From: YiFei Zhu <zhuyifei1999@gmail.com>
To: containers@lists.linux.dev, bpf@vger.kernel.org
Cc: YiFei Zhu <yifeifz2@illinois.edu>,
linux-security-module@vger.kernel.org,
Alexei Starovoitov <ast@kernel.org>,
Andrea Arcangeli <aarcange@redhat.com>,
Andy Lutomirski <luto@amacapital.net>,
Austin Kuo <hckuo2@illinois.edu>,
Claudio Canella <claudio.canella@iaik.tugraz.at>,
Daniel Borkmann <daniel@iogearbox.net>,
Daniel Gruss <daniel.gruss@iaik.tugraz.at>,
Dimitrios Skarlatos <dskarlat@cs.cmu.edu>,
Giuseppe Scrivano <gscrivan@redhat.com>,
Hubertus Franke <frankeh@us.ibm.com>,
Jann Horn <jannh@google.com>, Jinghao Jia <jinghao7@illinois.edu>,
Josep Torrellas <torrella@illinois.edu>,
Kees Cook <keescook@chromium.org>,
Sargun Dhillon <sargun@sargun.me>, Tianyin Xu <tyxu@illinois.edu>,
Tobin Feldman-Fitzthum <tobin@ibm.com>,
Tom Hromatka <tom.hromatka@oracle.com>,
Will Drewry <wad@chromium.org>
Subject: [RFC PATCH bpf-next seccomp 05/12] samples/bpf: Add eBPF seccomp sample programs
Date: Mon, 10 May 2021 12:22:42 -0500 [thread overview]
Message-ID: <5f7c10074e10f994f3984a564531d5d9285d53eb.1620499942.git.yifeifz2@illinois.edu> (raw)
In-Reply-To: <cover.1620499942.git.yifeifz2@illinois.edu>
From: Sargun Dhillon <sargun@sargun.me>
This adds a sample program that uses seccomp-eBPF, called
test_seccomp. It shows the simple ability to code seccomp filters
in C.
Signed-off-by: Sargun Dhillon <sargun@sargun.me>
Link: https://lists.linux-foundation.org/pipermail/containers/2018-February/038573.html
Co-developed-by: Jinghao Jia <jinghao7@illinois.edu>
Signed-off-by: Jinghao Jia <jinghao7@illinois.edu>
[YiFei: change from bpf_load to libbpf]
Co-developed-by: YiFei Zhu <yifeifz2@illinois.edu>
Signed-off-by: YiFei Zhu <yifeifz2@illinois.edu>
---
samples/bpf/Makefile | 3 ++
samples/bpf/test_seccomp_kern.c | 41 +++++++++++++++++++++++++++
samples/bpf/test_seccomp_user.c | 49 +++++++++++++++++++++++++++++++++
3 files changed, 93 insertions(+)
create mode 100644 samples/bpf/test_seccomp_kern.c
create mode 100644 samples/bpf/test_seccomp_user.c
diff --git a/samples/bpf/Makefile b/samples/bpf/Makefile
index 45ceca4e2c70..d49e7f91eba6 100644
--- a/samples/bpf/Makefile
+++ b/samples/bpf/Makefile
@@ -55,6 +55,7 @@ tprogs-y += task_fd_query
tprogs-y += xdp_sample_pkts
tprogs-y += ibumad
tprogs-y += hbm
+tprogs-y += test_seccomp
# Libbpf dependencies
LIBBPF = $(TOOLS_PATH)/lib/bpf/libbpf.a
@@ -113,6 +114,7 @@ task_fd_query-objs := task_fd_query_user.o $(TRACE_HELPERS)
xdp_sample_pkts-objs := xdp_sample_pkts_user.o
ibumad-objs := ibumad_user.o
hbm-objs := hbm.o $(CGROUP_HELPERS)
+test_seccomp-objs := test_seccomp_user.o
# Tell kbuild to always build the programs
always-y := $(tprogs-y)
@@ -174,6 +176,7 @@ always-y += ibumad_kern.o
always-y += hbm_out_kern.o
always-y += hbm_edt_kern.o
always-y += xdpsock_kern.o
+always-y += test_seccomp_kern.o
ifeq ($(ARCH), arm)
# Strip all except -D__LINUX_ARM_ARCH__ option needed to handle linux
diff --git a/samples/bpf/test_seccomp_kern.c b/samples/bpf/test_seccomp_kern.c
new file mode 100644
index 000000000000..efd42f47d9c4
--- /dev/null
+++ b/samples/bpf/test_seccomp_kern.c
@@ -0,0 +1,41 @@
+// SPDX-License-Identifier: GPL-2.0
+#include <uapi/linux/seccomp.h>
+#include <uapi/linux/bpf.h>
+#include <uapi/linux/unistd.h>
+#include <uapi/linux/errno.h>
+#include <bpf/bpf_helpers.h>
+#include <uapi/linux/audit.h>
+
+#if defined(__x86_64__)
+#define ARCH AUDIT_ARCH_X86_64
+#elif defined(__i386__)
+#define ARCH AUDIT_ARCH_I386
+#else
+#endif
+
+#ifdef ARCH
+/* Returns EPERM when trying to close fd 999 */
+SEC("seccomp")
+int bpf_prog1(struct seccomp_data *ctx)
+{
+ /*
+ * Make sure this BPF program is being run on the same architecture it
+ * was compiled on.
