-
Notifications
You must be signed in to change notification settings - Fork 170
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
api: provide 32-bit friendly argument comparison macros
We have a longstanding issue with 32-bit to 64-bit sign extension inadvertently resulting in bogus syscall argument extensions. This patch introduces a new set of argument comparison macros which limit the argument values to 32-bit values so that we don't run into problems with sign extension. We use the macro overloading proposed by Roman at https://kecher.net/overloading-macros/ to retain the feature of these macros being usable as static initializers. Thanks to @jdstrand on GitHub for reporting the problem. Signed-off-by: Paul Moore <[email protected]> Signed-off-by: Michael Weiser <[email protected]>
- Loading branch information
Showing
6 changed files
with
295 additions
and
22 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,4 +1,4 @@ | ||
.TH "seccomp_rule_add" 3 "25 July 2012" "[email protected]" "libseccomp Documentation" | ||
.TH "seccomp_rule_add" 3 "17 February 2019" "[email protected]" "libseccomp Documentation" | ||
.\" ////////////////////////////////////////////////////////////////////////// | ||
.SH NAME | ||
.\" ////////////////////////////////////////////////////////////////////////// | ||
|
@@ -22,6 +22,24 @@ seccomp_rule_add, seccomp_rule_add_exact \- Add a seccomp filter rule | |
.BI "struct scmp_arg_cmp SCMP_A4(enum scmp_compare " op ", " ... ");" | ||
.BI "struct scmp_arg_cmp SCMP_A5(enum scmp_compare " op ", " ... ");" | ||
.sp | ||
.BI "struct scmp_arg_cmp SCMP_CMP64(unsigned int " arg "," | ||
.BI " enum scmp_compare " op ", " ... ");" | ||
.BI "struct scmp_arg_cmp SCMP_A0_64(enum scmp_compare " op ", " ... ");" | ||
.BI "struct scmp_arg_cmp SCMP_A1_64(enum scmp_compare " op ", " ... ");" | ||
.BI "struct scmp_arg_cmp SCMP_A2_64(enum scmp_compare " op ", " ... ");" | ||
.BI "struct scmp_arg_cmp SCMP_A3_64(enum scmp_compare " op ", " ... ");" | ||
.BI "struct scmp_arg_cmp SCMP_A4_64(enum scmp_compare " op ", " ... ");" | ||
.BI "struct scmp_arg_cmp SCMP_A5_64(enum scmp_compare " op ", " ... ");" | ||
.sp | ||
.BI "struct scmp_arg_cmp SCMP_CMP32(unsigned int " arg "," | ||
.BI " enum scmp_compare " op ", " ... ");" | ||
.BI "struct scmp_arg_cmp SCMP_A0_32(enum scmp_compare " op ", " ... ");" | ||
.BI "struct scmp_arg_cmp SCMP_A1_32(enum scmp_compare " op ", " ... ");" | ||
.BI "struct scmp_arg_cmp SCMP_A2_32(enum scmp_compare " op ", " ... ");" | ||
.BI "struct scmp_arg_cmp SCMP_A3_32(enum scmp_compare " op ", " ... ");" | ||
.BI "struct scmp_arg_cmp SCMP_A4_32(enum scmp_compare " op ", " ... ");" | ||
.BI "struct scmp_arg_cmp SCMP_A5_32(enum scmp_compare " op ", " ... ");" | ||
.sp | ||
.BI "int seccomp_rule_add(scmp_filter_ctx " ctx ", uint32_t " action "," | ||
.BI " int " syscall ", unsigned int " arg_cnt ", " ... ");" | ||
.BI "int seccomp_rule_add_exact(scmp_filter_ctx " ctx ", uint32_t " action "," | ||
|
@@ -71,15 +89,36 @@ loaded into the kernel using | |
.BR seccomp_load (3). | ||
.P | ||
The | ||
.BR SCMP_CMP (), | ||
.BR SCMP_CMP64 (), | ||
.BR SCMP_A{0-5} (), | ||
and | ||
.BR SCMP_A{0-5}_64 () | ||
macros generate a scmp_arg_cmp structure for use with the above functions. The | ||
.BR SCMP_CMP () | ||
and | ||
.BR SCMP_CMP64 () | ||
macros allows the caller to specify an arbitrary argument along with the | ||
