Hi all,
I'd like to forbid evil (or unexpected) application behaviour by limiting the
arguments of system calls. It seems libseccomp could help me do this.
However, libseccomp did not work as I expected. For instance, I tried to
prevent programs from writing anything into any file except STDOUT and
STDERR, so I supposed I had to forbid the syscall 'write' unless its first
argument was equal to '1' or '2'.
To implement this, I tried two ways to add seccomp filter rules:
---
1.
#include <seccomp.h>

scmp_filter_ctx ctx;
ctx = seccomp_init(SCMP_ACT_KILL);
/* one rule carrying two comparisons on the same argument (arg0);
   the return value of seccomp_rule_add() is not checked */
seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 2,
                 SCMP_A0(SCMP_CMP_LE, 2),
                 SCMP_A0(SCMP_CMP_GE, 1));
...
write(2, buf, sizeof(buf));

2.
#include <seccomp.h>

scmp_filter_ctx ctx;
ctx = seccomp_init(SCMP_ACT_KILL);
/* two separate rules for the same syscall, one comparison each */
seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1,
                 SCMP_A0(SCMP_CMP_LE, 2));
seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1,
                 SCMP_A0(SCMP_CMP_GE, 1));
...
write(2, buf, sizeof(buf));
---
The former did not work because the syscall 'write' was still forbidden.
WHY?
The latter seemed to work fine: the contents of the buffer were written
to STDERR successfully. However, I found 'write' would not be forbidden even
if we changed the first argument from 2 to 3 or larger. I guess this problem
arose because the relationship between those two rules is OR instead of AND.
Any file descriptor >= 1 or <= 2 is accepted; in other words, a file descriptor
with any value is accepted. I was wondering, is there any way to set seccomp
filter rules so that a syscall is allowed only when both rules are satisfied?
Thank you.
(I'm a newcomer. If there is any problem with my wording, please accept my
apology and point it out to me ^_^)
--
You received this message because you are subscribed to the Google Groups
"libseccomp" group.