[File] [PATCH] Allow getrandom, rseq, and prctl for glibc malloc

Cristian Rodríguez crrodriguez at opensuse.org
Thu Nov 28 14:28:39 UTC 2024


On Thu, Nov 28, 2024 at 11:03 AM Christos Zoulas <christos at zoulas.com>
wrote:

> Hmm, getrandom is already allowed... prctl is dangerous to allow its
> general use. There is a more specific rule already there. Perhaps add to
> that? rseq is fine.
>


Maybe making it return EPERM and continue is also fine. glibc uses this
call to set various VMA names to ease debugging or analysis by humans.


>
> christos
>
> > On Nov 8, 2024, at 2:42 AM, Werner Fink <werner at suse.de> wrote:
> >
> > From: Cristian Rodríguez <crrodriguez at opensuse.org>
> >
> > glibc uses getrandom in malloc, rseq, and prctl in various other
> > places; allow these syscalls in the seccomp filter.
> >
> > ```
> > export GLIBC_TUNABLES=glibc.mem.decorate_maps=1
> > make check
> > ```
> >
> > Signed-off-by: Werner Fink <werner at suse.de>
> > ---
> > src/seccomp.c | 3 +++
> > 1 file changed, 3 insertions(+)
> >
> > diff --git a/src/seccomp.c b/src/seccomp.c
> > index ce824330..8a2c8a4c 100644
> > --- a/src/seccomp.c
> > +++ b/src/seccomp.c
> > @@ -80,6 +80,9 @@ enable_sandbox(void)
> >       if (ctx == NULL)
> >               return -1;
> >
> > +     ALLOW_RULE(prctl);
> > +     ALLOW_RULE(getrandom);
> > +     ALLOW_RULE(rseq);
> >       ALLOW_RULE(access);
> >       ALLOW_RULE(brk);
> >       ALLOW_RULE(close);
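Review bot: `ALLOW_RULE(prctl)` admits every prctl option, while the only use the commit message gives is glibc naming its mappings under `glibc.mem.decorate_maps`; the reply in this thread calls general prctl dangerous and says a more specific prctl rule already exists, so either extend that rule with an argument comparison on arg 0 for the option glibc needs, or give prctl `SCMP_ACT_ERRNO(EPERM)` so glibc's best-effort naming fails and execution continues, rather than an unconditional allow. The reply also says getrandom is already allowed; if so, `ALLOW_RULE(getrandom)` here is a duplicate and should be dropped after checking the existing rule.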
> > --
> > 2.43.0
> >
> > --
> > File mailing list
> > File at astron.com
> > https://mailman.astron.com/mailman/listinfo/file
>
>
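An added example (not code from file(1) or from this patch) of the middle ground the reply describes: a raw seccomp-BPF fragment that allows prctl only for PR_SET_VMA, the option behind the VMA naming the reply mentions, and answers every other prctl option with EPERM so the caller continues instead of being killed. Assumptions: x86_64 (arch constant, little-endian low word of args[0]), the allow fall-through for non-prctl syscalls stands in for file's real allow-list, and the evaluator is a helper written here to exercise the filter without installing it.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#ifndef PR_SET_VMA          /* older kernel headers lack it; the value is "SVMA" */
#define PR_SET_VMA 0x53564d41
#endif
#define OFF(field) ((unsigned int)offsetof(struct seccomp_data, field))

/* Copies the filter into `out` (capacity `cap`), returns its length (0 if too small). */
size_t build_prctl_filter(struct sock_filter *out, size_t cap)
{
    struct sock_filter prog[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, OFF(arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),          /* foreign arch: numbers differ */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, OFF(nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_prctl, 0, 3), /* not prctl: allow (stand-in for the real allow-list) */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, OFF(args[0])),      /* low word of arg0 = prctl option (little-endian) */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, PR_SET_VMA, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),  /* any other option: fail with EPERM, don't kill */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    size_t n = sizeof prog / sizeof prog[0];
    if (n > cap) return 0;
    memcpy(out, prog, sizeof prog);
    return n;
}

/* Evaluates the filter on a synthetic seccomp_data without installing it. */
unsigned int eval_prctl_filter(unsigned int nr, unsigned long long arg0)
{
    struct sock_filter f[16];
    size_t n = build_prctl_filter(f, 16), pc;
    struct seccomp_data d = { .nr = (int)nr, .arch = AUDIT_ARCH_X86_64, .args = { arg0 } };
    unsigned int acc = 0;
    for (pc = 0; pc < n; pc++) {
        if (f[pc].code == (BPF_LD | BPF_W | BPF_ABS))
            memcpy(&acc, (char *)&d + f[pc].k, sizeof acc);
        else if (f[pc].code == (BPF_JMP | BPF_JEQ | BPF_K))
            pc += acc == f[pc].k ? f[pc].jt : f[pc].jf;   /* offsets are relative to the next insn */
        else if (f[pc].code == (BPF_RET | BPF_K))
            return f[pc].k;
    }
    return SECCOMP_RET_KILL;   /* fell off the end; the kernel rejects such programs */
}
```

Installing it for real takes `prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)` followed by `prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)` with a `struct sock_fprog` wrapping the array.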