comparison operator, 64-bit mask, and 64-bit datum values where the | ||
.BR SCMP_A{0-5} () | ||
macros generate a scmp_arg_cmp structure for use with the above functions. The | ||
and | ||
.BR SCMP_A{0-5}_64 () | ||
macros are specific to a certain argument. | ||
.P | ||
The | ||
.BR SCMP_CMP32 () | ||
and | ||
.BR SCMP_A{0-5}_32 () | ||
macros are similar to the variants above, but they take 32-bit mask and 32-bit | ||
datum values. | ||
.P | ||
It is recommended that whenever possible developers avoid using the | ||
.BR SCMP_CMP () | ||
macro allows the caller to specify an arbitrary argument along with the | ||
comparison operator, mask, and datum values where the | ||
and | ||
.BR SCMP_A{0-5} () | ||
macros are specific to a certain argument. See the EXAMPLES section below. | ||
macros and use the variants which are explicitly 32 or 64-bit. This should | ||
help eliminate problems caused by an unwanted sign extension of negative datum | ||
values. | ||
.P | ||
While it is possible to specify the | ||
.I syscall | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,84 @@ | ||
/** | ||
* Seccomp Library test program | ||
* | ||
* Copyright (c) 2019 Cisco Systems, Inc. <[email protected]> | ||
* Author: Paul Moore <[email protected]> | ||
* Additions: Michael Weiser <[email protected]> | ||
*/ | ||
|
||
/* | ||
* This library is free software; you can redistribute it and/or modify it | ||
* under the terms of version 2.1 of the GNU Lesser General Public License as | ||
* published by the Free Software Foundation. | ||
* | ||
* This library is distributed in the hope that it will be useful, but WITHOUT | ||
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or | ||
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License | ||
* for more details. | ||
* | ||
* You should have received a copy of the GNU Lesser General Public License | ||
* along with this library; if not, see <http:https://www.gnu.org/licenses>. | ||
*/ | ||
|
||
#include <errno.h> | ||
#include <unistd.h> | ||
#include <inttypes.h> | ||
|
||
#include <seccomp.h> | ||
|
||
#include "util.h" | ||
|
||
int main(int argc, char *argv[]) | ||
{ | ||
int rc; | ||
struct util_options opts; | ||
scmp_filter_ctx ctx = NULL; | ||
struct args { | ||
uint32_t action; | ||
int syscall; | ||
struct scmp_arg_cmp cmp; | ||
} *a, f[] = { | ||
{SCMP_ACT_ALLOW, 2000, SCMP_A0(SCMP_CMP_EQ, -1)}, | ||
{SCMP_ACT_ALLOW, 2064, SCMP_A0_64(SCMP_CMP_EQ, -1)}, | ||
{SCMP_ACT_ALLOW, 2032, SCMP_A0_32(SCMP_CMP_EQ, -1)}, | ||
{0}, | ||
}; | ||
|
||
rc = util_getopt(argc, argv, &opts); | ||
if (rc < 0) | ||
goto out; | ||
|
||
ctx = seccomp_init(SCMP_ACT_KILL); | ||
if (ctx == NULL) | ||
return ENOMEM; | ||
|
||
rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1000, 1, | ||
SCMP_A0(SCMP_CMP_EQ, -1)); | ||
if (rc != 0) | ||
goto out; | ||
|
||
rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1064, 1, | ||
SCMP_A0_64(SCMP_CMP_EQ, -1)); | ||
if (rc != 0) | ||
goto out; | ||
|
||
rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1032, 1, | ||
SCMP_A0_32(SCMP_CMP_EQ, -1)); | ||
if (rc != 0) | ||
goto out; | ||
|
||
for (a = f; a->syscall != 0; a++) { | ||
rc = seccomp_rule_add_exact(ctx, a->action, a->syscall, 1, | ||
a->cmp); | ||
if (rc != 0) | ||
goto out; | ||
} | ||
|
||
rc = util_filter_output(&opts, ctx); | ||
if (rc) | ||
goto out; | ||
|
||
out: | ||
seccomp_release(ctx); | ||
