rpms/libseccomp
5
0
Fork 0
Code Issues Pull Requests Releases Activity

Rebase to 2.5.2

Browse Source 
resolves: rhbz#2019887
This commit is contained in:
Zoltan Fridrich 2021-11-05 15:30:23 +01:00
parent ce53fdfbb0
commit 3f26c11a41
6 changed files with 102 additions and 732 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -15,3 +15,4 @@
/libseccomp-2.4.1.tar.gz /libseccomp-2.4.1.tar.gz
/libseccomp-2.4.2.tar.gz /libseccomp-2.4.2.tar.gz
/libseccomp-2.5.0.tar.gz /libseccomp-2.5.0.tar.gz
/libseccomp-2.5.2.tar.gz

631
0101-all-only-request-the-userspace-notification-fd-once.patch
View File

@ -1,631 +0,0 @@
From bbf4ae95742662e641e0a456951b912024433435 Mon Sep 17 00:00:00 2001
From: Paul Moore <paul@paul-moore.com>
Date: Sun, 26 Jul 2020 11:01:49 -0400
Subject: [PATCH 101/102] all: only request the userspace notification fd once
It turns out that requesting the seccomp userspace notifcation fd
more than once is a bad thing which causes the kernel to complain
(rightfully so for a variety of reasons). Unfortunately as we were
always requesting the notification fd whenever possible this results
in problems at filter load time.
Our solution is to move the notification fd out of the filter context
and into the global task context, using a newly created task_state
structure. This allows us to store, and retrieve the notification
outside the scope of an individual filter context. It also provides
some implementation improvements by giving us a convenient place to
stash all of the API level related support variables. We also extend
the seccomp_reset() API call to reset this internal global state when
passed a NULL filter context.
There is one potential case which we don't currently handle well:
threads. At the moment libseccomp is thread ignorant, and that works
well as the only global state up to this point was the currently
supported API level information which was common to all threads in a
process. Unfortunately, it appears that the notification fd need not
be common to all threads in a process, yet this patch treats it as if
it is common. I suspect this is a very unusual use case so I decided
to keep this patch simple and ignore this case, but in the future if
we need to support this properly we should be able to do so without
API changes by keeping an internal list of notification fds indexed
by gettid(2).
This fixes the GitHub issue below:
* https://github.com/seccomp/libseccomp/issues/273
Reported-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
---
doc/man/man3/seccomp_init.3 | 10 +-
doc/man/man3/seccomp_notify_alloc.3 | 3 +-
src/api.c | 19 ++-
src/db.c | 1 -
src/db.h | 3 +-
src/system.c | 204 ++++++++++++++++++----------
src/system.h | 3 +
tests/11-basic-basic_errors.c | 9 +-
tests/51-live-user_notification.c | 21 +++
tests/51-live-user_notification.py | 4 +
10 files changed, 187 insertions(+), 90 deletions(-)
diff --git a/doc/man/man3/seccomp_init.3 b/doc/man/man3/seccomp_init.3
index 3ab68fe..87520cd 100644
--- a/doc/man/man3/seccomp_init.3
+++ b/doc/man/man3/seccomp_init.3
@@ -36,7 +36,15 @@ The
function releases the existing filter context state before reinitializing it
and can only be called after a call to
.BR seccomp_init ()
-has succeeded.
+has succeeded. If
+.BR seccomp_reset ()
+is called with a NULL filter, it resets the library's global task state;
+normally this is not needed, but it may be required to continue using the
+library after a
+.BR fork ()
+or
+.BR clone ()
+call to ensure the API level and user notification state is properly reset.
.P
When the caller is finished configuring the seccomp filter and has loaded it
into the kernel, the caller should call
diff --git a/doc/man/man3/seccomp_notify_alloc.3 b/doc/man/man3/seccomp_notify_alloc.3
index 50c8970..cb1c048 100644
--- a/doc/man/man3/seccomp_notify_alloc.3
+++ b/doc/man/man3/seccomp_notify_alloc.3
@@ -59,7 +59,8 @@ returns the notification fd of a filter after it has been loaded.
.\" //////////////////////////////////////////////////////////////////////////
The
.BR seccomp_notify_fd ()
-returns the notification fd of the loaded filter.
+returns the notification fd of the loaded filter, -1 if a notification fd has
+not yet been created, and -EINVAL if the filter context is invalid.
