projects / packages / systemd.git / blame
| Commit | Line | Data |
|---|---|---|
| 3dd3da56 AM |
1 | From 62f66fdbcc33580467c01b1f149474b6c973df5a Mon Sep 17 00:00:00 2001 |
| 2 | From: Lennart Poettering <lennart@poettering.net> | |
| 3 | Date: Thu, 14 Nov 2019 17:51:30 +0100 | |
| 4 | Subject: [PATCH] seccomp: more comprehensive protection against libseccomp's | |
| 5 | __NR_xyz namespace invasion | |
| 6 | ||
| 7 | A follow-up for 59b657296a2fe104f112b91bbf9301724067cc81, adding the | |
| 8 | same conditioning for all cases of our __NR_xyz use. | |
| 9 | ||
| 10 | Fixes: #14031 | |
| 11 | --- | |
| 12 | src/basic/missing_syscall.h | 10 +++++----- | |
| 13 | src/test/test-seccomp.c | 19 ++++++++++--------- | |
| 14 | 2 files changed, 15 insertions(+), 14 deletions(-) | |
| 15 | ||
| 16 | diff --git a/src/basic/missing_syscall.h b/src/basic/missing_syscall.h | |
| 17 | index 6d9b12544d2..1255d8b1972 100644 | |
| 18 | --- a/src/basic/missing_syscall.h | |
| 19 | +++ b/src/basic/missing_syscall.h | |
| 20 | @@ -274,7 +274,7 @@ static inline int missing_renameat2(int oldfd, const char *oldname, int newfd, c | |
| 21 | ||
| 22 | #if !HAVE_KCMP | |
| 23 | static inline int missing_kcmp(pid_t pid1, pid_t pid2, int type, unsigned long idx1, unsigned long idx2) { | |
| 24 | -# ifdef __NR_kcmp | |
| 25 | +# if defined __NR_kcmp && __NR_kcmp > 0 | |
| 26 | return syscall(__NR_kcmp, pid1, pid2, type, idx1, idx2); | |
| 27 | # else | |
| 28 | errno = ENOSYS; | |
| 29 | @@ -289,7 +289,7 @@ static inline int missing_kcmp(pid_t pid1, pid_t pid2, int type, unsigned long i | |
| 30 | ||
| 31 | #if !HAVE_KEYCTL | |
| 32 | static inline long missing_keyctl(int cmd, unsigned long arg2, unsigned long arg3, unsigned long arg4, unsigned long arg5) { | |
| 33 | -# ifdef __NR_keyctl | |
| 34 | +# if defined __NR_keyctl && __NR_keyctl > 0 | |
| 35 | return syscall(__NR_keyctl, cmd, arg2, arg3, arg4, arg5); | |
| 36 | # else | |
| 37 | errno = ENOSYS; | |
| 38 | @@ -300,7 +300,7 @@ static inline long missing_keyctl(int cmd, unsigned long arg2, unsigned long arg | |
| 39 | } | |
| 40 | ||
| 41 | static inline key_serial_t missing_add_key(const char *type, const char *description, const void *payload, size_t plen, key_serial_t ringid) { | |
| 42 | -# ifdef __NR_add_key | |
| 43 | +# if defined __NR_add_key && __NR_add_key > 0 | |
| 44 | return syscall(__NR_add_key, type, description, payload, plen, ringid); | |
| 45 | # else | |
| 46 | errno = ENOSYS; | |
| 47 | @@ -311,7 +311,7 @@ static inline key_serial_t missing_add_key(const char *type, const char *descrip | |
| 48 | } | |
| 49 | ||
| 50 | static inline key_serial_t missing_request_key(const char *type, const char *description, const char * callout_info, key_serial_t destringid) { | |
| 51 | -# ifdef __NR_request_key | |
| 52 | +# if defined __NR_request_key && __NR_request_key > 0 | |
| 53 | return syscall(__NR_request_key, type, description, callout_info, destringid); | |
| 54 | # else | |
| 55 | errno = ENOSYS; | |
| 56 | @@ -496,7 +496,7 @@ enum { | |
| 57 | static inline long missing_set_mempolicy(int mode, const unsigned long *nodemask, | |
| 58 | unsigned long maxnode) { | |
| 59 | long i; | |
| 60 | -# ifdef __NR_set_mempolicy | |
| 61 | +# if defined __NR_set_mempolicy && __NR_set_mempolicy > 0 | |
| 62 | i = syscall(__NR_set_mempolicy, mode, nodemask, maxnode); | |
| 63 | # else | |
| 64 | errno = ENOSYS; | |
| 65 | diff --git a/src/test/test-seccomp.c b/src/test/test-seccomp.c | |
| 66 | index 018c20f8be2..c6692043fed 100644 | |
| 67 | --- a/src/test/test-seccomp.c | |
| 68 | +++ b/src/test/test-seccomp.c | |
| 69 | @@ -28,7 +28,8 @@ | |
| 70 | #include "tmpfile-util.h" | |
| 71 | #include "virt.h" | |
| 72 | ||
