Quoting Paul Moore ([email protected]):
> On Friday, June 20, 2014 05:23:02 PM Serge Hallyn wrote:
> > Quoting Paul Moore ([email protected]):
> > > On Friday, June 20, 2014 04:33:32 PM Serge Hallyn wrote:
> > > > Quoting Paul Moore ([email protected]):
> > > >
> > > > This gets more and more confusing.
> > > >
> > > > > On Thursday, June 19, 2014 08:01:59 PM Serge Hallyn wrote:
> > > > > > Hi,
> > > > > >
> > > > > > I built the following program on a 64-bit host:
> > > > > >
> > > > > > =======================================================
> > > > > > #include <stdio.h>
> > > > > > #include <seccomp.h>
> > > > > > #include <unistd.h>
> > > > > > #include <sys/personality.h>
> > > > > >
> > > > > > int main()
> > > > > > {
> > > > > >         int ret;
> > > > > >
> > > > > >         scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_ALLOW),
> > > > > >                         ctx32 = seccomp_init(SCMP_ACT_ALLOW);
> > > > > >
> > > > > >         seccomp_attr_set(ctx, SCMP_FLTATR_CTL_NNP, 0);
> > > > > >         seccomp_attr_set(ctx32, SCMP_FLTATR_CTL_NNP, 0);
> > > > > >         ret = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(1),
> > > > > >                                seccomp_syscall_resolve_name("delete_module"),
> > > > > >                                0);
> > > > >
> > > > > FWIW, you can use __NR_delete_module here instead of
> > > > > seccomp_syscall_resolve_name() if you like. Both work, and the macro
> > > > > is a bit shorter :)
> > > >
> > > > Right, but really I want to use seccomp_syscall_resolve_name_arch(). Or
> > > > at least I thought I wanted to ...
> > >
> > > Ah ha! I should have looked more closely at your original code, my fault.
> > > The issue you are running into is that when you specify the syscall in the
> > > call to seccomp_rule_add() you always need to specify it with respect to
> > > the native ABI, libseccomp will handle any translation that may be
> > > necessary.
> > >
> > > I did it this way so that you could use the __NR_* macros without having
> > > to worry about what arch/ABIs you have in the seccomp filter. With all
> > > this in mind, you could re-write your test program as follows:
> >
> > Ok, so let's say I only want to filter the 32-bit version of SYS_foo,
> > bc I dunno I don't trust its compat code. The way I read what you say
> > above, that's not possible?
>
> Nope, you could do that. The example below adds both a x86 and a x86_64
> specific rule as well as common rule ...
>
> =======================================================
> #include <stdio.h>
> #include <seccomp.h>
> #include <unistd.h>
> #include <sys/personality.h>
>
> int main()
> {
>         int ret;
>
>         scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_ALLOW);
>         scmp_filter_ctx ctx32 = seccomp_init(SCMP_ACT_ALLOW);
>
>         seccomp_attr_set(ctx, SCMP_FLTATR_CTL_NNP, 0);
>         seccomp_attr_set(ctx32, SCMP_FLTATR_CTL_NNP, 0);
>
>         /* setup x86 filter */
>
>         ret = seccomp_arch_add(ctx32, SCMP_ARCH_X86);
>         printf("archadd: ret is %d\n", ret);
>
>         ret = seccomp_arch_remove(ctx32, SCMP_ARCH_NATIVE);
>         printf("archrm: ret is %d\n", ret);
>
>         /* x86-only rules */
>
>         ret = seccomp_rule_add(ctx32, SCMP_ACT_ERRNO(1),
>                                __NR_foo, 0);
>         printf("ruleadd: ret is %d\n", ret);
>
>         /* x86_64-only rules */
>
>         ret = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(1),
>                                __NR_bar, 0);
>         printf("ruleadd: ret is %d\n", ret);
>
>         /* common rules */
>
>         ret = seccomp_merge(ctx, ctx32);
>         printf("merge: ret is %d\n", ret);
>
>         ret = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(1),
>                                __NR_delete_module, 0);
Could you also have added this rule separately to each context
before merging them?
>         printf("ruleadd: ret is %d\n", ret);
>
>         ret = seccomp_load(ctx);
>         printf("ret for load %d\n", ret);
>
>         personality(PER_LINUX32);
>         execl("/bin/bash", "/bin/bash", NULL);
> }
> =======================================================
Ok, so now we're getting close to my original code again - keeping
in mind that I am processing a policy configuration file, I can't
actually use __NR_foo, I need to resolve the symbol names. I'm
doing it using seccomp_syscall_resolve_name_arch. Do you expect
that to work as well?
Can you explain where I go wrong with my original code? (re-pasted
below)
-serge
=======================================================
#include <stdio.h>
#include <seccomp.h>
#include <unistd.h>
#include <sys/personality.h>

int main()
{
        int ret;
        scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_ALLOW),
                        ctx32 = seccomp_init(SCMP_ACT_ALLOW);

        seccomp_attr_set(ctx, SCMP_FLTATR_CTL_NNP, 0);
        seccomp_attr_set(ctx32, SCMP_FLTATR_CTL_NNP, 0);

        /* rule on the native (x86_64) context */
        ret = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(1),
                               seccomp_syscall_resolve_name("delete_module"), 0);
        printf("ret is %d\n", ret);

        /* turn ctx32 into an x86-only context */
        ret = seccomp_arch_add(ctx32, SCMP_ARCH_X86);
        printf("archadd: ret is %d\n", ret);
        ret = seccomp_arch_remove(ctx32, SCMP_ARCH_NATIVE);
        printf("archrm: ret is %d\n", ret);

        /* the syscall number here is resolved for the x86 ABI */
        ret = seccomp_rule_add(ctx32, SCMP_ACT_ERRNO(1),
                               seccomp_syscall_resolve_name_arch(SCMP_ARCH_X86,
                                                                 "delete_module"), 0);
        printf("ruleadd ret is %d\n", ret);

        ret = seccomp_merge(ctx, ctx32);
        printf("merge ret is %d\n", ret);

        ret = seccomp_load(ctx);
        printf("ret for load %d\n", ret);

        personality(PER_LINUX32);
        execl("/bin/bash", "/bin/bash", NULL);
        return 1;   /* only reached if execl() fails */
}
=======================================================
_______________________________________________
libseccomp-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/libseccomp-discuss
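What Paul's merged x86_64 + x86 context comes out to at the BPF level, as an added example that is not part of this thread and not libseccomp's own code: the kernel sees a single filter that branches on the arch field of seccomp_data first and only then compares nr, and each branch has to carry that ABI's own number (176 for delete_module on x86_64, 129 on i386). That lookup is the "translation" libseccomp does when seccomp_rule_add() is given the native number; hand it the i386 number 129 as if it were native and the rule means x86_64 syscall 129, which is rt_sigqueueinfo, not delete_module. The two numbers are hard-coded below for the x86_64/i386 pair only (an assumption of this example), run_filter() is a toy interpreter that covers just the three instruction kinds this filter uses, and nothing here links against libseccomp, so it builds with plain cc on a Linux box.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Per-ABI numbers for delete_module, hard-coded here (assumption: the policy
 * covers only the x86_64 + i386 pair). Given the native 176, libseccomp looks
 * up the 129 itself when it emits the SCMP_ARCH_X86 branch. */
#define NR_DELETE_MODULE_X86_64 176u
#define NR_DELETE_MODULE_I386   129u
#define DENY (SECCOMP_RET_ERRNO | 1u)   /* what SCMP_ACT_ERRNO(1) loads: EPERM */
#define OFF_NR   offsetof(struct seccomp_data, nr)
#define OFF_ARCH offsetof(struct seccomp_data, arch)

/* The filter a merged x86_64 + x86 context boils down to: branch on the ABI
 * the syscall arrived through, then compare nr against that ABI's number. */
static const struct sock_filter policy[] = {
    /* 0 */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, OFF_ARCH),
    /* 1 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 0, 2),      /* else -> 4 */
    /* 2 */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, OFF_NR),
    /* 3 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NR_DELETE_MODULE_X86_64, 4, 3), /* -> 8 : 7 */
    /* 4 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_I386, 0, 4),        /* else -> 9 */
    /* 5 */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, OFF_NR),
    /* 6 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NR_DELETE_MODULE_I386, 1, 0),   /* -> 8 : 7 */
    /* 7 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    /* 8 */ BPF_STMT(BPF_RET | BPF_K, DENY),
    /* 9 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL), /* other ABI: libseccomp's default bad-arch action */
};
#define POLICY_LEN (sizeof policy / sizeof policy[0])

/* Toy interpreter for the three instruction kinds the policy uses, so the
 * decisions can be checked without loading anything into the kernel. */
static uint32_t run_filter(const struct sock_filter *prog, size_t len,
                           uint32_t arch, uint32_t nr)
{
    struct seccomp_data data = { .nr = (int)nr, .arch = arch };
    uint32_t acc = 0, word;
    size_t pc;

    for (pc = 0; pc < len; pc++) {
        const struct sock_filter *in = &prog[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:          /* acc = 32-bit word at data + k */
            if (in->k + sizeof word > sizeof data)
                return SECCOMP_RET_KILL;
            memcpy(&word, (const char *)&data + in->k, sizeof word);
            acc = word;
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:         /* skip jt or jf following instructions */
            pc += (acc == in->k) ? in->jt : in->jf;
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:                                /* not part of this toy */
            return SECCOMP_RET_KILL;
        }
    }
    return SECCOMP_RET_KILL;  /* ran off the end; the kernel refuses such a program at load */
}

/* What the policy returns for syscall nr arriving through ABI arch. */
uint32_t decide(uint32_t arch, uint32_t nr)
{
    return run_filter(policy, POLICY_LEN, arch, nr);
}

/* Load the policy into the calling thread. NO_NEW_PRIVS is what
 * SCMP_FLTATR_CTL_NNP does for you; without it the load needs CAP_SYS_ADMIN. */
int install_policy(void)
{
    struct sock_fprog prog = { .len = POLICY_LEN, .filter = (struct sock_filter *)policy };

    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -errno;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
        return -errno;
    return 0;
}

int main(void)
{
    printf("x86_64 nr 176 -> %#x, i386 nr 129 -> %#x\n",
           decide(AUDIT_ARCH_X86_64, 176), decide(AUDIT_ARCH_I386, 129));
    /* The i386 number handed in as if it were native hits a different syscall. */
    printf("x86_64 nr 129 -> %#x (allowed: that is rt_sigqueueinfo there)\n",
           decide(AUDIT_ARCH_X86_64, 129));

    int rc = install_policy();
    if (rc != 0) {
        fprintf(stderr, "install_policy: %s\n", strerror(-rc));
        return 1;
    }
    errno = 0;
    syscall(SYS_delete_module, "no_such_module", 0);
    printf("delete_module after load: errno=%d (%s)\n", errno, strerror(errno));
    return 0;
}
```

decide() answers what the filter would return for a given (arch, nr) pair without touching the kernel; main() then loads the real thing with prctl(2) and calls delete_module, which from then on fails with EPERM from the filter on both ABIs. For an unprivileged caller the kernel's own CAP_SYS_MODULE check also reports EPERM, so the simulated decisions are the clearer demonstration of which number each branch needs.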