Implement policy knitting

It is too hard to tweak bison / flex stuff to combine policies
targeting different architectures so I decided to generate a
separate policy for every target and companion architecture,
and knit them altogether following these rules:

 * The architecture check of each target policy passes the
   control to the next target policy if present, or returns KILL
   if no more architectures left. This ensures no target
   architecture can slip towards filter
   (see google#19)

 * The default action of each target architecture passes the
   control to the next companion architecture if present.

   This is sufficient assuming there can be only one companion
   architecture for any target architecture.

Signed-off-by: Vasyl Gello <[email protected]>

Author: basilgello

src/codegen.c

@@ -26,6 +26,7 @@
 #include <stddef.h>
 #include <stdint.h>
 #include <stdlib.h>
+#include <string.h>
 #include <sys/queue.h>
 
 #include "common.h"
@@ -113,6 +114,14 @@ struct codegen_ctxt {
   size_t max_stack_ptr;
 };
 
+void free_sock_program(struct sock_fprog* prog) {
+  ASSERT(prog);
+
+  if (prog->filter) free(prog->filter);
+  prog->filter = NULL;
+  prog->len = 0;
+}
+
 static struct codegen_ctxt *context_create(void) {
   struct codegen_ctxt *ctxt = calloc(1, sizeof(*ctxt));
   ctxt->buffer.capacity = CODEGEN_INITAL_BUFFER_SIZE;
@@ -288,6 +297,8 @@ static int add_jump_set(struct codegen_ctxt *ctxt, __u32 what, int tloc,
   BPF_STMT(BPF_LD + BPF_W + BPF_ABS, offsetof(struct seccomp_data, nr))
 #define BPF_LOAD_ARG_WORD(arg, high) \
   BPF_STMT(BPF_LD + BPF_W + BPF_ABS, ARG_WORD(arg, high))
+#define BPF_NEXT_ARCH_MARKER \
+  BPF_STMT(BPF_LD + BPF_W + BPF_ABS, 0x12345678)
 
 static bool is_const_value(struct expr_tree *expr, int word) {
   return word == HIGH_WORD ? expr->high.is_const : expr->low.is_const;
@@ -615,15 +626,23 @@ int compile_policy(struct kafel_ctxt *kafel_ctxt, struct sock_fprog *prog) {
   normalize_rules(rules, kafel_ctxt->default_action);
   int begin = CURRENT_LOC;
   int next = generate_rules(ctxt, rules->data, rules->len);
+  int next2 = 0;
   range_rules_destroy(&rules);
   if (next > begin) {
     begin = next = ADD_INSTR(BPF_LOAD_SYSCALL);
+    if (!kafel_ctxt->use_companion_arch) {
+      next2 = ADD_INSTR(BPF_NEXT_ARCH_MARKER);
+    } else {
+      next2 = next;
+    }
   } else {
-    next = -kafel_ctxt->default_action;
+    next2 = next = -kafel_ctxt->default_action;
   }
-  next = add_jump(ctxt, BPF_JEQ, kafel_ctxt->target_arch, next, -ACTION_KILL);
-  if (next > begin) {
-    begin = next = ADD_INSTR(BPF_LOAD_ARCH);
+  if (!kafel_ctxt->use_companion_arch) {
+    next = add_jump(ctxt, BPF_JEQ, kafel_ctxt->target_arch, next, next2);
+    if (next > begin) {
+      begin = next = ADD_INSTR(BPF_LOAD_ARCH);
+    }
   }
   if (next < 0) {
     resolve_location(ctxt, next);
@@ -639,3 +658,89 @@ int compile_policy(struct kafel_ctxt *kafel_ctxt, struct sock_fprog *prog) {
   context_destroy(&ctxt);
   return rv;
 }
+
+int knit_policy(struct kafel_ctxt* kafel_ctxt,
+                struct sock_fprog* target_programs,
+                struct sock_fprog* companion_programs,
+                int default_action,
+                struct sock_fprog* prog)
+{
+  unsigned char i = 0;
+  uint32_t j = 0;
+  uint32_t k = 0;
+  uint32_t cur_target_policy_start = 0;
+  uint32_t total_count = 1;
+
+  for (i = 0; i < MAX_TARGET_ARCHS; i++) {
+    if (!target_programs[i].len) continue;
+    total_count += target_programs[i].len;
+    if (!companion_programs[i].len) continue;
+    total_count += companion_programs[i].len;
+  }
+
+  struct sock_filter* filters = calloc(total_count, sizeof(struct sock_filter));
+  if (!filters) {
+    append_error(kafel_ctxt, "Cannot allocate %d bytes of memory",
+                 total_count * sizeof(struct sock_filter));
+
+    for (i = 0; i < MAX_TARGET_ARCHS; i++) {
+      free_sock_program(&target_programs[i]);
+      free_sock_program(&companion_programs[i]);
+    }
+
+    return -1;
+  }
+
+  for (i = 0; i < MAX_TARGET_ARCHS; i++) {
+    if (!target_programs[i].len) continue;
+
+    cur_target_policy_start = k;
+
+    memcpy(&filters[k], target_programs[i].filter,
+          target_programs[i].len * sizeof(struct sock_filter));
+    k += target_programs[i].len;
+
+    if (companion_programs[i].len) {
+      // In parent policy replace default action with JA
+      // to start of companion policy
+
+      for (j = k - 1; j > (k - target_programs[i].len); j--) {
+        if (filters[j].code == (BPF_RET | BPF_K) &&
+            filters[j].jt == 0 &&
+            filters[j].jf == 0 &&
+            filters[j].k == ACTION_TO_BPF(default_action)) {
+          filters[j].code = BPF_JMP | BPF_JA;
+          filters[j].k = k - j - 1;
+          break;
+        }
+      }
+
+      memcpy(&filters[k], companion_programs[i].filter,
+            companion_programs[i].len * sizeof(struct sock_filter));
+      k += companion_programs[i].len;
+    }
+
+    // Replace marker JA to next parent policy
+
+    for (j = cur_target_policy_start; j < k; j++) {
+        if (filters[j].code == (BPF_LD + BPF_W + BPF_ABS) &&
+            filters[j].jt == 0 &&
+            filters[j].jf == 0 &&
+            filters[j].k == 0x12345678) {
+          filters[j].code = BPF_JMP | BPF_JA;
+          filters[j].k = k - j - 1;
+          break;
+        }
+    }
+  }
+
+  // Finally, add one KILL statement to complete jumps
+
+  filters[total_count - 1].code = BPF_RET | BPF_K;
+  filters[total_count - 1].k = SECCOMP_RET_KILL;
+
+  prog->len = total_count;
+  prog->filter = filters;
+
+  return 0;
+}

