quite subtle. For
example, 'fork' at a libc level doesn't always correspond to 'fork'
at a syscall level, since the 'clone' syscall is preferred usually.

The unit test will help to detect these kind of problems. A point of
difficulty in writing a test though is that the QEMU build process may
already be confined by seccomp. For example, if running inside a
container. Since we can't predict what filtering might have been applied
already, we are quite conservative and skip all tests if we see any kind
of seccomp filter active.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
 MAINTAINERS               |   1 +
 tests/unit/meson.build    |   4 +
 tests/unit/test-seccomp.c | 270 ++++++++++++++++++++++++++++++++++++++
 3 files changed, 275 insertions(+)
 create mode 100644 tests/unit/test-seccomp.c

diff --git a/MAINTAINERS b/MAINTAINERS
index 6831978d2c..de98e4933f 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -2799,6 +2799,7 @@ M: Eduardo Otubo <otubo@redhat.com>
 S: Supported
 F: softmmu/qemu-seccomp.c
 F: include/sysemu/seccomp.h
+F: tests/unit/test-seccomp.c
 
 Cryptography
 M: Daniel P. Berrange <berrange@redhat.com>
diff --git a/tests/unit/meson.build b/tests/unit/meson.build
index 5736d285b2..64bce201d7 100644
--- a/tests/unit/meson.build
+++ b/tests/unit/meson.build
@@ -51,6 +51,10 @@ if have_system or have_tools
   tests += {
     'test-qmp-event': [testqapi],
   }
+
+  if seccomp.found()
+    tests += {'test-seccomp': ['../../softmmu/qemu-seccomp.c', seccomp]}
+  endif
 endif
 
