seccomp: Filter flag to log all actions except SECCOMP_RET_ALLOW

#include <uapi/linux/seccomp.h>

#define SECCOMP_FILTER_FLAG_MASK	(SECCOMP_FILTER_FLAG_TSYNC)

#define SECCOMP_FILTER_FLAG_MASK	(SECCOMP_FILTER_FLAG_TSYNC | \

					 SECCOMP_FILTER_FLAG_LOG)

#ifdef CONFIG_SECCOMP

/* Valid flags for SECCOMP_SET_MODE_FILTER */

#define SECCOMP_FILTER_FLAG_TSYNC	1

#define SECCOMP_FILTER_FLAG_LOG		2

/*

 * All BPF programs must return a 32-bit value.

 *         get/put helpers should be used when accessing an instance

 *         outside of a lifetime-guarded section.  In general, this

 *         is only needed for handling filters shared across tasks.

 * @log: true if all actions except for SECCOMP_RET_ALLOW should be logged

 * @prev: points to a previously installed, or inherited, filter

 * @prog: the BPF program to evaluate

 *

 */

struct seccomp_filter {

	refcount_t usage;

	bool log;

	struct seccomp_filter *prev;

	struct bpf_prog *prog;

};

			return ret;

	}

	/* Set log flag, if present. */

	if (flags & SECCOMP_FILTER_FLAG_LOG)

		filter->log = true;

	/*

	 * If there is an existing filter, make it the prev and don't drop its

	 * task reference.

static u32 seccomp_actions_logged = SECCOMP_LOG_KILL  | SECCOMP_LOG_TRAP  |

				    SECCOMP_LOG_ERRNO | SECCOMP_LOG_TRACE;

static inline void seccomp_log(unsigned long syscall, long signr, u32 action)

static inline void seccomp_log(unsigned long syscall, long signr, u32 action,

			       bool requested)

{

	bool log = false;

	switch (action) {

	case SECCOMP_RET_ALLOW:

		break;

	case SECCOMP_RET_TRAP:

		log = requested && seccomp_actions_logged & SECCOMP_LOG_TRAP;

		break;

	case SECCOMP_RET_ERRNO:

		log = requested && seccomp_actions_logged & SECCOMP_LOG_ERRNO;

		break;

	case SECCOMP_RET_TRACE:

		log = requested && seccomp_actions_logged & SECCOMP_LOG_TRACE;

		break;

	case SECCOMP_RET_KILL:

	default:

	}

	/*

	 * Force an audit message to be emitted when the action is RET_KILL and

	 * the action is allowed to be logged by the admin.

	 * Force an audit message to be emitted when the action is RET_KILL or

	 * the FILTER_FLAG_LOG bit was set and the action is allowed to be

	 * logged by the admin.

	 */

	if (log)

		return __audit_seccomp(syscall, signr, action);

#ifdef SECCOMP_DEBUG

	dump_stack();

#endif

	seccomp_log(this_syscall, SIGKILL, SECCOMP_RET_KILL);

	seccomp_log(this_syscall, SIGKILL, SECCOMP_RET_KILL, true);

	do_exit(SIGKILL);

}

	case SECCOMP_RET_KILL:

	default:

		seccomp_log(this_syscall, SIGSYS, action);

		seccomp_log(this_syscall, SIGSYS, action, true);

		/* Dump core only if this is the last remaining thread. */

		if (get_nr_threads(current) == 1) {

			siginfo_t info;

	unreachable();

skip:

	seccomp_log(this_syscall, 0, action);

	seccomp_log(this_syscall, 0, action, match ? match->log : false);

	return -1;

}

#else

#define SECCOMP_FILTER_FLAG_TSYNC 1

#endif

#ifndef SECCOMP_FILTER_FLAG_LOG

#define SECCOMP_FILTER_FLAG_LOG 2

#endif

#ifndef seccomp

int seccomp(unsigned int op, unsigned int flags, void *args)

{

 */

TEST(detect_seccomp_filter_flags)

{

	unsigned int flags[] = { SECCOMP_FILTER_FLAG_TSYNC };

	unsigned int flags[] = { SECCOMP_FILTER_FLAG_TSYNC,

				 SECCOMP_FILTER_FLAG_LOG };

	unsigned int flag, all_flags;

	int i;

	long ret;

		_metadata->passed = 0;

}

TEST_SIGNAL(filter_flag_log, SIGSYS)

{

	struct sock_filter allow_filter[] = {

		BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),

	};

	struct sock_filter kill_filter[] = {

		BPF_STMT(BPF_LD|BPF_W|BPF_ABS,

			offsetof(struct seccomp_data, nr)),

		BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getpid, 0, 1),

		BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL),

		BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),

	};

	struct sock_fprog allow_prog = {

		.len = (unsigned short)ARRAY_SIZE(allow_filter),

		.filter = allow_filter,

	};

	struct sock_fprog kill_prog = {

		.len = (unsigned short)ARRAY_SIZE(kill_filter),

		.filter = kill_filter,

	};

	long ret;

	pid_t parent = getppid();

	ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);

	ASSERT_EQ(0, ret);

	/* Verify that the FILTER_FLAG_LOG flag isn't accepted in strict mode */

	ret = seccomp(SECCOMP_SET_MODE_STRICT, SECCOMP_FILTER_FLAG_LOG,

		      &allow_prog);

	ASSERT_NE(ENOSYS, errno) {

		TH_LOG("Kernel does not support seccomp syscall!");

	}

	EXPECT_NE(0, ret) {

		TH_LOG("Kernel accepted FILTER_FLAG_LOG flag in strict mode!");

	}

	EXPECT_EQ(EINVAL, errno) {

		TH_LOG("Kernel returned unexpected errno for FILTER_FLAG_LOG flag in strict mode!");

	}

	/* Verify that a simple, permissive filter can be added with no flags */

	ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &allow_prog);

	EXPECT_EQ(0, ret);

	/* See if the same filter can be added with the FILTER_FLAG_LOG flag */

	ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_LOG,

		      &allow_prog);

	ASSERT_NE(EINVAL, errno) {

		TH_LOG("Kernel does not support the FILTER_FLAG_LOG flag!");

	}

	EXPECT_EQ(0, ret);

	/* Ensure that the kill filter works with the FILTER_FLAG_LOG flag */

	ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_LOG,

		      &kill_prog);

	EXPECT_EQ(0, ret);

	EXPECT_EQ(parent, syscall(__NR_getppid));

	/* getpid() should never return. */

	EXPECT_EQ(0, syscall(__NR_getpid));

}

TEST(get_action_avail)

{

	__u32 actions[] = { SECCOMP_RET_KILL,  SECCOMP_RET_TRAP,

 * - endianness checking when appropriate

 * - 64-bit arg prodding

 * - arch value testing (x86 modes especially)

 * - verify that FILTER_FLAG_LOG filters generate log messages

 * - ...

 */