return (rc < 0 ? -rc : rc); | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,50 @@ | ||
#!/usr/bin/env python | ||
|
||
# | ||
# Seccomp Library test program | ||
# | ||
# Copyright (c) 2019 Cisco Systems, Inc. <[email protected]> | ||
# Author: Paul Moore <[email protected]> | ||
# | ||
|
||
# | ||
# This library is free software; you can redistribute it and/or modify it | ||
# under the terms of version 2.1 of the GNU Lesser General Public License as | ||
# published by the Free Software Foundation. | ||
# | ||
# This library is distributed in the hope that it will be useful, but WITHOUT | ||
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or | ||
# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License | ||
# for more details. | ||
# | ||
# You should have received a copy of the GNU Lesser General Public License | ||
# along with this library; if not, see <http:https://www.gnu.org/licenses>. | ||
# | ||
|
||
import argparse | ||
import sys | ||
|
||
import util | ||
|
||
from seccomp import * | ||
|
||
def test(args): | ||
f = SyscallFilter(KILL) | ||
# NOTE: this test is different from the native/c test as the bindings don't | ||
# allow negative numbers (which is a good thing here) | ||
f.add_rule_exactly(ALLOW, 1000, Arg(0, EQ, 0xffffffffffffffff)) | ||
f.add_rule_exactly(ALLOW, 1064, Arg(0, EQ, 0xffffffffffffffff)) | ||
f.add_rule_exactly(ALLOW, 1032, Arg(0, EQ, 0xffffffff)) | ||
# here we do not have static initializers to test but need to keep | ||
# behaviour in sync with the native test | ||
f.add_rule_exactly(ALLOW, 2000, Arg(0, EQ, 0xffffffffffffffff)) | ||
f.add_rule_exactly(ALLOW, 2064, Arg(0, EQ, 0xffffffffffffffff)) | ||
f.add_rule_exactly(ALLOW, 2032, Arg(0, EQ, 0xffffffff)) | ||
return f | ||
|
||
args = util.get_opt() | ||
ctx = test(args) | ||
util.filter_output(args, ctx) | ||
|
||
# kate: syntax python; | ||
# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,38 @@ | ||
# | ||
# libseccomp regression test automation data | ||
# | ||
# Copyright (c) 2019 Cisco Systems, Inc. <[email protected]> | ||
# Author: Paul Moore <[email protected]> | ||
# | ||
|
||
test type: bpf-sim | ||
|
||
# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result | ||
48-sim-32b_args all 1000 0x0 N N N N N KILL | ||
48-sim-32b_args all 1000 0xffffffff N N N N N KILL | ||
48-sim-32b_args all 1000 0xffffffffffffffff N N N N N ALLOW | ||
48-sim-32b_args all 1032 0x0 N N N N N KILL | ||
48-sim-32b_args all 1032 0xffffffff N N N N N ALLOW | ||
48-sim-32b_args all 1032 0xffffffffffffffff N N N N N KILL | ||
48-sim-32b_args all 1064 0x0 N N N N N KILL | ||
48-sim-32b_args all 1064 0xffffffff N N N N N KILL | ||
48-sim-32b_args all 1064 0xffffffffffffffff N N N N N ALLOW | ||
48-sim-32b_args all 2000 0x0 N N N N N KILL | ||
48-sim-32b_args all 2000 0xffffffff N N N N N KILL | ||
48-sim-32b_args all 2000 0xffffffffffffffff N N N N N ALLOW | ||
48-sim-32b_args all 2032 0x0 N N N N N KILL | ||
48-sim-32b_args all 2032 0xffffffff N N N N N ALLOW | ||
48-sim-32b_args all 2032 0xffffffffffffffff N N N N N KILL | ||
48-sim-32b_args all 2064 0x0 N N N N N KILL | ||
48-sim-32b_args all 2064 0xffffffff N N N N N KILL | ||
48-sim-32b_args all 2064 0xffffffffffffffff N N N N N ALLOW | ||
|
||
test type: bpf-sim-fuzz | ||
|
||
# Testname StressCount | ||
48-sim-32b_args 50 | ||
|
||
test type: bpf-valgrind | ||
|
||
# Testname | ||
48-sim-32b_args |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters