1#include <signal.h>
2#include <stdio.h>
3#include <stdlib.h>
4#include <unistd.h>
5#include <errno.h>
6#include <fcntl.h>
7#include <string.h>
8#include <stddef.h>
9#include <sys/sysmacros.h>
10#include <sys/types.h>
11#include <sys/wait.h>
12#include <sys/socket.h>
13#include <sys/stat.h>
14#include <sys/mman.h>
15#include <sys/syscall.h>
16#include <sys/user.h>
17#include <sys/ioctl.h>
18#include <sys/ptrace.h>
19#include <sys/mount.h>
20#include <linux/limits.h>
21#include <linux/filter.h>
22#include <linux/seccomp.h>
23
24#define ARRAY_SIZE(x) (sizeof(x) / sizeof(*(x)))
25
26static int seccomp(unsigned int op, unsigned int flags, void *args)
27{
28 errno = 0;
29 return syscall(__NR_seccomp, op, flags, args);
30}
31
32static int send_fd(int sock, int fd)
33{
34 struct msghdr msg = {};
35 struct cmsghdr *cmsg;
36 char buf[CMSG_SPACE(sizeof(int))] = {0}, c = 'c';
37 struct iovec io = {
38 .iov_base = &c,
39 .iov_len = 1,
40 };
41
42 msg.msg_iov = &io;
43 msg.msg_iovlen = 1;
44 msg.msg_control = buf;
45 msg.msg_controllen = sizeof(buf);
46 cmsg = CMSG_FIRSTHDR(&msg);
47 cmsg->cmsg_level = SOL_SOCKET;
48 cmsg->cmsg_type = SCM_RIGHTS;
49 cmsg->cmsg_len = CMSG_LEN(sizeof(int));
50 *((int *)CMSG_DATA(cmsg)) = fd;
51 msg.msg_controllen = cmsg->cmsg_len;
52
53 if (sendmsg(sock, &msg, 0) < 0) {
54 perror("sendmsg");
55 return -1;
56 }
57
58 return 0;
59}
60
61static int recv_fd(int sock)
62{
63 struct msghdr msg = {};
64 struct cmsghdr *cmsg;
65 char buf[CMSG_SPACE(sizeof(int))] = {0}, c = 'c';
66 struct iovec io = {
67 .iov_base = &c,
68 .iov_len = 1,
69 };
70
71 msg.msg_iov = &io;
72 msg.msg_iovlen = 1;
73 msg.msg_control = buf;
74 msg.msg_controllen = sizeof(buf);
75
76 if (recvmsg(sock, &msg, 0) < 0) {
77 perror("recvmsg");
78 return -1;
79 }
80
81 cmsg = CMSG_FIRSTHDR(&msg);
82
83 return *((int *)CMSG_DATA(cmsg));
84}
85
86static int user_trap_syscall(int nr, unsigned int flags)
87{
88 struct sock_filter filter[] = {
89 BPF_STMT(BPF_LD+BPF_W+BPF_ABS,
90 offsetof(struct seccomp_data, nr)),
91 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, nr, 0, 1),
92 BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_USER_NOTIF),
93 BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),
94 };
95
96 struct sock_fprog prog = {
97 .len = (unsigned short)ARRAY_SIZE(filter),
98 .filter = filter,
99 };
100
101 return seccomp(SECCOMP_SET_MODE_FILTER, flags, &prog);
102}
103
104static int handle_req(struct seccomp_notif *req,
105 struct seccomp_notif_resp *resp, int listener)
106{
107 char path[PATH_MAX], source[PATH_MAX], target[PATH_MAX];
108 int ret = -1, mem;
109
110 resp->id = req->id;
111 resp->error = -EPERM;
112 resp->val = 0;
113
114 if (req->data.nr != __NR_mount) {
115 fprintf(stderr, "huh? trapped something besides mount? %d\n", req->data.nr);
116 return -1;
117 }
118
119
120 if (!(req->data.args[3] & MS_BIND))
121 return 0;
122
123
124
125
126
127 snprintf(path, sizeof(path), "/proc/%d/mem", req->pid);
128 mem = open(path, O_RDONLY);
129 if (mem < 0) {
130 perror("open mem");
131 return -1;
132 }
133
134
135
136
137
138
139
140
141
142
143
144
145 if (ioctl(listener, SECCOMP_IOCTL_NOTIF_ID_VALID, &req->id) < 0) {
146 fprintf(stderr, "task died before we could map its memory\n");
147 goto out;
148 }
149
150
151
152
153
154
155 if (lseek(mem, req->data.args[0], SEEK_SET) < 0) {
156 perror("seek");
157 goto out;
158 }
159
160 ret = read(mem, source, sizeof(source));
161 if (ret < 0) {
162 perror("read");
163 goto out;
164 }
165
166 if (lseek(mem, req->data.args[1], SEEK_SET) < 0) {
