Hi,
I built the following program on a 64-bit host:
=======================================================
#include <stdio.h>
#include <seccomp.h>
#include <unistd.h>
#include <sys/personality.h>

int main(void)
{
	int ret;
	/* Native (x86_64) filter, and a second one that will carry only x86. */
	scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_ALLOW),
			ctx32 = seccomp_init(SCMP_ACT_ALLOW);

	/* Leave no_new_privs off; we run as root and exec a shell afterwards. */
	seccomp_attr_set(ctx, SCMP_FLTATR_CTL_NNP, 0);
	seccomp_attr_set(ctx32, SCMP_FLTATR_CTL_NNP, 0);

	ret = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(1),
			       seccomp_syscall_resolve_name("delete_module"), 0);
	printf("ret is %d\n", ret);

	/* Turn ctx32 into an x86-only filter: add x86, drop the native arch. */
	ret = seccomp_arch_add(ctx32, SCMP_ARCH_X86);
	printf("archadd: ret is %d\n", ret);
	ret = seccomp_arch_remove(ctx32, SCMP_ARCH_NATIVE);
	printf("archrm: ret is %d\n", ret);

	ret = seccomp_rule_add(ctx32, SCMP_ACT_ERRNO(1),
			       seccomp_syscall_resolve_name_arch(SCMP_ARCH_X86,
								 "delete_module"), 0);
	printf("ruleadd ret is %d\n", ret);

	/* Fold the x86 filter into the native one (ctx32 is released on success). */
	ret = seccomp_merge(ctx, ctx32);
	printf("merge ret is %d\n", ret);

	ret = seccomp_load(ctx);
	printf("ret for load %d\n", ret);
	seccomp_release(ctx);

	personality(PER_LINUX32);
	execl("/bin/bash", "/bin/bash", NULL);
	perror("execl");
	return 1;
}
=======================================================
I created a 32-bit chroot, ran the above program as root,
chrooted into the 32-bit chroot, and mounted /sys and /proc.
Then I ran 'strace -f rmmod overlayfs'. delete_module was
allowed.
Am I misunderstanding something about the compat use of seccomp?
-serge
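Added example (not part of Serge's post and not libseccomp code): what the merged filter has to do at the kernel level for the compat case. A 32-bit task on an x86_64 kernel reports AUDIT_ARCH_I386 in seccomp_data.arch and the i386 syscall number in seccomp_data.nr, so the BPF program must branch on arch first and compare nr against the number that is right for that ABI (delete_module is 176 on x86_64 and 129 on i386; both hard-coded here from the syscall tables so the block evaluates identically on any host). Note that libseccomp's seccomp_rule_add() takes the syscall number in the native ABI and translates it for each architecture in the filter itself, which is why feeding it the i386 number from seccomp_syscall_resolve_name_arch() is not the same as what this raw filter does. The example uses raw cBPF instead of libseccomp, and includes a small userspace evaluator for the three opcodes the filter uses so the decisions can be checked without loading it; install_filter() is assumed to run on an x86_64 host.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>

/* delete_module from the x86_64 and i386 syscall tables, hard-coded so the
 * filter and its evaluation do not depend on the host's own __NR_ values. */
#define NR_DELETE_MODULE_X86_64 176
#define NR_DELETE_MODULE_I386   129

#define RET_EPERM (SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA))
#define SD(field) offsetof(struct seccomp_data, field)

/* One filter, two ABIs: branch on seccomp_data.arch, then compare nr with the
 * number that is right for that ABI.  Any other arch value is killed, so an
 * ABI we wrote no rule for cannot slip past the delete_module check.
 * Jump targets are pc + 1 + jt/jf; the index comments keep them honest. */
static struct sock_filter filter[] = {
	/*  0 */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SD(arch)),
	/*  1 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 0, 3),
	/*  2 */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SD(nr)),
	/*  3 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NR_DELETE_MODULE_X86_64, 6, 0),
	/*  4 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
	/*  5 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_I386, 0, 3),
	/*  6 */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SD(nr)),
	/*  7 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NR_DELETE_MODULE_I386, 2, 0),
	/*  8 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
	/*  9 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
	/* 10 */ BPF_STMT(BPF_RET | BPF_K, RET_EPERM),
};
#define FILTER_LEN (sizeof(filter) / sizeof(filter[0]))

/* Tiny cBPF evaluator for the three opcodes the filter uses, so decisions can
 * be checked in userspace without loading anything into the kernel. */
static uint32_t run_filter(const struct sock_filter *prog, size_t len,
			   const struct seccomp_data *sd)
{
	uint32_t acc = 0;
	size_t pc;

	for (pc = 0; pc < len; pc++) {
		const struct sock_filter *in = &prog[pc];

		switch (in->code) {
		case BPF_LD | BPF_W | BPF_ABS:
			if (in->k > sizeof(*sd) - sizeof(acc))
				return SECCOMP_RET_KILL;	/* out-of-bounds load */
			memcpy(&acc, (const char *)sd + in->k, sizeof(acc));
			break;
		case BPF_JMP | BPF_JEQ | BPF_K:
			pc += (acc == in->k) ? in->jt : in->jf;
			break;
		case BPF_RET | BPF_K:
			return in->k;
		default:
			return SECCOMP_RET_KILL;	/* opcode not modelled */
		}
	}
	return SECCOMP_RET_KILL;			/* fell off the end */
}

/* Decision for a constructed (arch, nr) pair; returns the raw SECCOMP_RET_* value. */
static uint32_t decide(uint32_t arch, int nr)
{
	struct seccomp_data sd;

	memset(&sd, 0, sizeof(sd));
	sd.arch = arch;
	sd.nr = nr;
	return run_filter(filter, FILTER_LEN, &sd);
}

/* Load the filter for the calling thread (assumes an x86_64 host). */
static int install_filter(void)
{
	struct sock_fprog prog = { .len = FILTER_LEN, .filter = filter };

	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
		return -errno;
	if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
		return -errno;
	return 0;
}

int main(int argc, char **argv)
{
	printf("x86_64 delete_module -> 0x%08x\n",
	       decide(AUDIT_ARCH_X86_64, NR_DELETE_MODULE_X86_64));
	printf("i386   delete_module -> 0x%08x\n",
	       decide(AUDIT_ARCH_I386, NR_DELETE_MODULE_I386));
	/* The other ABI's number names a different syscall there and stays allowed. */
	printf("i386   nr 176        -> 0x%08x\n",
	       decide(AUDIT_ARCH_I386, NR_DELETE_MODULE_X86_64));
	printf("arm    any syscall   -> 0x%08x (no rules for that ABI)\n",
	       decide(AUDIT_ARCH_ARM, 0));

	if (argc > 1 && strcmp(argv[1], "--install") == 0)
		printf("install_filter: %d\n", install_filter());
	return 0;
}
```

Run without arguments to see the decisions; with --install the filter is loaded for the current thread before exit. The point of the two separate nr comparisons is exactly the compat issue above: a single 32-bit syscall number is meaningless until the filter knows which ABI the task is making the call under.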
_______________________________________________
libseccomp-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/libseccomp-discuss