.P
The
.BR seccomp_notify_id_valid ()
diff --git a/src/api.c b/src/api.c
index 00975ad..5cec088 100644
--- a/src/api.c
+++ b/src/api.c
@@ -301,10 +301,18 @@ API int seccomp_reset(scmp_filter_ctx ctx, uint32_t def_action)
{
struct db_filter_col *col = (struct db_filter_col *)ctx;
- /* use a NULL filter collection here since we are resetting it */
- if (ctx == NULL || db_col_action_valid(NULL, def_action) < 0)
+ /* a NULL filter context indicates we are resetting the global state */
+ if (ctx == NULL) {
+ /* reset the global state and redetermine the api level */
+ sys_reset_state();
+ _seccomp_api_update();
+ return _rc_filter(0);
+ }
+ /* ensure the default action is valid */
+ if (db_col_action_valid(NULL, def_action) < 0)
return _rc_filter(-EINVAL);
+ /* reset the filter */
return _rc_filter(db_col_reset(col, def_action));
}
@@ -675,16 +683,17 @@ API int seccomp_notify_id_valid(int fd, uint64_t id)
/* NOTE - function header comment in include/seccomp.h */
API int seccomp_notify_fd(const scmp_filter_ctx ctx)
{
- struct db_filter_col *col;
+ /* NOTE: for historical reasons, and possibly future use, we require a
+ * valid filter context even though we don't actual use it here; the
+ * api update is also not strictly necessary, but keep it for now */
/* force a runtime api level detection */
_seccomp_api_update();
if (_ctx_valid(ctx))
return _rc_filter(-EINVAL);
- col = (struct db_filter_col *)ctx;
- return _rc_filter(col->notify_fd);
+ return _rc_filter(sys_notify_fd());
}
/* NOTE - function header comment in include/seccomp.h */
diff --git a/src/db.c b/src/db.c
index 4a87ea3..836171a 100644
--- a/src/db.c
+++ b/src/db.c
@@ -1057,7 +1057,6 @@ int db_col_reset(struct db_filter_col *col, uint32_t def_action)
if (col->filters)
free(col->filters);
col->filters = NULL;
- col->notify_fd = -1;
/* set the endianess to undefined */
col->endian = 0;
diff --git a/src/db.h b/src/db.h
index b96b104..765c607 100644
--- a/src/db.h
+++ b/src/db.h
@@ -160,8 +160,7 @@ struct db_filter_col {
/* transaction snapshots */
struct db_filter_snap *snapshots;
- /* notification fd that was returned from seccomp() */
- int notify_fd;
+ /* userspace notification */
bool notify_used;
};
diff --git a/src/system.c b/src/system.c
index 6cdfc16..3b43b2a 100644
--- a/src/system.c
+++ b/src/system.c
@@ -40,16 +40,61 @@
* our next release we may have to enable the allowlist */
#define SYSCALL_ALLOWLIST_ENABLE 0
-static int _nr_seccomp = -1;
-static int _support_seccomp_syscall = -1;
-static int _support_seccomp_flag_tsync = -1;
-static int _support_seccomp_flag_log = -1;
-static int _support_seccomp_action_log = -1;
-static int _support_seccomp_kill_process = -1;
-static int _support_seccomp_flag_spec_allow = -1;
-static int _support_seccomp_flag_new_listener = -1;
-static int _support_seccomp_user_notif = -1;
-static int _support_seccomp_flag_tsync_esrch = -1;
+/* task global state */
+struct task_state {
+ /* seccomp(2) syscall */
+ int nr_seccomp;
+
+ /* userspace notification fd */
+ int notify_fd;
+
+ /* runtime support flags */
+ int sup_syscall;
+ int sup_flag_tsync;
+ int sup_flag_log;
+ int sup_action_log;
+ int sup_kill_process;
+ int sup_flag_spec_allow;
+ int sup_flag_new_listener;
+ int sup_user_notif;
+ int sup_flag_tsync_esrch;
+};
+static struct task_state state = {
+ .nr_seccomp = -1,
+
+ .notify_fd = -1,
+
+ .sup_syscall = -1,
+ .sup_flag_tsync = -1,
+ .sup_flag_log = -1,
+ .sup_action_log = -1,
+ .sup_kill_process = -1,
+ .sup_flag_spec_allow = -1,
+ .sup_flag_new_listener = -1,
+ .sup_user_notif = -1,
+ .sup_flag_tsync_esrch = -1,
+};
+
+/**
+ * Reset the task state
+ *
+ * This function fully resets the library's global "system task state".
+ *
+ */
+void sys_reset_state(void)
+{
+ state.nr_seccomp = -1;
+ state.notify_fd = -1;
+ state.sup_syscall = -1;
+ state.sup_flag_tsync = -1;
+ state.sup_flag_log = -1;
+ state.sup_action_log = -1;
+ state.sup_kill_process = -1;
+ state.sup_flag_spec_allow = -1;
+ state.sup_flag_new_listener = -1;
+ state.sup_user_notif = -1;
+ state.sup_flag_tsync_esrch = -1;
+}
/**
* Check to see if the seccomp() syscall is supported
@@ -68,8 +113,8 @@ int sys_chk_seccomp_syscall(void)
/* NOTE: it is reasonably safe to assume that we should be able to call
* seccomp() when the caller first starts, but we can't rely on
* it later so we need to cache our findings for use later */
- if (_support_seccomp_syscall >= 0)
- return _support_seccomp_syscall;
+ if (state.sup_syscall >= 0)
+ return state.sup_syscall;
#if SYSCALL_ALLOWLIST_ENABLE
/* architecture allowlist */
@@ -100,11 +145,11 @@ int sys_chk_seccomp_syscall(void)
goto supported;
unsupported:
- _support_seccomp_syscall = 0;
+ state.sup_syscall = 0;
return 0;
supported:
- _nr_seccomp = nr_seccomp;
- _support_seccomp_syscall = 1;
+ state.nr_seccomp = nr_seccomp;
+ state.sup_syscall = 1;
return 1;
}
@@ -118,7 +163,7 @@ supported:
*/
void sys_set_seccomp_syscall(bool enable)
{
- _support_seccomp_syscall = (enable ? 1 : 0);
+ state.sup_syscall = (enable ? 1 : 0);
}
/**
@@ -132,16 +177,16 @@ void sys_set_seccomp_syscall(bool enable)
int sys_chk_seccomp_action(uint32_t action)
{
if (action == SCMP_ACT_KILL_PROCESS) {
- if (_support_seccomp_kill_process < 0) {
+ if (state.sup_kill_process < 0) {
if (sys_chk_seccomp_syscall() == 1 &&
- syscall(_nr_seccomp, SECCOMP_GET_ACTION_AVAIL, 0,
- &action) == 0)
- _support_seccomp_kill_process = 1;
+ syscall(state.nr_seccomp,
+ SECCOMP_GET_ACTION_AVAIL, 0, &action) == 0)
+ state.sup_kill_process = 1;
else
- _support_seccomp_kill_process = 0;
+ state.sup_kill_process = 0;
}
- return _support_seccomp_kill_process;
+ return state.sup_kill_process;
} else if (action == SCMP_ACT_KILL_THREAD) {
return 1;
} else if (action == SCMP_ACT_TRAP) {
@@ -152,30 +197,30 @@ int sys_chk_seccomp_action(uint32_t action)
} else if (action == SCMP_ACT_TRACE(action & 0x0000ffff)) {
return 1;
} else if (action == SCMP_ACT_LOG) {
- if (_support_seccomp_action_log < 0) {
+ if (state.sup_action_log < 0) {
if (sys_chk_seccomp_syscall() == 1 &&
- syscall(_nr_seccomp, SECCOMP_GET_ACTION_AVAIL, 0,
- &action) == 0)
- _support_seccomp_action_log = 1;
+ syscall(state.nr_seccomp,
+ SECCOMP_GET_ACTION_AVAIL, 0, &action) == 0)
+ state.sup_action_log = 1;
else
- _support_seccomp_action_log = 0;
+ state.sup_action_log = 0;
}
- return _support_seccomp_action_log;
+ return state.sup_action_log;
} else if (action == SCMP_ACT_ALLOW) {
return 1;
} else if (action == SCMP_ACT_NOTIFY) {
- if (_support_seccomp_user_notif < 0) {
+ if (state.sup_user_notif < 0) {
struct seccomp_notif_sizes sizes;
if (sys_chk_seccomp_syscall() == 1 &&
- syscall(_nr_seccomp, SECCOMP_GET_NOTIF_SIZES, 0,
- &sizes) == 0)
- _support_seccomp_user_notif = 1;
+ syscall(state.nr_seccomp,
+ SECCOMP_GET_NOTIF_SIZES, 0, &sizes) == 0)
+ state.sup_user_notif = 1;
else
- _support_seccomp_user_notif = 0;
+ state.sup_user_notif = 0;
}
- return _support_seccomp_user_notif;
+ return state.sup_user_notif;
}
return 0;
@@ -193,13 +238,13 @@ void sys_set_seccomp_action(uint32_t action, bool enable)
{
switch (action) {
case SCMP_ACT_LOG:
- _support_seccomp_action_log = (enable ? 1 : 0);
+ state.sup_action_log = (enable ? 1 : 0);
break;
case SCMP_ACT_KILL_PROCESS:
- _support_seccomp_kill_process = (enable ? 1 : 0);
+ state.sup_kill_process = (enable ? 1 : 0);
break;
case SCMP_ACT_NOTIFY:
- _support_seccomp_user_notif = (enable ? 1 : 0);
+ state.sup_user_notif = (enable ? 1 : 0);
break;
}
}
@@ -212,13 +257,14 @@ void sys_set_seccomp_action(uint32_t action, bool enable)
* Return one if the flag is supported, zero otherwise.
*
*/
-static int _sys_chk_seccomp_flag_kernel(int flag)
+static int _sys_chk_flag_kernel(int flag)
{
/* this is an invalid seccomp(2) call because the last argument
* is NULL, but depending on the errno value of EFAULT we can
* guess if the filter flag is supported or not */
if (sys_chk_seccomp_syscall() == 1 &&
- syscall(_nr_seccomp, SECCOMP_SET_MODE_FILTER, flag, NULL) == -1 &&
+ syscall(state.nr_seccomp,
+ SECCOMP_SET_MODE_FILTER, flag, NULL) == -1 &&
errno == EFAULT)
return 1;
@@ -238,29 +284,25 @@ int sys_chk_seccomp_flag(int flag)
{
switch (flag) {
case SECCOMP_FILTER_FLAG_TSYNC:
- if (_support_seccomp_flag_tsync < 0)
- _support_seccomp_flag_tsync = _sys_chk_seccomp_flag_kernel(flag);
-
- return _support_seccomp_flag_tsync;
+ if (state.sup_flag_tsync < 0)
+ state.sup_flag_tsync = _sys_chk_flag_kernel(flag);
+ return state.sup_flag_tsync;
case SECCOMP_FILTER_FLAG_LOG:
- if (_support_seccomp_flag_log < 0)
- _support_seccomp_flag_log = _sys_chk_seccomp_flag_kernel(flag);
-
- return _support_seccomp_flag_log;
+ if (state.sup_flag_log < 0)
+ state.sup_flag_log = _sys_chk_flag_kernel(flag);
+ return state.sup_flag_log;
case SECCOMP_FILTER_FLAG_SPEC_ALLOW:
- if (_support_seccomp_flag_spec_allow < 0)
- _support_seccomp_flag_spec_allow = _sys_chk_seccomp_flag_kernel(flag);
-
- return _support_seccomp_flag_spec_allow;
+ if (state.sup_flag_spec_allow < 0)
+ state.sup_flag_spec_allow = _sys_chk_flag_kernel(flag);
+ return state.sup_flag_spec_allow;
case SECCOMP_FILTER_FLAG_NEW_LISTENER:
- if (_support_seccomp_flag_new_listener < 0)
- _support_seccomp_flag_new_listener = _sys_chk_seccomp_flag_kernel(flag);
-
- return _support_seccomp_flag_new_listener;
+ if (state.sup_flag_new_listener < 0)
+ state.sup_flag_new_listener = _sys_chk_flag_kernel(flag);
+ return state.sup_flag_new_listener;
case SECCOMP_FILTER_FLAG_TSYNC_ESRCH:
- if (_support_seccomp_flag_tsync_esrch < 0)
- _support_seccomp_flag_tsync_esrch = _sys_chk_seccomp_flag_kernel(flag);
- return _support_seccomp_flag_tsync_esrch;
+ if (state.sup_flag_tsync_esrch < 0)
+ state.sup_flag_tsync_esrch = _sys_chk_flag_kernel(flag);
+ return state.sup_flag_tsync_esrch;
}
return -EOPNOTSUPP;
@@ -279,19 +321,19 @@ void sys_set_seccomp_flag(int flag, bool enable)
{
switch (flag) {
case SECCOMP_FILTER_FLAG_TSYNC:
- _support_seccomp_flag_tsync = (enable ? 1 : 0);
+ state.sup_flag_tsync = (enable ? 1 : 0);
break;
case SECCOMP_FILTER_FLAG_LOG:
- _support_seccomp_flag_log = (enable ? 1 : 0);
+ state.sup_flag_log = (enable ? 1 : 0);
break;
case SECCOMP_FILTER_FLAG_SPEC_ALLOW:
- _support_seccomp_flag_spec_allow = (enable ? 1 : 0);
+ state.sup_flag_spec_allow = (enable ? 1 : 0);
break;
case SECCOMP_FILTER_FLAG_NEW_LISTENER:
- _support_seccomp_flag_new_listener = (enable ? 1 : 0);
+ state.sup_flag_new_listener = (enable ? 1 : 0);
break;
case SECCOMP_FILTER_FLAG_TSYNC_ESRCH:
- _support_seccomp_flag_tsync_esrch = (enable ? 1 : 0);
+ state.sup_flag_tsync_esrch = (enable ? 1 : 0);
break;
}
}
@@ -324,7 +366,7 @@ int sys_filter_load(struct db_filter_col *col, bool rawrc)
goto filter_load_out;
}
- tsync_notify = (_support_seccomp_flag_tsync_esrch > 0);
+ tsync_notify = state.sup_flag_tsync_esrch > 0 && state.notify_fd == -1;
/* load the filter into the kernel */
if (sys_chk_seccomp_syscall() == 1) {
@@ -333,28 +375,29 @@ int sys_filter_load(struct db_filter_col *col, bool rawrc)
if (col->attr.tsync_enable)
flgs |= SECCOMP_FILTER_FLAG_TSYNC | \
SECCOMP_FILTER_FLAG_TSYNC_ESRCH;
- if (_support_seccomp_user_notif > 0)
+ if (state.sup_user_notif > 0)
flgs |= SECCOMP_FILTER_FLAG_NEW_LISTENER;
} else if (col->attr.tsync_enable)
flgs |= SECCOMP_FILTER_FLAG_TSYNC;
- else if (_support_seccomp_user_notif > 0)
+ else if (state.sup_user_notif > 0 && state.notify_fd == -1)
flgs |= SECCOMP_FILTER_FLAG_NEW_LISTENER;
if (col->attr.log_enable)
flgs |= SECCOMP_FILTER_FLAG_LOG;
if (col->attr.spec_allow)
flgs |= SECCOMP_FILTER_FLAG_SPEC_ALLOW;
- rc = syscall(_nr_seccomp, SECCOMP_SET_MODE_FILTER, flgs, prgm);
+ rc = syscall(state.nr_seccomp,
+ SECCOMP_SET_MODE_FILTER, flgs, prgm);
if (tsync_notify && rc > 0) {
/* return 0 on NEW_LISTENER success, but save the fd */
- col->notify_fd = rc;
+ state.notify_fd = rc;
rc = 0;
} else if (rc > 0 && col->attr.tsync_enable) {
/* always return -ESRCH if we fail to sync threads */
errno = ESRCH;
rc = -errno;
- } else if (rc > 0 && _support_seccomp_user_notif > 0) {
+ } else if (rc > 0 && state.sup_user_notif > 0) {
/* return 0 on NEW_LISTENER success, but save the fd */
- col->notify_fd = rc;
+ state.notify_fd = rc;
rc = 0;
}
} else
@@ -370,6 +413,19 @@ filter_load_out:
return rc;
}
+/**
+ * Return the userspace notification fd
+ *
+ * This function returns the userspace notification fd from
+ * SECCOMP_FILTER_FLAG_NEW_LISTENER. If the notification fd has not yet been
+ * set, or an error has occurred, -1 is returned.
