Remove seccomp support.

It breaks with the existing whitelists on the latest glibc and is just too much maintenance burden. It also causes the most questions for new users. Something like openbsd's pledge() would be fine, but I have no intention of maintaining such a thing. Most of the value-gain would come from disallowing high-risk syscalls like ptrace() and the perf syscalls, anyway. ndhc already uses extensive defense-in-depth and wasn't using seccomp on non-(x86|x86-64) platforms, so it's not a huge loss.
niklata · Feb 9, 2018 · e08d3b1 · e08d3b1
1 parent e8d9720
commit e08d3b1
Show file tree

Hide file tree

Showing 8 changed files with 2 additions and 305 deletions.
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -134,19 +134,6 @@ else()
   set(MACHINENAME $ENV{CROSSCOMPILE_MACHINENAME})
 endif()
 
-if (${MACHINENAME} STREQUAL "x86_64")
-  message("Detected that the current host is x86_64.  Enabling seccomp-filter.")
-  set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DENABLE_SECCOMP_FILTER")
-  set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -DENABLE_SECCOMP_FILTER")
-elseif ((${MACHINENAME} STREQUAL "i686") OR (${MACHINENAME} STREQUAL "i586") OR
-        (${MACHINENAME} STREQUAL "i486") OR (${MACHINENAME} STREQUAL "i386"))
-  message("Detected that the current host is x86.  Enabling seccomp-filter.")
-  set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DENABLE_SECCOMP_FILTER")
-  set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -DENABLE_SECCOMP_FILTER")
-else()
-  message("Host machine type does not support seccomp-filter.")
-endif()
-
 include_directories("${PROJECT_SOURCE_DIR}/ncmlib")
 add_subdirectory(ncmlib)
 

diff --git a/src/cfg.rl b/src/cfg.rl
@@ -11,7 +11,6 @@
 #include "ndhc.h"
 #include "ifchd.h"
 #include "sockd.h"
-#include "seccomp.h"
 #include "nk/log.h"
 #include "nk/privilege.h"
 #include "nk/copy_cmdarg.h"
@@ -108,10 +107,8 @@ struct cfgparse {
         copy_cmdarg(state_dir, ccfg.buf, sizeof state_dir, "state-dir");
     }
     action seccomp_enforce {
-        switch (ccfg.ternary) {
-        case 1: seccomp_enforce = true; break;
-        case -1: seccomp_enforce = false; default: break;
-        }
+        log_line("seccomp_enforce option is deprecated; please remove it");
+        log_line("In the meanwhile, it is ignored and seccomp is disabled.");
     }
     action relentless_defense {
         switch (ccfg.ternary) {

diff --git a/src/ifchd.c b/src/ifchd.c
@@ -45,7 +45,6 @@
 #include "nk/signals.h"
 #include "nk/io.h"
 
-#include "seccomp.h"
 #include "ifchd.h"
 #include "ndhc.h"
 #include "ifchd-parse.h"
@@ -346,9 +345,6 @@ static void do_ifch_work(void)
     if (epollfd < 0)
         suicide("epoll_create1 failed");
 
-    if (enforce_seccomp_ifch())
-        log_line("ifch seccomp filter cannot be installed");
-
     cl.state = STATE_NOTHING;
     memset(cl.ibuf, 0, sizeof cl.ibuf);
     memset(cl.namesvrs, 0, sizeof cl.namesvrs);

diff --git a/src/ndhc.8 b/src/ndhc.8
@@ -101,15 +101,6 @@ hostname option field provided by a remote DHCP server on the request of
 a ndhc client.  If this option is not specified, ndhc will never change
 the system hostname.
 .TP
-.BI \-S ,\  \-\-seccomp\-enforce
-Enforces seccomp-based syscall whitelisting.  System calls that ndhc and
-ndhc-ifch are not expected to need are prohibited from being called if this
-flag is set.  The lists of allowed syscalls are hardcoded, and attempts
-to call a non-listed syscall will result in the ndhc process being
-terminated.  As systems vary, it cannot be guaranteed that these system
-call lists are accurate for your system, and thus seccomp filtering will
-not be used unless this flag is set.
-.TP
 .BI \-w\  TIMEMS ,\  \-\-arp\-probe\-wait= TIMEMS
 Adjusts the time that we wait for an ARP response when checking to see if
 our lease assignment is already taken by an existing host.  Default is

diff --git a/src/ndhc.c b/src/ndhc.c
@@ -57,7 +57,6 @@
 #include "ndhc.h"
 #include "ndhc-defines.h"
 #include "cfg.h"
-#include "seccomp.h"
 #include "state.h"
 #include "options.h"
 #include "dhcp.h"
@@ -145,9 +144,6 @@ void show_usage(void)
 "  -D, --sockd-user=USER           Change ndhc-sockd privileges to this user\n"
 "  -C, --chroot=DIR                Chroot to this directory\n"
 "  -s, --state-dir=DIR             State storage dir (default: /etc/ndhc)\n"
-#ifdef ENABLE_SECCOMP_FILTER
-"  -S, --seccomp-enforce           Enforce seccomp syscall restrictions\n"
-#endif
 "  -d, --relentless-defense        Never back off in defending IP against\n"
 "                                  conflicting hosts (servers only)\n"
 "  -w, --arp-probe-wait            Time to delay before first ARP probe\n"
@@ -270,9 +266,6 @@ static void do_ndhc_work(void)
     if (cs.epollFd < 0)
         suicide("epoll_create1 failed");
 
-    if (enforce_seccomp_ndhc())
-        log_line("ndhc seccomp filter cannot be installed");
-
     setup_signals_ndhc();
 
     epoll_add(cs.epollFd, cs.nlFd);

diff --git a/src/seccomp.c b/src/seccomp.c
diff --git a/src/seccomp.h b/src/seccomp.h
diff --git a/src/sockd.c b/src/sockd.c
@@ -57,7 +57,6 @@
 #include "ndhc.h"
 #include "dhcp.h"
 #include "sys.h"
-#include "seccomp.h"
 
 static int epollfd, signalFd;
 /* Slots are for signalFd and the ndhc -> ifchd socket. */
@@ -555,9 +554,6 @@ static void do_sockd_work(void)
     if (epollfd < 0)
         suicide("epoll_create1 failed");
 
-    if (enforce_seccomp_sockd())
-        log_line("sockd seccomp filter cannot be installed");
-
     epoll_add(epollfd, sockdSock[1]);
     epoll_add(epollfd, sockdStream[1]);
     epoll_add(epollfd, signalFd);