rpms / systemd

Clone
Source Code
GIT

Blame SOURCES/0817-seccomp-tighten-checking-of-seccomp-filter-creation.patch

c10s-sig-hyperscale c10s-sig-hyperscale-v255 c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-atomic c7-atomic-beta c7-beta c7-sig-altarch-fasttrack c8 c8-beta c8s c8s-sig-hyperscale c9 c9-beta c9s-sig-hyperscale c9s-sig-hyperscale-v255
  1.   c8-beta
  2.   SOURCES
  3.   0817-seccomp-tighten-checking-of-seccomp-filter-creation.patch
Blob History Raw
984f77 
From 42ed3377b5817f2c1f84e1bdca301ea51ecc3299 Mon Sep 17 00:00:00 2001
984f77 
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
984f77 
Date: Thu, 20 Sep 2018 14:19:41 +0200
984f77 
Subject: [PATCH] seccomp: tighten checking of seccomp filter creation
984f77
984f77 
In seccomp code, the code is changed to propagate errors which are about
984f77 
anything other than unknown/unimplemented syscalls. I *think* such errors
984f77 
should not happen in normal usage, but so far we would summarilly ignore all
984f77 
errors, so that part is uncertain. If it turns out that other errors occur and
984f77 
should be ignored, this should be added later.
984f77
984f77 
In nspawn, we would count the number of added filters, but didn't use this for
984f77 
anything. Drop that part.
984f77
984f77 
The comments suggested that seccomp_add_syscall_filter_item() returned negative
984f77 
if the syscall is unknown, but this wasn't true: it returns 0.
984f77
984f77 
The error at this point can only be if the syscall was known but couldn't be
984f77 
added. If the error comes from our internal whitelist in nspawn, treat this as
984f77 
error, because it means that our internal table is wrong. If the error comes
984f77 
from user arguments, warn and ignore. (If some syscall is not known at current
984f77 
architecture, it is still silently ignored.)
984f77
984f77 
(cherry picked from commit 7e86bd73a47f2b8dd3d9a743e69fb0117f450ad8)
984f77
984f77 
Related: #2040247
984f77 
---
984f77 
 src/nspawn/nspawn-seccomp.c | 14 +++++---------
984f77 
 src/shared/seccomp-util.c   | 26 ++++++++++++++++----------
984f77 
 2 files changed, 21 insertions(+), 19 deletions(-)
984f77
984f77 
diff --git a/src/nspawn/nspawn-seccomp.c b/src/nspawn/nspawn-seccomp.c
984f77 
index fba22644da..17abfcec26 100644
984f77 
--- a/src/nspawn/nspawn-seccomp.c
984f77 
+++ b/src/nspawn/nspawn-seccomp.c
984f77 
@@ -140,7 +140,7 @@ static int seccomp_add_default_syscall_filter(
984f77 
                  */
984f77 
         };
984f77
984f77 
-        int r, c = 0;
984f77 
+        int r;
984f77 
         size_t i;
984f77 
         char **p;
984f77
984f77 
@@ -150,21 +150,17 @@ static int seccomp_add_default_syscall_filter(
984f77
984f77 
                 r = seccomp_add_syscall_filter_item(ctx, whitelist[i].name, SCMP_ACT_ALLOW, syscall_blacklist, false);
984f77 
                 if (r < 0)
984f77 
-                        /* If the system call is not known on this architecture, then that's fine, let's ignore it */
984f77 
-                        log_debug_errno(r, "Failed to add rule for system call %s on %s, ignoring: %m", whitelist[i].name, seccomp_arch_to_string(arch));
984f77 
-                else
984f77 
-                        c++;
984f77 
+                        return log_error_errno(r, "Failed to add syscall filter item %s: %m", whitelist[i].name);
984f77 
         }
984f77
984f77 
         STRV_FOREACH(p, syscall_whitelist) {
984f77 
                 r = seccomp_add_syscall_filter_item(ctx, *p, SCMP_ACT_ALLOW, syscall_blacklist, false);
984f77 
                 if (r < 0)
984f77 
-                        log_debug_errno(r, "Failed to add rule for system call %s on %s, ignoring: %m", *p, seccomp_arch_to_string(arch));
984f77 
-                else
984f77 
-                        c++;
984f77 
