Quoting Paul Moore ([email protected]):
> On Friday, June 20, 2014 04:33:32 PM Serge Hallyn wrote:
> > Quoting Paul Moore ([email protected]):
> >
> > This gets more and more confusing.
> >
> > > On Thursday, June 19, 2014 08:01:59 PM Serge Hallyn wrote:
> > > > Hi,
> > > >
> > > > I built the following program on a 64-bit host:
> > > >
> > > > =======================================================
> > > > #include <stdio.h>
> > > > #include <seccomp.h>
> > > > #include <unistd.h>
> > > > #include <sys/personality.h>
> > > >
> > > > int main()
> > > > {
> > > >         int ret;
> > > >         scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_ALLOW),
> > > >                         ctx32 = seccomp_init(SCMP_ACT_ALLOW);
> > > >
> > > >         seccomp_attr_set(ctx, SCMP_FLTATR_CTL_NNP, 0);
> > > >         seccomp_attr_set(ctx32, SCMP_FLTATR_CTL_NNP, 0);
> > > >         ret = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(1),
> > > >                                seccomp_syscall_resolve_name("delete_module"),
> > > >                                0);
> > >
> > > FWIW, you can use __NR_delete_module here instead of
> > > seccomp_syscall_resolve_name() if you like. Both work, and the macro is a
> > > bit shorter :)
> >
> > Right, but really i want to use seccomp_syscall_resolve_name_arch(). Or at
> > least I thought I wanted to ...
>
> Ah ha! I should have looked more closely at your original code, my fault.
> The issue you are running into is that when you specify the syscall in the
> call to seccomp_rule_add() you always need to specify it with respect to the
> native ABI, libseccomp will handle any translation that may be necessary.
>
> I did it this way so that you could use the __NR_* macros without having to
> worry about what arch/ABIs you have in the seccomp filter. With all this in
> mind, you could re-write your test program as follows:
Ok, so let's say I only want to filter the 32-bit version of SYS_foo,
because, I dunno, I don't trust its compat code. The way I read what you say
above, that's not possible?
> =======================================================
> #include <stdio.h>
> #include <seccomp.h>
> #include <unistd.h>
> #include <sys/personality.h>
>
> int main()
> {
>         int ret;
>
>         scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_ALLOW);
>
>         seccomp_attr_set(ctx, SCMP_FLTATR_CTL_NNP, 0);
>
>         /* add the arch first so we don't need to repeat the filter */
>         ret = seccomp_arch_add(ctx, SCMP_ARCH_X86);
>         printf("archadd: ret is %d\n", ret);
>
>         /* the syscall is always named in native (x86_64) terms;
>          * libseccomp translates it for the x86 ABI added above */
>         ret = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(1),
>                                __NR_delete_module, 0);
>         printf("ruleadd: ret is %d\n", ret);
>
>         ret = seccomp_load(ctx);
>         printf("ret for load %d\n", ret);
>         /* flush before exec, otherwise the buffered output above is lost */
>         fflush(stdout);
>         personality(PER_LINUX32);
>         execl("/bin/bash", "/bin/bash", NULL);
>         perror("execl");
>         return 1;
> }
> =======================================================
>
> --
> paul moore
> security and virtualization @ redhat
>
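As an added example that is not part of this thread and not libseccomp's own code, the program below hand-builds the raw seccomp-BPF filter that answers the question above: it fails delete_module with errno 1 (EPERM) only when the call arrives through the 32-bit i386 ABI and allows the same syscall on the native x86_64 ABI. The arch check at the top is the dispatch libseccomp emits itself once seccomp_arch_add(ctx, SCMP_ARCH_X86) has been called; the syscall numbers 129 (i386) and 176 (x86_64) are from the kernel's x86 syscall tables. A small interpreter for the three BPF opcodes used lets the filter's decisions be checked in user space before it is installed; the function names are this example's own.

```c
/* Added example (not from the thread): deny delete_module only on the
 * i386 ABI of an x86_64 host, allow everything else. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Syscall numbers are per ABI. A 64-bit build's <sys/syscall.h> only
 * defines the native number, so both are hard-coded from the x86 tables. */
#define NR_DELETE_MODULE_I386   129
#define NR_DELETE_MODULE_X86_64 176

/* The filter program. Jump offsets count from the following instruction. */
static const struct sock_filter i386_delete_module_filter[] = {
    /* A = seccomp_data.arch */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    /* not the i386 ABI -> skip 3 instructions to ALLOW */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_I386, 0, 3),
    /* A = seccomp_data.nr, which is an i386 number at this point */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    /* not delete_module -> skip 1 instruction to ALLOW */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NR_DELETE_MODULE_I386, 0, 1),
    /* deny: fail the call with errno 1 (EPERM), like SCMP_ACT_ERRNO(1) */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
    /* ALLOW: everything else proceeds */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};
#define FILTER_LEN (sizeof(i386_delete_module_filter) / sizeof(i386_delete_module_filter[0]))

/* Minimal interpreter for the three opcodes used above, so the filter can
 * be exercised with constructed (arch, nr) inputs before it is installed. */
static unsigned int run_filter(const struct sock_filter *insns, unsigned short n,
                               unsigned int arch, int nr)
{
    unsigned int a = 0; /* the BPF accumulator */
    for (unsigned short pc = 0; pc < n; pc++) {
        const struct sock_filter *in = &insns[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            if (in->k == offsetof(struct seccomp_data, arch))
                a = arch;
            else if (in->k == offsetof(struct seccomp_data, nr))
                a = (unsigned int)nr;
            else
                return SECCOMP_RET_KILL; /* field not modelled here */
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (a == in->k) ? in->jt : in->jf;
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:
            return SECCOMP_RET_KILL; /* opcode not modelled here */
        }
    }
    return SECCOMP_RET_KILL; /* ran off the end; the kernel rejects such programs */
}

/* Decision the filter makes for one (arch, nr) pair. */
unsigned int decide(unsigned int arch, int nr)
{
    return run_filter(i386_delete_module_filter, FILTER_LEN, arch, nr);
}

/* Install the filter for the calling thread; returns 0 on success. */
int install_filter(void)
{
    struct sock_fprog prog = {
        .len = FILTER_LEN,
        .filter = (struct sock_filter *)i386_delete_module_filter,
    };
    /* required without CAP_SYS_ADMIN; the same role as SCMP_FLTATR_CTL_NNP */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

int main(void)
{
    printf("i386   delete_module -> %s\n",
           decide(AUDIT_ARCH_I386, NR_DELETE_MODULE_I386) == SECCOMP_RET_ALLOW ? "allow" : "EPERM");
    printf("x86_64 delete_module -> %s\n",
           decide(AUDIT_ARCH_X86_64, NR_DELETE_MODULE_X86_64) == SECCOMP_RET_ALLOW ? "allow" : "EPERM");
    if (install_filter() != 0) {
        perror("install_filter");
        return 1;
    }
    puts("filter installed for this thread");
    return 0;
}
```

Build on Linux with `cc -o i386_filter i386_filter.c`; no libseccomp is needed. The arch test must come before the number test because the same nr means different syscalls on each ABI, which is exactly why libseccomp insists on native-ABI numbers in seccomp_rule_add() and does the per-ABI translation itself.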
_______________________________________________
libseccomp-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/libseccomp-discuss