[lxc-devel] [lxd/master] seccomp: rework missing syscall number definitions
brauner on Github
lxc-bot at linuxcontainers.org
Fri Jun 14 12:31:35 UTC 2019
A non-text attachment was scrubbed...
Name: not available
Type: text/x-mailbox
Size: 775 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20190614/a3079347/attachment.bin>
-------------- next part --------------
From c655ed5575bec72fd6940770029d569a10e7f80d Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Fri, 14 Jun 2019 14:10:01 +0200
Subject: [PATCH] seccomp: rework missing syscall number definitions
According to Arnd there are two scenarios as long as __NR_mknodat is
defined:
1. __NR_mknod is defined too
2. __NR_mknod was never defined on that architecture
Even if tools manually define __NR_mknod it must be defined in the
header for them to do this correctly.
If it isn't in the header the number will be wrong and we might
intercept a wrong syscall.
Suggested-by: Arnd Bergmann <arnd at arndb.de>
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
lxd/seccomp.go | 46 +++++++---------------------------------------
1 file changed, 7 insertions(+), 39 deletions(-)
diff --git a/lxd/seccomp.go b/lxd/seccomp.go
index 071859d6a2..32397b9729 100644
--- a/lxd/seccomp.go
+++ b/lxd/seccomp.go
@@ -109,45 +109,11 @@ static int device_allowed(dev_t dev, mode_t mode)
return -EPERM;
}
-#ifndef __NR_mknod
- #ifdef __x86_64__
- #define __NR_mknod 133
- #elif defined __arm__
- #define __NR_mknod 14
- #elif defined __aarch64__
- #define __NR_mknod 14
- #elif defined __s390__
- #define __NR_mknod 14
- #elif defined __s390x__
- #define __NR_mknod 14
- #elif __mips__ && _MIPSEB && _MIPS_SIM ==_ABIO32
- #define __NR_mknod 14
- #elif __mips__ && _MIPSEL && _MIPS_SIM==_ABIO32
- #define __NR_mknod 14
- #elif __mips__ && _MIPSEB && _MIPS_SIM==_ABI64
- #define __NR_mknod 131
- #elif __mips__ && _MIPSEL && _MIPS_SIM==_ABI64
- #define __NR_mknod 131
- #elif __mips__ && _MIPSEB && _MIPS_SIM==_ABIN32
- #define __NR_mknod 131
- #elif __mips__ && _MIPSEL && _MIPS_SIM==_ABIN32
- #define __NR_mknod 131
- #elif defined __i386__
- #define __NR_mknod 14
- #elif defined __alpha__
- #define __NR_mknod 14
- #elif defined __ia64__
- #define __NR_mknod 13
- #elif defined __m68k__
- #define __NR_mknod 14
- #elif defined __sparc__
- #define __NR_mknod 14
- #elif defined __powerpc__
- #define __NR_mknod 14
- #elif defined __sh__
- #define __NR_mknod 14
- #else
- #warning "__NR_mknod unknown for your architecture"
+#ifndef __NR_mknodat
+ #error missing kernel headers
+#else
+ #ifdef __NR_mknod
+ #define LXD_MUST_CHECK_MKNOD
#endif
#endif
@@ -166,6 +132,7 @@ static int seccomp_notify_mknod_set_response(int fd_mem, struct seccomp_notify_p
resp->val = 0;
switch (req->data.nr) {
+#ifdef LXD_MUST_CHECK_MKNOD
case __NR_mknod:
resp->error = device_allowed(req->data.args[2], req->data.args[1]);
if (resp->error) {
@@ -182,6 +149,7 @@ static int seccomp_notify_mknod_set_response(int fd_mem, struct seccomp_notify_p
*pid = req->pid;
break;
+#endif
case __NR_mknodat:
if (req->data.args[0] != AT_FDCWD) {
errno = EINVAL;
More information about the lxc-devel
mailing list