kore/misc/linux-platform.sh

#!/bin/sh
#
# Linux specific defines and system call maps.

if [ -z "$TARGET_PLATFORM" ]; then
	PLATFORM=$(uname -m)
else
	PLATFORM=$TARGET_PLATFORM
fi

BASE=$(dirname $0)

case "$PLATFORM" in
	x86_64*)
		seccomp_audit_arch=AUDIT_ARCH_X86_64
		syscall_file=$BASE/linux/x86_64_syscall.h.in
		;;
	i*86*)
		>&2 echo "i386 not supported"
		exit 1
		;;
	arm*)
		seccomp_audit_arch=AUDIT_ARCH_ARM
		syscall_file=$BASE/linux/arm_syscall.h.in
		;;
	aarch64*)
		seccomp_audit_arch=AUDIT_ARCH_AARCH64
		syscall_file=$BASE/linux/aarch64_syscall.h.in
		;;
esac

cat << __EOF
/* Auto generated by linux-platform.sh - DO NOT EDIT */

#include <sys/syscall.h>

#define SECCOMP_AUDIT_ARCH $seccomp_audit_arch

struct {
  const char *name;
  int  nr;
} kore_syscall_map [] = {
__EOF

sed 's/__NR_//' $syscall_file | awk '/#define/ { syscall = $2; number = $3; printf "  { \"%s\", %d },\n", syscall, number }'

cat << __EOF
  { NULL, 0 }
};
__EOF
Add seccomp syscall filtering to kore. With this commit all Kore processes (minus the parent) are running under seccomp. The worker processes get the bare minimum allowed syscalls while each module like curl, pgsql, etc will add their own filters to allow what they require. New API functions: int kore_seccomp_filter(const char name, void filter, size_t len); Adds a filter into the seccomp system (must be called before seccomp is enabled). New helpful macro: define KORE_SYSCALL_ALLOW(name) Allow the syscall with a given name, should be used in a sock_filter data structure. New hooks: void kore_seccomp_hook(void); Called before seccomp is enabled, allows developers to add their own BPF filters into seccomp. 2019-09-25 12:25:49 +00:00			`#!/bin/sh`
Generate syscall maps from kernel tbl files if available. If no tbl syscall files are available, fallback to using the dirty /proc/kallsym trick that may or may not work. 2019-10-23 13:39:25 +02:00			`#`
Change the way the linux syscall maps are made. Use the syscall.h.in files from musl and generate the syscall maps from there. Now we have proper support for x86_64, i386, arm and aarch64 to have syscall maps. 2019-11-06 11:57:25 +01:00			`# Linux specific defines and system call maps.`
Add seccomp syscall filtering to kore. With this commit all Kore processes (minus the parent) are running under seccomp. The worker processes get the bare minimum allowed syscalls while each module like curl, pgsql, etc will add their own filters to allow what they require. New API functions: int kore_seccomp_filter(const char name, void filter, size_t len); Adds a filter into the seccomp system (must be called before seccomp is enabled). New helpful macro: define KORE_SYSCALL_ALLOW(name) Allow the syscall with a given name, should be used in a sock_filter data structure. New hooks: void kore_seccomp_hook(void); Called before seccomp is enabled, allows developers to add their own BPF filters into seccomp. 2019-09-25 12:25:49 +00:00
Allow setting of TARGET_PLATFORM. This overrides the linux seccomp building, useful for cross compiling Kore to other linux architectures. 2021-11-29 15:43:43 +01:00			`if [ -z "$TARGET_PLATFORM" ]; then`
			`PLATFORM=$(uname -m)`
			`else`
			`PLATFORM=$TARGET_PLATFORM`
			`fi`

