proxmox-mirrors/mirror_lxc
1
0
Fork 0
mirror of https://git.proxmox.com/git/mirror_lxc synced 2025-08-15 13:47:41 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

seccomp: do_resolve_add_rule()

Browse Source 
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
This commit is contained in:
Christian Brauner 2018-05-24 16:35:21 +02:00
parent 04263914e5
commit ad9a5b72a9
No known key found for this signature in database
GPG Key ID: 8EB056D53EECB12D
1 changed files with 35 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

52
src/lxc/seccomp.c
View File

@ -462,16 +462,12 @@ scmp_filter_ctx get_new_ctx(enum lxc_hostarch_t n_arch,
bool do_resolve_add_rule(uint32_t arch, char *line, scmp_filter_ctx ctx,
struct seccomp_v2_rule *rule)
{
int nr, ret, i;
int i, nr, ret;
struct scmp_arg_cmp arg_cmp[6];
memset(arg_cmp, 0 ,sizeof(arg_cmp));
ret = seccomp_arch_exist(ctx, arch);
if (arch && ret != 0) {
ERROR("BUG: Seccomp: rule and context arch do not match (arch "
"%d): %s",
arch, strerror(-ret));
ERROR("%s - Seccomp: rule and context arch do not match (arch %d)", strerror(-ret), arch);
return false;
}
@ -481,30 +477,32 @@ bool do_resolve_add_rule(uint32_t arch, char *line, scmp_filter_ctx ctx,
*p = '\0';
if (strncmp(line, "reject_force_umount", 19) == 0) {
INFO("Setting Seccomp rule to reject force umounts");
ret = seccomp_rule_add_exact(ctx, SCMP_ACT_ERRNO(EACCES), SCMP_SYS(umount2),
1, SCMP_A1(SCMP_CMP_MASKED_EQ , MNT_FORCE , MNT_FORCE ));
ret = seccomp_rule_add_exact(ctx, SCMP_ACT_ERRNO(EACCES),
SCMP_SYS(umount2), 1,
SCMP_A1(SCMP_CMP_MASKED_EQ, MNT_FORCE, MNT_FORCE));
if (ret < 0) {
ERROR("Failed (%d) loading rule to reject force "
"umount: %s",
ret, strerror(-ret));
ERROR("%s - Failed loading rule to reject force umount", strerror(-ret));
return false;
}
INFO("Set seccomp rule to reject force umounts");
return true;
}
nr = seccomp_syscall_resolve_name(line);
if (nr == __NR_SCMP_ERROR) {
WARN("Seccomp: failed to resolve syscall: %s", line);
WARN("This syscall will NOT be blacklisted");
return true;
}
if (nr < 0) {
WARN("Seccomp: got negative for syscall: %d: %s", nr, line);
WARN("Failed to resolve syscall \"%s\"", line);
WARN("This syscall will NOT be blacklisted");
return true;
}
if (nr < 0) {
WARN("Got negative return value %d for syscall \"%s\"", nr, line);
WARN("This syscall will NOT be blacklisted");
return true;
}
memset(&arg_cmp, 0, sizeof(arg_cmp));
for (i = 0; i < rule->args_num; i++) {
INFO("arg_cmp[%d]: SCMP_CMP(%u, %llu, %llu, %llu)", i,
rule->args_value[i].index,
@ -513,17 +511,25 @@ bool do_resolve_add_rule(uint32_t arch, char *line, scmp_filter_ctx ctx,
(long long unsigned int)rule->args_value[i].value);
if (SCMP_CMP_MASKED_EQ == rule->args_value[i].op)
arg_cmp[i] = SCMP_CMP(rule->args_value[i].index, rule->args_value[i].op, rule->args_value[i].mask, rule->args_value[i].value);
arg_cmp[i] = SCMP_CMP(rule->args_value[i].index,
rule->args_value[i].op,
rule->args_value[i].mask,
rule->args_value[i].value);
else
arg_cmp[i] = SCMP_CMP(rule->args_value[i].index, rule->args_value[i].op, rule->args_value[i].value);
arg_cmp[i] = SCMP_CMP(rule->args_value[i].index,
rule->args_value[i].op,
rule->args_value[i].value);
}
ret = seccomp_rule_add_exact_array(ctx, rule->action, nr, rule->args_num, arg_cmp);
ret = seccomp_rule_add_exact_array(ctx, rule->action, nr,
rule->args_num, arg_cmp);
if (ret < 0) {
ERROR("Failed (%d) loading rule for %s (nr %d action %d(%s)): %s",
ret, line, nr, rule->action, get_action_name(rule->action), strerror(-ret));
ERROR("%s - Failed loading rule for %s (nr %d action %d (%s))",
strerror(-ret), line, nr, rule->action,
get_action_name(rule->action));
return false;
}
return true;
}