+                        log_warning_errno(r, "Failed to add rule for system call %s on %s, ignoring: %m",
984f77 
+                                          *p, seccomp_arch_to_string(arch));
984f77 
         }
984f77
984f77 
-        return c;
984f77 
+        return 0;
984f77 
 }
984f77
984f77 
 int setup_seccomp(uint64_t cap_list_retain, char **syscall_whitelist, char **syscall_blacklist) {
984f77 
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
984f77 
index 4d2ba31d47..710a734715 100644
984f77 
--- a/src/shared/seccomp-util.c
984f77 
+++ b/src/shared/seccomp-util.c
984f77 
@@ -907,9 +907,13 @@ int seccomp_add_syscall_filter_item(scmp_filter_ctx *seccomp, const char *name,
984f77 
                 r = seccomp_rule_add_exact(seccomp, action, id, 0);
984f77 
                 if (r < 0) {
984f77 
                         /* If the system call is not known on this architecture, then that's fine, let's ignore it */
984f77 
-                        if (log_missing)
984f77 
-                                log_debug_errno(r, "Failed to add rule for system call %s() / %d, ignoring: %m",
984f77 
-                                                name, id);
984f77 
+                        bool ignore = r == -EDOM;
984f77 
+
984f77 
+                        if (!ignore || log_missing)
984f77 
+                                log_debug_errno(r, "Failed to add rule for system call %s() / %d%s: %m",
984f77 
+                                                name, id, ignore ? ", ignoring" : "");
984f77 
+                        if (!ignore)
984f77 
+                                return r;
984f77 
                 }
984f77
984f77 
                 return 0;
984f77 
@@ -957,10 +961,8 @@ int seccomp_load_syscall_filter_set(uint32_t default_action, const SyscallFilter
984f77 
                         return r;
984f77
984f77 
                 r = seccomp_add_syscall_filter_set(seccomp, set, action, NULL, log_missing);
984f77 
-                if (r < 0) {
984f77 
-                        log_debug_errno(r, "Failed to add filter set, ignoring: %m");
984f77 
-                        continue;
984f77 
-                }
984f77 
+                if (r < 0)
984f77 
+                        return log_debug_errno(r, "Failed to add filter set: %m");
984f77
984f77 
                 r = seccomp_load(seccomp);
984f77 
                 if (IN_SET(r, -EPERM, -EACCES))
984f77 
@@ -1005,11 +1007,15 @@ int seccomp_load_syscall_filter_set_raw(uint32_t default_action, Hashmap* set, u
984f77 
                         if (r < 0) {
984f77 
                                 /* If the system call is not known on this architecture, then that's fine, let's ignore it */
984f77 
                                 _cleanup_free_ char *n = NULL;
984f77 
+                                bool ignore;
984f77
984f77 
                                 n = seccomp_syscall_resolve_num_arch(SCMP_ARCH_NATIVE, id);
984f77 
-                                if (log_missing)
984f77 
-                                        log_debug_errno(r, "Failed to add rule for system call %s() / %d, ignoring: %m",
984f77 
-                                                        strna(n), id);
984f77 
+                                ignore = r == -EDOM;
984f77 
+                                if (!ignore || log_missing)
984f77 
+                                        log_debug_errno(r, "Failed to add rule for system call %s() / %d%s: %m",
984f77 
+                                                        strna(n), id, ignore ? ", ignoring" : "");
984f77 
+                                if (!ignore)
984f77 
+                                        return r;
984f77 
                         }
984f77 
                 }
984f77

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation