Modernize architectures and generate seccomp policy for all architectures supported by host OS #26
Conversation
|
@happyCoder92 @robertswiecki please review it and merge! This fixes a CVE used in many CTFs and also allows using nsjail as a Linux container replacement in fully rootless mode. |
tools/gen_syscalls/extract.py
Outdated
| @@ -19,6 +19,15 @@ | |||
|
|
|||
| import re | |||
|
|
|||
| # "xrange" was renamed to "range" in Python 3 | |||
There was a problem hiding this comment.
Just use range instead.
It will work also in python2 but will be less efficient (does not matter here though)
src/syscall.c
Outdated
| @@ -52,15 +52,18 @@ const struct syscall_list syscall_lists[] = { | |||
| #endif | |||
| #ifdef AUDIT_ARCH_AARCH64 | |||
| SYSCALL_LIST(AUDIT_ARCH_AARCH64, aarch64), | |||
| SYSCALL_LIST(AUDIT_ARCH_ARM, arm), | |||
There was a problem hiding this comment.
will result in duplicate entries
perhaps just verify that defined(AUDIT_ARCH_AARCH64) implies defined(AUDIT_ARCH_ARM) etc. else #error
There was a problem hiding this comment.
From what I see, AArch64 syscall list is not duplicating arm one because the extract.py script dumps syscall table and there is separate syscall table for every arch within kernel. This also applies to amd64/i386/x32, I had to expose SYSCALLTABLENAME environment variable to select the table I want to dump.
There was a problem hiding this comment.
I've meant duplicated entries in syscall_lists array.
Note above there is:
#ifdef AUDIT_ARCH_ARM
SYSCALL_LIST(AUDIT_ARCH_ARM, arm),
#endifThere was a problem hiding this comment.
I am not sure AUDIT_ARCH_AARCH64 implies AUDIT_ARCH_ARM: https://elixir.bootlin.com/linux/latest/source/include/uapi/linux/audit.h#L389
Or do you want me to do:
#if defined(AUDIT_ARCH_AARCH64)
SYSCALL_LIST(AUDIT_ARCH_AARCH64, aarch64),
SYSCALL_LIST(AUDIT_ARCH_ARM, arm),
#elif defined(AUDIT_ARCH_ARM)
SYSCALL_LIST(AUDIT_ARCH_ARM, arm),
#elif defined(AUDIT_ARCH_X86_64)
…
#else
#error
#endifhere?
There was a problem hiding this comment.
I mean if AUDIT_ARCH_ARM is not defined while AUDIT_ARCH_AARCH64 is defined then the above will not compile anyhow.
There was a problem hiding this comment.
Uhm, I think I got what I did I do wrong here 👍 My intention was to check if KAFEL_DEFAULT_TARGET_ARCH contains the respective architecture to include what is only needed. Target i386 can not be executed on aarch64 stuff etc. I will checnge to #ifdef __x86-64__ etc here.
include/kafel.h
Outdated
| * Sets compilation target architecture for ctxt to target_archs | ||
| * target_arch must be a supported AUDIT_ARCH_* value (see <linux/audit.h>) | ||
| */ | ||
| void kafel_set_target_architectures(kafel_ctxt_t ctxt, uint32_t* target_archs, uint32_t size); |
There was a problem hiding this comment.
use int or size_t for size
or better just accept fixed number of KAFEL_MAX_TARGET_ARCHS entries
src/context.h
Outdated
| @@ -30,6 +30,8 @@ | |||
| #include "policy.h" | |||
| #include "syscall.h" | |||
|
|
|||
| #define MAX_TARGET_ARCHS 4 | |||
There was a problem hiding this comment.
prefix with KAFEL_ and expose in include/kafel.h
src/kafel.c
Outdated
| } | ||
|
|
||
| // Read YY_BUF_SIZE from file as string | ||
| filebuf = calloc(1, YY_BUF_SIZE); |
There was a problem hiding this comment.
this will not handle files larger than YY_BUF_SIZE
There was a problem hiding this comment.
https://github.com/google/kafel/blob/master/src/kafel.c#L46 I was in doubt how many bytes does this buffer have. I deduced that the buffer used internally is exactly YY_BUF_SIZE and followed that assumption. How big buffer do we really need here?
There was a problem hiding this comment.
The buffer is YY_BUF_SIZE bytes but it'll refill with more data from the file if needed.
src/syscall.c
Outdated
| @@ -87,6 +87,17 @@ const struct syscall_list* syscalls_lookup(uint32_t arch) { | |||
| return NULL; | |||
| } | |||
|
|
|||
| const struct syscall_list* companion_syscalls_lookup(uint32_t arch) { | |||
| for (size_t i = 0; | |||
| i < sizeof(companion_syscall_lists) / sizeof(companion_syscall_lists[0]); | |||
There was a problem hiding this comment.
