On Tuesday, October 02, 2012 05:10:43 PM Luis C wrote:
> Hi all!
>
> Recently I discovered libseccomp and I'm trying to check the viability of
> adding it to a project, but I have some doubts, probably due to my
> understanding of the library.

Hello Luis,

Hopefully we can help explain the parts of libseccomp which you find
confusing.

> In the example below the getpid syscall is not allowed to execute in the
> child process, no? The basic idea is to deny some syscalls to the child
> process but I'm missing something, any ideas?

In your example below you initialize the seccomp filter to kill the process
when it tries to execute a syscall which has not been explicitly allowed via a
call to seccomp_rule_add[_exact]().  Since you have commented out the rule
which would allow the getpid() syscall to be executed I would expect the
getpid() function to cause the process to be killed by the kernel.

I did notice that modern versions of glibc cache the PID in order to reduce
the number of syscalls; you might be seeing this in your test example.  See
the getpid(2) manpage for more information.  I would suggest modifying your
example to use a syscall that isn't affected by glibc, or simply call getpid()
directly using the syscall(2) function.

Good luck!

> #include <stdio.h>
> #include <stdlib.h>
> #include <unistd.h>
> #include <seccomp.h>
> #include <errno.h>
> #include <sys/types.h>
> #include <sys/wait.h>
>
> /* Kill the process on any syscall that is not explicitly allowed below. */
> int InitSeccomp(void) {
>     int ret = 0;
>
>     ret = seccomp_init(SCMP_ACT_KILL);
>     if (ret == -1) return ret;
>
>     ret = seccomp_rule_add_exact(SCMP_ACT_ALLOW, SCMP_SYS(exit), 0);
>     if (ret != 0) return ret;
>
>     /* glibc's exit()/_exit() issue exit_group(2), not exit(2), so allow it
>      * too or the child is killed while exiting. */
>     ret = seccomp_rule_add_exact(SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0);
>     if (ret != 0) return ret;
>
>     ret = seccomp_rule_add_exact(SCMP_ACT_ALLOW, SCMP_SYS(read), 0);
>     if (ret != 0) return ret;
>
>     ret = seccomp_rule_add_exact(SCMP_ACT_ALLOW, SCMP_SYS(write), 0);
>     if (ret != 0) return ret;
>
>     ret = seccomp_rule_add_exact(SCMP_ACT_ALLOW, SCMP_SYS(open), 0);
>     if (ret != 0) return ret;
>
>     // ret = seccomp_rule_add_exact(SCMP_ACT_ALLOW, SCMP_SYS(getpid), 0);
>     // if (ret != 0) return ret;
>
>     ret = seccomp_load();
>     return ret;
> }
>
>
> int main(int argc, char *argv[])
> {
>     int ret;
>     int status;
>     pid_t pid;
>
>     pid = fork();
>     if (pid == 0) {
>         printf("child executing\n");
>         sleep(2);
>         ret = InitSeccomp();
>         printf("child on seccomp sandbox ret = %d\n", ret);
>         printf("child pid %d\n", getpid());
>         exit(0);
>     }
>     printf("parent waiting for %d\n", pid);
>     /* waitpid() returns the child's pid; the wait status is written to
>      * &status, so it must not be assigned back over status. */
>     waitpid(pid, &status, 0);
>     int ifexisted = WIFEXITED(status);
>     int ifexisstatus = WEXITSTATUS(status);
>     int ifsignaled = WIFSIGNALED(status);
>     printf(...);
>     return 0;
> }
--
paul moore
security and virtualization @ redhat
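The behaviour Paul describes above (kill on any syscall that was not explicitly allowed) together with his suggestion of calling getpid() through syscall(2) so that glibc's PID cache cannot hide the call, as an added example that is not part of this thread and not libseccomp's own code. It builds the same kind of policy as the quoted InitSeccomp() but as a raw seccomp-bpf program installed through prctl(2), so it compiles with only the Linux kernel headers and no libseccomp; the function names, the allow-list (exit_group, plus getpid when requested) and the architecture check are this example's own choices. The parent reports how the child ended: SIGSYS means the kernel killed it for a denied syscall. Newer glibc releases (2.25 onward) no longer cache the PID, so the plain getpid() path is printed for comparison but its outcome depends on the libc version.

```c
/* Added example (not from the thread): kill-by-default seccomp filter built
 * as raw BPF via prctl(2), then getpid() invoked through syscall(2). */
#define _GNU_SOURCE
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Syscall numbers are per-architecture, so the filter checks the arch tag. */
#if defined(__x86_64__)
#define FILTER_ARCH AUDIT_ARCH_X86_64
#elif defined(__i386__)
#define FILTER_ARCH AUDIT_ARCH_I386
#elif defined(__aarch64__)
#define FILTER_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

#define MAX_ALLOWED 32

/* Install a filter whose default action is KILL and which allows only the
 * listed syscall numbers: the raw-BPF equivalent of seccomp_init(SCMP_ACT_KILL)
 * plus one SCMP_ACT_ALLOW rule per syscall. Returns 0 on success, -1 on error. */
int install_allowlist(const int *allowed, size_t n)
{
    struct sock_filter prog[4 + 2 * MAX_ALLOWED + 1];
    size_t len = 0, i;

    if (n > MAX_ALLOWED)
        return -1;

    /* Kill if the calling architecture is not the one this filter was built for. */
    prog[len++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                               offsetof(struct seccomp_data, arch));
    prog[len++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, FILTER_ARCH, 1, 0);
    prog[len++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);

    /* Load the syscall number and compare it against every allowed entry. */
    prog[len++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                               offsetof(struct seccomp_data, nr));
    for (i = 0; i < n; i++) {
        prog[len++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                                   (unsigned int)allowed[i], 0, 1);
        prog[len++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    }
    /* Default action: anything not matched above kills the process. */
    prog[len++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);

    struct sock_fprog fprog = { .len = (unsigned short)len, .filter = prog };
    /* Required before an unprivileged process may install a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog) != 0)
        return -1;
    return 0;
}

/* Fork a child that installs the allow-list and then asks for its PID, either
 * through the libc wrapper or directly via syscall(2). Returns the signal that
 * terminated the child (SIGSYS when seccomp denied the call), 0 when the child
 * exited cleanly, or -1 on a setup failure. */
int run_sandboxed_getpid(int use_raw_syscall, int allow_getpid)
{
    int allowed[2] = { SYS_exit_group, SYS_getpid };
    size_t n = allow_getpid ? 2 : 1;
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* _exit() is exit_group(2) in glibc, which is why that one is allowed. */
        if (install_allowlist(allowed, n) != 0)
            _exit(2);
        if (use_raw_syscall)
            (void)syscall(SYS_getpid);
        else
            (void)getpid();
        _exit(0);
    }
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    if (WIFSIGNALED(status))
        return WTERMSIG(status);
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
        return 0;
    return -1;
}

int main(void)
{
    printf("raw getpid, denied : %d (SIGSYS is %d)\n", run_sandboxed_getpid(1, 0), SIGSYS);
    printf("raw getpid, allowed: %d\n", run_sandboxed_getpid(1, 1));
    printf("libc getpid, denied: %d (0 means libc answered without a syscall)\n",
           run_sandboxed_getpid(0, 0));
    return 0;
}
```

With the getpid rule omitted the raw-syscall child dies with SIGSYS, exactly the outcome expected from the quoted program once the libc cache is out of the picture; with the rule present it exits 0. The arch check at the top of the filter is worth keeping in any real policy, since a filter that compares syscall numbers without it can be bypassed on kernels that also accept the other ABI's numbers.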
_______________________________________________
libseccomp-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/libseccomp-discuss