 if have_block
diff --git a/tests/unit/test-seccomp.c b/tests/unit/test-seccomp.c
new file mode 100644
index 0000000000..10ab3e8fe5
--- /dev/null
+++ b/tests/unit/test-seccomp.c
@@ -0,0 +1,270 @@
+/*
+ * QEMU seccomp test suite
+ *
+ * Copyright (c) 2021 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#include "qemu/osdep.h"
+#include "qemu/config-file.h"
+#include "qemu/option.h"
+#include "sysemu/seccomp.h"
+#include "qapi/error.h"
+#include "qemu/module.h"
+
+#include <unistd.h>
+#include <sys/syscall.h>
+
+static void test_seccomp_helper(const char *args, bool killed,
+                                int errnum, int (*doit)(void))
+{
+    if (g_test_subprocess()) {
+        QemuOptsList *olist;
+        QemuOpts *opts;
+        int ret;
+
+        module_call_init(MODULE_INIT_OPTS);
+        olist = qemu_find_opts("sandbox");
+        g_assert(olist != NULL);
+
+        opts = qemu_opts_parse_noisily(olist, args, true);
+        g_assert(opts != NULL);
+
+        parse_sandbox(NULL, opts, &error_abort);
+
+        /* Running in a child process */
+        ret = doit();
+
+        if (errnum != 0) {
+            g_assert(ret != 0);
+            g_assert(errno == errnum);
+        } else {
+            g_assert(ret == 0);
+        }
+
+        _exit(0);
+    } else {
+        /* Running in main test process, spawning the child */
+        g_test_trap_subprocess(NULL, 0, 0);
+        if (killed) {
+            g_test_trap_assert_failed();
+        } else {
+            g_test_trap_assert_passed();
+        }
+    }
+}
+
+
+static void test_seccomp_killed(const char *args, int (*doit)(void))
+{
+    test_seccomp_helper(args, true, 0, doit);
+}
+
+static void test_seccomp_errno(const char *args, int errnum, int (*doit)(void))
+{
+    test_seccomp_helper(args, false, errnum, doit);
+}
+
+static void test_seccomp_passed(const char *args, int (*doit)(void))
+{
+    test_seccomp_helper(args, false, 0, doit);
+}
+
+#ifdef SYS_fork
+static int doit_sys_fork(void)
+{
+    int ret = syscall(SYS_fork);
+    if (ret < 0) {
+        return ret;
+    }
+    if (ret == 0) {
+        _exit(0);
+    }
+    return 0;
+}
+
+static void test_seccomp_sys_fork_on_nospawn(void)
+{
+    test_seccomp_killed("on,spawn=deny", doit_sys_fork);
+}
+
+static void test_seccomp_sys_fork_on(void)
+{
+    test_seccomp_passed("on", doit_sys_fork);
+}
+
+static void test_seccomp_sys_fork_off(void)
+{
+    test_seccomp_passed("off", doit_sys_fork);
+}
+#endif
+
+static int doit_fork(void)
+{
+    int ret = fork();
+    if (ret < 0) {
+        return ret;
+    }
+    if (ret == 0) {
+        _exit(0);
+    }
+    return 0;
+}
+
+static void test_seccomp_fork_on_nospawn(void)
+{
+    /* XXX fixme - should be killed */
+    test_seccomp_passed("on,spawn=deny", doit_fork);
+}
+
+static void test_seccomp_fork_on(void)
+{
+    test_seccomp_passed("on", doit_fork);
+}
+
+static void test_seccomp_fork_off(void)
+{
+    test_seccomp_passed("off", doit_fork);
+}
+
+static void *noop(void *arg)
+{
+    return arg;
+}
+
+static int doit_thread(void)
+{
+    pthread_t th;
+    int ret = pthread_create(&th, NULL, noop, NULL);
+    if (ret != 0) {
+        errno = ret;
+        return -1;
+    } else {
+        pthread_join(th, NULL);
+        return 0;
+    }
+}
+
+static void test_seccomp_thread_on(void)
+{
+    test_seccomp_passed("on", doit_thread);
+}
+
+static void test_seccomp_thread_on_nospawn(void)
+{
+    test_seccomp_passed("on,spawn=deny", doit_thread);
+}
+
+static void test_seccomp_thread_off(void)
+{
+    test_seccomp_passed("off", doit_thread);
+}
+
+static int doit_sched(void)
+{
+    struct sched_param param = { .sched_priority = 0 };
+    return sched_setscheduler(getpid(), SCHED_OTHER, &param);
+}
+
+static void test_seccomp_sched_on_nores(void)
+{
+    test_seccomp_errno("on,resourcecontrol=deny", EPERM, doit_sched);
+}
+
+static void test_seccomp_sched_on(void)
+{
+    test_seccomp_passed("on", doit_sched);
+}
+
+static void test_seccomp_sched_off(void)
+{
+    test_seccomp_passed("off", doit_sched);
+}
+
+static bool can_play_with_seccomp(void)
+{
+    g_autofree char *status = NULL;
+    g_auto(GStrv) lines = NULL;
+    size_t i;
+
+    if (!g_file_get_contents("/proc/self/status", &status, NULL, NULL)) {
+        return false;
+    }
+
+    lines = g_strsplit(status, "\n", 0);
+
+    for (i = 0; lines[i] != NULL; i++) {
+        if (g_str_has_prefix(lines[i], "Seccomp:")) {
+            /*
+             * "Seccomp: 1" or "Seccomp: 2" indicate we're already
+             * confined, probably as we're inside a container. In
+             * this case our tests might get unexpected results,
+             * so we can't run reliably
+             */
+            if (!strchr(lines[i], '0')) {
+                return false;
+            }
+
+            return true;
+        }
+    }
+
+    /* Doesn't look like seccomp is enabled in the kernel */
+    return false;
+}
+
+int main(int argc, char **argv)
+{
+    g_test_init(&argc, &argv, NULL);
+    if (can_play_with_seccomp()) {
+#ifdef SYS_fork
+        g_test_add_func("/softmmu/seccomp/sys-fork/on",
+                        test_seccomp_sys_fork_on);
+        g_test_add_func("/softmmu/seccomp/sys-fork/on-nospawn",
+                        test_seccomp_sys_fork_on_nospawn);
+        g_test_add_func("/softmmu/seccomp/sys-fork/off",
+                        test_seccomp_sys_fork_off);
+#endif
+
+        g_test_add_func("/softmmu/seccomp/fork/on",
+                        test_seccomp_fork_on);
+        g_test_add_func("/softmmu/seccomp/fork/on-nospawn",
+                        test_seccomp_fork_on_nospawn);
+        g_test_add_func("/softmmu/seccomp/fork/off",
+                        test_seccomp_fork_off);
+
+        g_test_add_func("/softmmu/seccomp/thread/on",
+                        test_seccomp_thread_on);
+        g_test_add_func("/softmmu/seccomp/thread/on-nospawn",
+                        test_seccomp_thread_on_nospawn);
+        g_test_add_func("/softmmu/seccomp/thread/off",
+                        test_seccomp_thread_off);
+
+        if (doit_sched() == 0) {
+            /*
+             * musl doesn't impl sched_setscheduler, hence
+             * we check above if it works first
+             */
+            g_test_add_func("/softmmu/seccomp/sched/on",
+                            test_seccomp_sched_on);
+            g_test_add_func("/softmmu/seccomp/sched/on-nores",
+                            test_seccomp_sched_on_nores);
+            g_test_add_func("/softmmu/seccomp/sched/off",
+                            test_seccomp_sched_off);
+        }
+    }
+    return g_test_run();
+}
-- 
2.31.1

