Add ability to list syscalls blocked by seccomp #15

Merged (1 commit), Nov 14, 2018

Conversation

staaldraad
Contributor

Adds a switch -s to toggle listing of available syscalls. The check tries to invoke all syscalls and takes note of the errno returned. It is assumed that with seccomp filtering enabled we'll get an EPERM or EACCES (depending on runtime: Docker vs LXC respectively), and it doesn't matter that we haven't created a correct syscall, since seccomp filtering happens before invocation.

This approach has meant that some syscalls are not checked, as they influence the currently running binary. There are also false positives related to sys_setuid and sys_setgid, since a correct syscall to these can result in EPERM if the amicontained process isn't privileged.

Docker example:

$ sudo docker run -it --rm -v `pwd`/amicontained:/amicontained ubuntu:18.04 ./amicontained -s
Container Runtime: docker
Has Namespaces:
        pid: true
        user: false
AppArmor Profile: docker-default (enforce)
Capabilities:
        BOUNDING -> chown dac_override fowner fsetid kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap
Seccomp: filtering
Blocked Syscalls:
        MSGRCV PTRACE SYSLOG SETPGID SETSID USELIB USTAT SYSFS VHANGUP PIVOT_ROOT _SYSCTL ACCT SETTIMEOFDAY MOUNT UMOUNT2 SWAPON SWAPOFF REBOOT SETHOSTNAME SETDOMAINNAME IOPL IOPERM CREATE_MODULE INIT_MODULE DELETE_MODULE GET_KERNEL_SYMS QUERY_MODULE QUOTACTL NFSSERVCTL GETPMSG PUTPMSG AFS_SYSCALL TUXCALL SECURITY LOOKUP_DCOOKIE CLOCK_SETTIME VSERVER MBIND SET_MEMPOLICY GET_MEMPOLICY KEXEC_LOAD ADD_KEY REQUEST_KEY KEYCTL MIGRATE_PAGES UNSHARE MOVE_PAGES PERF_EVENT_OPEN FANOTIFY_INIT NAME_TO_HANDLE_AT OPEN_BY_HANDLE_AT CLOCK_ADJTIME SETNS PROCESS_VM_READV PROCESS_VM_WRITEV KCMP FINIT_MODULE

LXC example:

$ ./amicontained -s
Container Runtime: lxc
Has Namespaces:
        pid: true
        user: true
User Namespace Mappings:
        Container -> 0  Host -> 1000000 Range -> 1000
        Container -> 1000       Host -> 1000    Range -> 1
        Container -> 1001       Host -> 1001001 Range -> 999998999
AppArmor Profile: kernel
Capabilities:
        BOUNDING -> chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read
Seccomp: filtering
Blocked Syscalls:
        SYSLOG SETUID SETGID SETSID SETREUID SETREGID SETGROUPS SETRESUID SETRESGID VHANGUP PIVOT_ROOT SETTIMEOFDAY UMOUNT2 REBOOT SETHOSTNAME SETDOMAINNAME FUTIMESAT UTIMENSAT

If running with -d debugging, the allowed syscalls will also be listed.

Note

The syscallName function would probably be better housed in a separate file, but I'm not too sure how you prefer to structure these things.
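Worked example added by the editor, not code from this PR or from amicontained: a minimal linux/amd64 probe that does what the description above sketches. It invokes every syscall number with all-invalid arguments through syscall.RawSyscall6 and treats EPERM/EACCES as the signature of a seccomp ERRNO action. Everything here is this example's own assumption rather than the PR's: the skip list, the capGated set, maxSyscall = 334, and the two numeric literals used because Go's frozen syscall package lacks those constants. The errno a filter returns and which syscalls are capability-gated depend on the runtime and kernel.

```go
package main

import (
	"fmt"
	"syscall"
)

// Editor's example for linux/amd64, not the PR's code. A seccomp filter with an
// ERRNO action rejects a call before the kernel looks at its arguments, so every
// syscall number can be probed with junk arguments: an allowed call fails with
// EBADF/EFAULT/EINVAL (or succeeds harmlessly), a filtered one returns the
// filter's errno (EPERM under Docker's default profile, EACCES under LXC).
// A KILL-action filter would terminate the probe instead; that is assumed absent.

// maxSyscall is the highest number probed; 334 (rseq) is an assumption for the
// x86-64 table of a 2018-era kernel and should be raised for newer kernels.
const maxSyscall = 334

// bogus is not a valid fd, pointer, pid or flag set, so allowed calls fail fast.
const bogus = ^uintptr(0)

// skip lists calls that must not be made even with junk arguments because they
// would exit, fork, block, replace the image or change session/signal state.
// 317 (seccomp) and 322 (execveat) are literals: the frozen syscall package lacks them.
var skip = map[uintptr]string{
	syscall.SYS_EXIT: "exit", syscall.SYS_EXIT_GROUP: "exit_group",
	syscall.SYS_FORK: "fork", syscall.SYS_VFORK: "vfork", syscall.SYS_CLONE: "clone",
	syscall.SYS_EXECVE: "execve", 322: "execveat",
	syscall.SYS_KILL: "kill", syscall.SYS_TKILL: "tkill", syscall.SYS_TGKILL: "tgkill",
	syscall.SYS_PAUSE: "pause", syscall.SYS_ALARM: "alarm",
	syscall.SYS_RT_SIGRETURN: "rt_sigreturn", syscall.SYS_RT_SIGSUSPEND: "rt_sigsuspend",
	syscall.SYS_RESTART_SYSCALL: "restart_syscall", syscall.SYS_SET_TID_ADDRESS: "set_tid_address",
	syscall.SYS_SETSID: "setsid", syscall.SYS_VHANGUP: "vhangup",
	syscall.SYS_REBOOT: "reboot", 317: "seccomp",
}

// capGated is an illustrative, non-exhaustive set of calls the kernel refuses
// with EPERM when the caller lacks a capability, so EPERM from them does not
// prove a filter (the setuid/setgid false positive from the PR description).
var capGated = map[uintptr]bool{
	syscall.SYS_SETUID: true, syscall.SYS_SETGID: true,
	syscall.SYS_SWAPON: true, syscall.SYS_SWAPOFF: true,
	syscall.SYS_INIT_MODULE: true, syscall.SYS_DELETE_MODULE: true,
	syscall.SYS_KEXEC_LOAD: true, syscall.SYS_ACCT: true,
	syscall.SYS_MOUNT: true, syscall.SYS_PIVOT_ROOT: true,
	syscall.SYS_SETHOSTNAME: true, syscall.SYS_SETDOMAINNAME: true,
}

// Result is one syscall that looked filtered.
type Result struct {
	Nr        uintptr
	Errno     syscall.Errno
	Ambiguous bool // EPERM could be a capability check rather than seccomp
}

// probe invokes syscall nr with every argument set to bogus and returns the
// errno, 0 on success. RawSyscall6 bypasses the Go scheduler, which is fine for
// calls that return immediately (the skip list keeps out the ones that don't).
func probe(nr uintptr) syscall.Errno {
	_, _, errno := syscall.RawSyscall6(nr, bogus, bogus, bogus, bogus, bogus, bogus)
	return errno
}

// blockedByFilter is the errno signature of a seccomp ERRNO action as
// configured by Docker (EPERM) and LXC (EACCES).
func blockedByFilter(errno syscall.Errno) bool {
	return errno == syscall.EPERM || errno == syscall.EACCES
}

// scan probes 0..maxSyscall in order, minus the skip list, and returns the
// calls whose errno matches a filter action.
func scan() []Result {
	var blocked []Result
	for nr := uintptr(0); nr <= maxSyscall; nr++ {
		if _, dangerous := skip[nr]; dangerous {
			continue
		}
		if errno := probe(nr); blockedByFilter(errno) {
			blocked = append(blocked, Result{nr, errno, capGated[nr]})
		}
	}
	return blocked
}

func main() {
	fmt.Println("Blocked Syscalls (number: errno):")
	for _, r := range scan() {
		note := ""
		if r.Ambiguous {
			note = "  (capability-gated; verify against the bounding set)"
		}
		fmt.Printf("\t%d: %v%s\n", r.Nr, r.Errno, note)
	}
	fmt.Printf("Skipped %d syscalls that would disturb the probe.\n", len(skip))
}
```

Run it inside the container under test. Calls in the capGated set are reported with a note rather than silently counted, which is the practical answer to the setuid/setgid false positive: compare them against the capability bounding set before calling them filtered. If the filter's action is SECCOMP_RET_KILL rather than ERRNO the process dies part-way through the scan, and that disappearance is itself the finding.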

@staaldraad
Contributor Author

I missed that this doesn't compile for:

  • linux/arm
  • linux/arm64
  • linux/386

So it breaks your auto-releases. Happy to close this PR and keep these checks as a separate project instead; not sure how many people would actually have a need for seccomp checking.

@jessfraz
Collaborator

ah this is awesome! thanks!

@jessfraz jessfraz merged commit 50349f7 into genuinetools:master Nov 14, 2018
patrickdung added a commit to patrickdung/amicontained-build that referenced this pull request Jan 27, 2022
only build arm64
reverted this commit genuinetools#15
and functionality is not same as amd64
2)
make docker.sock hunting optional
include genuinetools#25