| 73 | -#if SCMP_SYS(socket) < 0 || defined(__i386__) || defined(__s390x__) || defined(__s390__) | |
| 74 | +/* __NR_socket may be invalid due to libseccomp */ | |
| 75 | +#if !defined(__NR_socket) || __NR_socket <= 0 || defined(__i386__) || defined(__s390x__) || defined(__s390__) | |
| 76 | /* On these archs, socket() is implemented via the socketcall() syscall multiplexer, | |
| 77 | * and we can't restrict it hence via seccomp. */ | |
| 78 | # define SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN 1 | |
| 79 | @@ -304,14 +305,14 @@ static void test_protect_sysctl(void) { | |
| 80 | assert_se(pid >= 0); | |
| 81 | ||
| 82 | if (pid == 0) { | |
| 83 | -#if __NR__sysctl > 0 | |
| 84 | +#if defined __NR__sysctl && __NR__sysctl > 0 | |
| 85 | assert_se(syscall(__NR__sysctl, NULL) < 0); | |
| 86 | assert_se(errno == EFAULT); | |
| 87 | #endif | |
| 88 | ||
| 89 | assert_se(seccomp_protect_sysctl() >= 0); | |
| 90 | ||
| 91 | -#if __NR__sysctl > 0 | |
| 92 | +#if defined __NR__sysctl && __NR__sysctl > 0 | |
| 93 | assert_se(syscall(__NR__sysctl, 0, 0, 0) < 0); | |
| 94 | assert_se(errno == EPERM); | |
| 95 | #endif | |
| 96 | @@ -640,7 +641,7 @@ static void test_load_syscall_filter_set_raw(void) { | |
| 97 | assert_se(poll(NULL, 0, 0) == 0); | |
| 98 | ||
| 99 | assert_se(s = hashmap_new(NULL)); | |
| 100 | -#if SCMP_SYS(access) >= 0 | |
| 101 | +#if defined __NR_access && __NR_access > 0 | |
| 102 | assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_access + 1), INT_TO_PTR(-1)) >= 0); | |
| 103 | #else | |
| 104 | assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_faccessat + 1), INT_TO_PTR(-1)) >= 0); | |
| 105 | @@ -656,7 +657,7 @@ static void test_load_syscall_filter_set_raw(void) { | |
| 106 | s = hashmap_free(s); | |
| 107 | ||
| 108 | assert_se(s = hashmap_new(NULL)); | |
| 109 | -#if SCMP_SYS(access) >= 0 | |
| 110 | +#if defined __NR_access && __NR_access > 0 | |
| 111 | assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_access + 1), INT_TO_PTR(EILSEQ)) >= 0); | |
| 112 | #else | |
| 113 | assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_faccessat + 1), INT_TO_PTR(EILSEQ)) >= 0); | |
| 114 | @@ -672,7 +673,7 @@ static void test_load_syscall_filter_set_raw(void) { | |
| 115 | s = hashmap_free(s); | |
| 116 | ||
| 117 | assert_se(s = hashmap_new(NULL)); | |
| 118 | -#if SCMP_SYS(poll) >= 0 | |
| 119 | +#if defined __NR_poll && __NR_poll > 0 | |
| 120 | assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_poll + 1), INT_TO_PTR(-1)) >= 0); | |
| 121 | #else | |
| 122 | assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_ppoll + 1), INT_TO_PTR(-1)) >= 0); | |
| 123 | @@ -689,7 +690,7 @@ static void test_load_syscall_filter_set_raw(void) { | |
| 124 | s = hashmap_free(s); | |
| 125 | ||
| 126 | assert_se(s = hashmap_new(NULL)); | |
| 127 | -#if SCMP_SYS(poll) >= 0 | |
| 128 | +#if defined __NR_poll && __NR_poll > 0 | |
| 129 | assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_poll + 1), INT_TO_PTR(EILSEQ)) >= 0); | |
| 130 | #else | |
| 131 | assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_ppoll + 1), INT_TO_PTR(EILSEQ)) >= 0); | |
| 132 | @@ -767,8 +768,8 @@ static int real_open(const char *path, int flags, mode_t mode) { | |
| 133 | * testing purposes that calls the real syscall, on architectures where SYS_open is defined. On | |
| 134 | * other architectures, let's just fall back to the glibc call. */ | |
| 135 | ||
| 136 | -#ifdef SYS_open | |
| 137 | - return (int) syscall(SYS_open, path, flags, mode); | |
| 138 | +#if defined __NR_open && __NR_open > 0 | |
| 139 | + return (int) syscall(__NR_open, path, flags, mode); | |
| 140 | #else | |
| 141 | return open(path, flags, mode); | |
| 142 | #endif |