[PATCH 3/5] seccomp: fix blocking of process spawning

[Daniel P. Berrangé]

When '-sandbox on,spawn=deny' is given, we are supposed to block the
ability to spawn processes. We naively blocked the 'fork' syscall,
forgetting that any modern libc will use the 'clone' syscall instead.

We can't simply block the 'clone' syscall though, as that will break
thread creation. We thus list the set of flags used to create threads
and block anything that doesn't match this exactly.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
 softmmu/qemu-seccomp.c    | 101 ++++++++++++++++++++++++++++++++++++++
 tests/unit/test-seccomp.c |   3 +-
 2 files changed, 102 insertions(+), 2 deletions(-)

diff --git a/softmmu/qemu-seccomp.c b/softmmu/qemu-seccomp.c
index 9f6df8d033..57139cc9ce 100644
--- a/softmmu/qemu-seccomp.c
+++ b/softmmu/qemu-seccomp.c
@@ -46,6 +46,82 @@ const struct scmp_arg_cmp sched_setscheduler_arg[] = {
     { .arg = 1, .op = SCMP_CMP_NE, .datum_a = SCHED_IDLE }
 };
 
+/*
+ * See 'NOTES' in 'man 2 clone' - s390 & cross have 'flags' in
+ *  different position to other architectures
+ */
+#if defined(HOST_S390X) || defined(HOST_S390) || defined(HOST_CRIS)
+#define CLONE_FLAGS_ARG 1
+#else
+#define CLONE_FLAGS_ARG 0
+#endif
+
+#ifndef CLONE_PIDFD
+# define CLONE_PIDFD 0x00001000
+#endif
+
+#define REQUIRE_CLONE_FLAG(flag) \
+    const struct scmp_arg_cmp clone_arg ## flag[] = { \
+    { .arg = CLONE_FLAGS_ARG, \
+      .op = SCMP_CMP_MASKED_EQ, \
+      .datum_a = flag, .datum_b = 0 } }
+
+#define FORBID_CLONE_FLAG(flag) \
+    const struct scmp_arg_cmp clone_arg ## flag[] = { \
+    { .arg = CLONE_FLAGS_ARG, \
+      .op = SCMP_CMP_MASKED_EQ, \
+      .datum_a = flag, .datum_b = flag } }
+
+#define RULE_CLONE_FLAG(flag) \
+    { SCMP_SYS(clone),                  QEMU_SECCOMP_SET_SPAWN, \
+      ARRAY_SIZE(clone_arg ## flag), clone_arg ## flag, SCMP_ACT_TRAP }
+
+/* If no CLONE_* flags are set, except CSIGNAL, deny */
+const struct scmp_arg_cmp clone_arg_none[] = {
+    { .arg = CLONE_FLAGS_ARG,
+      .op = SCMP_CMP_MASKED_EQ,
+      .datum_a = ~(CSIGNAL), .datum_b = 0 }
+};
+
+/*
+ * pthread_create should always set all of these.
+ */
+REQUIRE_CLONE_FLAG(CLONE_VM);
+REQUIRE_CLONE_FLAG(CLONE_FS);
+REQUIRE_CLONE_FLAG(CLONE_FILES);
+REQUIRE_CLONE_FLAG(CLONE_SIGHAND);
+REQUIRE_CLONE_FLAG(CLONE_THREAD);
+REQUIRE_CLONE_FLAG(CLONE_SYSVSEM);
+REQUIRE_CLONE_FLAG(CLONE_SETTLS);
+REQUIRE_CLONE_FLAG(CLONE_PARENT_SETTID);
+REQUIRE_CLONE_FLAG(CLONE_CHILD_CLEARTID);
+/*
+ * Musl sets this in pthread_create too, but it is
+ * obsolete and harmless since its behaviour is
+ * subsumed under CLONE_THREAD
+ */
+/*REQUIRE_CLONE_FLAG(CLONE_DETACHED);*/
+
+
+/*
+ * These all indicate an attempt to spawn a process
+ * instead of a thread, or other undesirable scenarios
+ */
+FORBID_CLONE_FLAG(CLONE_PIDFD);
+FORBID_CLONE_FLAG(CLONE_PTRACE);