167 perror("seek");
168 goto out;
169 }
170
171 ret = read(mem, target, sizeof(target));
172 if (ret < 0) {
173 perror("read");
174 goto out;
175 }
176
177
178
179
180
181
182 if (!strncmp(source, "/tmp/", 5) && !strncmp(target, "/tmp/", 5)) {
183 if (mount(source, target, NULL, req->data.args[3], NULL) < 0) {
184 ret = -1;
185 perror("actual mount");
186 goto out;
187 }
188 resp->error = 0;
189 }
190
191
192
193
194 ret = 0;
195
196out:
197 close(mem);
198 return ret;
199}
200
201int main(void)
202{
203 int sk_pair[2], ret = 1, status, listener;
204 pid_t worker = 0 , tracer = 0;
205
206 if (socketpair(PF_LOCAL, SOCK_SEQPACKET, 0, sk_pair) < 0) {
207 perror("socketpair");
208 return 1;
209 }
210
211 worker = fork();
212 if (worker < 0) {
213 perror("fork");
214 goto close_pair;
215 }
216
217 if (worker == 0) {
218 listener = user_trap_syscall(__NR_mount,
219 SECCOMP_FILTER_FLAG_NEW_LISTENER);
220 if (listener < 0) {
221 perror("seccomp");
222 exit(1);
223 }
224
225
226
227
228 if (setuid(1000) < 0) {
229 perror("setuid");
230 exit(1);
231 }
232
233
234
235
236
237 if (send_fd(sk_pair[1], listener) < 0)
238 exit(1);
239 close(listener);
240
241 if (mkdir("/tmp/foo", 0755) < 0) {
242 perror("mkdir");
243 exit(1);
244 }
245
246
247
248
249 if (mount("/dev/sda", "/tmp/foo", NULL, 0, NULL) != -1) {
250 fprintf(stderr, "huh? mounted /dev/sda?\n");
251 exit(1);
252 }
253
254 if (errno != EPERM) {
255 perror("bad error from mount");
256 exit(1);
257 }
258
259
260
261
262 if (mount("/tmp/foo", "/tmp/foo", NULL, MS_BIND, NULL) < 0) {
263 perror("mount");
264 exit(1);
265 }
266
267 exit(0);
268 }
269
270
271
272
273 listener = recv_fd(sk_pair[0]);
274 if (listener < 0)
275 goto out_kill;
276
277
278
279
280
281
282 tracer = fork();
283 if (tracer < 0) {
284 perror("fork");
285 goto out_kill;
286 }
287
288 if (tracer == 0) {
289 struct seccomp_notif *req;
290 struct seccomp_notif_resp *resp;
291 struct seccomp_notif_sizes sizes;
292
293 if (seccomp(SECCOMP_GET_NOTIF_SIZES, 0, &sizes) < 0) {
294 perror("seccomp(GET_NOTIF_SIZES)");
295 goto out_close;
296 }
297
298 req = malloc(sizes.seccomp_notif);
299 if (!req)
300 goto out_close;
301
302 resp = malloc(sizes.seccomp_notif_resp);
303 if (!resp)
304 goto out_req;
305 memset(resp, 0, sizes.seccomp_notif_resp);
306
307 while (1) {
308 memset(req, 0, sizes.seccomp_notif);
309 if (ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, req)) {
310 perror("ioctl recv");
311 goto out_resp;
312 }
313
314 if (handle_req(req, resp, listener) < 0)
315 goto out_resp;
316
317
318
319
320
321
322
323
324
325
326 if (ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, resp) < 0 &&
327 errno != ENOENT) {
328 perror("ioctl send");
329 goto out_resp;
330 }
331 }
332out_resp:
333 free(resp);
334out_req:
335 free(req);
336out_close:
337 close(listener);
338 exit(1);
339 }
340
341 close(listener);
342
343 if (waitpid(worker, &status, 0) != worker) {
344 perror("waitpid");
345 goto out_kill;
346 }
347
348 if (umount2("/tmp/foo", MNT_DETACH) < 0 && errno != EINVAL) {
349 perror("umount2");
350 goto out_kill;
351 }
352
353 if (remove("/tmp/foo") < 0 && errno != ENOENT) {
354 perror("remove");
355 exit(1);
356 }
357
358 if (!WIFEXITED(status) || WEXITSTATUS(status)) {
359 fprintf(stderr, "worker exited nonzero\n");
360 goto out_kill;
361 }
362
363 ret = 0;
364
365out_kill:
366 if (tracer > 0)
367 kill(tracer, SIGKILL);
368 if (worker > 0)
369 kill(worker, SIGKILL);
370
371close_pair:
372 close(sk_pair[0]);
373 close(sk_pair[1]);
374 return ret;
375}
376