base-linux: enabled seccomp

base-linux uses seccomp to reduce the available system calls
to the minimum set needed to run base-linux. There are still
some syscalls that allow accessing global state which should
be further reduced.

The combination of seccomp and socket descriptor caps should
provide an intermediate level of security for base-linux
thereby enabling base-linux as a migration path from using
the Linux kernel to the use of microkernel-based Genode.

Fixes #3581

repos/base-linux/src/lib/base/platform.cc

@@ -12,9 +12,51 @@
  * under the terms of the GNU Affero General Public License version 3.
  */
 
+/* Genode includes */
+#include <base/log.h>
 
 /* base-internal includes */
 #include <base/internal/globals.h>
+#include <linux_syscalls.h>
+#include <errno.h>
+#include <sys/prctl.h>     /* prctl */
+#include <linux/seccomp.h> /* seccomp's constants */
 
-void Genode::binary_ready_hook_for_platform() { }
+using namespace Genode;
+
+extern char _binary_seccomp_bpf_policy_bin_start[];
+extern char _binary_seccomp_bpf_policy_bin_end[];
+
+struct bpf_program {
+  Genode::uint16_t blk_cnt;
+  Genode::uint64_t* blks;
+};
+
+void Genode::binary_ready_hook_for_platform()
+{
+	if (lx_prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) {
+		error("PR_SET_NO_NEW_PRIVS failed");
+		throw Exception();
+	}
+
+	for (char* i = _binary_seccomp_bpf_policy_bin_start;
+	     i < _binary_seccomp_bpf_policy_bin_end - sizeof(Genode::uint32_t); i++) {
+		Genode::uint32_t* v = reinterpret_cast<Genode::uint32_t*>(i);
+		if (*v == 0xCAFEAFFE) {
+			*v = lx_getpid();
+		}
+	}
+
+	bpf_program program;
+	program.blk_cnt = (_binary_seccomp_bpf_policy_bin_end -
+	                   _binary_seccomp_bpf_policy_bin_start) /
+	                   sizeof(Genode::uint64_t);
+	program.blks = (Genode::uint64_t*)_binary_seccomp_bpf_policy_bin_start;
+	Genode::uint64_t flags = SECCOMP_FILTER_FLAG_TSYNC;
+	auto ret = lx_seccomp(SECCOMP_SET_MODE_FILTER, flags, &program);
+	if (ret != 0) {
+		error("SECCOMP_SET_MODE_FILTER failed ", ret);
+		throw Exception();
+	}
+}
 

repos/base-linux/src/lib/base/thread_linux.cc

@@ -123,7 +123,10 @@ void Thread::_deinit_platform_thread()
 	for (;;) {
 
 		/* destroy thread locally */
-		int ret = lx_tgkill(native_thread().pid, native_thread().tid, LX_SIGCANCEL);
+		int pid = native_thread().pid;
+		if (pid == 0) break;
+
+		int ret = lx_tgkill(pid, native_thread().tid, LX_SIGCANCEL);
 
 		if (ret < 0) break;
 

repos/base-linux/src/lib/seccomp/seccomp_bpf_policy.h

@@ -0,0 +1,40 @@
+/*
+ * \brief  Including seccomp filter policy binary
+ * \author Stefan Thoeni
+ * \date   2019-12-13
+ */
+
+/*
+ * Copyright (C) 2019 Genode Labs GmbH
+ * Copyright (C) 2019 gapfruit AG
+ *
+ * This file is part of the Genode OS framework, which is distributed
+ * under the terms of the GNU Affero General Public License version 3.
+ */
+
+#ifndef _LIB__SECCOMP_BPF_POLICY_H_
+#define _LIB__SECCOMP_BPF_POLICY_H_
+
+#define STR2(x) #x
+#define STR(x) STR2(x)
+
+#define INCBIN(name, file) \
+    __asm__(".section .rodata\n" \
+            ".global incbin_" STR(name) "_start\n" \
+            ".type incbin_" STR(name) "_start, @object\n" \
+            ".balign 16\n" \
+            "incbin_" STR(name) "_start:\n" \
+            ".incbin \"" file "\"\n" \
+            \
+            ".global incbin_" STR(name) "_end\n" \
+            ".type incbin_" STR(name) "_end, @object\n" \
+            ".balign 1\n" \
+            "incbin_" STR(name) "_end:\n" \
+            ".byte 0\n" \
+    ); \
+    extern const __attribute__((aligned(16))) void* incbin_ ## name ## _start; \
+    extern const void* incbin_ ## name ## _end; \
+
+INCBIN(seccomp_bpf_policy, "seccomp_bpf_policy.bin");
+
+#endif /* _LIB__SECCOMP_BPF_POLICY_H_ */

repos/base-linux/src/lib/seccomp/update.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+
+# Build and update seccomp Berkeley Packet Filter binary
+# for use in base-linux
+
+SCRIPT_FILE=$(realpath "$0")
+SCRIPT_DIR=$(dirname $SCRIPT_FILE)
+
+make -C $SCRIPT_DIR/../../../../../tool/seccomp \
+&& cp $SCRIPT_DIR/../../../../../tool/seccomp/seccomp_bpf_policy_x86_32.bin $SCRIPT_DIR/spec/x86_32/seccomp_bpf_policy.bin\
+&& cp $SCRIPT_DIR/../../../../../tool/seccomp/seccomp_bpf_policy_x86_64.bin $SCRIPT_DIR/spec/x86_64/seccomp_bpf_policy.bin\
+&& cp $SCRIPT_DIR/../../../../../tool/seccomp/seccomp_bpf_policy_arm.bin $SCRIPT_DIR/spec/arm/seccomp_bpf_policy.bin \
+&& make -C $SCRIPT_DIR/../../../../../tool/seccomp clean \
+|| exit $?
+

repos/base-linux/src/lib/syscall/linux_syscalls.h

@@ -522,4 +522,16 @@ inline bool lx_sigsetmask(int signum, bool state)
 }
 
 
+inline int lx_prctl(int option, unsigned long arg2, unsigned long arg3,
+                                unsigned long arg4, unsigned long arg5)
+{
+	return lx_syscall(SYS_prctl, option, arg2, arg3, arg4, arg5);
+}
+
+
+inline int lx_seccomp(int option, int flag, void* program)
+{
+	return lx_syscall(SYS_seccomp, option, flag, program);
+}
+
 #endif /* _LIB__SYSCALL__LINUX_SYSCALLS_H_ */