+FORBID_CLONE_FLAG(CLONE_VFORK);
+FORBID_CLONE_FLAG(CLONE_PARENT);
+FORBID_CLONE_FLAG(CLONE_NEWNS);
+FORBID_CLONE_FLAG(CLONE_UNTRACED);
+FORBID_CLONE_FLAG(CLONE_NEWCGROUP);
+FORBID_CLONE_FLAG(CLONE_NEWUTS);
+FORBID_CLONE_FLAG(CLONE_NEWIPC);
+FORBID_CLONE_FLAG(CLONE_NEWUSER);
+FORBID_CLONE_FLAG(CLONE_NEWPID);
+FORBID_CLONE_FLAG(CLONE_NEWNET);
+FORBID_CLONE_FLAG(CLONE_IO);
+
+
 static const struct QemuSeccompSyscall denylist[] = {
     /* default set of syscalls that should get blocked */
     { SCMP_SYS(reboot),                 QEMU_SECCOMP_SET_DEFAULT,
@@ -143,6 +219,31 @@ static const struct QemuSeccompSyscall denylist[] = {
       0, NULL, SCMP_ACT_TRAP },
     { SCMP_SYS(execve),                 QEMU_SECCOMP_SET_SPAWN,
       0, NULL, SCMP_ACT_TRAP },
+    { SCMP_SYS(clone),                  QEMU_SECCOMP_SET_SPAWN,
+      ARRAY_SIZE(clone_arg_none), clone_arg_none, SCMP_ACT_TRAP },
+    RULE_CLONE_FLAG(CLONE_VM),
+    RULE_CLONE_FLAG(CLONE_FS),
+    RULE_CLONE_FLAG(CLONE_FILES),
+    RULE_CLONE_FLAG(CLONE_SIGHAND),
+    RULE_CLONE_FLAG(CLONE_THREAD),
+    RULE_CLONE_FLAG(CLONE_SYSVSEM),
+    RULE_CLONE_FLAG(CLONE_SETTLS),
+    RULE_CLONE_FLAG(CLONE_PARENT_SETTID),
+    RULE_CLONE_FLAG(CLONE_CHILD_CLEARTID),
+    /*RULE_CLONE_FLAG(CLONE_DETACHED),*/
+    RULE_CLONE_FLAG(CLONE_PIDFD),
+    RULE_CLONE_FLAG(CLONE_PTRACE),
+    RULE_CLONE_FLAG(CLONE_VFORK),
+    RULE_CLONE_FLAG(CLONE_PARENT),
+    RULE_CLONE_FLAG(CLONE_NEWNS),
+    RULE_CLONE_FLAG(CLONE_UNTRACED),
+    RULE_CLONE_FLAG(CLONE_NEWCGROUP),
+    RULE_CLONE_FLAG(CLONE_NEWUTS),
+    RULE_CLONE_FLAG(CLONE_NEWIPC),
+    RULE_CLONE_FLAG(CLONE_NEWUSER),
+    RULE_CLONE_FLAG(CLONE_NEWPID),
+    RULE_CLONE_FLAG(CLONE_NEWNET),
+    RULE_CLONE_FLAG(CLONE_IO),
     /* resource control */
     { SCMP_SYS(setpriority),            QEMU_SECCOMP_SET_RESOURCECTL,
       0, NULL, SCMP_ACT_ERRNO(EPERM) },
diff --git a/tests/unit/test-seccomp.c b/tests/unit/test-seccomp.c
index 10ab3e8fe5..3d7771e46c 100644
--- a/tests/unit/test-seccomp.c
+++ b/tests/unit/test-seccomp.c
@@ -126,8 +126,7 @@ static int doit_fork(void)
 
 static void test_seccomp_fork_on_nospawn(void)
 {
-    /* XXX fixme - should be killed */
-    test_seccomp_passed("on,spawn=deny", doit_fork);
+    test_seccomp_killed("on,spawn=deny", doit_fork);
 }
 
 static void test_seccomp_fork_on(void)
-- 
2.31.1

[PATCH 4/5] seccomp: block use of clone3 syscall

[Daniel P. Berrangé]

Modern glibc will use clone3 instead of clone, when it detects that it
is available. We need to compare flags in order to decide whether to
allow clone (thread create vs process fork), but in clone3 the flags
are hidden inside a struct. Seccomp can't currently match on data inside
a struct, so our only option is to block clone3 entirely. If we use
ENOSYS to block it, then glibc transparently falls back to clone.

