1 From 62f66fdbcc33580467c01b1f149474b6c973df5a Mon Sep 17 00:00:00 2001
2 From: Lennart Poettering <lennart@poettering.net>
3 Date: Thu, 14 Nov 2019 17:51:30 +0100
4 Subject: [PATCH] seccomp: more comprehensive protection against libseccomp's
5 __NR_xyz namespace invasion
7 A follow-up for 59b657296a2fe104f112b91bbf9301724067cc81, adding the
8 same conditioning for all cases of our __NR_xyz use.
12 src/basic/missing_syscall.h | 10 +++++-----
13 src/test/test-seccomp.c | 19 ++++++++++---------
14 2 files changed, 15 insertions(+), 14 deletions(-)
16 diff --git a/src/basic/missing_syscall.h b/src/basic/missing_syscall.h
17 index 6d9b12544d2..1255d8b1972 100644
18 --- a/src/basic/missing_syscall.h
19 +++ b/src/basic/missing_syscall.h
20 @@ -274,7 +274,7 @@ static inline int missing_renameat2(int oldfd, const char *oldname, int newfd, c
23 static inline int missing_kcmp(pid_t pid1, pid_t pid2, int type, unsigned long idx1, unsigned long idx2) {
25 +# if defined __NR_kcmp && __NR_kcmp > 0
26 return syscall(__NR_kcmp, pid1, pid2, type, idx1, idx2);
29 @@ -289,7 +289,7 @@ static inline int missing_kcmp(pid_t pid1, pid_t pid2, int type, unsigned long i
32 static inline long missing_keyctl(int cmd, unsigned long arg2, unsigned long arg3, unsigned long arg4, unsigned long arg5) {
34 +# if defined __NR_keyctl && __NR_keyctl > 0
35 return syscall(__NR_keyctl, cmd, arg2, arg3, arg4, arg5);
38 @@ -300,7 +300,7 @@ static inline long missing_keyctl(int cmd, unsigned long arg2, unsigned long arg
41 static inline key_serial_t missing_add_key(const char *type, const char *description, const void *payload, size_t plen, key_serial_t ringid) {
43 +# if defined __NR_add_key && __NR_add_key > 0
44 return syscall(__NR_add_key, type, description, payload, plen, ringid);
47 @@ -311,7 +311,7 @@ static inline key_serial_t missing_add_key(const char *type, const char *descrip
50 static inline key_serial_t missing_request_key(const char *type, const char *description, const char * callout_info, key_serial_t destringid) {
51 -# ifdef __NR_request_key
52 +# if defined __NR_request_key && __NR_request_key > 0
53 return syscall(__NR_request_key, type, description, callout_info, destringid);
56 @@ -496,7 +496,7 @@ enum {
57 static inline long missing_set_mempolicy(int mode, const unsigned long *nodemask,
58 unsigned long maxnode) {
60 -# ifdef __NR_set_mempolicy
61 +# if defined __NR_set_mempolicy && __NR_set_mempolicy > 0
62 i = syscall(__NR_set_mempolicy, mode, nodemask, maxnode);
65 diff --git a/src/test/test-seccomp.c b/src/test/test-seccomp.c
66 index 018c20f8be2..c6692043fed 100644
67 --- a/src/test/test-seccomp.c
68 +++ b/src/test/test-seccomp.c
70 #include "tmpfile-util.h"
73 -#if SCMP_SYS(socket) < 0 || defined(__i386__) || defined(__s390x__) || defined(__s390__)
74 +/* __NR_socket may be invalid due to libseccomp */
75 +#if !defined(__NR_socket) || __NR_socket <= 0 || defined(__i386__) || defined(__s390x__) || defined(__s390__)
76 /* On these archs, socket() is implemented via the socketcall() syscall multiplexer,
77 * and we can't restrict it hence via seccomp. */
78 # define SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN 1
79 @@ -304,14 +305,14 @@ static void test_protect_sysctl(void) {
84 +#if defined __NR__sysctl && __NR__sysctl > 0
85 assert_se(syscall(__NR__sysctl, NULL) < 0);
86 assert_se(errno == EFAULT);
89 assert_se(seccomp_protect_sysctl() >= 0);
92 +#if defined __NR__sysctl && __NR__sysctl > 0
93 assert_se(syscall(__NR__sysctl, 0, 0, 0) < 0);
94 assert_se(errno == EPERM);
96 @@ -640,7 +641,7 @@ static void test_load_syscall_filter_set_raw(void) {
97 assert_se(poll(NULL, 0, 0) == 0);
99 assert_se(s = hashmap_new(NULL));
100 -#if SCMP_SYS(access) >= 0
101 +#if defined __NR_access && __NR_access > 0
102 assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_access + 1), INT_TO_PTR(-1)) >= 0);
104 assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_faccessat + 1), INT_TO_PTR(-1)) >= 0);
105 @@ -656,7 +657,7 @@ static void test_load_syscall_filter_set_raw(void) {
108 assert_se(s = hashmap_new(NULL));
109 -#if SCMP_SYS(access) >= 0
110 +#if defined __NR_access && __NR_access > 0
111 assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_access + 1), INT_TO_PTR(EILSEQ)) >= 0);
113 assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_faccessat + 1), INT_TO_PTR(EILSEQ)) >= 0);
114 @@ -672,7 +673,7 @@ static void test_load_syscall_filter_set_raw(void) {
117 assert_se(s = hashmap_new(NULL));
118 -#if SCMP_SYS(poll) >= 0
119 +#if defined __NR_poll && __NR_poll > 0
120 assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_poll + 1), INT_TO_PTR(-1)) >= 0);
122 assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_ppoll + 1), INT_TO_PTR(-1)) >= 0);
123 @@ -689,7 +690,7 @@ static void test_load_syscall_filter_set_raw(void) {
126 assert_se(s = hashmap_new(NULL));
127 -#if SCMP_SYS(poll) >= 0
128 +#if defined __NR_poll && __NR_poll > 0
129 assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_poll + 1), INT_TO_PTR(EILSEQ)) >= 0);
131 assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_ppoll + 1), INT_TO_PTR(EILSEQ)) >= 0);
132 @@ -767,8 +768,8 @@ static int real_open(const char *path, int flags, mode_t mode) {
133 * testing purposes that calls the real syscall, on architectures where SYS_open is defined. On
134 * other architectures, let's just fall back to the glibc call. */
137 - return (int) syscall(SYS_open, path, flags, mode);
138 +#if defined __NR_open && __NR_open > 0
139 + return (int) syscall(__NR_open, path, flags, mode);
141 return open(path, flags, mode);