+ *
+ */
+int sys_notify_fd(void)
+{
+ return state.notify_fd;
+}
+
/**
* Allocate a pair of notification request/response structures
* @param req the request location
@@ -386,7 +442,7 @@ int sys_notify_alloc(struct seccomp_notif **req,
int rc;
static struct seccomp_notif_sizes sizes = { 0, 0, 0 };
- if (_support_seccomp_syscall <= 0)
+ if (state.sup_syscall <= 0)
return -EOPNOTSUPP;
if (sizes.seccomp_notif == 0 && sizes.seccomp_notif_resp == 0) {
@@ -427,7 +483,7 @@ int sys_notify_alloc(struct seccomp_notif **req,
*/
int sys_notify_receive(int fd, struct seccomp_notif *req)
{
- if (_support_seccomp_user_notif <= 0)
+ if (state.sup_user_notif <= 0)
return -EOPNOTSUPP;
if (ioctl(fd, SECCOMP_IOCTL_NOTIF_RECV, req) < 0)
@@ -448,7 +504,7 @@ int sys_notify_receive(int fd, struct seccomp_notif *req)
*/
int sys_notify_respond(int fd, struct seccomp_notif_resp *resp)
{
- if (_support_seccomp_user_notif <= 0)
+ if (state.sup_user_notif <= 0)
return -EOPNOTSUPP;
if (ioctl(fd, SECCOMP_IOCTL_NOTIF_SEND, resp) < 0)
@@ -467,7 +523,7 @@ int sys_notify_respond(int fd, struct seccomp_notif_resp *resp)
*/
int sys_notify_id_valid(int fd, uint64_t id)
{
- if (_support_seccomp_user_notif <= 0)
+ if (state.sup_user_notif <= 0)
return -EOPNOTSUPP;
if (ioctl(fd, SECCOMP_IOCTL_NOTIF_ID_VALID, &id) < 0)
diff --git a/src/system.h b/src/system.h
index 133f9b1..096f3ca 100644
--- a/src/system.h
+++ b/src/system.h
@@ -182,6 +182,8 @@ struct seccomp_notif_resp {
#define SECCOMP_IOCTL_NOTIF_ID_VALID SECCOMP_IOR(2, __u64)
#endif /* SECCOMP_RET_USER_NOTIF */
+void sys_reset_state(void);
+
int sys_chk_seccomp_syscall(void);
void sys_set_seccomp_syscall(bool enable);
@@ -193,6 +195,7 @@ void sys_set_seccomp_flag(int flag, bool enable);
int sys_filter_load(struct db_filter_col *col, bool rawrc);
+int sys_notify_fd(void);
int sys_notify_alloc(struct seccomp_notif **req,
struct seccomp_notif_resp **resp);
int sys_notify_receive(int fd, struct seccomp_notif *req);
diff --git a/tests/11-basic-basic_errors.c b/tests/11-basic-basic_errors.c
index d3b2256..da059df 100644
--- a/tests/11-basic-basic_errors.c
+++ b/tests/11-basic-basic_errors.c
@@ -41,12 +41,9 @@ int main(int argc, char *argv[])
seccomp_release(ctx);
ctx = NULL;
- /* seccomp_reset error */
- rc = seccomp_reset(ctx, SCMP_ACT_KILL + 1);
- if (rc != -EINVAL)
- return -1;
- rc = seccomp_reset(ctx, SCMP_ACT_KILL);
- if (rc != -EINVAL)
+ /* ensure that seccomp_reset(NULL, ...) is accepted */
+ rc = seccomp_reset(NULL, SCMP_ACT_ALLOW);
+ if (rc != 0)
return -1;
/* seccomp_load error */
diff --git a/tests/51-live-user_notification.c b/tests/51-live-user_notification.c
index de31d2f..a00627b 100644
--- a/tests/51-live-user_notification.c
+++ b/tests/51-live-user_notification.c
@@ -98,6 +98,27 @@ int main(int argc, char *argv[])
goto out;
}
+ rc = seccomp_reset(ctx, SCMP_ACT_ALLOW);
+ if (rc < 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_NOTIFY, SCMP_SYS(getppid), 0, NULL);
+ if (rc)
+ goto out;
+
+ rc = seccomp_load(ctx);
+ if (rc < 0)
+ goto out;
+
+ rc = seccomp_notify_fd(ctx);
+ if (rc < 0)
+ goto out;
+ if (rc != fd) {
+ rc = -EFAULT;
+ goto out;
+ } else
+ rc = 0;
+
out:
if (fd >= 0)
close(fd);
diff --git a/tests/51-live-user_notification.py b/tests/51-live-user_notification.py
index 0d81f5e..3449c44 100755
--- a/tests/51-live-user_notification.py
+++ b/tests/51-live-user_notification.py
@@ -52,6 +52,10 @@ def test():
raise RuntimeError("Child process error")
if os.WEXITSTATUS(rc) != 0:
raise RuntimeError("Child process error")
+ f.reset(ALLOW)
+ f.add_rule(NOTIFY, "getppid")
+ f.load()
+ # no easy way to check the notification fd here
quit(160)
test()
--
2.26.2

92
0101-fix-11-basic-basic_errors-on-old-kernels.patch Normal file