This may need to be revisited if Linux adds a new architecture in
future and only provides clone3, without clone.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
 softmmu/qemu-seccomp.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/softmmu/qemu-seccomp.c b/softmmu/qemu-seccomp.c
index 57139cc9ce..a7bb5c350f 100644
--- a/softmmu/qemu-seccomp.c
+++ b/softmmu/qemu-seccomp.c
@@ -244,6 +244,10 @@ static const struct QemuSeccompSyscall denylist[] = {
     RULE_CLONE_FLAG(CLONE_NEWPID),
     RULE_CLONE_FLAG(CLONE_NEWNET),
     RULE_CLONE_FLAG(CLONE_IO),
+#ifdef __SNR_clone3
+    { SCMP_SYS(clone3),                 QEMU_SECCOMP_SET_SPAWN,
+      0, NULL, SCMP_ACT_ERRNO(ENOSYS) },
+#endif
     /* resource control */
     { SCMP_SYS(setpriority),            QEMU_SECCOMP_SET_RESOURCECTL,
       0, NULL, SCMP_ACT_ERRNO(EPERM) },
-- 
2.31.1

[PATCH 5/5] seccomp: block setns, unshare and execveat syscalls

[Daniel P. Berrangé]

setns/unshare are used to change namespaces which is not something QEMU
needs to be able todo.

execveat is a new variant of execve so should be blocked just like
execve already is.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
 softmmu/qemu-seccomp.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/softmmu/qemu-seccomp.c b/softmmu/qemu-seccomp.c
index a7bb5c350f..deaf8a4ef5 100644
--- a/softmmu/qemu-seccomp.c
+++ b/softmmu/qemu-seccomp.c
@@ -248,6 +248,11 @@ static const struct QemuSeccompSyscall denylist[] = {
     { SCMP_SYS(clone3),                 QEMU_SECCOMP_SET_SPAWN,
       0, NULL, SCMP_ACT_ERRNO(ENOSYS) },
 #endif
+#ifdef __SNR_execveat
+    { SCMP_SYS(execveat),               QEMU_SECCOMP_SET_SPAWN },
+#endif
+    { SCMP_SYS(setns),                  QEMU_SECCOMP_SET_SPAWN },
+    { SCMP_SYS(unshare),                QEMU_SECCOMP_SET_SPAWN },
     /* resource control */
     { SCMP_SYS(setpriority),            QEMU_SECCOMP_SET_RESOURCECTL,
       0, NULL, SCMP_ACT_ERRNO(EPERM) },
-- 
2.31.1

Re: [PATCH 0/5] seccomp: fix hole in blocking forks

[Eduardo Terrell Ferrari Otubo]

[-- Attachment #1: Type: text/plain, Size: 1124 bytes --]

On Mon, 2021-08-02 at 14:02 +0100, Daniel P. Berrangé wrote:
> Blocking the 'fork' syscall on Linux is not sufficient to block the
> 'fork' C library function, because the latter is essentially always
> implemented using the 'clone' syscall these days.
> 
> Blocking 'clone' is difficult as that also blocks pthread creation,
> so it needs careful filtering.
> 
> Daniel P. Berrangé (5):
>   seccomp: allow action to be customized per syscall
>   seccomp: add unit test for seccomp filtering
>   seccomp: fix blocking of process spawning
>   seccomp: block use of clone3 syscall
>   seccomp: block setns, unshare and execveat syscalls
> 
>  MAINTAINERS               |   1 +
>  softmmu/qemu-seccomp.c    | 282 +++++++++++++++++++++++++++++-------
> --
>  tests/unit/meson.build    |   4 +
>  tests/unit/test-seccomp.c | 269 ++++++++++++++++++++++++++++++++++++
>  4 files changed, 490 insertions(+), 66 deletions(-)
>  create mode 100644 tests/unit/test-seccomp.c
> 
> -- 
> 2.31.1
> 
> 

Acked-by: Eduardo Otubo <otubo@redhat.com>

-- 
Eduardo Otubo



[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 516 bytes --]

Re: [PATCH 0/5] seccomp: fix hole in blocking forks

[Daniel P. Berrangé]

Hi Eduardo,

You acked this series, but going through my old git branches I
just discovered that this never got merged. I guess I was assuming
you had queued it for a future PULL when you acked it.

I don't mind sending a pull request myself if you've no objections.

