Re: [libseccomp-discuss] problem with PNR_ handling

Wed, 18 Jun 2014 14:16:30 -0700 

On Wednesday, June 18, 2014 08:31:42 PM Serge Hallyn wrote:
> Hi,
> 
> As i was testing the blacklisting of finit_modules, I ran across what
> appears to be a systematic (cut-paste?) error in
> src/arch-x86_64-syscalls.c.  It has for instance
> 
>   { "fchown32", __PNR_fchown32 },
>       ...
>   { "finit_module", __PNR_finit_module },

Hmm, looking at the current kernel sources those two syscalls are indeed 
defined.  In the case of finit_module it looks like it was added in 3.8 (the 
x86_64 syscall table was based on 3.4.7) so it was missing in the initial 
table and the pseudo-syscall entry was added along with the initial ARM 
support.

This is clearly a bug.

> However, seccomp.h.in has stanzas like
> 
> #define __PNR_fchown32          -10008
> #ifndef __NR_fchown32
> #define __NR_fchown32           __PNR_fchown32
> #endif /* __NR_fchown32 */
> 
> #define __PNR_finit_module      -10085
> #ifndef __NR_finit_module
> #define __NR_finit_module       __PNR_finit_module
> #endif /* __NR_finit_module */
> 
> As a result, on my 3.15 host I'm getting a negative return value when
> resolving finit_module and fchown32, and am not able to blacklist them.

I'm guessing you're using the seccomp_add_rule_exact() API?
 
> It seems to me therefore that src/arch-x86_64-syscalls.c should have
> 
>   { "fchown32", __NR_fchown32 },
>       ...
>   { "finit_module", __NR_finit_module },

Yep.

Patches are always welcome ;)

> and the same for all other __PNR entries. In fact looking at grep output
> it seems
> 
>       sed -i 's/__PNR_/__NR_/ src/arch-*-syscalls.c
> 
> should be safe...

Nope.  The __PNR_* defines are for syscalls that do not exist for a given 
arch/ABI.  While in the two examples above we should be using the __NR_* 
equivalents, there are legitimate uses for the __PNR_* defines.

-- 
paul moore
security and virtualization @ redhat


------------------------------------------------------------------------------
HPCC Systems Open Source Big Data Platform from LexisNexis Risk Solutions
Find What Matters Most in Your Big Data with HPCC Systems
Open Source. Fast. Scalable. Simple. Ideal for Dirty Data.
Leverages Graph Analysis for Fast Processing & Easy Data Exploration
http://p.sf.net/sfu/hpccsystems
_______________________________________________
libseccomp-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/libseccomp-discuss

Reply via email to