commit da6b55b6f47efacf20f525c644b349666bbe77aa
parent cac7bec130d8655888470c40582dfdbfcce9ced8
Author: Simon South <simon@simonsouth.net>
Date: Mon, 6 Sep 2021 09:21:16 -0400
sandbox: Filter "fchmodat" on systems using generic syscalls
On architectures that use Linux's generic syscall interface the legacy "chmod"
call is not available; on these systems glibc uses "fchmodat" instead. Modify
the sandbox implementation to match.
Diffstat:
1 file changed, 19 insertions(+), 14 deletions(-)
diff --git a/src/lib/sandbox/sandbox.c b/src/lib/sandbox/sandbox.c
@@ -601,8 +601,9 @@ sb_open(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
return 0;
}
+#ifdef ARCH_USES_GENERIC_SYSCALLS
static int
-sb_chmod(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
+sb_fchmodat(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
{
int rc;
sandbox_cfg_t *elem = NULL;
@@ -612,11 +613,12 @@ sb_chmod(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
smp_param_t *param = elem->param;
if (param != NULL && param->prot == 1 && param->syscall
- == SCMP_SYS(chmod)) {
- rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(chmod),
- SCMP_CMP_STR(0, SCMP_CMP_EQ, param->value));
+ == SCMP_SYS(fchmodat)) {
+ rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fchmodat),
+ SCMP_CMP_LOWER32_EQ(0, AT_FDCWD),
+ SCMP_CMP_STR(1, SCMP_CMP_EQ, param->value));
if (rc != 0) {
- log_err(LD_BUG,"(Sandbox) failed to add chmod syscall, received "
+ log_err(LD_BUG,"(Sandbox) failed to add fchmodat syscall, received "
"libseccomp error %d", rc);
return rc;
}
@@ -625,9 +627,9 @@ sb_chmod(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
return 0;
}
-
+#else
static int
-sb_fchmodat(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
+sb_chmod(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
{
int rc;
sandbox_cfg_t *elem = NULL;
@@ -637,12 +639,11 @@ sb_fchmodat(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
smp_param_t *param = elem->param;
if (param != NULL && param->prot == 1 && param->syscall
- == SCMP_SYS(fchmodat)) {
- rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fchmodat),
- SCMP_CMP_LOWER32_EQ(0, AT_FDCWD),
- SCMP_CMP_STR(1, SCMP_CMP_EQ, param->value));
+ == SCMP_SYS(chmod)) {
+ rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(chmod),
+ SCMP_CMP_STR(0, SCMP_CMP_EQ, param->value));
if (rc != 0) {
- log_err(LD_BUG,"(Sandbox) failed to add fchmodat syscall, received "
+ log_err(LD_BUG,"(Sandbox) failed to add chmod syscall, received "
"libseccomp error %d", rc);
return rc;
}
@@ -651,6 +652,7 @@ sb_fchmodat(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
return 0;
}
+#endif /* defined(ARCH_USES_GENERIC_SYSCALLS) */
#ifdef __i386__
static int
@@ -1485,8 +1487,11 @@ static sandbox_filter_func_t filter_func[] = {
sb_chown,
#endif
sb_fchownat,
- sb_chmod,
+#if defined(ARCH_USES_GENERIC_SYSCALLS)
sb_fchmodat,
+#else
+ sb_chmod,
+#endif
sb_open,
sb_openat,
sb_opendir,
@@ -1775,7 +1780,7 @@ new_element(int syscall, char *value)
#define SCMP_chown SCMP_SYS(chown)
#endif
-#if defined(__aarch64__) && defined(__LP64__)
+#if defined(ARCH_USES_GENERIC_SYSCALLS)
#define SCMP_chmod SCMP_SYS(fchmodat)
#else
#define SCMP_chmod SCMP_SYS(chmod)
