| #!/usr/bin/env python3 |
| # Copyright 2020 The ChromiumOS Authors |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| """A linter for the Minijail seccomp policy file.""" |
| |
| import argparse |
| import re |
| import sys |
| from typing import List, NamedTuple, Optional, Set |
| |
| |
| # The syscalls we have determined are more dangerous and need justification |
| # for inclusion in a policy. |
| DANGEROUS_SYSCALLS = ( |
| "clone", |
| "mount", |
| "setns", |
| "kill", |
| "execve", |
| "execveat", |
| "getrandom", |
| "bpf", |
| "socket", |
| "ptrace", |
| "swapon", |
| "swapoff", |
| # TODO(b/193169195): Add argument granularity for the below syscalls. |
| "prctl", |
| "ioctl", |
| "mmap", |
| "mmap2", |
| "mprotect", |
| ) |
| |
| |
| # If a dangerous syscall uses these rules, then it's considered safe. |
| SYSCALL_SAFE_RULES = { |
| "getrandom": ("arg2 in ~GRND_RANDOM",), |
| "mmap": ( |
| "arg2 == PROT_READ || arg2 == PROT_NONE", |
| "arg2 in ~PROT_EXEC", |
| "arg2 in ~PROT_EXEC || arg2 in ~PROT_WRITE", |
| ), |
| "mmap2": ( |
| "arg2 == PROT_READ || arg2 == PROT_NONE", |
| "arg2 in ~PROT_EXEC", |
| "arg2 in ~PROT_EXEC || arg2 in ~PROT_WRITE", |
| ), |
| "mprotect": ( |
| "arg2 == PROT_READ || arg2 == PROT_NONE", |
| "arg2 in ~PROT_EXEC", |
| "arg2 in ~PROT_EXEC || arg2 in ~PROT_WRITE", |
| ), |
| } |
| |
| GLOBAL_SAFE_RULES = ( |
| "kill", |
| "kill-process", |
| "kill-thread", |
| "return 1", |
| ) |
| |
| |
| class CheckPolicyReturn(NamedTuple): |
| """Represents a return value from check_seccomp_policy |
| |
| Contains a message to print to the user and a list of errors that were |
| found in the file. |
| """ |
| |
| message: str |
| errors: List[str] |
| |
| |
| def parse_args(argv): |
| """Return the parsed CLI arguments for this tool.""" |
| parser = argparse.ArgumentParser(description=__doc__) |
| parser.add_argument( |
| "--denylist", |
| action="store_true", |
| help="Check as a denylist policy rather than the default allowlist.", |
| ) |
| parser.add_argument( |
| "--dangerous-syscalls", |
| action="store", |
| default=",".join(DANGEROUS_SYSCALLS), |
| help="Comma-separated list of dangerous sycalls (overrides default).", |
| ) |
| parser.add_argument( |
| "--assume-filename", |
| help="The filename when parsing stdin.", |
| ) |
| parser.add_argument( |
| "policy", |
| help="The seccomp policy.", |
| type=argparse.FileType("r", encoding="utf-8"), |
| ) |
| return parser.parse_args(argv), parser |
| |
| |
| def check_seccomp_policy( |
| check_file, dangerous_syscalls: Set[str], filename: Optional[str] = None |
| ): |
| """Fail if the seccomp policy file has dangerous, undocumented syscalls. |
| |
| Takes in a file object and a set of dangerous syscalls as arguments. |
| """ |
| |
| if filename is None: |
| filename = check_file.name |
| found_syscalls = set() |
| errors = [] |
| msg = "" |
| contains_dangerous_syscall = False |
| prev_line_comment = False |
| |
| for line_num, line in enumerate(check_file): |
| if re.match(r"^\s*#", line): |
| prev_line_comment = True |
| elif re.match(r"^\s*$", line): |
| # Empty lines shouldn't reset prev_line_comment. |
| continue |
| else: |
| match = re.match(r"^\s*(\w*)\s*:\s*(.*)\s*", line) |
| if match: |
| syscall = match.group(1) |
| rule = match.group(2) |
| err_prefix = f"{filename}:{line_num}:{syscall}:" |
| if syscall in found_syscalls: |
| errors.append(f"{err_prefix} duplicate entry found") |
| else: |
| found_syscalls.add(syscall) |
| if syscall in dangerous_syscalls: |
| contains_dangerous_syscall = True |
| if not prev_line_comment: |
| # Dangerous syscalls must be commented. |
| safe_rules = SYSCALL_SAFE_RULES.get(syscall, ()) |
| if rule in GLOBAL_SAFE_RULES or rule in safe_rules: |
| pass |
| elif safe_rules: |
| # Dangerous syscalls with known safe rules must |
| # use those rules. |
| errors.append( |
| f"{err_prefix} syscall is dangerous and " |
| f"should use one of the rules: {safe_rules}" |
| ) |
| else: |
| errors.append( |
| f"{err_prefix} syscall is dangerous and " |
| "requires a comment on the preceding line" |
| ) |
| prev_line_comment = False |
| else: |
| # This line is probably a continuation from the previous line. |
| # TODO(b/203216289): Support line breaks. |
| pass |
| |
| if contains_dangerous_syscall: |
| msg = ( |
| f"seccomp: {filename} contains dangerous syscalls, so" |
| " requires review from chromeos-security@" |
| ) |
| else: |
| msg = ( |
| f"seccomp: {filename} does not contain any dangerous" |
| " syscalls, so does not require review from" |
| " chromeos-security@" |
| ) |
| |
| if errors: |
| return CheckPolicyReturn(msg, errors) |
| |
| return CheckPolicyReturn(msg, errors) |
| |
| |
| def main(argv=None): |
| """Main entrypoint.""" |
| |
| if argv is None: |
| argv = sys.argv[1:] |
| |
| opts, _arg_parser = parse_args(argv) |
| |
| filename = opts.assume_filename if opts.assume_filename else opts.policy |
| check = check_seccomp_policy( |
| opts.policy, set(opts.dangerous_syscalls.split(",")), filename=filename |
| ) |
| |
| formatted_items = "" |
| if check.errors: |
| item_prefix = "\n * " |
| formatted_items = item_prefix + item_prefix.join(check.errors) |
| |
| print("* " + check.message + formatted_items) |
| |
| return 1 if check.errors else 0 |
| |
| |
| if __name__ == "__main__": |
| sys.exit(main(sys.argv[1:])) |