src/codegen.h

@@ -26,5 +26,11 @@
 #include "context.h"
 
 int compile_policy(struct kafel_ctxt *kafel_ctxt, struct sock_fprog *prog);
+void free_sock_program(struct sock_fprog* prog);
+int knit_policy(struct kafel_ctxt* kafel_ctxt,
+                struct sock_fprog* target_programs,
+                struct sock_fprog* companion_programs,
+                int default_action,
+                struct sock_fprog* prog);
 
 #endif /* KAFEL_CODEGEN_H */

src/context.h

@@ -21,6 +21,8 @@
 #ifndef KAFEL_CONTEXT_H
 #define KAFEL_CONTEXT_H
 
+#include <linux/audit.h>
+
 #include <stdbool.h>
 #include <stddef.h>
 #include <stdint.h>

src/kafel.c

@@ -163,14 +163,74 @@ KAFEL_API int kafel_compile(kafel_ctxt_t ctxt, struct sock_fprog* prog) {
     return -EINVAL;
   }
 
-  kafel_ctxt_reset(ctxt);
+  struct sock_fprog target_programs[MAX_TARGET_ARCHS] = { 0 };
+  struct sock_fprog companion_programs[MAX_TARGET_ARCHS] = { 0 };
+  unsigned char i = 0;
+  int default_action = 0;
+
+  for (i = 0; i < MAX_TARGET_ARCHS; i++) {
+    if (!ctxt->all_architectures[i]) continue;
+
+    kafel_ctxt_reset(ctxt);
+    set_target_arch(ctxt, ctxt->all_architectures[i]);
+    set_use_companion_arch(ctxt, false);
+
+    int rv = parse(ctxt);
+    if (rv) {
+      for (i = 0; i < MAX_TARGET_ARCHS; i++) {
+        free_sock_program(&target_programs[i]);
+        free_sock_program(&companion_programs[i]);
+      }
+
+      return rv;
+    }
+
+    default_action = ctxt->default_action;
+
+    rv = compile_policy(ctxt, &target_programs[i]);
+    if (rv) {
+      for (i = 0; i < MAX_TARGET_ARCHS; i++) {
+        free_sock_program(&target_programs[i]);
+        free_sock_program(&companion_programs[i]);
+      }
+
+      return rv;
+    }
+
+    if (!rv && target_programs[0].len == 1) {
+      *prog = target_programs[0];
+      return rv;
+    }
 
-  int rv = parse(ctxt);
-  if (rv) {
-    return rv;
+    kafel_ctxt_reset(ctxt);
+    set_target_arch(ctxt, ctxt->all_architectures[i]);
+    set_use_companion_arch(ctxt, true);
+
+    rv = parse(ctxt);
+    if (rv) {
+      if (rv == -2) continue;
+
+      for (i = 0; i < MAX_TARGET_ARCHS; i++) {
+        free_sock_program(&target_programs[i]);
+        free_sock_program(&companion_programs[i]);
+      }
+
+      return rv;
+    }
+
+    rv = compile_policy(ctxt, &companion_programs[i]);
+    if (rv) {
+      for (i = 0; i < MAX_TARGET_ARCHS; i++) {
+        free_sock_program(&target_programs[i]);
+        free_sock_program(&companion_programs[i]);
+      }
+
+      return rv;
+    }
   }
 
-  return compile_policy(ctxt, prog);
+  return knit_policy(ctxt, target_programs, companion_programs,
+                     default_action, prog);
 }
 
 KAFEL_API int kafel_compile_file(FILE* file, struct sock_fprog* prog) {