[File] [PATCH] Fix seccomp rules for executing decompressor on glibc
Christos Zoulas
christos at zoulas.com
Thu Sep 15 14:27:39 UTC 2022
On 2022-09-15 4:10 am, Michał Górny wrote:
> Add ALLOW_RULE for all the syscalls used by glibc on my system to spawn
> the decompressor. With them present, `file -z ...` starts working again
> when not using external libraries, at least on amd64. Other
> architectures may need more syscalls.
Yes, I know. The reason I have not done this already is because once we
allow clone and execve there is not much point in sandboxing... I guess
we can modify -S to add those syscalls instead and that is better than
completely disabling sandboxing... What do you think?
christos
> ---
> src/seccomp.c | 34 ++++++++++++++++++++++++++++++++++
> 1 file changed, 34 insertions(+)
>
> diff --git a/src/seccomp.c b/src/seccomp.c
> index 7993177b..1c80b540 100644
> --- a/src/seccomp.c
> +++ b/src/seccomp.c
> @@ -236,6 +236,40 @@ enable_sandbox_full(void)
> ALLOW_RULE(write);
> ALLOW_RULE(writev);
>
> + // The following are needed to spawn decompressor on GNU/Linux
> +#ifdef __NR_arch_prctl
> + ALLOW_RULE(arch_prctl);
> +#endif
> +#ifdef __NR_clone3
> + ALLOW_RULE(clone3);
> +#endif
> +#ifdef __NR_execve
> + ALLOW_RULE(execve);
> +#endif
> +#ifdef __NR_getrandom
> + ALLOW_RULE(getrandom);
> +#endif
> +#ifdef __NR_pipe2
> + ALLOW_RULE(pipe2);
> +#endif
> +#ifdef __NR_prlimit64
> + ALLOW_RULE(prlimit64);
> +#endif
> +#ifdef __NR_rseq
> + ALLOW_RULE(rseq);
> +#endif
> +#ifdef __NR_set_robust_list
> + ALLOW_RULE(set_robust_list);
> +#endif
> +#ifdef __NR_set_tid_address
> + ALLOW_RULE(set_tid_address);
> +#endif
> +#ifdef __NR_ugetrlimit
> + ALLOW_RULE(ugetrlimit);
> +#endif
> +#ifdef __NR_wait4
> + ALLOW_RULE(wait4);
> +#endif
>
> #if 0
> // needed by valgrind
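Review bot: adding clone3 and execve to enable_sandbox_full() unconditionally means the "full" profile can now spawn arbitrary programs, which is exactly the concern raised in the reply; consider adding this block only on the code path that actually execs a decompressor (the -z case, or behind -S as suggested) rather than in the default profile. Also worth checking, given the note that other architectures may need more syscalls, whether a plain `clone` rule is needed next to `clone3`: a libc that would normally fall back from clone3 to clone gets no chance to do so when the filter's default action kills the process instead of returning ENOSYS. Finally, the comment `// The following are needed to spawn decompressor on GNU/Linux` should read "the decompressor" and could name which libc call needs them (fork/exec via posix_spawn or similar) so a future reader knows why arch_prctl, rseq and set_robust_list are on the list.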
> --
> 2.37.3
--
christos
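The gating Christos proposes, written out as an added example (not file(1)'s own seccomp.c): a seccomp-BPF allow-list in which the syscalls glibc needs to fork and exec a decompressor are admitted only when the caller opts in, with an assumed `allow_spawn` flag standing in for the -S switch. It assumes x86_64 Linux and uses an illustrative subset of syscalls, not file(1)'s real list.

```c
/* Added example, not file(1)'s seccomp.c: spawn-related syscalls are admitted only
 * behind an opt-in flag. Assumes x86_64 Linux; the syscall lists are an illustrative subset. */
#include <errno.h>
#include <stddef.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/syscall.h>
static const int base_calls[] = { SYS_read, SYS_write, SYS_close, SYS_exit_group };
static const int spawn_calls[] = { /* only needed to fork+exec an external decompressor */
#ifdef SYS_clone3
    SYS_clone3,
#endif
    SYS_clone, SYS_execve, SYS_pipe2, SYS_wait4 };
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))
#define MAX_INSNS (5 + 2 * (COUNT(base_calls) + COUNT(spawn_calls)))
static void allow(struct sock_filter *f, size_t *n, int nr)
{   /* if (nr == A) return ALLOW; otherwise fall through to the next comparison */
    f[(*n)++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)nr, 0, 1);
    f[(*n)++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
}
/* Fill f (at least MAX_INSNS entries) and return the instruction count. */
size_t build_filter(int allow_spawn, struct sock_filter *f)
{
    size_t n = 0, i;
    f[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    f[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0);
    f[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL); /* foreign ABI: kill */
    f[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (i = 0; i < COUNT(base_calls); i++)
        allow(f, &n, base_calls[i]);
    for (i = 0; allow_spawn && i < COUNT(spawn_calls); i++)
        allow(f, &n, spawn_calls[i]);
    /* Anything else fails with EPERM instead of killing, so a refused execve is reportable. */
    f[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA));
    return n;
}
/* Does the filter built for allow_spawn carry an ALLOW branch for syscall nr? */
int sandbox_would_allow(int allow_spawn, int nr)
{
    struct sock_filter f[MAX_INSNS];
    size_t n = build_filter(allow_spawn, f), i;
    for (i = 0; i + 1 < n; i++)
        if (f[i].code == (BPF_JMP | BPF_JEQ | BPF_K) && f[i].k == (unsigned)nr &&
            f[i + 1].code == (BPF_RET | BPF_K) && f[i + 1].k == SECCOMP_RET_ALLOW)
            return 1;
    return 0;
}
```

Installing the program is the usual pair of calls, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) followed by prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) with a struct sock_fprog wrapping the array. With allow_spawn left at 0 the process's own execve then fails with EPERM, which is the behaviour the default profile should keep.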