View File

@ -0,0 +1,92 @@
diff --color -ru a/tests/11-basic-basic_errors.c b/tests/11-basic-basic_errors.c
--- a/tests/11-basic-basic_errors.c 2021-09-01 18:57:34.018676687 +0200
+++ b/tests/11-basic-basic_errors.c 2021-11-05 15:04:34.647739284 +0100
@@ -29,9 +29,13 @@
int rc;
scmp_filter_ctx ctx;
uint32_t attr;
+ unsigned int api;
struct seccomp_notif *req = NULL;
struct seccomp_notif_resp *resp = NULL;
+ /* get the api level */
+ api = seccomp_api_get();
+
/* seccomp_init errors */
ctx = seccomp_init(SCMP_ACT_ALLOW + 1);
if (ctx != NULL)
@@ -199,39 +203,41 @@
ctx = NULL;
/* seccomp notify errors */
- ctx = seccomp_init(SCMP_ACT_ALLOW);
- if (ctx == NULL)
- return -1;
- rc = seccomp_notify_alloc(NULL, NULL);
- if (rc != 0)
- return -1;
- rc = seccomp_notify_alloc(&req, NULL);
- if (rc != 0)
- return -1;
- rc = seccomp_notify_alloc(NULL, &resp);
- if (rc != 0)
- return -1;
- seccomp_notify_free(NULL, NULL);
- seccomp_notify_free(req, resp);
- req = NULL;
- resp = NULL;
- rc = seccomp_notify_receive(-1, NULL);
- if (rc == 0)
- return -1;
- rc = seccomp_notify_respond(-1, NULL);
- if (rc == 0)
- return -1;
- rc = seccomp_notify_id_valid(-1, 0);
- if (rc == 0)
- return -1;
- rc = seccomp_notify_fd(NULL);
- if (rc == 0)
- return -1;
- rc = seccomp_notify_fd(ctx);
- if (rc == 0)
- return -1;
- seccomp_release(ctx);
- ctx = NULL;
+ if (api >= 5) {
+ ctx = seccomp_init(SCMP_ACT_ALLOW);
+ if (ctx == NULL)
+ return -1;
+ rc = seccomp_notify_alloc(NULL, NULL);
+ if (rc != 0)
+ return -1;
+ rc = seccomp_notify_alloc(&req, NULL);
+ if (rc != 0)
+ return -1;
+ rc = seccomp_notify_alloc(NULL, &resp);
+ if (rc != 0)
+ return -1;
+ seccomp_notify_free(NULL, NULL);
+ seccomp_notify_free(req, resp);
+ req = NULL;
+ resp = NULL;
+ rc = seccomp_notify_receive(-1, NULL);
+ if (rc == 0)
+ return -1;
+ rc = seccomp_notify_respond(-1, NULL);
+ if (rc == 0)
+ return -1;
+ rc = seccomp_notify_id_valid(-1, 0);
+ if (rc == 0)
+ return -1;
+ rc = seccomp_notify_fd(NULL);
+ if (rc == 0)
+ return -1;
+ rc = seccomp_notify_fd(ctx);
+ if (rc == 0)
+ return -1;
+ seccomp_release(ctx);
+ ctx = NULL;
+ }
return 0;
}

93
0102-system-change-our-notification-fd-handling.patch
View File

@ -1,93 +0,0 @@
From 5201e324d2025b1febbade9bb90d6e405b92a14c Mon Sep 17 00:00:00 2001
From: Paul Moore <paul@paul-moore.com>
Date: Tue, 4 Aug 2020 10:52:08 -0400
Subject: [PATCH 102/102] system: change our notification fd handling
This commit changes how we handle the notification fd by only
requesting it via _NEW_LISTENER if the filter has a _NOTIFY action
in it. We also augment the seccomp_reset(NULL, ...) behavior so
that it closes the notification fd before resetting the global
state; applications that need to keep their notification fd open
across a call to seccomp_reset(NULL, ...) can simply dup() it.
Although one would have to wonder why the application would be
calling seccomp_reset(NULL, ...) in that case.
Signed-off-by: Paul Moore <paul@paul-moore.com>
---
doc/man/man3/seccomp_init.3 | 6 ++++--
src/system.c | 18 +++++++++++++++---
2 files changed, 19 insertions(+), 5 deletions(-)
diff --git a/doc/man/man3/seccomp_init.3 b/doc/man/man3/seccomp_init.3
index 87520cd..7881c35 100644
--- a/doc/man/man3/seccomp_init.3
+++ b/doc/man/man3/seccomp_init.3
@@ -38,8 +38,10 @@ and can only be called after a call to
.BR seccomp_init ()
has succeeded. If
.BR seccomp_reset ()
-is called with a NULL filter, it resets the library's global task state;
-normally this is not needed, but it may be required to continue using the
+is called with a NULL filter, it resets the library's global task state,
+including any notification file descriptors retrieved by
+.BR seccomp_notify_fd(3) .
