[File] [PATCH] allow PR_SET_VMA_ANON_NAME in seccomp sandbox

Thomas Weißschuh thomas at t-8ch.de
Thu May 23 16:07:55 UTC 2024


Hi,

thanks for picking up this patch.

However the actually applied patch does a lot of things that were not in
my patch.

It doesn't even compile:

    make[3]: Entering directory '/home/t-8ch/src/file/src'
      CC       seccomp.o
    seccomp.c: In function ‘enable_sandbox_basic’:
    seccomp.c:160:9: error: ‘memory’ undeclared (first use in this function)
      160 |         memory
          |         ^~~~~~
    seccomp.c:160:9: note: each undeclared identifier is reported only once for each function it appears in
    seccomp.c:160:15: error: expected ‘;’ before ‘if’
      160 |         memory
          |               ^
          |               ;
      161 |         // applying filter...
      162 |         if (seccomp_load(ctx) == -1)
          |         ~~

When deleting the spurious "memory", it segfaults:

    Making all in magic
    make[2]: Entering directory '/home/t-8ch/src/file/magic'
    ../src/file -C -m magic
    make[2]: *** [Makefile:868: magic.mgc] Segmentation fault (core dumped)

Backtrace:

    #0  0x00007fe8985a1432 in _db_reset (db=db at entry=0x55839fdba0ad) at /usr/src/debug/libseccomp/libseccomp-2.5.5/src/db.c:834
    #1  0x00007fe8985a1579 in _db_release (db=0x55839fdba0ad) at /usr/src/debug/libseccomp/libseccomp-2.5.5/src/db.c:897
    #2  _db_release (db=0x55839fdba0ad) at /usr/src/debug/libseccomp/libseccomp-2.5.5/src/db.c:891
    #3  db_col_release (col=0x5586c7b7da90) at /usr/src/debug/libseccomp/libseccomp-2.5.5/src/db.c:1159
    #4  0x00007fe8985a74d4 in db_col_release (col=<optimized out>) at /usr/src/debug/libseccomp/libseccomp-2.5.5/src/db.c:1151
    #5  0x000055869afe4bac in enable_sandbox_full () at seccomp.c:306
    #6  0x000055869afe28b0 in main (argc=4, argv=0x7ffeaefd3c88) at file.c:371

As I don't know what the additional changes were supposed to do over
the original patch, I can't provide ideas.

Thomas


On 2024-04-28 19:24:45+0000, Thomas Weißschuh wrote:
> Newer versions of glibc try to name their malloc memory blocks via
> prctl(PR_SET_VMA, PR_SET_VMA_ANON_NAME).
> With the current sandbox this leads to the file process being killed.
> 
>  #0  __GI___prctl (option=option at entry=1398164801) at ../sysdeps/unix/sysv/linux/prctl.c:38
>  #1  0x0000753faabc79cb in __set_vma_name (name=0x753faabcde93 " glibc: malloc", len=135168, start=0x753faabf4000) at ../sysdeps/unix/sysv/linux/setvmaname.h:32
>  #2  sysmalloc_mmap (nb=nb at entry=134096, pagesize=pagesize at entry=4096, extra_flags=extra_flags at entry=0, av=0x753faabd10e0 <main_arena>)
>      at /usr/src/debug/glibc/glibc/malloc/malloc.c:2432
>  #3  0x0000753faabc9354 in sysmalloc (av=0x753faabd10e0 <main_arena>, nb=134096) at /usr/src/debug/glibc/glibc/malloc/malloc.c:2576
>  #4  _int_malloc (bytes=bytes at entry=134081, av=0x753faabd10e0 <main_arena>) at /usr/src/debug/glibc/glibc/malloc/malloc.c:4481
>  #5  0x0000753faabc97d0 in malloc_check (sz=134080) at /usr/src/debug/glibc/glibc/malloc/malloc-check.c:205
>  #6  0x0000753faabcb8d5 in __debug_calloc (nmemb=<optimized out>, size=size at entry=8) at malloc-debug.c:391
>  #7  0x0000753faab9e982 in add_mlist (mlp=mlp at entry=0x612db5811e50, map=map at entry=0x612db57e6010, idx=idx at entry=0) at apprentice.c:455
>  #8  0x0000753faaba3296 in apprentice_1 (action=0, fn=<optimized out>, ms=<optimized out>) at apprentice.c:506
>  #9  file_apprentice (ms=ms at entry=0x612db57e5e80, fn=<optimized out>, fn at entry=0x0, action=action at entry=0) at apprentice.c:774
>  #10 0x0000753faab9e36c in magic_load (ms=ms at entry=0x612db57e5e80, magicfile=magicfile at entry=0x0) at magic.c:321
>  #11 0x0000612db3b7eaf3 in load (magicfile=magicfile at entry=0x0, flags=flags at entry=67108864) at file.c:500
>  #12 0x0000612db3b7df26 in main (argc=2, argv=0x7ffc42c55328) at file.c:419
> ---
>  src/seccomp.c | 6 ++++++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/src/seccomp.c b/src/seccomp.c
> index 4be94c2f1e00..6af9f23e22f7 100644
> --- a/src/seccomp.c
> +++ b/src/seccomp.c
> @@ -279,6 +279,12 @@ enable_sandbox_full(void)
>  		 goto out;
>  #endif
>  
> +	 /* allow glibc to name malloc areas */
> +	 if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(prctl), 2,
> +	     SCMP_CMP32(0, SCMP_CMP_EQ, PR_SET_VMA),
> +	     SCMP_CMP64(1, SCMP_CMP_EQ, PR_SET_VMA_ANON_NAME)) == -1)
> +		 goto out;
> +
>  	// applying filter...
>  	if (seccomp_load(ctx) == -1)
>  		goto out;
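Review bot: the new rule references PR_SET_VMA and PR_SET_VMA_ANON_NAME without a feature guard, while the rule immediately above it closes with `#endif`, so this file already wraps constants that older headers may lack; on a toolchain whose prctl.h predates these macros the build will fail. Suggest wrapping the block in `#ifdef PR_SET_VMA_ANON_NAME` … `#endif` (or supplying fallback definitions with a comment), and confirming that the prctl header is already included, since the diff adds no include. The argument shapes look right: SCMP_CMP32 on arg 0 matches the `int option` parameter and SCMP_CMP64 on arg 1 matches the `unsigned long` attribute, so a value that differs only in the high 32 bits is still rejected.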
> 
> base-commit: d977f9388f25bcbfa4c2f91afb45033c445f5e0d
> -- 
> 2.44.0
> 
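As an added illustration of what the rule in the quoted hunk asks libseccomp to generate (this is example code, not part of the patch or of file(1)), the same argument-filtered prctl check is written below as raw classic-BPF seccomp instructions, with a small evaluator so the decisions can be checked offline. Nothing here installs a filter. The names run_filter, decide_prctl and decide_syscall are my own; the constants come from the kernel headers, with fallback values assumed where a header predates them; the high/low word offsets assume a little-endian host, and a real filter would also check data->arch first (libseccomp does).

```c
/* Added example, not file(1) code: the prctl(PR_SET_VMA, PR_SET_VMA_ANON_NAME)
 * allow rule as raw seccomp BPF, plus an offline evaluator. Never loaded. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <linux/prctl.h>
#include <sys/syscall.h>

/* Fallbacks for headers that predate these constants (values match uapi). */
#ifndef PR_SET_VMA
#define PR_SET_VMA 0x53564d41
#endif
#ifndef PR_SET_VMA_ANON_NAME
#define PR_SET_VMA_ANON_NAME 0
#endif
#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif

/* Offsets of the low and high 32-bit halves of args[n] (little-endian host). */
#define ARG_LO(n) ((uint32_t)offsetof(struct seccomp_data, args[n]))
#define ARG_HI(n) ((uint32_t)offsetof(struct seccomp_data, args[n]) + 4)

/* Only the prctl rule is modelled: other syscalls are allowed here, whereas the
 * real sandbox is default-kill with an allow-list. For prctl, both halves of
 * the 64-bit arg 1 are compared, which is what SCMP_CMP64 buys over SCMP_CMP32. */
static const struct sock_filter prctl_filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, (uint32_t)offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_prctl, 0, 6),        /* not prctl -> ALLOW */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG_LO(0)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, PR_SET_VMA, 0, 5),        /* option != PR_SET_VMA -> KILL */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG_LO(1)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (uint32_t)PR_SET_VMA_ANON_NAME, 0, 3),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG_HI(1)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
             (uint32_t)((uint64_t)PR_SET_VMA_ANON_NAME >> 32), 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
};

static uint32_t load_word(const struct seccomp_data *d, uint32_t off)
{
    uint32_t v;
    memcpy(&v, (const unsigned char *)d + off, sizeof v);
    return v;
}

/* Evaluate a filter on one syscall record the way the kernel's classic-BPF
 * interpreter would, for the three instruction kinds used above. */
uint32_t run_filter(const struct sock_filter *prog, size_t len,
                    const struct seccomp_data *d)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *in = &prog[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            if (in->k + sizeof(uint32_t) > sizeof *d)
                return SECCOMP_RET_KILL_PROCESS;   /* out-of-range load: fail closed */
            acc = load_word(d, in->k);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == in->k) ? in->jt : in->jf; /* loop's ++ adds the implicit +1 */
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:
            return SECCOMP_RET_KILL_PROCESS;       /* unsupported opcode: fail closed */
        }
    }
    return SECCOMP_RET_KILL_PROCESS;               /* fell off the end: fail closed */
}

#define FILTER_LEN (sizeof prctl_filter / sizeof prctl_filter[0])

/* Decide prctl(option, arg2, ...) with a constructed seccomp_data record. */
uint32_t decide_prctl(uint64_t option, uint64_t arg2)
{
    struct seccomp_data d;
    memset(&d, 0, sizeof d);
    d.nr = __NR_prctl;
    d.args[0] = option;
    d.args[1] = arg2;
    return run_filter(prctl_filter, FILTER_LEN, &d);
}

/* Decide an arbitrary syscall number with zeroed arguments. */
uint32_t decide_syscall(int nr)
{
    struct seccomp_data d;
    memset(&d, 0, sizeof d);
    d.nr = nr;
    return run_filter(prctl_filter, FILTER_LEN, &d);
}

int main(void)
{
    printf("glibc malloc naming : %s\n",
           decide_prctl(PR_SET_VMA, PR_SET_VMA_ANON_NAME) == SECCOMP_RET_ALLOW ? "allow" : "kill");
    printf("other PR_SET_VMA    : %s\n",
           decide_prctl(PR_SET_VMA, 1) == SECCOMP_RET_ALLOW ? "allow" : "kill");
    printf("high-word-only diff : %s\n",
           decide_prctl(PR_SET_VMA, 1ULL << 32) == SECCOMP_RET_ALLOW ? "allow" : "kill");
    return 0;
}
```

The third case in main() is the one worth keeping in mind when choosing SCMP_CMP32 versus SCMP_CMP64: a 32-bit compare on the attribute argument would read only the low word and would accept an attribute value that differs solely in its upper 32 bits.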