This commit is not self-contained.
companion_syscall_lists is undefined.
There was a problem hiding this comment.
Ack, will declare companion_syscall_lists there and populate it with x32 using the x32 commit as fixup.
src/context.c
Outdated
| uint32_t KAFEL_DEFAULT_TARGET_ARCH[4] = | ||
|
|
||
| #if defined(__x86_64__) | ||
| { AUDIT_ARCH_X86_64, AUDIT_ARCH_I386, 0, 0 }; |
There was a problem hiding this comment.
"pay only for what you use".
include just AUDIT_ARCH_X86_64 there to preserve existing behavior (same for other archs).
There was a problem hiding this comment.
Include just AUDIT_ARCH_X86_64 there to preserve existing behavior (same for other archs).
And to enable new target architectures in, say, nsjail i will need a new CLI switch invoking kafel_set_target_architectures, right?
There was a problem hiding this comment.
Yes, interaction with nsjail will be a bit inconvenient.
I see 2 solutions:
- make the generated archs depend on default action (the mentioned bypass applies only to allowlists):
- generate all if the action is
ALLOW/LOG - otherwise generate just for native arch by default
- generate all if the action is
- introduce to kafel a language construct to change options, e.g.
#option ARCH amd64,x32,i386
There was a problem hiding this comment.
introduce to kafel a language construct to change option
I think it is the best option! Can you please help me with it as I am still not very familiar with lexer?
src/syscalls/mipso32_syscalls.c
Outdated
| @@ -33,15 +33,15 @@ | |||
|
|
|||
| const struct syscall_descriptor mipso32_syscall_list[] = { | |||
| {"accept", | |||
| 4168, | |||
| 168, | |||
There was a problem hiding this comment.
Seems all syscall numbers here differ by 4000.
Similary for MIPS64 the difference is 5000.
I have no experience with MIPS but I looked up syscall tables online and seems they all list 4xxx and 5xxx syscalls.
There was a problem hiding this comment.
This is the most doubtful commit. Do you know by chance which kernel sources were used to build kernels later dumped with extract.py? Debian kernels have syscall numbers changed and I really don't like it. I'd like to dump syscalls following the initial procedure to get the closest possible result.
There was a problem hiding this comment.
MIPS support was contributed by another user.
I don't know the procedure used there, but seems the syscall list was compiled partly by hand.
There was a problem hiding this comment.
I don't know the procedure used there, but seems the syscall list was compiled partly by hand
If we know whetger the kernel built was vanilla one and toolchains used, I can build all these vanilla kernels using the same toolchains and run gdb extractor. Then making syscall argument names the same - and I hope we get an extended but not repkaced syscall list.
src/codegen.c
Outdated
| @@ -615,15 +626,23 @@ int compile_policy(struct kafel_ctxt *kafel_ctxt, struct sock_fprog *prog) { | |||
| normalize_rules(rules, kafel_ctxt->default_action); | |||
There was a problem hiding this comment.
for companion arch just issue another add_policy_rules here (with another kafel_ctxt containing policy parsed using the companion arch).
Companion policy generation should be turned off by default and this should be configurable.
There was a problem hiding this comment.
So should expose kafel_set_use_companion_architecture to the public API and use it to control add_policy_rules added, right? And filter companion architectures in nsjail CLI switch, too?
There was a problem hiding this comment.
Correct, just perhaps drop the set, kafel_use_companion_architecture(kafel_ctxt_t*, bool) sounds better.
For the nsjail interaction see my other comment.
src/codegen.c
Outdated
| @@ -615,15 +626,23 @@ int compile_policy(struct kafel_ctxt *kafel_ctxt, struct sock_fprog *prog) { | |||
| normalize_rules(rules, kafel_ctxt->default_action); | |||
| int begin = CURRENT_LOC; | |||
| int next = generate_rules(ctxt, rules->data, rules->len); | |||
| int next2 = 0; | |||
There was a problem hiding this comment.
This will not work as it will skip the marker and target arch check if the resulting policy is a constant action.
There are cases where a policy is a constant action on one arch and is not a constant action on another arch due to e.g. different argument sizes:
KILL { some_syscall { arg1 > 65535 } } DEFAULT ALLOW
will result in just ALLOW when arg1 is 16-bit and a more complex policy otherwise.
Arch checks should be added after all per arch generation is done.
ctxt should be reused when generating policies for all the archs.
