Backwardscompatibly handle syscalls unknown to us or libseccomp #30291
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
An -rc1 tag has been created and a release is being prepared, so please note that PRs introducing new features and APIs will be held back until the new version has been released. |
YHNdnzj
reviewed
Dec 1, 2023
bluca
approved these changes
Dec 1, 2023
YHNdnzj
approved these changes
Dec 1, 2023
poettering
reviewed
Dec 1, 2023
b1f26d6
to
a3f88b7
Compare
|
Updated with the suggested changes. |
glibc starting using fchmodat2 to implement fchmod with flags [1], but current version of libseccomp does not support fchmodat2 [2]. This is causing problems with programs sandboxed by systemd. libseccomp needs to know a syscall to be able to set any kind of filter for it, so for syscalls unknown by libseccomp we would always do the default action, i.e. either return the errno set by SystemCallErrorNumber or send a fatal signal. For glibc to ignore the unknown syscall and gracefully fall back to the older implementation, we need to return ENOSYS. In particular, tar now fails with the default SystemCallFilter="@System-service" sandbox [3]. This is of course a wider problem: any time the kernel gains new syscalls, before libseccomp and systemd have caught up, we'd behave incorrectly. Let's do the same as we already were doing in nspawn since 3573e03, and do the "default action" only for syscalls which are known by us and libseccomp, and return ENOSYS for anything else. This means that users can start using a sandbox with the new syscalls only after libseccomp and systemd have been updated, but before that happens they behaviour that is backwards-compatible. [1] bminor/glibc@65341f7 [2] seccomp/libseccomp#406 [2] systemd#30250 Fixes systemd#30250. In seccomp_restrict_sxid() there's a chunk conditionalized with '#if defined(__SNR_fchmodat2)'. We need to kep that because seccomp_restrict_sxid() seccomp_restrict_suid_sgid() uses SCMP_ACT_ALLOW as the default action.
We were calling seccomp_syscall_resolve_name three times and using a slightly different error message in each of the cases.
This mirrors what d75615f did for nspawn. It isn't really a fatal failure if we can't set that, so ignore it in libseccomp cannot set the attribute. line OP JT JF K ================================= 0000: 0x20 0x00 0x00 0x00000004 ld $data[4] 0001: 0x15 0x00 0xb7 0x40000003 jeq 1073741827 true:0002 false:0185 0002: 0x20 0x00 0x00 0x00000000 ld $data[0] 0003: 0x15 0xb5 0x00 0x00000000 jeq 0 true:0185 false:0004 0004: 0x15 0xb4 0x00 0x00000001 jeq 1 true:0185 false:0005 0005: 0x15 0xb3 0x00 0x00000002 jeq 2 true:0185 false:0006 0006: 0x15 0xb2 0x00 0x00000003 jeq 3 true:0185 false:0007 0007: 0x15 0xb1 0x00 0x00000004 jeq 4 true:0185 false:0008 0008: 0x15 0xb0 0x00 0x00000005 jeq 5 true:0185 false:0009 0009: 0x15 0xaf 0x00 0x00000006 jeq 6 true:0185 false:0010 ... 0438: 0x15 0x03 0x00 0x000001be jeq 446 true:0442 false:0439 0439: 0x15 0x02 0x00 0x000001bf jeq 447 true:0442 false:0440 0440: 0x15 0x01 0x00 0x000001c0 jeq 448 true:0442 false:0441 0441: 0x06 0x00 0x00 0x00050026 ret ERRNO(38) 0442: 0x06 0x00 0x00 0x7fff0000 ret ALLOW line OP JT JF K ================================= 0000: 0x20 0x00 0x00 0x00000004 ld $data[4] 0001: 0x15 0x00 0x27 0x40000003 jeq 1073741827 true:0002 false:0041 0002: 0x20 0x00 0x00 0x00000000 ld $data[0] 0003: 0x25 0x01 0x00 0x000000b5 jgt 181 true:0005 false:0004 0004: 0x05 0x00 0x00 0x00000143 jmp 0328 0005: 0x25 0x00 0xa1 0x00000139 jgt 313 true:0006 false:0167 0006: 0x25 0x00 0x51 0x00000179 jgt 377 true:0007 false:0088 0007: 0x25 0x00 0x29 0x000001a0 jgt 416 true:0008 false:0049 0008: 0x25 0x00 0x13 0x000001b0 jgt 432 true:0009 false:0028 0009: 0x25 0x00 0x09 0x000001b8 jgt 440 true:0010 false:0019 ... 0551: 0x15 0x03 0x00 0x00000002 jeq 2 true:0555 false:0552 0552: 0x15 0x02 0x01 0x00000001 jeq 1 true:0555 false:0554 0553: 0x15 0x01 0x00 0x00000000 jeq 0 true:0555 false:0554 0554: 0x06 0x00 0x00 0x00050026 ret ERRNO(38) 0555: 0x06 0x00 0x00 0x7fff0000 ret ALLOW The program is longer but hopefully faster because of the binary search.
a3f88b7
to
e6c5386
Compare
|
Ooops. The change that was suggested in #30291 (review) broke a valid test case. I removed that that chunk and added a note in the commit message. In this regard, it's a revert to the previous version of the patch. |
|
/packit build |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.