+ */
+ if (ctx->arch != ARCH)
+ return SECCOMP_RET_ERRNO | EPERM;
+ if (ctx->nr == __NR_close && ctx->args[0] == 999)
+ return SECCOMP_RET_ERRNO | EPERM;
+
+ return SECCOMP_RET_ALLOW;
+}
+#else
+#warning Architecture not supported -- Blocking all syscalls
+SEC("seccomp")
+int bpf_prog1(struct seccomp_data *ctx)
+{
+ return SECCOMP_RET_ERRNO | EPERM;
+}
+#endif
+
+char _license[] SEC("license") = "GPL";
diff --git a/samples/bpf/test_seccomp_user.c b/samples/bpf/test_seccomp_user.c
new file mode 100644
index 000000000000..ba17e18666b9
--- /dev/null
+++ b/samples/bpf/test_seccomp_user.c
@@ -0,0 +1,49 @@
+// SPDX-License-Identifier: GPL-2.0
+#include <assert.h>
+#include <bpf/libbpf.h>
+#include <errno.h>
+#include <linux/bpf.h>
+#include <linux/seccomp.h>
+#include <linux/unistd.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <strings.h>
+#include <sys/prctl.h>
+#include <unistd.h>
+
+int main(int argc, char **argv)
+{
+ struct bpf_object *obj;
+ char filename[256];
+ int prog_fd;
+
+ snprintf(filename, sizeof(filename), "%s_kern.o", argv[0]);
+
+ if (bpf_prog_load(filename, BPF_PROG_TYPE_SECCOMP, &obj, &prog_fd))
+ exit(EXIT_FAILURE);
+ if (prog_fd < 0) {
+ fprintf(stderr, "ERROR: no program found: %s\n",
+ strerror(prog_fd));
+ exit(EXIT_FAILURE);
+ }
+
+ /* set new_new_privs so non-privileged users can attach filters */
+ if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
+ perror("prctl(NO_NEW_PRIVS)");
+ exit(EXIT_FAILURE);
+ }
+
+ if (syscall(__NR_seccomp, SECCOMP_SET_MODE_FILTER,
+ SECCOMP_FILTER_FLAG_EXTENDED, &prog_fd)) {
+ perror("seccomp");
+ exit(EXIT_FAILURE);
+ }
+
+ close(111);
+ assert(errno == EBADF);
+ close(999);
+ assert(errno == EPERM);
+
+ printf("close syscall successfully filtered\n");
+ return 0;
+}
--
2.31.1
next prev parent reply other threads:[~2021-05-10 17:23 UTC|newest]
Thread overview: 39+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-05-10 17:22 [RFC PATCH bpf-next seccomp 00/12] eBPF seccomp filters YiFei Zhu
2021-05-10 17:22 ` [RFC PATCH bpf-next seccomp 01/12] seccomp: Move no_new_privs check to after prepare_filter YiFei Zhu
2021-05-10 17:22 ` [RFC PATCH bpf-next seccomp 02/12] bpf, seccomp: Add eBPF filter capabilities YiFei Zhu
2021-05-10 17:22 ` [RFC PATCH bpf-next seccomp 03/12] seccomp, ptrace: Add a mechanism to retrieve attached eBPF seccomp filters YiFei Zhu
2021-05-10 17:22 ` [RFC PATCH bpf-next seccomp 04/12] libbpf: recognize section "seccomp" YiFei Zhu
2021-05-10 17:22 ` YiFei Zhu [this message]
2021-05-10 17:22 ` [RFC PATCH bpf-next seccomp 06/12] lsm: New hook seccomp_extended YiFei Zhu
2021-05-10 17:22 ` [RFC PATCH bpf-next seccomp 07/12] bpf/verifier: allow restricting direct map access YiFei Zhu