make sure we can run this outside the tree 2019-10-23 13:50:51 +02:00			`BASE=$(dirname $0)`
Add seccomp syscall filtering to kore. With this commit all Kore processes (minus the parent) are running under seccomp. The worker processes get the bare minimum allowed syscalls while each module like curl, pgsql, etc will add their own filters to allow what they require. New API functions: int kore_seccomp_filter(const char name, void filter, size_t len); Adds a filter into the seccomp system (must be called before seccomp is enabled). New helpful macro: define KORE_SYSCALL_ALLOW(name) Allow the syscall with a given name, should be used in a sock_filter data structure. New hooks: void kore_seccomp_hook(void); Called before seccomp is enabled, allows developers to add their own BPF filters into seccomp. 2019-09-25 12:25:49 +00:00
			`case "$PLATFORM" in`
			`x86_64*)`
			`seccomp_audit_arch=AUDIT_ARCH_X86_64`
Change the way the linux syscall maps are made. Use the syscall.h.in files from musl and generate the syscall maps from there. Now we have proper support for x86_64, i386, arm and aarch64 to have syscall maps. 2019-11-06 11:57:25 +01:00			`syscall_file=$BASE/linux/x86_64_syscall.h.in`
Add seccomp syscall filtering to kore. With this commit all Kore processes (minus the parent) are running under seccomp. The worker processes get the bare minimum allowed syscalls while each module like curl, pgsql, etc will add their own filters to allow what they require. New API functions: int kore_seccomp_filter(const char name, void filter, size_t len); Adds a filter into the seccomp system (must be called before seccomp is enabled). New helpful macro: define KORE_SYSCALL_ALLOW(name) Allow the syscall with a given name, should be used in a sock_filter data structure. New hooks: void kore_seccomp_hook(void); Called before seccomp is enabled, allows developers to add their own BPF filters into seccomp. 2019-09-25 12:25:49 +00:00			`;;`
nicer warning 2020-09-03 19:24:26 +02:00			`i86)`
			`>&2 echo "i386 not supported"`
			`exit 1`
			`;;`
Add seccomp syscall filtering to kore. With this commit all Kore processes (minus the parent) are running under seccomp. The worker processes get the bare minimum allowed syscalls while each module like curl, pgsql, etc will add their own filters to allow what they require. New API functions: int kore_seccomp_filter(const char name, void filter, size_t len); Adds a filter into the seccomp system (must be called before seccomp is enabled). New helpful macro: define KORE_SYSCALL_ALLOW(name) Allow the syscall with a given name, should be used in a sock_filter data structure. New hooks: void kore_seccomp_hook(void); Called before seccomp is enabled, allows developers to add their own BPF filters into seccomp. 2019-09-25 12:25:49 +00:00			`arm*)`
			`seccomp_audit_arch=AUDIT_ARCH_ARM`
Change the way the linux syscall maps are made. Use the syscall.h.in files from musl and generate the syscall maps from there. Now we have proper support for x86_64, i386, arm and aarch64 to have syscall maps. 2019-11-06 11:57:25 +01:00			`syscall_file=$BASE/linux/arm_syscall.h.in`
Add seccomp syscall filtering to kore. With this commit all Kore processes (minus the parent) are running under seccomp. The worker processes get the bare minimum allowed syscalls while each module like curl, pgsql, etc will add their own filters to allow what they require. New API functions: int kore_seccomp_filter(const char name, void filter, size_t len); Adds a filter into the seccomp system (must be called before seccomp is enabled). New helpful macro: define KORE_SYSCALL_ALLOW(name) Allow the syscall with a given name, should be used in a sock_filter data structure. New hooks: void kore_seccomp_hook(void); Called before seccomp is enabled, allows developers to add their own BPF filters into seccomp. 2019-09-25 12:25:49 +00:00			`;;`
			`aarch64*)`
			`seccomp_audit_arch=AUDIT_ARCH_AARCH64`
Change the way the linux syscall maps are made. Use the syscall.h.in files from musl and generate the syscall maps from there. Now we have proper support for x86_64, i386, arm and aarch64 to have syscall maps. 2019-11-06 11:57:25 +01:00			`syscall_file=$BASE/linux/aarch64_syscall.h.in`
Add seccomp syscall filtering to kore. With this commit all Kore processes (minus the parent) are running under seccomp. The worker processes get the bare minimum allowed syscalls while each module like curl, pgsql, etc will add their own filters to allow what they require. New API functions: int kore_seccomp_filter(const char name, void filter, size_t len); Adds a filter into the seccomp system (must be called before seccomp is enabled). New helpful macro: define KORE_SYSCALL_ALLOW(name) Allow the syscall with a given name, should be used in a sock_filter data structure. New hooks: void kore_seccomp_hook(void); Called before seccomp is enabled, allows developers to add their own BPF filters into seccomp. 2019-09-25 12:25:49 +00:00			`;;`
			`esac`

