On Friday, June 20, 2014 04:33:32 PM Serge Hallyn wrote:
> Quoting Paul Moore ([email protected]):
>
> This gets more and more confusing.
>
> > On Thursday, June 19, 2014 08:01:59 PM Serge Hallyn wrote:
> > > Hi,
> > >
> > > I built the following program on a 64-bit host:
> > >
> > > =======================================================
> > > #include <stdio.h>
> > > #include <seccomp.h>
> > > #include <unistd.h>
> > > #include <sys/personality.h>
> > >
> > > int main()
> > > {
> > >     int ret;
> > >     scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_ALLOW),
> > >                     ctx32 = seccomp_init(SCMP_ACT_ALLOW);
> > >
> > >     seccomp_attr_set(ctx, SCMP_FLTATR_CTL_NNP, 0);
> > >     seccomp_attr_set(ctx32, SCMP_FLTATR_CTL_NNP, 0);
> > >     ret = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(1),
> > >                            seccomp_syscall_resolve_name("delete_module"), 0);
> >
> > FWIW, you can use __NR_delete_module here instead of
> > seccomp_syscall_resolve_name() if you like. Both work, and the macro is a
> > bit shorter :)
>
> Right, but really I want to use seccomp_syscall_resolve_name_arch(). Or at
> least I thought I wanted to ...
Ah ha! I should have looked more closely at your original code, my fault.
The issue you are running into is that when you specify the syscall in the
call to seccomp_rule_add() you always need to specify it with respect to the
native ABI; libseccomp will handle any translation that may be necessary.
I did it this way so that you could use the __NR_* macros without having to
worry about what arch/ABIs you have in the seccomp filter. With all this in
mind, you could re-write your test program as follows:
=======================================================
#include <stdio.h>
#include <seccomp.h>
#include <unistd.h>
#include <sys/personality.h>

int main(void)
{
    int ret;
    scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_ALLOW);

    seccomp_attr_set(ctx, SCMP_FLTATR_CTL_NNP, 0);
    /* add the arch first so we don't need to repeat the filter */
    ret = seccomp_arch_add(ctx, SCMP_ARCH_X86);
    printf("archadd: ret is %d\n", ret);
    /* the syscall is always given in native-ABI numbering; libseccomp
     * translates it for the x86 ABI added above */
    ret = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(1),
                           __NR_delete_module, 0);
    printf("ruleadd: ret is %d\n", ret);
    ret = seccomp_load(ctx);
    printf("ret for load %d\n", ret);
    /* stdio buffers are discarded across exec, so flush before execl() */
    fflush(stdout);
    personality(PER_LINUX32);
    execl("/bin/bash", "/bin/bash", NULL);
    perror("execl"); /* only reached if the exec itself fails */
    return 1;
}
=======================================================
--
paul moore
security and virtualization @ redhat
_______________________________________________
libseccomp-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/libseccomp-discuss