syd 3.52.0

rock-solid application kernel
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93

//
// Syd: rock-solid application kernel
// src/kernel/ioctl.rs: ioctl(2) handler
//
// Copyright (c) 2023, 2024, 2025, 2026 Ali Polatel <alip@chesswob.org>
//
// SPDX-License-Identifier: GPL-3.0

use libseccomp::ScmpNotifResp;
use nix::errno::Errno;

#[cfg(feature = "kcov")]
use crate::kcov::abi::kcov_ioctl;
use crate::{
    ioctl::Ioctl,
    log::get_ioctl_log,
    log_enabled,
    req::UNotifyEventRequest,
    sandbox::{Action, Capability},
    syslog::LogLevel,
    warn,
};

#[expect(clippy::cognitive_complexity)]
pub(crate) fn sys_ioctl(request: UNotifyEventRequest) -> ScmpNotifResp {
    syscall_handler!(request, |request: UNotifyEventRequest| {
        let req = request.scmpreq;
        let sandbox = request.get_sandbox();

        #[cfg(feature = "kcov")]
        {
            // Check ioctl(2) is for KCOV.
            let arg = crate::req::SysArg {
                dirfd: Some(0),
                ..Default::default()
            };
            let (path, _, _) = request.read_path(&sandbox, arg)?;
            if path.is_memory_fd() && path.abs().is_kcov_mfd() {
                return kcov_ioctl(&request);
            }
        }

        // Linux kernel truncates upper bits.
        #[expect(clippy::cast_possible_truncation)]
        let arg = req.data.args[1] as Ioctl;

        // Check if the ioctl(2) request is allowed or denied.
        let cap = Capability::CAP_IOCTL;
        let action = sandbox.check_ioctl(arg, req.data.arch);

        let filter = action == Action::Filter;
        if !filter && action >= Action::Warn && log_enabled!(LogLevel::Warn) {
            let log_scmp = sandbox.log_scmp();
            let ctl = get_ioctl_log(arg, req.data.arch, sandbox.log_ioctl())
                .ok()
                .flatten();
            let grp = cap.to_string().to_ascii_lowercase();
            let tip = if let Some(name) = ctl.as_ref().and_then(|ctl| ctl.first()) {
                format!("configure `allow/{grp}+{name}'")
            } else {
                format!("configure `allow/{grp}+{arg:#x}'")
            };
            if log_scmp {
                warn!("ctx": "access", "cap": cap, "act": action,
                    "sys": "ioctl", "ctl": ctl, "tip": tip,
                    "req": &request);
            } else {
                warn!("ctx": "access", "cap": cap, "act": action,
                    "sys": "ioctl", "ctl": ctl, "tip": tip,
                    "pid": request.scmpreq.pid);
            }
        }
        drop(sandbox); // release the read-lock.

        match action {
            Action::Allow | Action::Warn => {
                // SAFETY:
                // Access check depends on the request number only,
                // which is saved in a register and inaccessible
                // to other threads.
                Ok(unsafe { request.continue_syscall() })
            }
            Action::Filter | Action::Deny => Err(Errno::EACCES),
            Action::Panic => panic!(),
            Action::Exit => std::process::exit(libc::EACCES),
            action => {
                // Stop|Kill
                let _ = request.kill(action);
                Err(Errno::EACCES)
            }
        }
    })
}