Excluding insecure syscalls by default from global requirements, unle…

…ss specified otherwise
avilum · Apr 30, 2023 · 78ac4da · 78ac4da
1 parent 64d5179
commit 78ac4da
Showing 1 changed file with 245 additions and 0 deletions.
diff --git a/secimport/backends/common/utils.py b/secimport/backends/common/utils.py
@@ -369,6 +369,243 @@
 
 SYSCALLS_NAMES = {str(v): k for k, v in SYSCALLS_NUMBERS.items()}
 
+INSECURE_SYSCALLS = [
+    "vfork",
+    "clone",
+    "access",
+    "chdir",
+    "creat",
+    "dup",
+    "dup2",
+    "execve",
+    "faccessat",
+    "fcntl",
+    "fdatasync",
+    "fork",
+    "fstat",
+    "fsync",
+    "getegid",
+    "geteuid",
+    "getgid",
+    "getgroups",
+    "getpid",
+    "getppid",
+    "getrlimit",
+    "getsockname",
+    "getsid",
+    "getuid",
+    "ioctl",
+    "link",
+    "lseek",
+    "lstat",
+    "mkdir",
+    "mknod",
+    "open",
+    "openat",
+    "pipe",
+    "poll",
+    "read",
+    "readlink",
+    "readv",
+    "recvfrom",
+    "recvmsg",
+    "rename",
+    "rmdir",
+    "select",
+    "sendmsg",
+    "sendto",
+    "setgid",
+    "setgroups",
+    "setpgid",
+    "setpriority",
+    "setregid",
+    "setreuid",
+    "setrlimit",
+    "setsid",
+    "setsockopt",
+    "stat",
+    "symlink",
+    "truncate",
+    "umask",
+    "utime",
+    "utimes",
+    "write",
+    "writev",
+]
+
+# NETWORKING_SYSCALLS = [
+#     "socket",
+#     "connect",
+#     "bind",
+#     "listen",
+#     "accept",
+#     "send",
+#     "recv",
+#     "sendto",
+#     "recvfrom",
+#     "shutdown",
+#     "setsockopt",
+#     "getsockopt",
+#     "getpeername",
+#     "getsockname",
+#     "gethostbyname",
+#     "gethostbyaddr",
+#     "getservbyname",
+#     "getservbyport",
+#     "getifaddrs",
+#     "ioctl",
+#     "rt_names_to_index",
+#     "rt_index_to_name",
+#     "rt_newlink",
+#     "rt_dellink",
+#     "rt_changelink",
+#     "rt_getlink",
+#     "rt_getroute",
+#     "rt_newroute",
+#     "rt_delroute",
+#     "rt_changeroute",
+#     "rt_priority",
+#     "rt_classid",
+#     "rt_mark",
+#     "rt_table",
+#     "rt_protocol",
+#     "rt_scope",
+#     "rt_flags",
+#     "rt_ifindex",
+#     "rt_metric",
+#     "rt_gateway",
+#     "rt_src",
+#     "rt_dst",
+#     "rt_genmask",
+#     "rt_flags",
+#     "rt_refcnt",
+#     "rt_fib",
+#     "rt_nexthop",
+#     "rt_ifa",
+#     "rt_ifa_index",
+#     "rt_ifa_flags",
+#     "rt_ifa_scope",
+#     "rt_ifa_mntr",
+#     "rt_ifa_brd",
+#     "rt_ifa_dst",
+#     "rt_ifa_netmask",
+#     "rt_ifa_net",
+#     "rt_ifa_flags",
+#     "rt_ifa_ifindex",
+#     "rt_ifa_hwaddr",
+#     "rt_ifa_rtnl",
+#     "rt_ifa_type",
+#     "rt_ifa_metric",
+#     "rt_ifa_refcnt",
+#     "rt_ifa_mtu",
+#     "rt_ifa_lladdr",
+#     "rt_ifa_addr",
+#     "rt_ifa_brd",
+#     "rt_ifa_netmask",
+#     "rt_ifa_net",
+#     "rt_ifa_flags",
+#     "rt_ifa_ifindex",
+#     "rt_ifa_hwaddr",
+#     "rt_ifa_rtnl",
+#     "rt_ifa_type",
+#     "rt_ifa_metric",
+#     "rt_ifa_refcnt",
+#     "rt_ifa_mtu",
+#     "rt_ifa_lladdr",
+# ]
+# FILESYSTEM_SYSCALLS = [
+#     "access",
+#     "chdir",
+#     "chmod",
+#     "chown",
+#     "cksum",
+#     "creat",
+#     "ctermid",
+#     "dup",
+#     "dup2",
+#     "execve",
+#     "faccessat",
+#     "fchmod",
+#     "fchown",
+#     "fcntl",
+#     "fdatasync",
+#     "fdopendir",
+#     "fdopen",
+#     "fexecve",
+#     "fflush",
+#     "fgetpos",
+#     "fgets",
+#     "fgetwc",
+#     "fileno",
+#     "flock",
+#     "fmemopen",
+#     "fopen",
+#     "fopencookie",
+#     "fork",
+#     "fputwc",
+#     "fstat",
+#     "fsync",
+#     "ftruncate",
+#     "getegid",
+#     "geteuid",
+#     "getgid",
+#     "getgroups",
+#     "getpid",
+#     "getppid",
+#     "getrlimit",
+#     "getsockname",
+#     "getsid",
+#     "getuid",
+#     "ioctl",
+#     "link",
+#     "lseek",
+#     "lstat",
+#     "mkdir",
+#     "mknod",
+#     "open",
+#     "openat",
+#     "pipe",
+#     "poll",
+#     # "posix_fallocate",
+#     # "posix_fadvise",
+#     # "posix_fadvise64",
+#     "read",
+#     "readlink",
+#     # "readdir",
+#     "readv",
+#     "recv",
+#     "recvfrom",
+#     "recvmsg",
+#     "rename",
+#     "rewind",
+#     "rmdir",
+#     "seekdir",
+#     "select",
+#     "send",
+#     "sendmsg",
+#     "sendto",
+#     "setegid",
+#     "seteuid",
+#     "setgid",
+#     "setgroups",
+#     "setpgid",
+#     "setpriority",
+#     "setregid",
+#     "setreuid",
+#     "setrlimit",
+#     "setsid",
+#     "setsockopt",
+#     "stat",
+#     "symlink",
+#     "truncate",
+#     "umask",
+#     "umount",
+#     "utime",
+#     "utimes",
+#     "write",
+#     "writev",
+# ]
+
 
 def render_syscalls_filter(
     syscalls_list: List[str],
@@ -450,6 +687,14 @@ def build_module_sandbox_from_yaml_template(
     safe_yaml = yaml.safe_load(open(template_path, "r").read())
     parsed_probes = []
     syscalls_filter = ""
+    # Adding the general syscalls filter
+    syscalls_filter += render_syscalls_filter(
+        syscalls_list=INSECURE_SYSCALLS,
+        allow=False,
+        instrumentation_backend=InstrumentationBackend.EBPF,
+        module_name="general_requirements",
+    )
+
     for module_name, module_config in safe_yaml.get("modules", {}).items():
         # Finding the module without loading
         module = importlib.machinery.PathFinder().find_spec(module_name)