This repository has been archived by the owner on Oct 2, 2024. It is now read-only.

detect unsupported seccomp architecture #1776

Merged
merged 3 commits into from
Dec 6, 2023
Changes from 2 commits
10 changes: 10 additions & 0 deletions bin/ch_core.c
Expand Up @@ -123,6 +123,7 @@ int FAKE_SYSCALL_NRS[][5] = {
{ 55, 95, 95, 95, 93 }, // fchown
{ 0, 207, 207, 0, 0 }, // fchown32
{ 54, 325, 298, 289, 260 }, // fchownat
{ 104, 347, 283, 268, 246 }, // kexec_load (see below)
{ 0, 16, 16, 16, 94 }, // lchown
{ 0, 198, 198, 0, 0 }, // lchown32
{ 0, 14, 14, 14, 133 }, // mknod
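Review bot: the row comment `// kexec_load (see below)` is a dangling cross-reference; nothing in this table says where "below" is or why a call that is never emulated for the container's benefit sits in a table of faked system calls. Suggest making the comment self-explanatory, e.g. `// kexec_load (filter self-test only; see seccomp_install())`, so that someone maintaining the per-architecture numbers later does not assume kexec_load is being quashed as a feature rather than as the probe used to validate the filter.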
Expand Down Expand Up @@ -592,6 +593,15 @@ void seccomp_install(void)
// compatibility (Linux 3.5 rather than 3.17) and because there is a glibc
// wrapper.
Z_ (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &p));

// Test filter. This will fail if the kernel executes the call (because we
// are not really privileged and the arguments are bogus) or succeed if
// filter handles it. We selected it over something more naturally in the
// filter, e.g. setuid(2), because (1) no container process should ever use
// it and (2) it’s unlikely to be emulated by a smarter filter in the
// future, i.e., it won’t silently start doing something.
Zf (syscall(SYS_kexec_load, 0, 0, NULL, 0),
"seccomp root emulation failed (is your architecture supported?)");
}
#endif
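Review bot: the self-test `Zf (syscall(SYS_kexec_load, 0, 0, NULL, 0), ...)` has a build-time dependency that the runtime message does not cover: `SYS_kexec_load` is only defined by libc where the kernel headers define `__NR_kexec_load` for that architecture, so on an architecture that lacks it the failure is a compile error rather than the "is your architecture supported?" message this hunk introduces. Consider guarding the probe with `#ifdef SYS_kexec_load` and an `#error` (or an explicit fallback) so both cases are reported deliberately. If `Zf` does not already print errno, include it in the message: EPERM means the filter installed but did not match this call (wrong table row or wrong architecture audit value), which is the case the message is trying to diagnose. Minor wording in the comment: "succeed if filter handles it" should read "succeed if the filter handles it", and "something more naturally in the filter" should read "something more natural to the filter".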

9 changes: 5 additions & 4 deletions doc/ch-image.rst
Expand Up @@ -780,9 +780,10 @@ intercept certain privileged system calls, do absolutely nothing, and return
success to the program.

The quashed system calls are: :code:`capset(2)`; :code:`chown(2)` and friends;
:code:`mknod(2)` and :code:`mknodat(2)`; and :code:`setuid(2)`,
:code:`setgid(2)`, and :code:`setgroups(2)` along with the other system calls
that change user or group.
:code:`kexec_load(2)` (used to validate the filter itself); :code:`mknod(2)`
and :code:`mknodat(2)`; and :code:`setuid(2)`, :code:`setgid(2)`, and
:code:`setgroups(2)` along with the other system calls that change user or
group.

The advantages of this approach is that it’s much simpler, it’s faster, it’s
completely agnostic to libc, and it’s mostly agnostic to distribution. The
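Review bot: the added text says :code:`kexec_load(2)` is "used to validate the filter itself" but does not tell the reader what happens when that validation fails. Since the accompanying code change exits with "seccomp root emulation failed (is your architecture supported?)", add a sentence here stating that on an architecture whose system call numbers are not in the table the command fails with that message, so a user hitting the error can find this section. Grammar in the unchanged context below the hunk: "The advantages of this approach is" should be "The advantages of this approach are".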
Expand Down Expand Up @@ -2107,4 +2108,4 @@ Environment variables
.. LocalWords: dlcache graphviz packfile packfiles bigFileThreshold fd Tpdf
.. LocalWords: pstats gprof chofile cffd cacdb ARGs NSYNC dst imgroot popt
.. LocalWords: globbed ni AHSXpr drwxrwx ctx sym nom newB newC newD dstC
.. LocalWords: dstB dstF dstG upover drwx
.. LocalWords: dstB dstF dstG upover drwx kexec