On Wed, Aug 04, 2021 at 10:05:38AM +0200, Eduardo Terrell Ferrari Otubo wrote:
> On Mon, 2021-08-02 at 14:02 +0100, Daniel P. Berrangé wrote:
> > Blocking the 'fork' syscall on Linux is not sufficient to block the
> > 'fork' C library function, because the latter is essentially always
> > implemented using the 'clone' syscall these days.
> > 
> > Blocking 'clone' is difficult as that also blocks pthread creation,
> > so it needs careful filtering.
> > 
> > Daniel P. Berrangé (5):
> >   seccomp: allow action to be customized per syscall
> >   seccomp: add unit test for seccomp filtering
> >   seccomp: fix blocking of process spawning
> >   seccomp: block use of clone3 syscall
> >   seccomp: block setns, unshare and execveat syscalls
> > 
> >  MAINTAINERS               |   1 +
> >  softmmu/qemu-seccomp.c    | 282 +++++++++++++++++++++++++++++-------
> > --
> >  tests/unit/meson.build    |   4 +
> >  tests/unit/test-seccomp.c | 269 ++++++++++++++++++++++++++++++++++++
> >  4 files changed, 490 insertions(+), 66 deletions(-)
> >  create mode 100644 tests/unit/test-seccomp.c
> > 
> > -- 
> > 2.31.1
> > 
> > 
> 
> Acked-by: Eduardo Otubo <otubo@redhat.com>
> 
> -- 
> Eduardo Otubo
> 
> 



Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

Re: [PATCH 0/5] seccomp: fix hole in blocking forks

[Eduardo Otubo]

On Fri, Jan 28, 2022 at 4:42 PM Daniel P. Berrangé <berrange@redhat.com> wrote:
>
> Hi Eduardo,
>
> You acked this series, but going through my old git branches I
> just discovered that this never got merged. I guess I was assuming
> you had queued it for a future PULL when you acked it.
>
> I don't mind sending a pull request myself if you've no objections.

I don't mind at all. Thanks for letting me know! I might have missed it somehow.

Thank you!

>
> On Wed, Aug 04, 2021 at 10:05:38AM +0200, Eduardo Terrell Ferrari Otubo wrote:
> > On Mon, 2021-08-02 at 14:02 +0100, Daniel P. Berrangé wrote:
> > > Blocking the 'fork' syscall on Linux is not sufficient to block the
> > > 'fork' C library function, because the latter is essentially always
> > > implemented using the 'clone' syscall these days.
> > >
> > > Blocking 'clone' is difficult as that also blocks pthread creation,
> > > so it needs careful filtering.
> > >
> > > Daniel P. Berrangé (5):
> > >   seccomp: allow action to be customized per syscall
> > >   seccomp: add unit test for seccomp filtering
> > >   seccomp: fix blocking of process spawning
> > >   seccomp: block use of clone3 syscall
> > >   seccomp: block setns, unshare and execveat syscalls
> > >
> > >  MAINTAINERS               |   1 +
> > >  softmmu/qemu-seccomp.c    | 282 +++++++++++++++++++++++++++++-------
> > > --
> > >  tests/unit/meson.build    |   4 +
> > >  tests/unit/test-seccomp.c | 269 ++++++++++++++++++++++++++++++++++++
> > >  4 files changed, 490 insertions(+), 66 deletions(-)
> > >  create mode 100644 tests/unit/test-seccomp.c
> > >
> > > --
> > > 2.31.1
> > >
> > >
> >
> > Acked-by: Eduardo Otubo <otubo@redhat.com>
> >
> > --
> > Eduardo Otubo
> >
> >
>
>
>
> Regards,
> Daniel
> --
> |: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
> |: https://libvirt.org         -o-            https://fstop138.berrange.com :|
> |: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
>

Re: [PATCH 0/5] seccomp: fix hole in blocking forks

[Daniel P. Berrangé]

On Mon, Jan 31, 2022 at 10:07:43AM +0100, Eduardo Otubo wrote:
> On Fri, Jan 28, 2022 at 4:42 PM Daniel P. Berrangé <berrange@redhat.com> wrote:
> >
> > Hi Eduardo,
> >
> > You acked this series, but going through my old git branches I
> > just discovered that this never got merged. I guess I was assuming
> > you had queued it for a future PULL when you acked it.
> >
> > I don't mind sending a pull request myself if you've no objections.
> 
> I don't mind at all. Thanks for letting me know! I might have missed it somehow.

Ok, I'll send it, since I have some other unrelated stuff needing sending
too.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|