[File] [PATCH] Fix seccomp rules for executing decompressor on glibc

Christos Zoulas christos at zoulas.com
Thu Sep 15 14:27:39 UTC 2022


On 2022-09-15 4:10 am, Michał Górny wrote:
> Add ALLOW_RULE for all the syscalls used by glibc on my system to spawn
> the decompressor.  With them present, `file -z ...` starts working again
> when not using external libraries, at least on amd64.  Other
> architectures may need more syscalls.

Yes, I know. The reason I have not done this already is because once we
allow clone and execve there is not much point in sandboxing... I guess
we can modify -S to add those syscalls instead and that is better than
completely disabling sandboxing... What do you think?

christos

> ---
>  src/seccomp.c | 34 ++++++++++++++++++++++++++++++++++
>  1 file changed, 34 insertions(+)
> 
> diff --git a/src/seccomp.c b/src/seccomp.c
> index 7993177b..1c80b540 100644
> --- a/src/seccomp.c
> +++ b/src/seccomp.c
> @@ -236,6 +236,40 @@ enable_sandbox_full(void)
>  	ALLOW_RULE(write);
>  	ALLOW_RULE(writev);
> 
> +	// The following are needed to spawn decompressor on GNU/Linux
> +#ifdef __NR_arch_prctl
> +	ALLOW_RULE(arch_prctl);
> +#endif
> +#ifdef __NR_clone3
> +	ALLOW_RULE(clone3);
> +#endif
> +#ifdef __NR_execve
> +	ALLOW_RULE(execve);
> +#endif
> +#ifdef __NR_getrandom
> +	ALLOW_RULE(getrandom);
> +#endif
> +#ifdef __NR_pipe2
> +	ALLOW_RULE(pipe2);
> +#endif
> +#ifdef __NR_prlimit64
> +	ALLOW_RULE(prlimit64);
> +#endif
> +#ifdef __NR_rseq
> +	ALLOW_RULE(rseq);
> +#endif
> +#ifdef __NR_set_robust_list
> +	ALLOW_RULE(set_robust_list);
> +#endif
> +#ifdef __NR_set_tid_address
> +	ALLOW_RULE(set_tid_address);
> +#endif
> +#ifdef __NR_ugetrlimit
> +	ALLOW_RULE(ugetrlimit);
> +#endif
> +#ifdef __NR_wait4
> +	ALLOW_RULE(wait4);
> +#endif
> 
>  #if 0
>  	// needed by valgrind
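Review bot: the new rules sit unconditionally inside enable_sandbox_full(), so every invocation allows clone3 and execve even when no decompressor will ever be spawned; seccomp cannot read the strings behind execve's pointer arguments, so that single ALLOW_RULE lets the sandboxed process exec any binary, which is the "not much point in sandboxing" concern raised in the reply. Suggest emitting this block only when decompression was actually requested (the -z path) and leaving the plain profile as it was. Second point in the same block: clone3 is allowed but clone is not. glibc 2.34 and later tries clone3 first and falls back to clone only when clone3 fails with ENOSYS, which a filter whose default action kills the process never produces, and older glibc spawns through clone directly, so an ALLOW_RULE(clone) (or deliberately failing clone3 with ENOSYS) is needed for the other architectures the commit message anticipates and for older glibc.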
> --
> 2.37.3

-- 
christos
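The design point in the reply, shown as an added example rather than code from this thread or from file(1)'s src/seccomp.c: a raw seccomp-BPF allowlist in which the spawn-related syscalls from the patch are appended only when the caller is about to run a decompressor, so a plain run never permits clone/execve. It assumes Linux on x86_64 or aarch64 (the AUDIT_ARCH_* choice), the kernel UAPI headers rather than libseccomp, and an illustrative base_calls subset in place of file(1)'s real list; the names sandbox, build_filter, evaluate, allowed and install_sandbox are mine. The small interpreter lets the policy be checked in userspace before it is loaded.

```c
/* Added example, not file(1)'s src/seccomp.c. Linux only (x86_64 or aarch64
 * assumed); raw seccomp-BPF via the kernel UAPI headers, no libseccomp. */
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#ifdef __x86_64__
#define SANDBOX_ARCH AUDIT_ARCH_X86_64
#else
#define SANDBOX_ARCH AUDIT_ARCH_AARCH64 /* assumption: adjust for other hosts */
#endif
#define MAX_INSNS 128

/* Illustrative subset of what the matcher itself needs in every mode. */
static const int base_calls[] = { SYS_read, SYS_write, SYS_close, SYS_fstat,
    SYS_lseek, SYS_brk, SYS_mmap, SYS_munmap, SYS_exit_group };
/* Needed only to fork+exec a decompressor: the patch's list plus clone, which
 * glibc falls back to when clone3 is unavailable. */
static const int spawn_calls[] = { SYS_clone, SYS_execve, SYS_pipe2, SYS_wait4,
    SYS_getrandom, SYS_prlimit64, SYS_set_robust_list, SYS_set_tid_address,
#ifdef SYS_clone3
    SYS_clone3,
#endif
#ifdef SYS_rseq
    SYS_rseq,
#endif
#ifdef SYS_arch_prctl
    SYS_arch_prctl, /* x86_64 only */
#endif
};
struct sandbox { struct sock_filter insns[MAX_INSNS]; unsigned short len; int overflow; };
static void emit(struct sandbox *sb, struct sock_filter f)
{
    if (sb->len < MAX_INSNS) sb->insns[sb->len++] = f; else sb->overflow = 1;
}
#define EMIT(sb, insn) emit((sb), (struct sock_filter)insn)
/* Each allowed syscall becomes "if (nr == X) return ALLOW". */
static void allow_list(struct sandbox *sb, const int *calls, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        EMIT(sb, BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (uint32_t)calls[i], 0, 1));
        EMIT(sb, BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW));
    }
}
static void build_filter(struct sandbox *sb, int allow_spawn)
{
    memset(sb, 0, sizeof *sb);
    /* A foreign ABI (e.g. 32-bit calls on x86_64) renumbers syscalls: kill first. */
    EMIT(sb, BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)));
    EMIT(sb, BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SANDBOX_ARCH, 1, 0));
    EMIT(sb, BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS));
    EMIT(sb, BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)));
    allow_list(sb, base_calls, sizeof base_calls / sizeof base_calls[0]);
    if (allow_spawn) /* only the decompression path pays for clone/execve */
        allow_list(sb, spawn_calls, sizeof spawn_calls / sizeof spawn_calls[0]);
    EMIT(sb, BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS)); /* default deny */
}

/* Interpreter for the three opcodes used above, so a policy can be checked
 * without loading it into the kernel. BPF jump offsets are relative to pc+1. */
static uint32_t evaluate(const struct sandbox *sb, uint32_t arch, int nr)
{
    struct seccomp_data d = { .nr = nr, .arch = arch };
    uint32_t acc = 0;
    for (unsigned pc = 0; pc < sb->len; pc++) {
        const struct sock_filter *f = &sb->insns[pc];
        if (f->code == (BPF_LD | BPF_W | BPF_ABS)) memcpy(&acc, (const char *)&d + f->k, sizeof acc);
        else if (f->code == (BPF_JMP | BPF_JEQ | BPF_K)) pc += acc == f->k ? f->jt : f->jf;
        else if (f->code == (BPF_RET | BPF_K)) return f->k;
        else break; /* opcode this toy does not model */
    }
    return SECCOMP_RET_KILL_PROCESS; /* unmodelled or fell off the end: deny */
}

/* 1 if syscall nr would be allowed on this host in the given mode. */
static int allowed(int allow_spawn, int nr)
{
    struct sandbox sb;
    build_filter(&sb, allow_spawn);
    return !sb.overflow && evaluate(&sb, SANDBOX_ARCH, nr) == SECCOMP_RET_ALLOW;
}

/* Real installation, e.g. install_sandbox(1) on the -z path and 0 otherwise.
 * The filter is inherited across fork and execve, so the decompressor child
 * runs under exactly this allowlist too. */
static int install_sandbox(int allow_spawn)
{
    struct sandbox sb;
    build_filter(&sb, allow_spawn);
    if (sb.overflow) return -1;
    struct sock_fprog prog = { .len = sb.len, .filter = sb.insns };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}
```

Two things the example makes concrete. The filter checks seccomp_data.arch before the syscall number, because a 32-bit syscall on an x86_64 host carries different numbers and would otherwise slip past an allowlist written for the 64-bit table. And once execve is allowed there is no way in BPF to restrict which program runs, since the filter sees only the pointer value, not the path it points to; the only real limits on the child are that it inherits the same filter (so the decompressor itself must fit the allowlist) and that PR_SET_NO_NEW_PRIVS stops it from gaining privileges through a setuid binary.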