On Wed, Jan 16, 2013 at 6:05 PM, Paul Moore <pmo...@redhat.com> wrote:
> On Wednesday, January 16, 2013 02:43:21 PM Thiago Marcos P. Santos wrote:
>> Hi,
>>
>> Let's suppose we have a permissive default seccomp policy and at the
>> same time I want to restrict write() to only 2 fds. I tried the rules
>> below:
>>
>> ctx = seccomp_init(SCMP_ACT_ALLOW);
>>
>> seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1,
>>                        SCMP_A0(SCMP_CMP_EQ, 7));
>> seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1,
>>                        SCMP_A0(SCMP_CMP_EQ, 58));
>> seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, SCMP_SYS(write), 0);
>>
>> What was assumed here is: the first rule that matches is the one that
>> will be applied. Not sure if it makes sense because of my limited
>> knowledge of BPF.
>
> This isn't how libseccomp works; libseccomp doesn't take ordering into account
> when converting rules into seccomp BPF. It does provide a mechanism to allow
> users to provide rule priority hints, but that is for the sake of performance
> only.
>
>> I found out later that libseccomp doesn't allow adding a rule that has
>> the same action as the default action, which makes my example
>> hopeless. Is there a way of achieving what I want without inverting
>> the logic of the example (i.e. SCMP_ACT_KILL on all other fds other
>> than the ones I want to allow write)?
>
> If I'm understanding what you're trying to do correctly, I think the following
> will do what you want (haven't tested this, but I believe it should work) ...
>
> ctx = seccomp_init(SCMP_ACT_ALLOW);
>
> seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, SCMP_SYS(write), 1,
>                        SCMP_A0(SCMP_CMP_NE, 7));
> seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, SCMP_SYS(write), 1,
>                        SCMP_A0(SCMP_CMP_NE, 58));
>
> Is that what you were trying to do?
Yes, you got the idea. But after loading these rules, all the writes are
being killed. Examining the pseudo filter I got from these rules, it looks
like they are mutually exclusive and it will always hit KILL since a number
can't be 58 and 7 at the same time.

#
# pseudo filter code start
#
# filter for arch x86 (1073741827)
if ($arch == 1073741827)
  # filter for syscall #4 (priority: 65533)
  if ($syscall == 4)
    if ($a0 == 58)
    else
      action KILL;
    if ($a0 == 7)
    else
      action KILL;
  # default action
  action ALLOW;
# invalid architecture action
action KILL;
#
# pseudo filter code end
#

Probably the way of solving this would be something like the following,
but this rule is invalid right now.

seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, SCMP_SYS(write), 2,
                       SCMP_A0(SCMP_CMP_NE, 7),
                       SCMP_A0(SCMP_CMP_NE, 58));

Br,
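An added example, not from the thread or from libseccomp: the policy Thiago wanted ("write() only on fds 7 and 58, kill otherwise") written directly as a classic-BPF seccomp program, where ordering really is first-match, together with a small evaluator for the three opcodes it uses so the decisions can be checked without installing the filter. The opcode and return-value constants are copied from the kernel ABI and the syscall number 4 is __NR_write on 32-bit x86 as in the pseudo filter above; the arch check is omitted to keep the program short.

```c
#include <stdint.h>

/* Opcodes, return values and offsets, numerically identical to those in
 * <linux/filter.h> and <linux/seccomp.h>, defined here so the example builds
 * without kernel headers. Offsets index struct seccomp_data {nr, arch, ip, args[6]}. */
struct sock_filter { uint16_t code; uint8_t jt, jf; uint32_t k; };
#define LD_W_ABS  0x20         /* BPF_LD | BPF_W | BPF_ABS  */
#define JEQ_K     0x15         /* BPF_JMP | BPF_JEQ | BPF_K */
#define RET_K     0x06         /* BPF_RET | BPF_K           */
#define RET_ALLOW 0x7fff0000u  /* SECCOMP_RET_ALLOW         */
#define RET_KILL  0x00000000u  /* SECCOMP_RET_KILL          */
#define OFF_NR    0            /* offsetof(struct seccomp_data, nr)      */
#define OFF_A0    16           /* offsetof(struct seccomp_data, args[0]) */
#define NR_WRITE  4            /* __NR_write on 32-bit x86, as in the thread */

/* The ordering the poster assumed: BPF is first-match, so the two ALLOW
 * tests for write() precede its catch-all KILL. (The arch check that
 * libseccomp emits first is omitted here; a real filter must keep it.) */
static const struct sock_filter allow_two_fds[] = {
    { LD_W_ABS, 0, 0, OFF_NR },    /* A = syscall number                 */
    { JEQ_K,    0, 4, NR_WRITE },  /* not write(): jump to final ALLOW   */
    { LD_W_ABS, 0, 0, OFF_A0 },    /* A = low 32 bits of args[0] (fd)    */
    { JEQ_K,    2, 0, 7 },         /* fd == 7  -> ALLOW                  */
    { JEQ_K,    1, 0, 58 },        /* fd == 58 -> ALLOW                  */
    { RET_K,    0, 0, RET_KILL },  /* write() on any other fd            */
    { RET_K,    0, 0, RET_ALLOW },
};
#define PROG_LEN (int)(sizeof allow_two_fds / sizeof allow_two_fds[0])

/* Evaluator for the three opcodes used above; returns the seccomp action
 * the kernel would take for syscall `nr` with first argument `a0`. */
static uint32_t run_filter(const struct sock_filter *p, int n,
                           uint32_t nr, uint64_t a0)
{
    uint32_t acc = 0;
    for (int pc = 0; pc < n; pc++) {
        switch (p[pc].code) {
        case LD_W_ABS: acc = (p[pc].k == OFF_NR) ? nr : (uint32_t)a0; break;
        case JEQ_K:    pc += (acc == p[pc].k) ? p[pc].jt : p[pc].jf;  break;
        case RET_K:    return p[pc].k;
        }
    }
    return RET_KILL; /* ran off the end; the kernel rejects such programs */
}

uint32_t seccomp_action(uint32_t nr, uint64_t a0)
{
    return run_filter(allow_two_fds, PROG_LEN, nr, a0);
}
```

On Linux the same array is what you would hand to prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, ...) after PR_SET_NO_NEW_PRIVS; the evaluator only exists to show the decisions offline.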