Re: [LEDE-DEV] [PATCH procd] service: Start services normally when seccomp is disabled

2017-11-05 Thread Hans Dedecker 
On Fri, Nov 3, 2017 at 10:31 PM, Michal Sojka  wrote:
> When service init file declares seccomp support (procd_set_param seccomp),
> but procd is compiled without seccomp support, the service should be
> started normally, because seccomp-trace and utrace are not available.
>
> Older procd versions decided about whether to start a service in
> seccomp sandbox or not based on existence of seccomp whitelist in the
> filesystem. This was recently removed (c8faedc "Do not disable seccomp
> when configuration is not found", 2017-09-12) because it could be easy
> for attackers to disable seccomp support. This changes is a follow-up
> to the mentioned commit. With it, procd decides about whether to use
> seccomp sandbox based only on compile-time configuration.
>
> Signed-off-by: Michal Sojka 
Tested-by: Hans Dedecker 
> ---
>  CMakeLists.txt | 1 +
>  service/instance.c | 9 ++---
>  2 files changed, 7 insertions(+), 3 deletions(-)
>
> diff --git a/CMakeLists.txt b/CMakeLists.txt
> index 7d05e97..4b3eebd 100644
> --- a/CMakeLists.txt
> +++ b/CMakeLists.txt
> @@ -88,6 +88,7 @@ ADD_CUSTOM_COMMAND(
>  ADD_CUSTOM_TARGET(capabilities-names-h DEPENDS capabilities-names.h)
>
>  IF(SECCOMP_SUPPORT)
> +ADD_DEFINITIONS(-DSECCOMP_SUPPORT)
>  ADD_LIBRARY(preload-seccomp SHARED jail/preload.c jail/seccomp.c)
>  TARGET_LINK_LIBRARIES(preload-seccomp dl ubox blobmsg_json)
>  INSTALL(TARGETS preload-seccomp
> diff --git a/service/instance.c b/service/instance.c
> index 7703686..29d6ea6 100644
> --- a/service/instance.c
> +++ b/service/instance.c
> @@ -141,8 +141,6 @@ static const struct rlimit_name rlimit_names[] = {
> { NULL, 0 }
>  };
>
> -static char trace[] = "/sbin/utrace";
> -
>  static void closefd(int fd)
>  {
> if (fd > STDERR_FILENO)
> @@ -315,10 +313,15 @@ instance_run(struct service_instance *in, int _stdout, 
> int _stderr)
> argv = alloca(sizeof(char *) * (argc + in->jail.argc));
> argc = 0;
>
> +#ifdef SECCOMP_SUPPORT
> if (in->trace)
> -   argv[argc++] = trace;
> +   argv[argc++] = "/sbin/utrace";
> else if (seccomp)
> argv[argc++] = "/sbin/seccomp-trace";
> +#else
> +   if (in->trace || seccomp)
> +   ULOG_WARN("Seccomp support for %s::%s not available\n", 
> in->srv->name, in->name);
> +#endif
>
> if (in->has_jail)
> argc = jail_run(in, argv);
> --
> 2.15.0.rc2
>
>
> ___
> Lede-dev mailing list
> Lede-dev@lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/lede-dev

___
Lede-dev mailing list
Lede-dev@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/lede-dev

[LEDE-DEV] [PATCH procd] service: Start services normally when seccomp is disabled

2017-11-03 Thread Michal Sojka 
When service init file declares seccomp support (procd_set_param seccomp),
but procd is compiled without seccomp support, the service should be
started normally, because seccomp-trace and utrace are not available.

Older procd versions decided about whether to start a service in
seccomp sandbox or not based on existence of seccomp whitelist in the
filesystem. This was recently removed (c8faedc "Do not disable seccomp
when configuration is not found", 2017-09-12) because it could be easy
for attackers to disable seccomp support. This changes is a follow-up
to the mentioned commit. With it, procd decides about whether to use
seccomp sandbox based only on compile-time configuration.

Signed-off-by: Michal Sojka 
---
 CMakeLists.txt | 1 +
 service/instance.c | 9 ++---
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 7d05e97..4b3eebd 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -88,6 +88,7 @@ ADD_CUSTOM_COMMAND(
 ADD_CUSTOM_TARGET(capabilities-names-h DEPENDS capabilities-names.h)
 
 IF(SECCOMP_SUPPORT)
+ADD_DEFINITIONS(-DSECCOMP_SUPPORT)
 ADD_LIBRARY(preload-seccomp SHARED jail/preload.c jail/seccomp.c)
 TARGET_LINK_LIBRARIES(preload-seccomp dl ubox blobmsg_json)
 INSTALL(TARGETS preload-seccomp
diff --git a/service/instance.c b/service/instance.c
index 7703686..29d6ea6 100644
--- a/service/instance.c
+++ b/service/instance.c
@@ -141,8 +141,6 @@ static const struct rlimit_name rlimit_names[] = {
{ NULL, 0 }
 };
 
-static char trace[] = "/sbin/utrace";
-
 static void closefd(int fd)
 {
if (fd > STDERR_FILENO)
@@ -315,10 +313,15 @@ instance_run(struct service_instance *in, int _stdout, 
int _stderr)
argv = alloca(sizeof(char *) * (argc + in->jail.argc));
argc = 0;
 
+#ifdef SECCOMP_SUPPORT
if (in->trace)
-   argv[argc++] = trace;
+   argv[argc++] = "/sbin/utrace";
else if (seccomp)
argv[argc++] = "/sbin/seccomp-trace";
+#else
+   if (in->trace || seccomp)
+   ULOG_WARN("Seccomp support for %s::%s not available\n", 
in->srv->name, in->name);
+#endif
 
if (in->has_jail)
argc = jail_run(in, argv);
-- 
2.15.0.rc2


___
Lede-dev mailing list
Lede-dev@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/lede-dev