From 93ab972ddc5ff423f3042c254eff39a5c90d42bf Mon Sep 17 00:00:00 2001 From: Christian Helmuth Date: Thu, 2 Jul 2020 09:03:33 +0200 Subject: [PATCH] tool/seccomp: allow sigreturn on x86 Fixes #3799 --- .../seccomp/spec/x86_32/seccomp_bpf_policy.bin | Bin 336 -> 344 bytes .../seccomp/spec/x86_64/seccomp_bpf_policy.bin | Bin 352 -> 360 bytes tool/seccomp/.gitignore | 3 +++ tool/seccomp/Makefile | 4 +++- tool/seccomp/seccomp_bpf_compiler.h | 10 ++++++++-- 5 files changed, 14 insertions(+), 3 deletions(-) create mode 100644 tool/seccomp/.gitignore diff --git a/repos/base-linux/src/lib/seccomp/spec/x86_32/seccomp_bpf_policy.bin b/repos/base-linux/src/lib/seccomp/spec/x86_32/seccomp_bpf_policy.bin index 38a12d4e00db95a3dd042e55a7eeba47d34a9450..7f70cd945ec437fd0af58486555282b0bc45d292 100644 GIT binary patch delta 101 zcmcb>bb~2Yfq{X61&Bo%7&Mp}7#u)+5D;ZhWncu;Do}Z41~xEXi9rNRD>7(;X$1y9 VFfGpz4W{K7a=^4KL;1we-vE6F2x$NS delta 93 zcmcb?bb%>Ufq{X61&Bo%7}S{=7#u)+5D;ZhVPFK)%20VF1~xEXkwFAZD==t+X?X@e RFfGRr4W?xoawf+91^`Cb2e$wK diff --git a/repos/base-linux/src/lib/seccomp/spec/x86_64/seccomp_bpf_policy.bin b/repos/base-linux/src/lib/seccomp/spec/x86_64/seccomp_bpf_policy.bin index 0264978c1dcb8482cd1a0ca9444c6b66e87c17bc..5bb506b9346cf5581b3e90bd96a9b793ad322806 100644 GIT binary patch delta 110 zcmaFB^nxi>fq{X61&Bo%7_{sd7!H8=AYjVCzzC!qfa2=^fk2c&6)Ygipu)fmln`Z5 iW?%)=N(}5^T9JVhOe-*OgK2pNUN9}kz`rq;nGpa2Vhd*g delta 102 zcmaFC^nfW=fq{X61&Bo%7&Pq|7!H8=AYjVCzzC!qfZ}TZfk2c&1uP)Spv=Gwln`Z5 dVqgW+iVW;vT7iKROv^KHgK0Si-i@iui~y^Q3mgCd diff --git a/tool/seccomp/.gitignore b/tool/seccomp/.gitignore new file mode 100644 index 0000000000..b9659241aa --- /dev/null +++ b/tool/seccomp/.gitignore @@ -0,0 +1,3 @@ +/seccomp_bpf_policy_arm.bin +/seccomp_bpf_policy_x86_32.bin +/seccomp_bpf_policy_x86_64.bin diff --git a/tool/seccomp/Makefile b/tool/seccomp/Makefile index f996bc2362..15f213cb27 100644 --- a/tool/seccomp/Makefile +++ b/tool/seccomp/Makefile @@ -5,9 +5,11 @@ seccomp_bpf_filters: seccomp_bpf_policy_x86_32.bin seccomp_bpf_policy_x86_64.bin seccomp_bpf_policy_%.bin: seccomp_bpf_compiler_%.prg ./$< > $@ -seccomp_bpf_compiler_%.prg: seccomp_bpf_compiler_%.cc +seccomp_bpf_compiler_%.prg: seccomp_bpf_compiler_%.cc seccomp_bpf_compiler.h @g++ $< -o $@ -lseccomp clean: @rm seccomp_bpf_policy_*.bin 2> /dev/null; true @rm seccomp_bpf_compiler_*.prg 2> /dev/null; true + +.PHONY: seccomp_bpf_filters diff --git a/tool/seccomp/seccomp_bpf_compiler.h b/tool/seccomp/seccomp_bpf_compiler.h index c666547c16..0f9e06c39e 100644 --- a/tool/seccomp/seccomp_bpf_compiler.h +++ b/tool/seccomp/seccomp_bpf_compiler.h @@ -140,6 +140,9 @@ class Filter /* The nmap syscall has a different name on different architectures * but it slould be save as it only uses an already open socket. */ _add_allow_rule(SCMP_SYS(mmap2)); + + /* returning from signal handlers is safe */ + _add_allow_rule(SCMP_SYS(sigreturn)); } break; case SCMP_ARCH_X86_64: @@ -158,6 +161,9 @@ class Filter /* The nmap syscall has a different name on different architectures * but it slould be save as it only uses an already open socket. */ _add_allow_rule(SCMP_SYS(mmap)); + + /* returning from signal handlers is safe */ + _add_allow_rule(SCMP_SYS(rt_sigreturn)); } break; case SCMP_ARCH_ARM: @@ -180,7 +186,7 @@ class Filter /* This syscall is only used on ARM. */ _add_allow_rule(SCMP_SYS(cacheflush)); - /* This syscall is only used on ARM. */ + /* returning from signal handlers is safe */ _add_allow_rule(SCMP_SYS(sigreturn)); } break; @@ -189,7 +195,7 @@ class Filter throw -104; } - // build and export + /* build and export */ seccomp_export_bpf(_ctx, 1); return 0;