2021-05-10 17:22 ` [RFC PATCH bpf-next seccomp 08/12] seccomp-ebpf: restrict filter to almost cBPF if LSM request such YiFei Zhu
2021-05-10 17:22 ` [RFC PATCH bpf-next seccomp 09/12] yama: (concept) restrict seccomp-eBPF with ptrace_scope YiFei Zhu
2021-05-10 17:22 ` [RFC PATCH bpf-next seccomp 10/12] seccomp-ebpf: Add ability to read user memory YiFei Zhu
2021-05-11 2:04 ` Alexei Starovoitov
2021-05-11 7:14 ` YiFei Zhu
2021-05-12 22:36 ` Alexei Starovoitov
2021-05-13 5:26 ` YiFei Zhu
2021-05-13 14:53 ` Andy Lutomirski
2021-05-13 17:12 ` YiFei Zhu
2021-05-13 17:15 ` Andy Lutomirski
2021-05-10 17:22 ` [RFC PATCH bpf-next seccomp 11/12] bpf/verifier: support NULL-able ptr to BTF ID as helper argument YiFei Zhu
2021-05-10 17:22 ` [RFC PATCH bpf-next seccomp 12/12] seccomp-ebpf: support task storage from BPF-LSM, defaulting to group leader YiFei Zhu
2021-05-11 1:58 ` Alexei Starovoitov
2021-05-11 5:44 ` YiFei Zhu
2021-05-12 21:56 ` Alexei Starovoitov
2021-05-10 17:47 ` [RFC PATCH bpf-next seccomp 00/12] eBPF seccomp filters Andy Lutomirski
2021-05-11 5:21 ` YiFei Zhu
2021-05-15 15:49 ` Andy Lutomirski
2021-05-20 9:05 ` Christian Brauner
[not found] ` <fffbea8189794a8da539f6082af3de8e@DM5PR11MB1692.namprd11.prod.outlook.com>
2021-05-16 8:38 ` Tianyin Xu
2021-05-17 15:40 ` Tycho Andersen
2021-05-17 17:07 ` Sargun Dhillon
[not found] ` <108b4b9c2daa4123805d2b92cf51374b@DM5PR11MB1692.namprd11.prod.outlook.com>
2021-05-20 8:16 ` Tianyin Xu
2021-05-20 8:56 ` Christian Brauner
2021-05-20 9:37 ` Christian Brauner
2021-06-01 19:55 ` Kees Cook
2021-06-09 6:32 ` Jinghao Jia
2021-06-09 6:27 ` Jinghao Jia
[not found] ` <00fe481c572d486289bc88780f48e88f@DM5PR11MB1692.namprd11.prod.outlook.com>
2021-05-20 22:13 ` Tianyin Xu
[not found] ` <eae2a0e5038b41c4af87edcb3d4cdc13@DM5PR11MB1692.namprd11.prod.outlook.com>
2021-05-20 8:22 ` Tianyin Xu
2021-05-24 18:55 ` Sargun Dhillon
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5f7c10074e10f994f3984a564531d5d9285d53eb.1620499942.git.yifeifz2@illinois.edu \
--to=zhuyifei1999@gmail.com \
--cc=aarcange@redhat.com \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=claudio.canella@iaik.tugraz.at \
--cc=containers@lists.linux.dev \
--cc=daniel.gruss@iaik.tugraz.at \
--cc=daniel@iogearbox.net \
--cc=dskarlat@cs.cmu.edu \
--cc=frankeh@us.ibm.com \
--cc=gscrivan@redhat.com \
--cc=hckuo2@illinois.edu \
--cc=jannh@google.com \
--cc=jinghao7@illinois.edu \
--cc=keescook@chromium.org \
--cc=linux-security-module@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=sargun@sargun.me \
--cc=tobin@ibm.com \
--cc=tom.hromatka@oracle.com \
--cc=torrella@illinois.edu \
--cc=tyxu@illinois.edu \
--cc=wad@chromium.org \
--cc=yifeifz2@illinois.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).