Seccomp #532
Seccomp #532
Conversation
outscale-hmi
force-pushed
the
seccomp
branch
3 times, most recently
from
6137ce7
to
1a852d8
Compare
outscale-hmi
force-pushed
the
seccomp
branch
2 times, most recently
from
fc720e7
to
f726594
Compare
src/seccomp.c
Outdated
| struct sigaction act; | ||
| int check = 0; | ||
| /* Set up seccomp filter */ | ||
| if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)){ |
There was a problem hiding this comment.
it seems this is also call in pg_install_filter, why it it call here too ?
src/seccomp.c
Outdated
| { | ||
| int old_errno = errno; | ||
|
|
||
| printf("Attempted banned syscall number [%d] and sig [%d]\n", |
There was a problem hiding this comment.
printf write on stdout, you should write on stderr, so fprintf("Catch sig [%d] when attemption to catch syscall: [%d]\n", sig, si->si_syscall)
There was a problem hiding this comment.
also, I don't see you use errno ?
|
|
||
| KILL_PROCESS, |
There was a problem hiding this comment.
I think this should be configurable, so take a bitmask in function parameter, and use that parameter here
There was a problem hiding this comment.
it is already defined in seccomp-bpf
define SECCOMP_RET_TRAP 0x00030000U /* disallow and force a SIGSYS */
There was a problem hiding this comment.
sure, but filter contain TRAP_PROCESS
Which doesn't work, if you want packetgraph to KILL process.
You can't put KILL_PROCESS into filter either, because that would mean packetgraph doesn't work if you want it to print process.
So you need to have a way to chose at runtime between KILL or TRAP.
src/seccomp.c
Outdated
| return -1; | ||
| if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) | ||
| if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == 0) |
There was a problem hiding this comment.
that bug me, so if prctl success, you return -1 (which mean fail ?)
src/seccomp.c
Outdated
|
|
||
| int pg_init_seccomp(void) | ||
| int init_seccomp_filters(void) |
There was a problem hiding this comment.
TBH, I don't understand the point of this sub function.
If you really want it please make it static.
int init_seccomp_filters(void)
src/seccomp.c
Outdated
| @@ -81,17 +84,59 @@ int pg_init_seccomp(void) | |||
| ALLOW_SYSCALL(gettimeofday), | |||
| ALLOW_SYSCALL(stat), | |||
| ALLOW_SYSCALL(clock_gettime), | |||
| ALLOW_SYSCALL(mprotect), | |||
There was a problem hiding this comment.
humm, This one is not acceptable.
I understand you need it to debug, but this call is far too dangerous.
outscale-hmi
force-pushed
the
seccomp
branch
3 times, most recently
from
9f635bf
to
98389a1
Compare
Signed-off-by: hanen mizouni <[email protected]>
outscale-hmi
force-pushed
the
seccomp
branch
from
98389a1
to
ad11f03
Compare
No description provided.