File: seccomp_filter.cpp

/********************************************************************
 KSld - the KDE Screenlocker Daemon
 This file is part of the KDE project.

Copyright (C) 2017 Martin Gräßlin <mgraesslin@kde.org>

This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License as
published by the Free Software Foundation; either version 2 of
the License or (at your option) version 3 or any later version
accepted by the membership of KDE e.V. (or its successor approved
by the membership of KDE e.V.), which shall act as a proxy
defined in Section 14 of version 3 of the license.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program.  If not, see <http://www.gnu.org/licenses/>.
*********************************************************************/
#include "seccomp_filter.h"
#include "kwinglplatform.h"

#include <KWindowSystem>

#include <QDBusConnection>
#include <QDebug>
#include <QOpenGLContext>
#include <QOffscreenSurface>

#include <seccomp.h>
#include <sys/socket.h>
#include <fcntl.h>
#include <errno.h>

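namespace ScreenLocker
{
namespace SecComp
{

/**
 * Installs a seccomp-bpf deny-list filter into the greeter process.
 *
 * The goal is to keep whatever the greeter sees (the password) from being
 * persisted and to keep an attacker inside this process from modifying the
 * user's files: opening files for writing/creating, every filesystem
 * modification syscall, socket creation, fork/exec and pipes are denied with
 * EPERM. The default action is ALLOW because Qt, OpenGL and DBus need far too
 * many syscalls for an allow-list.
 *
 * Must run after the resources the greeter keeps for its lifetime are open:
 * it creates a throw-away OpenGL context (so the driver opens the files it
 * needs for writing now) and touches the session bus (so its socket exists
 * before socket(2) is denied).
 *
 * The filter is applied to all threads of the process (TSYNC), not just the
 * calling one, since the driver and Qt may already have started helpers.
 *
 * Failures are never fatal: the lock screen keeps working without the
 * sandbox, so the qWarning() output is the only signal that hardening is off.
 * Callers have no way to query the outcome; the interface is unchanged.
 */
void init()
{
    // trigger OpenGL context creation
    // we need this to ensure that all required files are opened for write
    // on NVIDIA we need to keep write around, otherwise BUG 384005 happens
    bool writeSupported = true;
    // Mesa's software renderers create buffers in $XDG_RUNTIME_DIR on wayland,
    // so O_CREAT has to stay allowed in that configuration
    bool createSupported = true;
    QScopedPointer<QOffscreenSurface> dummySurface(new QOffscreenSurface);
    dummySurface->create();
    QOpenGLContext dummyGlContext;
    if (dummyGlContext.create() && dummyGlContext.makeCurrent(dummySurface.data())) {
        auto gl = KWin::GLPlatform::instance();
        gl->detect();
        gl->printResults();
        if (gl->driver() == KWin::Driver_NVidia) {
            // BUG: 384005
            writeSupported = false;
        } else if (gl->isSoftwareEmulation() && KWindowSystem::isPlatformWayland()) {
            createSupported = writeSupported = false;
        }
    }

    // access DBus to have the socket open before socket(2) is denied below
    QDBusConnection::sessionBus();

    // default action: allow
    // we cannot use a whitelist approach of syscalls
    // Qt, OpenGL, DBus just need too much and too broad
    auto context = seccomp_init(SCMP_ACT_ALLOW);
    if (!context) {
        qWarning() << "seccomp_init failed, the lock screen runs without a syscall filter";
        return;
    }

    // Every libseccomp call is checked: a silent failure here would leave the
    // greeter unsandboxed without anyone noticing. A rule that cannot be added
    // is logged and the remaining rules are still installed, since a partial
    // filter is still better than none.
    bool complete = true;
    auto check = [&](int rc, const char *what) {
        if (rc < 0) {
            qWarning() << "seccomp: cannot add rule for" << what << "(error" << -rc << ")";
            complete = false;
        }
    };
    // deny a syscall unconditionally
    auto deny = [&](int syscall, const char *what) {
        check(seccomp_rule_add(context, SCMP_ACT_ERRNO(EPERM), syscall, 0), what);
    };

    // add a filter to prevent that the password gets written to a file
    // we cannot disallow write syscall. That one is needed to wake up threads
    // Qt and OpenGL might create additional threads and then it would fail as we have an fd which
    // is not allowed to write to

    // instead disallow opening new files for writing
    // they should fail with EPERM error
    if (writeSupported) {
        check(seccomp_rule_add(context, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(open), 1, SCMP_A1(SCMP_CMP_MASKED_EQ, O_WRONLY, O_WRONLY)), "open O_WRONLY");
        check(seccomp_rule_add(context, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(open), 1, SCMP_A1(SCMP_CMP_MASKED_EQ, O_RDWR, O_RDWR)), "open O_RDWR");

        check(seccomp_rule_add(context, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(openat), 1, SCMP_A2(SCMP_CMP_MASKED_EQ, O_WRONLY, O_WRONLY)), "openat O_WRONLY");
        check(seccomp_rule_add(context, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(openat), 1, SCMP_A2(SCMP_CMP_MASKED_EQ, O_RDWR, O_RDWR)), "openat O_RDWR");
    }
    if (createSupported) {
        check(seccomp_rule_add(context, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(openat), 1, SCMP_A2(SCMP_CMP_MASKED_EQ, O_CREAT, O_CREAT)), "openat O_CREAT");
        check(seccomp_rule_add(context, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(open), 1, SCMP_A1(SCMP_CMP_MASKED_EQ, O_CREAT, O_CREAT)), "open O_CREAT");
        deny(SCMP_SYS(creat), "creat");
    }
    // open_by_handle_at(2) requires CAP_DAC_READ_SEARCH, which the greeter does
    // not have, so neither driver workaround above depends on it: deny it in
    // every configuration rather than only when O_CREAT is denied.
    check(seccomp_rule_add(context, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(open_by_handle_at), 1, SCMP_A2(SCMP_CMP_MASKED_EQ, O_WRONLY, O_WRONLY)), "open_by_handle_at O_WRONLY");
    check(seccomp_rule_add(context, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(open_by_handle_at), 1, SCMP_A2(SCMP_CMP_MASKED_EQ, O_RDWR, O_RDWR)), "open_by_handle_at O_RDWR");
    check(seccomp_rule_add(context, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(open_by_handle_at), 1, SCMP_A2(SCMP_CMP_MASKED_EQ, O_CREAT, O_CREAT)), "open_by_handle_at O_CREAT");

    // NOTE(review): openat2(2) passes its flags in a struct, which seccomp
    // cannot inspect, so it is not covered by the flag rules above; ftruncate
    // and fallocate on already-open descriptors are also left alone because
    // shared-memory buffers are commonly sized that way - confirm before
    // tightening either.

    // Disallow everything which modifies the filesystem. An attacker could store the password as a directory name or encode it in chmod bits.
    // Also prevent deleting anything, to prevent an attacker from deleting the users files.
    deny(SCMP_SYS(truncate), "truncate");
    deny(SCMP_SYS(rename), "rename");
    deny(SCMP_SYS(renameat), "renameat");
    deny(SCMP_SYS(renameat2), "renameat2");
    deny(SCMP_SYS(mkdir), "mkdir");
    deny(SCMP_SYS(mkdirat), "mkdirat");
    deny(SCMP_SYS(rmdir), "rmdir");
    deny(SCMP_SYS(link), "link");
    deny(SCMP_SYS(linkat), "linkat");
    deny(SCMP_SYS(unlink), "unlink");
    deny(SCMP_SYS(unlinkat), "unlinkat");
    deny(SCMP_SYS(symlink), "symlink");
    deny(SCMP_SYS(symlinkat), "symlinkat");
    deny(SCMP_SYS(mknod), "mknod");
    deny(SCMP_SYS(mknodat), "mknodat");
    deny(SCMP_SYS(chmod), "chmod");
    deny(SCMP_SYS(fchmod), "fchmod");
    deny(SCMP_SYS(fchmodat), "fchmodat");
    // Ownership and extended attributes are metadata channels of the same kind
    // as the mode bits: nothing the greeter legitimately does needs them.
    deny(SCMP_SYS(chown), "chown");
    deny(SCMP_SYS(fchown), "fchown");
    deny(SCMP_SYS(lchown), "lchown");
    deny(SCMP_SYS(fchownat), "fchownat");
    deny(SCMP_SYS(setxattr), "setxattr");
    deny(SCMP_SYS(lsetxattr), "lsetxattr");
    deny(SCMP_SYS(fsetxattr), "fsetxattr");
    deny(SCMP_SYS(removexattr), "removexattr");
    deny(SCMP_SYS(lremovexattr), "lremovexattr");
    deny(SCMP_SYS(fremovexattr), "fremovexattr");

    // disallow going to a socket
    deny(SCMP_SYS(socket), "socket");

    // disallow fork+exec
    // note glibc seems to use clone which is allowed for threads, so the
    // fork/vfork rules are mostly symbolic; the execve/execveat rules are the
    // ones that matter (a forked child would still carry this filter)
    deny(SCMP_SYS(fork), "fork");
    deny(SCMP_SYS(vfork), "vfork");
    deny(SCMP_SYS(execve), "execve");
    deny(SCMP_SYS(execveat), "execveat");

    // disallow pipe, that should destroy copy and paste on Wayland
    deny(SCMP_SYS(pipe), "pipe");
    deny(SCMP_SYS(pipe2), "pipe2");

    // A seccomp filter only applies to the thread that loads it unless it is
    // installed with SECCOMP_FILTER_FLAG_TSYNC (seccomp(2)). By now the OpenGL
    // driver and Qt might already have created helper threads (see the note
    // about threads above), and an unfiltered thread would be an unfiltered
    // process, so synchronize the filter to every thread.
    bool tsync = seccomp_attr_set(context, SCMP_FLTATR_CTL_TSYNC, 1) == 0;
    if (!tsync) {
        qWarning() << "seccomp: cannot request TSYNC, threads started before the filter stay unfiltered";
    }

    // and activate our rules
    int rc = seccomp_load(context);
    if (rc < 0 && tsync) {
        // An old kernel may reject TSYNC; a filter on the main thread alone is
        // still better than no filter, so retry without it and say so.
        qWarning() << "seccomp_load with TSYNC failed (error" << -rc << "), retrying for the calling thread only";
        tsync = false;
        seccomp_attr_set(context, SCMP_FLTATR_CTL_TSYNC, 0);
        rc = seccomp_load(context);
    }
    if (rc < 0) {
        qWarning() << "seccomp_load failed (error" << -rc << "), the lock screen runs without a syscall filter";
    } else if (!complete) {
        qWarning() << "seccomp filter installed, but some rules are missing (see above)";
    }
    seccomp_release(context);
}

}
}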