[File] [PATCH] allow PR_SET_VMA_ANON_NAME in seccomp sandbox
Thomas Weißschuh
thomas at t-8ch.de
Sun Apr 28 17:32:23 UTC 2024
Newer versions of glibc try to name their malloc memory blocks via
prctl(PR_SET_VMA, PR_SET_VMA_ANON_NAME).
With the current sandbox this leads to the file process being killed.
#0 __GI___prctl (option=option at entry=1398164801) at ../sysdeps/unix/sysv/linux/prctl.c:38
#1 0x0000753faabc79cb in __set_vma_name (name=0x753faabcde93 " glibc: malloc", len=135168, start=0x753faabf4000) at ../sysdeps/unix/sysv/linux/setvmaname.h:32
#2 sysmalloc_mmap (nb=nb at entry=134096, pagesize=pagesize at entry=4096, extra_flags=extra_flags at entry=0, av=0x753faabd10e0 <main_arena>)
at /usr/src/debug/glibc/glibc/malloc/malloc.c:2432
#3 0x0000753faabc9354 in sysmalloc (av=0x753faabd10e0 <main_arena>, nb=134096) at /usr/src/debug/glibc/glibc/malloc/malloc.c:2576
#4 _int_malloc (bytes=bytes at entry=134081, av=0x753faabd10e0 <main_arena>) at /usr/src/debug/glibc/glibc/malloc/malloc.c:4481
#5 0x0000753faabc97d0 in malloc_check (sz=134080) at /usr/src/debug/glibc/glibc/malloc/malloc-check.c:205
#6 0x0000753faabcb8d5 in __debug_calloc (nmemb=<optimized out>, size=size at entry=8) at malloc-debug.c:391
#7 0x0000753faab9e982 in add_mlist (mlp=mlp at entry=0x612db5811e50, map=map at entry=0x612db57e6010, idx=idx at entry=0) at apprentice.c:455
#8 0x0000753faaba3296 in apprentice_1 (action=0, fn=<optimized out>, ms=<optimized out>) at apprentice.c:506
#9 file_apprentice (ms=ms at entry=0x612db57e5e80, fn=<optimized out>, fn at entry=0x0, action=action at entry=0) at apprentice.c:774
#10 0x0000753faab9e36c in magic_load (ms=ms at entry=0x612db57e5e80, magicfile=magicfile at entry=0x0) at magic.c:321
#11 0x0000612db3b7eaf3 in load (magicfile=magicfile at entry=0x0, flags=flags at entry=67108864) at file.c:500
#12 0x0000612db3b7df26 in main (argc=2, argv=0x7ffc42c55328) at file.c:419
---
src/seccomp.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/seccomp.c b/src/seccomp.c
index 4be94c2f1e00..6af9f23e22f7 100644
--- a/src/seccomp.c
+++ b/src/seccomp.c
@@ -279,6 +279,12 @@ enable_sandbox_full(void)
goto out;
#endif
+ /* allow glibc to name malloc areas */
+ if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(prctl), 2,
+ SCMP_CMP32(0, SCMP_CMP_EQ, PR_SET_VMA),
+ SCMP_CMP64(1, SCMP_CMP_EQ, PR_SET_VMA_ANON_NAME)) == -1)
+ goto out;
+
// applying filter...
if (seccomp_load(ctx) == -1)
goto out;
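Review bot: The new `seccomp_rule_add` call references `PR_SET_VMA` and `PR_SET_VMA_ANON_NAME` unconditionally, but those constants come from the kernel's prctl uapi header and are absent on older header sets (they were added together with the kernel feature), so the file would presumably stop building there. Wrap the rule in `#ifdef PR_SET_VMA_ANON_NAME` / `#endif`, which also matches the `#endif` the hunk's leading context shows the function already uses for other conditional rules. Matching both argument 0 and argument 1 keeps the allowance limited to anonymous-VMA naming rather than all of prctl, which is the right scope for the sandbox; extending the added comment to `/* allow glibc to name malloc areas; no other PR_SET_VMA subcommand is permitted */` would make that intent explicit to the next reader. enable_sandbox_full starts before the hunk.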
base-commit: d977f9388f25bcbfa4c2f91afb45033c445f5e0d
--
2.44.0