			`cat << __EOF`
			`/* Auto generated by linux-platform.sh - DO NOT EDIT */`
Allow configuring seccomp on Linux via the python api. A new hook in the koreapp class is called right before seccomp is enabled. This hook receives a Kore seccomp object which has the following methods: seccomp.allow("syscall") seccomp.allow_arg("syscall", arg, value) seccomp.allow_flag("syscall", arg, flag) seccomp.allow_mask("syscall", arg, mask) seccomp.deny("syscall") seccomp.deny_arg("syscall", arg, value, errno=EACCES) seccomp.deny_flag("syscall", arg, flag, errno=EACCES) seccomp.deny_mask("syscall", arg, mask, errno=EACCES) This allows you to finetune the seccomp filters for your application from inside your koreapp. 2019-10-04 10:59:48 +02:00
			`#include <sys/syscall.h>`

Add seccomp syscall filtering to kore. With this commit all Kore processes (minus the parent) are running under seccomp. The worker processes get the bare minimum allowed syscalls while each module like curl, pgsql, etc will add their own filters to allow what they require. New API functions: int kore_seccomp_filter(const char name, void filter, size_t len); Adds a filter into the seccomp system (must be called before seccomp is enabled). New helpful macro: define KORE_SYSCALL_ALLOW(name) Allow the syscall with a given name, should be used in a sock_filter data structure. New hooks: void kore_seccomp_hook(void); Called before seccomp is enabled, allows developers to add their own BPF filters into seccomp. 2019-09-25 12:25:49 +00:00			`#define SECCOMP_AUDIT_ARCH $seccomp_audit_arch`
Allow configuring seccomp on Linux via the python api. A new hook in the koreapp class is called right before seccomp is enabled. This hook receives a Kore seccomp object which has the following methods: seccomp.allow("syscall") seccomp.allow_arg("syscall", arg, value) seccomp.allow_flag("syscall", arg, flag) seccomp.allow_mask("syscall", arg, mask) seccomp.deny("syscall") seccomp.deny_arg("syscall", arg, value, errno=EACCES) seccomp.deny_flag("syscall", arg, flag, errno=EACCES) seccomp.deny_mask("syscall", arg, mask, errno=EACCES) This allows you to finetune the seccomp filters for your application from inside your koreapp. 2019-10-04 10:59:48 +02:00
			`struct {`
			`const char *name;`
			`int nr;`
			`} kore_syscall_map [] = {`
			`__EOF`

Change the way the linux syscall maps are made. Use the syscall.h.in files from musl and generate the syscall maps from there. Now we have proper support for x86_64, i386, arm and aarch64 to have syscall maps. 2019-11-06 11:57:25 +01:00			`sed 's/__NR_//' $syscall_file \| awk '/#define/ { syscall = $2; number = $3; printf " { \"%s\", %d },\n", syscall, number }'`
Allow configuring seccomp on Linux via the python api. A new hook in the koreapp class is called right before seccomp is enabled. This hook receives a Kore seccomp object which has the following methods: seccomp.allow("syscall") seccomp.allow_arg("syscall", arg, value) seccomp.allow_flag("syscall", arg, flag) seccomp.allow_mask("syscall", arg, mask) seccomp.deny("syscall") seccomp.deny_arg("syscall", arg, value, errno=EACCES) seccomp.deny_flag("syscall", arg, flag, errno=EACCES) seccomp.deny_mask("syscall", arg, mask, errno=EACCES) This allows you to finetune the seccomp filters for your application from inside your koreapp. 2019-10-04 10:59:48 +02:00
			`cat << __EOF`
			`{ NULL, 0 }`
			`};`
Add seccomp syscall filtering to kore. With this commit all Kore processes (minus the parent) are running under seccomp. The worker processes get the bare minimum allowed syscalls while each module like curl, pgsql, etc will add their own filters to allow what they require. New API functions: int kore_seccomp_filter(const char name, void filter, size_t len); Adds a filter into the seccomp system (must be called before seccomp is enabled). New helpful macro: define KORE_SYSCALL_ALLOW(name) Allow the syscall with a given name, should be used in a sock_filter data structure. New hooks: void kore_seccomp_hook(void); Called before seccomp is enabled, allows developers to add their own BPF filters into seccomp. 2019-09-25 12:25:49 +00:00			`__EOF`