Quoting Paul Moore ([email protected]):
This gets more and more confusing.
> On Thursday, June 19, 2014 08:01:59 PM Serge Hallyn wrote:
> > Hi,
> >
> > I built the following program on a 64-bit host:
> >
> > =======================================================
> > #include <stdio.h>
> > #include <seccomp.h>
> > #include <unistd.h>
> > #include <sys/personality.h>
> >
> > int main()
> > {
> >     int ret;
> >
> >     scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_ALLOW),
> >                     ctx32 = seccomp_init(SCMP_ACT_ALLOW);
> >
> >     seccomp_attr_set(ctx, SCMP_FLTATR_CTL_NNP, 0);
> >     seccomp_attr_set(ctx32, SCMP_FLTATR_CTL_NNP, 0);
> >     ret = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(1),
> >                            seccomp_syscall_resolve_name("delete_module"), 0);
>
> FWIW, you can use __NR_delete_module here instead of
> seccomp_syscall_resolve_name() if you like. Both work, and the macro is a
> bit shorter :)
Right, but really I want to use seccomp_syscall_resolve_name_arch(). Or at
least I thought I wanted to. However,
> >     /* newline added so the output is flushed before execl() replaces the process */
> >     printf("ret is %d\n", ret);
> >
> >     ret = seccomp_arch_add(ctx32, SCMP_ARCH_X86);
> >     printf("archadd: ret is %d\n", ret);
> >     ret = seccomp_arch_remove(ctx32, SCMP_ARCH_NATIVE);
> >     printf("archrm: ret is %d\n", ret);
> >     ret = seccomp_rule_add(ctx32, SCMP_ACT_ERRNO(1),
> >                            seccomp_syscall_resolve_name_arch(SCMP_ARCH_X86,
> >                                                              "delete_module"), 0);
> >     printf("ruleadd ret is %d\n", ret);
> >     ret = seccomp_merge(ctx, ctx32);
> >     printf("merge ret is %d\n", ret);
> >
> >     ret = seccomp_load(ctx);
> >     printf("ret for load %d\n", ret);
> >     personality(PER_LINUX32);
> >     execl("/bin/bash", "/bin/bash", NULL);
> > }
> > =======================================================
> >
> > I created a 32-bit chroot, ran the above program as root,
> > chrooted into the 32-bit chroot, and mounted /sys and /proc.
> > Then I ran 'strace -f rmmod overlayfs'. delete_module was
> > allowed.
> >
> > Am I misunderstanding something about the compat use of
> > seccomp
>
> I wonder if the personality() call is doing something odd ... what if you
> tried the following:
>
> =======================================================
> #include <stdio.h>
> #include <seccomp.h>
> #include <unistd.h>
> #include <sys/personality.h>
>
> int main()
> {
>     int ret;
>
>     scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_ALLOW);
>
>     seccomp_attr_set(ctx, SCMP_FLTATR_CTL_NNP, 0);
>     ret = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(1),
>                            __NR_delete_module, 0);
>     /* newline added so the output is flushed before execl() replaces the process */
>     printf("ret is %d\n", ret);
>
>     ret = seccomp_load(ctx);
>     printf("ret for load %d\n", ret);
>     execl("/bin/bash", "/bin/bash", NULL);
> }
> =======================================================
Ok, so for this to be testable I did have to add a
seccomp_arch_add(ctx, SCMP_ARCH_X86), otherwise I couldn't run anything
in compat mode.
Now with that done, I indeed cannot call rmmod inside a chroot. This
doesn't make sense to me - by adding __NR_delete_module while I was
in 64-bit mode, it should only have blacklisted 176, not 129, right?
Did the seccomp_arch_add() insert the 32-bit duplicates for all
already-registered rules?
(I verified that I was in fact trying the 32-bit syscall with the
following)
#define _GNU_SOURCE
#include <unistd.h>
#include <sys/syscall.h>
#include <stdio.h>

int main()
{
    int ret;

    /* 129 is delete_module in the i386 syscall table */
    ret = syscall(129, "overlayfs", 0);
    printf("syscall returned %d\n", ret);
}
-serge
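As an added example (not code from this thread and not part of libseccomp), the two filters the thread contrasts, written out as raw classic BPF: one that matches only the native delete_module number (176) with no arch check at all, and one keyed on seccomp_data.arch first with a separate rule per ABI, which is the shape a filter must take once both the native arch and SCMP_ARCH_X86 are present. A small interpreter evaluates the verdict for sample (arch, nr) pairs so the program runs without libseccomp or kernel headers. The AUDIT_ARCH_*, SECCOMP_RET_* and BPF opcode values are copied from the Linux uapi headers, the syscall numbers 176 and 129 are the ones quoted above, and the struct layouts are assumed to match struct seccomp_data and struct sock_filter.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Copied from linux/audit.h, linux/seccomp.h and linux/filter.h (assumed). */
#define AUDIT_ARCH_X86_64   0xC000003EU
#define AUDIT_ARCH_I386     0x40000003U
#define SECCOMP_RET_KILL    0x00000000U
#define SECCOMP_RET_ERRNO   0x00050000U
#define SECCOMP_RET_ALLOW   0x7FFF0000U
#define BPF_LD_W_ABS        0x20   /* BPF_LD  | BPF_W   | BPF_ABS */
#define BPF_JEQ_K           0x15   /* BPF_JMP | BPF_JEQ | BPF_K   */
#define BPF_RET_K           0x06   /* BPF_RET | BPF_K             */

/* delete_module numbers quoted in the thread: 176 on x86_64, 129 on i386. */
#define NR_DELETE_MODULE_X86_64 176
#define NR_DELETE_MODULE_I386   129

/* Same layout as struct seccomp_data; BPF reads it by byte offset. */
struct sd { int nr; uint32_t arch; uint64_t ip; uint64_t args[6]; };
/* Same layout as struct sock_filter (one classic-BPF instruction). */
struct insn { uint16_t code; uint8_t jt; uint8_t jf; uint32_t k; };

#define LD(off)       { BPF_LD_W_ABS, 0, 0, (off) }
#define JEQ(v, t, f)  { BPF_JEQ_K, (t), (f), (v) }
#define RET(v)        { BPF_RET_K, 0, 0, (v) }
#define OFF_NR        ((uint32_t)offsetof(struct sd, nr))
#define OFF_ARCH      ((uint32_t)offsetof(struct sd, arch))

/* Filter A: match only the native syscall number, never look at arch. */
static const struct insn naive_filter[] = {
    LD(OFF_NR),
    JEQ(NR_DELETE_MODULE_X86_64, 0, 1),
    RET(SECCOMP_RET_ERRNO | 1),
    RET(SECCOMP_RET_ALLOW),
};

/* Filter B: branch on arch first, one rule per ABI, unknown ABIs killed. */
static const struct insn arch_aware_filter[] = {
    LD(OFF_ARCH),
    JEQ(AUDIT_ARCH_X86_64, 0, 4),        /* x86_64 -> [2], else -> [6]  */
    LD(OFF_NR),
    JEQ(NR_DELETE_MODULE_X86_64, 0, 1),
    RET(SECCOMP_RET_ERRNO | 1),
    RET(SECCOMP_RET_ALLOW),
    JEQ(AUDIT_ARCH_I386, 0, 4),          /* acc still holds arch; else -> [11] */
    LD(OFF_NR),
    JEQ(NR_DELETE_MODULE_I386, 0, 1),
    RET(SECCOMP_RET_ERRNO | 1),
    RET(SECCOMP_RET_ALLOW),
    RET(SECCOMP_RET_KILL),
};

/* Interpreter for the three opcodes used above; jt/jf are relative to pc+1. */
static uint32_t run(const struct insn *p, size_t n, const struct sd *d)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < n; pc++) {
        switch (p[pc].code) {
        case BPF_LD_W_ABS:
            if (p[pc].k + 4 > sizeof *d) return SECCOMP_RET_KILL;
            memcpy(&acc, (const unsigned char *)d + p[pc].k, 4);
            break;
        case BPF_JEQ_K:
            pc += (acc == p[pc].k) ? p[pc].jt : p[pc].jf;
            break;
        case BPF_RET_K:
            return p[pc].k;
        default:
            return SECCOMP_RET_KILL;
        }
    }
    return SECCOMP_RET_KILL;  /* fell off the end; the kernel rejects such programs */
}

static uint32_t verdict(const struct insn *p, size_t n, uint32_t arch, int nr)
{
    struct sd d;
    memset(&d, 0, sizeof d);
    d.nr = nr;
    d.arch = arch;
    return run(p, n, &d);
}

uint32_t verdict_naive(uint32_t arch, int nr)
{ return verdict(naive_filter, sizeof naive_filter / sizeof *naive_filter, arch, nr); }

uint32_t verdict_arch_aware(uint32_t arch, int nr)
{ return verdict(arch_aware_filter, sizeof arch_aware_filter / sizeof *arch_aware_filter, arch, nr); }

int main(void)
{
    const struct { const char *label; uint32_t arch; int nr; } cases[] = {
        { "x86_64 nr 176 (delete_module)", AUDIT_ARCH_X86_64, 176 },
        { "i386   nr 129 (delete_module)", AUDIT_ARCH_I386,   129 },
        { "i386   nr 176 (other syscall)", AUDIT_ARCH_I386,   176 },
    };
    for (size_t i = 0; i < sizeof cases / sizeof *cases; i++)
        printf("%s  naive=0x%08x  arch-aware=0x%08x\n", cases[i].label,
               verdict_naive(cases[i].arch, cases[i].nr),
               verdict_arch_aware(cases[i].arch, cases[i].nr));
    return 0;
}
```

Run it and the naive filter shows the gap under discussion: an i386 caller's delete_module (129) is allowed, while whatever i386 syscall happens to be numbered 176 is wrongly denied. The arch-aware filter denies 129 only under AUDIT_ARCH_I386 and 176 only under AUDIT_ARCH_X86_64. To compare against what libseccomp actually generates for a given context, seccomp_export_pfc() prints the filter in readable form.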
_______________________________________________
libseccomp-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/libseccomp-discuss