+Normally this is not needed, but it may be required to continue using the
library after a
.BR fork ()
or
diff --git a/src/system.c b/src/system.c
index 3b43b2a..c646c65 100644
--- a/src/system.c
+++ b/src/system.c
@@ -84,7 +84,11 @@ static struct task_state state = {
void sys_reset_state(void)
{
state.nr_seccomp = -1;
+
+ if (state.notify_fd > 0)
+ close(state.notify_fd);
state.notify_fd = -1;
+
state.sup_syscall = -1;
state.sup_flag_tsync = -1;
state.sup_flag_log = -1;
@@ -353,6 +357,7 @@ int sys_filter_load(struct db_filter_col *col, bool rawrc)
{
int rc;
bool tsync_notify;
+ bool listener_req;
struct bpf_program *prgm = NULL;
rc = gen_bpf_generate(col, &prgm);
@@ -367,6 +372,8 @@ int sys_filter_load(struct db_filter_col *col, bool rawrc)
}
tsync_notify = state.sup_flag_tsync_esrch > 0 && state.notify_fd == -1;
+ listener_req = state.sup_user_notif > 0 && \
+ col->notify_used && state.notify_fd == -1;
/* load the filter into the kernel */
if (sys_chk_seccomp_syscall() == 1) {
@@ -375,11 +382,16 @@ int sys_filter_load(struct db_filter_col *col, bool rawrc)
if (col->attr.tsync_enable)
flgs |= SECCOMP_FILTER_FLAG_TSYNC | \
SECCOMP_FILTER_FLAG_TSYNC_ESRCH;
- if (state.sup_user_notif > 0)
+ if (listener_req)
flgs |= SECCOMP_FILTER_FLAG_NEW_LISTENER;
- } else if (col->attr.tsync_enable)
+ } else if (col->attr.tsync_enable) {
+ if (listener_req) {
+ /* NOTE: we _should_ catch this in db.c */
+ rc = -EFAULT;
+ goto filter_load_out;
+ }
flgs |= SECCOMP_FILTER_FLAG_TSYNC;
- else if (state.sup_user_notif > 0 && state.notify_fd == -1)
+ } else if (listener_req)
flgs |= SECCOMP_FILTER_FLAG_NEW_LISTENER;
if (col->attr.log_enable)
flgs |= SECCOMP_FILTER_FLAG_LOG;
--
2.26.2

15
libseccomp.spec
View File

@ -1,6 +1,6 @@
Name: libseccomp Name: libseccomp
Version: 2.5.0 Version: 2.5.2
Release: 6%{?dist} Release: 1%{?dist}
Summary: Enhanced seccomp library Summary: Enhanced seccomp library
License: LGPLv2 License: LGPLv2
URL: https://github.com/seccomp/libseccomp URL: https://github.com/seccomp/libseccomp
@ -8,11 +8,8 @@ Source0: %{url}/releases/download/v%{version}/%{name}-%{version}.tar.gz
# Backports from upstream # Backports from upstream
# Patches pending merge ## From: https://github.com/seccomp/libseccomp/commit/5532444587fa5f33a43179ca5cc710f1bb05f51f
## From: https://github.com/seccomp/libseccomp/pull/280 Patch0101: 0101-fix-11-basic-basic_errors-on-old-kernels.patch
## Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1865802
Patch0101: 0101-all-only-request-the-userspace-notification-fd-once.patch
Patch0102: 0102-system-change-our-notification-fd-handling.patch
BuildRequires: gcc BuildRequires: gcc
BuildRequires: gperf BuildRequires: gperf
@ -96,6 +93,10 @@ rm -f tests/36-sim-ipc_syscalls.tests tests/37-sim-ipc_syscalls_be.tests
%{_libdir}/libseccomp.a %{_libdir}/libseccomp.a
%changelog %changelog
* Fri Nov 05 2021 Zoltan Fridrich <zfridric@redhat.com> - 2.5.2-1
- rebase to 2.5.2
resolves: rhbz#2019887
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2.5.0-6 * Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2.5.0-6
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688 Related: rhbz#1991688

2
sources
View File

@ -1 +1 @@
SHA512 (libseccomp-2.5.0.tar.gz) = 00ef5aeb4db8dafb546ae680b2d6d9b6aeed008df805d0f28f9dd15c074ff6ea7a5e5131ab503825b8011c59aa23046baedd5849ca040aa73352f43ab2d602ae SHA512 (libseccomp-2.5.2.tar.gz) = b2a95152cb274d6b35753596fd825406dae20c4a48b2f4076f835f977ecf324de38a3fe02e789dc20b49ecf6b4eb67f03e7733e92d40f5e20f25874307f1c2ac