proxmox-mirrors/mirror_lxc
1
0
Fork 0
mirror of https://git.proxmox.com/git/mirror_lxc synced 2025-08-15 04:09:46 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge pull request #2345 from flx42/seccomp-fixes

Browse Source 
Seccomp fixes
This commit is contained in:
Christian Brauner 2018-05-24 11:30:30 +02:00 committed by GitHub
commit 73b5b70eb7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 39 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
src/lxc/seccomp.c
View File

@ -32,6 +32,7 @@
#include "config.h" #include "config.h"
#include "log.h" #include "log.h"
#include "lxcseccomp.h" #include "lxcseccomp.h"
#include "utils.h"
lxc_log_define(lxc_seccomp, lxc); lxc_log_define(lxc_seccomp, lxc);
@ -164,7 +165,6 @@ static enum scmp_compare parse_v2_rule_op(char *s)
/* This function is used to parse the args string into the structure. /* This function is used to parse the args string into the structure.
* args string format:[index,value,op,valueTwo] or [index,value,op] * args string format:[index,value,op,valueTwo] or [index,value,op]
* For one arguments, [index,value,valueTwo,op]
* index: the index for syscall arguments (type uint) * index: the index for syscall arguments (type uint)
* value: the value for syscall arguments (type uint64) * value: the value for syscall arguments (type uint64)
* op: the operator for syscall arguments(string), * op: the operator for syscall arguments(string),
@ -181,21 +181,32 @@ static int get_seccomp_arg_value(char *key, struct v2_rule_args *rule_args)
uint64_t mask = 0; uint64_t mask = 0;
enum scmp_compare op = 0; enum scmp_compare op = 0;
uint32_t index = 0; uint32_t index = 0;
char s[30] = {0}; char s[31] = {0}, v[24] = {0}, m[24] = {0};
char *tmp = NULL; char *tmp = NULL;
memset(s, 0, sizeof(s));
tmp = strchr(key, '['); tmp = strchr(key, '[');
if (!tmp) { if (!tmp) {
ERROR("Failed to interpret args"); ERROR("Failed to interpret args");
return -1; return -1;
} }
ret = sscanf(tmp, "[%i,%lli,%30[^0-9^,],%lli", &index, (long long unsigned int *)&value, s, (long long unsigned int *)&mask); ret = sscanf(tmp, "[%i,%23[^,],%30[^0-9^,],%23[^,]", &index, v, s, m);
if ((ret != 3 && ret != 4) || index >= 6) { if ((ret != 3 && ret != 4) || index >= 6) {
ERROR("Failed to interpret args value"); ERROR("Failed to interpret args value");
return -1; return -1;
} }
ret = lxc_safe_uint64(v, &value);
if (ret < 0) {
ERROR("Invalid argument value");
return -1;
}
ret = lxc_safe_uint64(v, &mask);
if (ret < 0) {
ERROR("Invalid argument mask");
return -1;
}
op = parse_v2_rule_op(s); op = parse_v2_rule_op(s);
if (op == _SCMP_CMP_MAX) { if (op == _SCMP_CMP_MAX) {
ERROR("Failed to interpret args operator value"); ERROR("Failed to interpret args operator value");

23
src/lxc/utils.c
View File

@ -1958,6 +1958,29 @@ int lxc_safe_ulong(const char *numstr, unsigned long *converted)
return 0; return 0;
} }
int lxc_safe_uint64(const char *numstr, uint64_t *converted)
{
char *err = NULL;
uint64_t u;
while (isspace(*numstr))
numstr++;
if (*numstr == '-')
return -EINVAL;
errno = 0;
u = strtoull(numstr, &err, 0);
if (errno == ERANGE && u == ULLONG_MAX)
return -ERANGE;
if (err == numstr || *err != '\0')
return -EINVAL;
*converted = u;
return 0;
}
int lxc_safe_int(const char *numstr, int *converted) int lxc_safe_int(const char *numstr, int *converted)
{ {
char *err = NULL; char *err = NULL;

1
src/lxc/utils.h
View File

@ -530,6 +530,7 @@ extern int lxc_safe_int(const char *numstr, int *converted);
extern int lxc_safe_long(const char *numstr, long int *converted); extern int lxc_safe_long(const char *numstr, long int *converted);
extern int lxc_safe_long_long(const char *numstr, long long int *converted); extern int lxc_safe_long_long(const char *numstr, long long int *converted);
extern int lxc_safe_ulong(const char *numstr, unsigned long *converted); extern int lxc_safe_ulong(const char *numstr, unsigned long *converted);
extern int lxc_safe_uint64(const char *numstr, uint64_t *converted);
/* Handles B, kb, MB, GB. Detects overflows and reports -ERANGE. */ /* Handles B, kb, MB, GB. Detects overflows and reports -ERANGE. */
extern int parse_byte_size_string(const char *s, int64_t *converted); extern int parse_byte_size_string(const char *s, int64_t *converted);