Hi,

On x86 we have rt_sigprocmask and sigprocmask and on x86_64
only rt_sigprocmask. In any case, the libc shipped by Ubuntu 12.10 on
both architectures maps sigprocmask(2) to rt_sigprocmask, something that I
could confirm using strace(1). That said, consider the rule below:

ctx = seccomp_init(SCMP_ACT_ALLOW);

seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(rt_sigprocmask), 2,
        SCMP_A0(SCMP_CMP_EQ, SIG_BLOCK),
        SCMP_A1(SCMP_CMP_NE, 0));


The following rule works as expected on both archs:

sigprocmask(SIG_BLOCK, 0, &set); // Executed just fine.


This rule matches on x86 but not on x86_64:

sigprocmask(SIG_BLOCK, &set, 0); // Process killed on x86, but not on x86_64!


I first thought that libc could be playing with the parameters or these
syscalls could have different signatures on x86 and x86_64, but it looks like
that is not the case. Any suggestions? Am I missing something?

My test case is attached.

Cheers,
/**
 * Seccomp Library test program
 *
 * Copyright (c) 2012 Red Hat <pmo...@redhat.com>
 * Author: Paul Moore <pmo...@redhat.com>
 */

/*
 * This library is free software; you can redistribute it and/or modify it
 * under the terms of version 2.1 of the GNU Lesser General Public License as
 * published by the Free Software Foundation.
 *
 * This library is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public License
 * for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this library; if not, see <http://www.gnu.org/licenses>.
 */

#include <signal.h>
#include <stdio.h>
#include <unistd.h>

#include <seccomp.h>

#include "util.h"

int main(int argc, char *argv[])
{
	int rc;
	struct util_options opts;
	scmp_filter_ctx ctx = NULL;	/* released at "out" even on early failure */
	sigset_t set;

	rc = util_getopt(argc, argv, &opts);
	if (rc < 0)
		goto out;

	ctx = seccomp_init(SCMP_ACT_ALLOW);
	if (ctx == NULL)
		goto out;

	rc = seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(rt_sigprocmask), 2,
			SCMP_A0(SCMP_CMP_EQ, SIG_BLOCK),
			SCMP_A1(SCMP_CMP_NE, 0));
	if (rc != 0)
		goto out;

	rc = seccomp_load(ctx);
	if (rc != 0)
		goto out;

	rc = util_filter_output(&opts, ctx);
	if (rc)
		goto out;

	sigemptyset(&set);
	sigaddset(&set, SIGUSR1);

	/* None of these match the rule: how != SIG_BLOCK or set == NULL. */
	sigprocmask(SIG_SETMASK, &set, 0);
	sigprocmask(SIG_SETMASK, 0, &set);
	sigprocmask(SIG_BLOCK, 0, &set);
	printf("You should see this message.\n");

	/* Matches the rule: how == SIG_BLOCK and set != NULL. */
	sigprocmask(SIG_BLOCK, &set, 0); // Killed!
	printf("The test should be killed before printing this message.\n");

out:
	seccomp_release(ctx);
	return (rc < 0 ? -rc : rc);
}
_______________________________________________
libseccomp-discuss mailing list
libseccomp-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/libseccomp-discuss