[Refactor:Autograding] Invert syscall logic (#11757)

### Why is this Change Important & Necessary?
In order to autograding the Julia programming language (Issue #11621) we
need to refactor the system call to default allow rather than default
disallow.

This is continuation of work in PR #11712 (repair system call filtering)

### What is the New Behavior?
This is a refactor, so no change should be visible to the instructor or
students.

### What steps should a reviewer take to reproduce or test the bug or
new feature?
The more_autograding_examples/c_system_call_filtering example should
work the same before & after installation of this PR. NOTE: gradeable
configuration will need to be rebuilt before & after installation.

### Automated Testing & Documentation
documentation was updated as part of the previous PR
Submitty/submitty.github.io#680

### Other information
Once this PR is merged, we will be able to finish & merge #11718 (add
julia)

NOTE: Now that the logic is switched to default allow, it will be even
more important to stay on top of the addition of new system calls with
the release of new OS versions.
new issue: #11893

---------

Co-authored-by: Barb Cutler <Barb Cutler>

Author: bmcutler

.setup/install_grading_dev_helper.sh

@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+
+#
+# This helper script is useful during development of the autograding system code.
+# It contains a subset of commands from .setup/INSTALL_SUBMITTY_HELPER.sh related to autograding.
+#
+
+# copy the grading code
+rsync -rtz /usr/local/submitty/GIT_CHECKOUT/Submitty/grading /usr/local/submitty/src
+
+# substitute the global variables
+sed -i -e "s|__INSTALL__FILLIN__SUBMITTY_INSTALL_DIR__|/usr/local/submitty|g" /usr/local/submitty/src/grading/CMakeLists.txt
+sed -i -e "s|__INSTALL__FILLIN__SUBMITTY_INSTALL_DIR__|/usr/local/submitty|g" /usr/local/submitty/src/grading/Sample_CMakeLists.txt
+sed -i -e "s|__INSTALL__FILLIN__SUBMITTY_INSTALL_DIR__|/usr/local/submitty|g" /usr/local/submitty/src/grading/system_call_check.cpp
+
+# build the grading library
+cd /usr/local/submitty/src/grading/lib || exit
+cmake ..
+make
+
+# set the permissions
+chown -R  root:root /usr/local/submitty/src
+find /usr/local/submitty/src -type d -exec chmod 555 {} \;
+find /usr/local/submitty/src -type f -exec chmod 444 {} \;
+
+# build the helper program for strace output and restrictions by system call categories
+g++ /usr/local/submitty/src/grading/system_call_check.cpp -o /usr/local/submitty/bin/system_call_check.out

grading/execute.cpp

@@ -30,6 +30,8 @@
 
 extern const int CPU_TO_WALLCLOCK_TIME_BUFFER;  // defined in default_config.h
 
+// set to 0 for debugging/disabling seccomp filter & 1 for normal use
+#define SECCOMP_ENABLED 1
 
 #define DIR_PATH_MAX 1000
 
@@ -762,11 +764,11 @@ int exec_this_command(const std::string &cmd, std::ofstream &logfile,
   }
   // END SECCOMP
 
-  //if (SECCOMP_ENABLED != 0) {
-  // std::cout << "seccomp filter enabled" << std::endl;
-  //} else {
-  //std::cout << "********** SECCOMP FILTER DISABLED *********** " << std::endl;
-  // }
+  if (SECCOMP_ENABLED != 0) {
+    std::cout << "seccomp filter enabled" << std::endl;
+  } else {
+    std::cout << "********** SECCOMP FILTER DISABLED *********** " << std::endl;
+  }
 
 
   char** temp_args = new char* [my_args.size()+2];   //memory leak here
@@ -882,28 +884,28 @@ int exec_this_command(const std::string &cmd, std::ofstream &logfile,
   set_environment_variables(whole_config.value("environment_variables",nlohmann::json()));
 
   my_path = getenv("PATH");
-
   // std::cout << "PATH post= " << (my_path ? my_path : "<empty>") << std::endl;
 
 
   // print this out here (before losing our output)
-  //  if (SECCOMP_ENABLED != 0) {
-  // std::cout << "going to install syscall filter for " << my_program << std::endl;
-  //}
+  if (SECCOMP_ENABLED != 0) {
+    //std::cout << "going to install syscall filter for " << my_program << std::endl;
+  }
 
   /*************************************************
   *
   * APPLY SECCOMP
   *
   **************************************************/
 
-  // SECCOMP: install the filter (system calls restrictions)
-  if (install_syscall_filter(prog_is_32bit, my_program,logfile, whole_config, test_case_config)) {
-    logfile << "seccomp filter install failed" << std::endl;
-    return 1;
+  if (SECCOMP_ENABLED != 0) {
+    // SECCOMP: install the filter (system calls restrictions)
+    if (install_syscall_filter(prog_is_32bit, my_program,logfile, whole_config, test_case_config)) {
+      logfile << "seccomp filter install failed" << std::endl;
+      return 1;
+    }
+    // END SECCOMP
   }
-  // END SECCOMP
-
 
   /*************************************************
   *

grading/seccomp_functions.cpp

@@ -8,6 +8,7 @@
 #include <elf.h>
 #include <algorithm>
 #include <cassert>
+#include <iomanip>
 
 // COMPILATION NOTE: Must pass -lseccomp to build
 #ifndef __NR_rseq
@@ -19,25 +20,63 @@
 #endif
 #include <seccomp.h>
 #include <set>
+#include <map>
 #include <string>
 #include <seccomp.h>
 #include <iostream>
 #include <fstream>
 #include <vector>
 #include <string>
 
