guix_mirror_bot pushed a commit to branch master
in repository guix.

commit b79100ef61bf032528939367883f29137ba103b7
Author: Reepca Russelstein <[email protected]>
AuthorDate: Fri Jun 27 00:49:52 2025 -0500

    daemon: Conditionally disable seccomp filter on ‘socketcall’ systems.
    
    glibc currently will insist on using 'socketcall' on i686-linux unless built
    with '--enable-kernel=4.3.0' or above, even on systems that have dedicated
    system calls available for all the socket-related functionality.  This
    behavior breaks the assumption that socketcall can be safely blocked without
    impacting functionality in slirp4netns, rendering the seccomp filter unusable
    with those glibcs.
    
    This change makes the slirp4netns seccomp filter opt-in on systems with a
    'socketcall' system call.  It can either be opted-into at compile-time or at
    runtime using the NO_SOCKETCALL_LIBC preprocessor define or the
    GUIX_FORCE_SECCOMP environment variable, respectively.
    
    The seccomp filter being disabled on these systems means that it is possible
    for a compromised slirp4netns to access abstract unix domain sockets in the
    root network namespace.  It does not affect any of the other mechanisms used
    to isolate slirp4netns (e.g. chroot, namespaces, etc).
    
    Fixes guix/guix#808.
    
    * nix/libstore/build.cc (spawnSlirp4netns) [__NR_socketcall]: Do not add
    seccomp filter, unless ‘GUIX_FORCE_SECCOMP’ is set.
    
    Change-Id: Ibfe8becc9431f5aff11a21f06858b20496f9cb4a
    Signed-off-by: Ludovic Courtès <[email protected]>
---
 nix/libstore/build.cc | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc
index eee3a33a58..e77869fc3e 100644
--- a/nix/libstore/build.cc
+++ b/nix/libstore/build.cc
@@ -2219,8 +2219,24 @@ static pid_t spawnSlirp4netns(int tapfd, int 
notifyReadyFD,
         slirpCtx.supplementaryGroups = {};
         slirpCtx.setSupplementaryGroups = true;
     }
-    slirpCtx.seccompFilter = slirpSeccompFilter();
-    slirpCtx.addSeccompFilter = true;
+    /* Unless built with '--enable-kernel=4.3.0' or similar, glibc on i686
+       uses 'socketcall' instead of dedicated system calls like 'socket' and
+       'bind'.  Since the seccomp filter cannot inspect 'socketcall' arguments
+       in a meaningful way, it can only prohibit all 'socketcall' calls; the
+       other option is to disable the seccomp filter entirely, meaning that
+       slirp4netns would have access to abstract unix sockets in the root
+       network namespace.  */
+#ifdef __NR_socketcall
+#ifndef NO_SOCKETCALL_LIBC
+    if(getenv("GUIX_FORCE_SECCOMP") == NULL)
+        printMsg(lvlInfo, "warning: seccomp filter for slirp4netns presumed 
unusable with this libc, disabling it");
+    else
+#endif
+#endif
+    {
+        slirpCtx.seccompFilter = slirpSeccompFilter();
+        slirpCtx.addSeccompFilter = true;
+    }
 
     /* Silence slirp4netns output unless requested */
     if(verbosity <= lvlInfo) {
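Review bot: the `getenv("GUIX_FORCE_SECCOMP") == NULL` test treats any value, including an empty string, as a request to re-enable the filter, and the only record of the weakened sandbox is `printMsg(lvlInfo, "warning: ...")`; since this path leaves slirp4netns able to reach abstract unix sockets in the root network namespace, consider logging it at the level the daemon uses for real warnings and documenting both `GUIX_FORCE_SECCOMP` and `NO_SOCKETCALL_LIBC` (the ChangeLog entry names only the former). The `#ifdef __NR_socketcall` guard also fires on every architecture that defines `socketcall`, not only i686 as the comment says, so the comment could state that the presence of the syscall, not the architecture, is the condition.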
