Hi Paul,

You are correct! The getpid is cached by the libc. I just changed the
syscall implied and now it works as expected!

Thanks and regards,
Luis



2012/10/2 Paul Moore <[email protected]>

> On Tuesday, October 02, 2012 05:10:43 PM Luis C wrote:
> > Hi all!,
> >
> > Recently I discovered libseccomp and I'm trying to check the viability of
> > adding it to a project, but I have some doubts, probably due to my
> > understanding of the library.
>
> Hello Luis,
>
> Hopefully we can help explain the parts of libseccomp which you find
> confusing.
>
> > In the example below the getpid syscall is not allowed to execute in the
> > child process, no? The basic idea is to deny some syscalls to the child
> > process but I'm missing something, any ideas?
>
> In your example below you initialize the seccomp filter to kill the process
> when it tries to execute a syscall which has not been explicitly allowed via a
> call to seccomp_rule_add[_exact]().  Since you have commented out the rule
> which would allow the getpid() syscall to be executed I would expect the
> getpid() function to cause the process to be killed by the kernel.
>
> I did notice that modern versions of glibc cache the PID in order to reduce
> the number of syscalls, you might be seeing this in your test example; see the
> getpid(2) manpage for more information.  I would suggest modifying your
> example to use a syscall that isn't affected by glibc, or simply call getpid()
> directly using the syscall(2) function.
>
> Good luck!
>
> > #include <stdio.h>
> > #include <stdlib.h>      /* exit() */
> > #include <unistd.h>      /* fork(), sleep(), getpid() */
> > #include <seccomp.h>
> > #include <errno.h>
> > #include <sys/types.h>
> > #include <sys/wait.h>
> >
> > /* libseccomp 1.x API: one global filter, no context argument. */
> > int InitSeccomp(void) {
> >         int ret = 0;
> >
> >         /* kill the process on any syscall not explicitly allowed below */
> >         ret = seccomp_init(SCMP_ACT_KILL);
> >         if(ret == -1) return ret;
> >
> >         ret = seccomp_rule_add_exact(SCMP_ACT_ALLOW, SCMP_SYS(exit), 0);
> >         if(ret != 0) return ret;
> >
> >         /* glibc's exit()/_exit() issue exit_group, not exit; without this
> >            rule the child is killed when it tries to exit */
> >         ret = seccomp_rule_add_exact(SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0);
> >         if(ret != 0) return ret;
> >
> >         ret = seccomp_rule_add_exact(SCMP_ACT_ALLOW, SCMP_SYS(read), 0);
> >         if(ret != 0) return ret;
> >
> >         ret = seccomp_rule_add_exact(SCMP_ACT_ALLOW, SCMP_SYS(write), 0);
> >         if(ret != 0) return ret;
> >
> >         ret = seccomp_rule_add_exact(SCMP_ACT_ALLOW, SCMP_SYS(open), 0);
> >         if(ret != 0) return ret;
> >
> > //      ret = seccomp_rule_add_exact(SCMP_ACT_ALLOW, SCMP_SYS(getpid), 0);
> > //      if(ret != 0) return ret;
> >
> >         ret = seccomp_load();
> >         return ret;
> > }
> >
> >
> > int main(int argc, char *argv[])
> > {
> >         int ret;
> >         int status;
> >         pid_t pid;
> >
> >         pid = fork();
> >         if(pid == 0){
> >                 printf("child executing\n");
> >                 sleep(2);
> >                 ret = InitSeccomp();
> >                 printf("child on seccomp sandbox ret = %d\n",ret);
> >                 /* glibc may answer this from its PID cache without a syscall */
> >                 printf("child pid %d\n",getpid());
> >                 exit(0);
> >         }
> >         printf("parent waiting for %d\n",pid);
> >         /* keep the wait status in status; waitpid() returns the pid */
> >         ret = waitpid(pid,&status,0);
> >         int ifexited = WIFEXITED(status);
> >         int ifexitstatus = WEXITSTATUS(status);
> >         int ifsignaled = WIFSIGNALED(status);
> >         printf("child exited=%d status=%d signaled=%d\n",
> >                ifexited, ifexitstatus, ifsignaled);
> >         return 0;
> > }
>
>
>
>
> --
> paul moore
> security and virtualization @ redhat
>
>
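Paul's suggestion above (call getpid via syscall(2) so the request really reaches the kernel) as an added example; this is not code from the thread or from libseccomp. It builds the same kill-by-default filter as a raw seccomp BPF program installed through prctl(2), so it compiles without libseccomp, and forks a child for each probe so the parent can report whether the kernel killed it. Assumptions: x86-64 or AArch64 Linux with seccomp filter support (kernel 3.5 or later), glibc or musl; the function and probe names are mine. Two caveats the example also checks: the PID cache Paul refers to was removed in glibc 2.25, so on a current system the libc getpid() is killed exactly like the raw syscall, and glibc's exit()/_exit() end in exit_group, which the posted filter (exit only) does not allow.

```c
#define _GNU_SOURCE
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

long syscall(long number, ...);   /* harmless if unistd.h already declared it */

/* Assumption: x86-64 or AArch64. The arch check stops the filter from being
 * applied to a syscall table it was not written for (e.g. the 32-bit ABI). */
#if defined(__x86_64__)
#define FILTER_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define FILTER_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* Kill-by-default filter, the raw equivalent of seccomp_init(SCMP_ACT_KILL),
 * allowing only write, exit and (optionally) exit_group. Anything else,
 * including a real getpid syscall, terminates the process. */
static int install_filter(int allow_exit_group)
{
    struct sock_filter filter[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, FILTER_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        /* with allow_exit_group == 0 this slot just repeats the exit rule */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                 allow_exit_group ? __NR_exit_group : __NR_exit, 3, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_exit, 2, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_write, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = sizeof(filter) / sizeof(filter[0]),
        .filter = filter,
    };
    /* required for an unprivileged process to install a filter */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Fork, install the filter in the child, run fn(), then _exit(0).
 * Returns 1 if seccomp killed the child (the kernel reports SIGSYS),
 * 0 if the child exited normally, -1 on any other outcome. */
static int run_sandboxed(void (*fn)(void), int allow_exit_group)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        struct rlimit nocore = { 0, 0 };
        (void)setrlimit(RLIMIT_CORE, &nocore);   /* a SIGSYS kill would dump core */
        if (install_filter(allow_exit_group) != 0)
            _exit(2);
        fn();
        _exit(0);                                /* glibc: exit_group, not exit */
    }
    int status;
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    if (WIFSIGNALED(status) &&
        (WTERMSIG(status) == SIGSYS || WTERMSIG(status) == SIGKILL))
        return 1;
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
        return 0;
    return -1;
}

static void via_libc_getpid(void) { (void)getpid(); }
static void via_raw_getpid(void)  { (void)syscall(SYS_getpid); }
static void via_write(void)       { (void)write(1, "write allowed\n", 14); }
static void nothing(void)         { }

/* getpid through syscall(2) always reaches the kernel, so it is always killed */
int probe_getpid_syscall(void)          { return run_sandboxed(via_raw_getpid, 1); }
/* getpid through libc: 0 on a glibc that caches the PID (before 2.25), else 1 */
int probe_getpid_libc(void)             { return run_sandboxed(via_libc_getpid, 1); }
/* a syscall the filter allows: the child exits normally */
int probe_write_allowed(void)           { return run_sandboxed(via_write, 1); }
/* exit allowed but not exit_group: the child dies on its way out */
int probe_exit_without_exit_group(void) { return run_sandboxed(nothing, 0); }

int main(void)
{
    printf("getpid via syscall(2) killed: %d\n", probe_getpid_syscall());
    printf("getpid via libc killed:       %d\n", probe_getpid_libc());
    printf("write allowed (0 = exited):   %d\n", probe_write_allowed());
    printf("exit only, no exit_group:     %d\n", probe_exit_without_exit_group());
    return 0;
}
```

Build with plain cc (no -lseccomp needed). probe_getpid_libc() is the check to run before trusting a getpid()-based test: a 0 there means the libc answered from its cache and the filter was never exercised, which is the situation the thread describes.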
_______________________________________________
libseccomp-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/libseccomp-discuss