+
 #define SUBMITTY_INSTALL_DIRECTORY  std::string("__INSTALL__FILLIN__SUBMITTY_INSTALL_DIR__")
 
-#define ALLOW_SYSCALL(name)  allow_syscall(sc,SCMP_SYS(name),#name,execute_logfile)
+#define ALLOW_SYSCALL(name, which_category)  allow_syscall(sc,SCMP_SYS(name),#name,execute_logfile, which_category,categories)
+#define ALLOW_SYSCALL_BY_NUMBER(num, name, which_category)  allow_syscall(sc,num,name,execute_logfile, which_category,categories)
+
+static std::map<int,std::pair<std::string,bool> > allowed_system_calls;
 
-static int total_allowed_system_calls = 0;
 
-inline void allow_syscall(scmp_filter_ctx sc, int syscall, const std::string &syscall_string, std::ofstream &execute_logfile) {
-  total_allowed_system_calls++;
-  //execute_logfile << "allow " << total_allowed_system_calls << " " << syscall_string << std::endl;
-  int res = seccomp_rule_add(sc, SCMP_ACT_ALLOW, syscall, 0);
-  if (res < 0) {
-    execute_logfile << "WARNING:  Errno " << res << " installing seccomp rule for " << syscall_string << std::endl;
+inline void allow_syscall(scmp_filter_ctx sc, int syscall, const std::string &syscall_string, std::ofstream &execute_logfile,
+                          const std::string &which_category, const std::set<std::string> &categories) {
+  bool allowed = false;
+  if (which_category.find("SAFELIST:") != std::string::npos)
+    allowed = true;
+  else if (which_category.find("FORBIDDEN:") != std::string::npos)
+    allowed = false;
+  else {
+    assert (which_category.find("RESTRICTED:") != std::string::npos);
+    if (categories.find(which_category.substr(11,which_category.size()-11)) != categories.end()) {
+      allowed = true;
+    }
+  }
+  allowed_system_calls.insert(std::make_pair(syscall,std::make_pair(syscall_string,allowed)));
+}
+
+void process_allow_system_calls(scmp_filter_ctx sc, std::ofstream &execute_logfile) {
+  for (std::map<int,std::pair<std::string,bool> >::iterator itr = allowed_system_calls.begin(); itr != allowed_system_calls.end(); itr++) {
+    if (itr->second.second == false) {
+      //execute_logfile << "              DISALLOWED " << itr->first << " " << itr->second.first << std::endl;
+      int res = seccomp_rule_add(sc, SCMP_ACT_KILL, itr->first, 0);
+      if (res < 0) {
+        //execute_logfile << "WARNING:  Errno " << res << " installing seccomp rule for " << itr->first << std::endl;
+      }
+    } else {
+      // do nothing - allowed by default
+      //execute_logfile << "allowed                  " << itr->first << " " << itr->second.first << std::endl;
+    }
+  }
+  //execute_logfile << std::endl;
+}
+
+void scan_allowed_system_calls(scmp_filter_ctx sc, std::ofstream &execute_logfile) {
+  for (int i = 0; i < 1100; i++) {
+    execute_logfile << "BY NUMBER " << i << " ";
+    if (allowed_system_calls.find(i) != allowed_system_calls.end()) {
+      execute_logfile << " ... already added " << std::endl;
+    } else {
+      execute_logfile << "                            MISSING THIS ONE" << std::endl;
+    }
   }
 }
 
@@ -220,10 +259,10 @@ std::set<std::string> system_call_categories_based_on_program
 
 int install_syscall_filter(bool is_32, const std::string &my_program, std::ofstream &execute_logfile,
                            const nlohmann::json &whole_config, const nlohmann::json &test_case_config) {
-  total_allowed_system_calls = 0;
 
   int res;
-  scmp_filter_ctx sc = seccomp_init(SCMP_ACT_KILL);
+  scmp_filter_ctx sc = seccomp_init(SCMP_ACT_ALLOW);
+
   int target_arch = is_32 ? SCMP_ARCH_X86 : SCMP_ARCH_X86_64;
   if (seccomp_arch_native() != target_arch) {
     res = seccomp_arch_add(sc, target_arch);
@@ -276,7 +315,8 @@ int install_syscall_filter(bool is_32, const std::string &my_program, std::ofstr
     "COMMUNICATIONS_AND_NETWORKING_KILL",
     "UNKNOWN",
     "UNKNOWN_MODULE",
-    "UNKNOWN_REMAP_PAGES"
+    "UNKNOWN_REMAP_PAGES",
+    "CUSTOM_SYSTEM_CALLS"
   };
 
   std::set<std::string> forbidden_categories = {
@@ -322,15 +362,14 @@ int install_syscall_filter(bool is_32, const std::string &my_program, std::ofstr
     }
   }
 
-  //execute_logfile << "categories " << categories.size() << std::endl;
-
   // make sure all categories are valid
   for_each(categories.begin(),categories.end(),
            [restricted_categories](const std::string &s){
              assert (restricted_categories.find(s) != restricted_categories.end()); });
 
   allow_system_calls(sc,categories,execute_logfile);
-  //execute_logfile << "system call filter configured with " << total_allowed_system_calls << " allowed system calls" << std::endl;
+  process_allow_system_calls(sc,execute_logfile);
+  //scan_allowed_system_calls(sc,execute_logfile);
 
   if (seccomp_load(sc) < 0)
     return 1; // failure