Something like:
struct codegen_ctxt *ctxt = context_create();
for (int i = 0; i < num_target_archs; ++i) {
struct kafel_ctxt* target_ctxt = copy_kafel_ctxt(kafel_ctxt);
kafel_set_target_arch(target_archs[i]);
parse(target_ctxt); // TODO: error handling
policy_for_arch[i] = generate_policy_without_arch_check(ctxt, target_ctxt);
kafel_ctxt_destroy(target_ctxt);
}
int begin = CURRENT_LOC;
int next = -ACTION_KILL;
for (int i = 0; i < num_target_archs; ++i) {
next = add_jump(ctxt, BPF_JEQ, target_archs[i], policy_for_arch[i], next);
}
if (next > begin) {
begin = next = ADD_INSTR(BPF_LOAD_ARCH);
}
if (next < 0) {
resolve_location(ctxt, next);
}There was a problem hiding this comment.
Yeah, this seems the better approach. It will probably not eliminate the need to cache policy read from file (we simply cannot rewind stdin) but overall the code looks cleaner.
There was a problem hiding this comment.
What I really don't understand now is what is wrong with your example.
I tried:
/tmp/kafel$ echo 'KILL { ptrace { addr > 0xFFFFFFFE } } DEFAULT ALLOW' | tools/dump_policy_bpf/dump_policy_bpf
BPF program with 32 instructions
0: A := architecture
1: if A == 0xc000003e goto 3
2: jump to 21
3: A := syscall number
4: if A < 0x65 goto 10
5: if A >= 0x66 goto 10
6: A := arg 2 high
7: if A > 0 goto 11
8: A := arg 2 low
9: if A > 0xfffffffe goto 11
10: jump to 12
11: KILL
12: A := syscall number
13: if A < 0x40000209 goto 19
14: if A >= 0x4000020a goto 19
15: A := arg 2 high
16: if A > 0 goto 20
17: A := arg 2 low
18: if A > 0xfffffffe goto 20
19: ALLOW
20: KILL
21: A := architecture
22: if A == 0x40000003 goto 24
23: jump to 31
24: A := syscall number
25: if A < 0x1a goto 29
26: if A >= 0x1b goto 29
27: A := arg 2 low
28: if A > 0xfffffffe goto 30
29: ALLOW
30: KILL
31: KILL/tmp/kafel$ echo 'KILL { ptrace { addr > 0xFFFFFFFE } } DEFAULT ALLOW' | tools/dump_policy_bpf/dump_policy_bpf -c
BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0xc000003eu, 1, 0),
BPF_JUMP(BPF_JMP | BPF_JA, 0x12u, 0, 0),
BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 0x65u, 0, 5),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 0x66u, 4, 0),
BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[2]) + sizeof(__u32)),
BPF_JUMP(BPF_JMP | BPF_JGT | BPF_K, 0u, 3, 0),
BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[2])),
BPF_JUMP(BPF_JMP | BPF_JGT | BPF_K, 0xfffffffeu, 1, 0),
BPF_JUMP(BPF_JMP | BPF_JA, 0x1u, 0, 0),
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 0x40000209u, 0, 5),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 0x4000020au, 4, 0),
BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[2]) + sizeof(__u32)),
BPF_JUMP(BPF_JMP | BPF_JGT | BPF_K, 0u, 3, 0),
BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[2])),
BPF_JUMP(BPF_JMP | BPF_JGT | BPF_K, 0xfffffffeu, 1, 0),
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0x40000003u, 1, 0),
BPF_JUMP(BPF_JMP | BPF_JA, 0x7u, 0, 0),
BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 0x1au, 0, 3),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 0x1bu, 2, 0),
BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[2])),
BPF_JUMP(BPF_JMP | BPF_JGT | BPF_K, 0xfffffffeu, 1, 0),
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),/tmp/kafel$ echo 'KILL { ptrace { addr > 0x1FFFFFFFE } } DEFAULT ALLOW' | tools/dump_policy_bpf/dump_policy_bpf
BPF program with 37 instructions
0: A := architecture
1: if A == 0xc000003e goto 3
2: jump to 23
3: A := syscall number
4: if A < 0x65 goto 11
5: if A >= 0x66 goto 11
6: A := arg 2 high
7: if A > 0x1 goto 12
8: if A < 0x1 goto 11
9: A := arg 2 low
10: if A > 0xfffffffe goto 12
11: jump to 13
12: KILL
13: A := syscall number
14: if A < 0x40000209 goto 21
15: if A >= 0x4000020a goto 21
16: A := arg 2 high
17: if A > 0x1 goto 22
18: if A < 0x1 goto 21
19: A := arg 2 low
20: if A > 0xfffffffe goto 22
21: ALLOW
22: KILL
23: A := architecture
24: if A == 0x40000003 goto 26
25: jump to 36
26: A := syscall number
27: if A < 0x1a goto 34
28: if A >= 0x1b goto 34
29: A := arg 2 high
30: if A > 0x1 goto 35
31: if A < 0x1 goto 34
32: A := arg 2 low
33: if A > 0xfffffffe goto 35
34: ALLOW
35: KILL
36: KILL/tmp/kafel$ echo 'KILL { ptrace { addr > 0x1FFFFFFFE } } DEFAULT ALLOW' | tools/dump_policy_bpf/dump_policy_bpf -c
BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0xc000003eu, 1, 0),
BPF_JUMP(BPF_JMP | BPF_JA, 0x14u, 0, 0),
BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 0x65u, 0, 6),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 0x66u, 5, 0),
BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[2]) + sizeof(__u32)),
BPF_JUMP(BPF_JMP | BPF_JGT | BPF_K, 0x1u, 4, 0),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 0x1u, 0, 2),
BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[2])),
BPF_JUMP(BPF_JMP | BPF_JGT | BPF_K, 0xfffffffeu, 1, 0),
BPF_JUMP(BPF_JMP | BPF_JA, 0x1u, 0, 0),
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 0x40000209u, 0, 6),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 0x4000020au, 5, 0),
BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[2]) + sizeof(__u32)),
BPF_JUMP(BPF_JMP | BPF_JGT | BPF_K, 0x1u, 4, 0),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 0x1u, 0, 2),
BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[2])),
BPF_JUMP(BPF_JMP | BPF_JGT | BPF_K, 0xfffffffeu, 1, 0),
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0x40000003u, 1, 0),
BPF_JUMP(BPF_JMP | BPF_JA, 0xau, 0, 0),
BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 0x1au, 0, 6),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 0x1bu, 5, 0),
BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[2]) + sizeof(__u32)),
BPF_JUMP(BPF_JMP | BPF_JGT | BPF_K, 0x1u, 4, 0),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 0x1u, 0, 2),
BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[2])),
BPF_JUMP(BPF_JMP | BPF_JGT | BPF_K, 0xfffffffeu, 1, 0),
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),There was a problem hiding this comment.
kafel_reset should not reset target architectures to default.
Otherwise it is impossible to set different architectures for compilation.
Then after that is fixed if the user sets architectures like this:
uint32_t archs[4] = {AUDIT_ARCH_I386, AUDIT_ARCH_X86_64, 0, 0};
kafel_set_target_architectures(ctxt, archs, 4);then compilation of KILL { open { filename > 0xFFFFFFFF } } DEFAULT ALLOW' will result in
BPF program with 1 instructions
0: ALLOW
There was a problem hiding this comment.
I think I will rewrite this part as you suggested and drop the commits updating syscall lists and the commit introducing file caching. You will add the lexer modifications and the PR will be ready for merge.
There was a problem hiding this comment.
I just pushed 46ae6b8
For multi-target_archs it will require changes in validate_references - check that syscall is present in all the syscall tables and validate used arguments for all architectures.
There was a problem hiding this comment.
Great! Sorry for the delay, I will rebase the PR and complete what I have started :)
|
Hi! Are you still going to work on this one? |
|
Hi! Yes, I noticed the request! Let me wrap around Android ASB & get back to it this weekend.
|
|
Hi! I had a while to work on it and just commited multi-arch support. |
|
Just a note: we're thankful someone's looked into this and it would be a shame if it stalled. Compiler Explorer relies on nsjail and thus kafel and we currently can't enable seccomp stuff without this PR. which would be nice! |
|
oh! OK @mattgodbolt I will resurrect this. |
* Use LANG=C everywhere to make readelf happy on non-English systems Signed-off-by: Vasyl Gello <vasek.gello@gmail.com>
basilgello
force-pushed
the
modernize-architectures
branch
from
5b58e5d
to
0ffeda5
Compare
Make the extractor configurable to extract {amd64,i386,x32}
from amd64 and other companion architecture syscalls if needed.
Also introduce "GDB" environment variable allowing invocation
of custom GDB, i.e:
GDB=gdb-multiarch ./gen_syscalls.sh /tmp/vmlinux-armmp
Signed-off-by: Vasyl Gello <vasek.gello@gmail.com>
basilgello
force-pushed
the
modernize-architectures
branch
from
0ffeda5
to
d40625d
Compare
|
|
||
| cat output_syscalls.c | sort -k1,1 --unique --stable -t',' >> "$outname" | ||
| rm output_syscalls.c | ||
| if [ -f "missing/${arch,,}.c" ]; then |
There was a problem hiding this comment.
would prefer that missing/{arch}.c takes precedence over automatically extracted as it was before
Fixes #19