
test: use seccomp on handshake test #4768

Merged
merged 6 commits into from
Sep 17, 2024

@lrstewart (Contributor) commented Sep 13, 2024

Resolved issues:

resolves #4766

Description of changes:

I've got an s2n-tls handshake + app data running with seccomp, when built with aws-lc.

I integrated the tests into our existing cmake + ctest, so if we build seccomp into our codebuild images then we could run it as part of standard testing.

Call-outs:

I'm still debugging when built with openssl: X509_verify_cert appears to be trying to open a file to determine the local time? It works if I disable x509 validation. I included that test so that it's easy to repro, but left it disabled.

Testing:

New test. From the test output, you can see that it's running with seccomp linked:

...
-- feature S2N_STACKTRACE: TRUE
-- Linking tests with seccomp
-- Running tests with environment: S2N_DONT_MLOCK=1
...

The test also produced plenty of failures before I got the allowlist right :( Here's an example: https://github.com/lrstewart/s2n/actions/runs/10853333535/job/30121385790

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@github-actions github-actions bot added the s2n-core team label Sep 13, 2024
@lrstewart lrstewart requested a review from jouho September 13, 2024 20:09
@lrstewart lrstewart marked this pull request as ready for review September 13, 2024 20:10
utils/s2n_init.c Outdated
Comment on lines 90 to 92
#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
CRYPTO_pre_sandbox_init();
#endif
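
Review bot: the guard on line 90 tests which libcrypto is in use (`OPENSSL_IS_BORINGSSL`, `OPENSSL_IS_AWSLC`), not whether `CRYPTO_pre_sandbox_init` is actually declared, so a build against a library version that defines one of these macros but lacks the function fails at compile time. Either probe for the symbol or narrow the guard to the libcrypto that is actually tested, and add a one-line comment saying the call has to happen before any sandbox filter is installed.
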
Contributor Author

I debated putting this in a feature probe. I know it would be better, but it kind of seems like overkill :/ Thoughts?

Contributor

I guess it depends on a few things:

  • Are there versions of these libraries that don't include this API and do we want to support those?
  • Do we anticipate other libcryptos adding this API in the future?

Contributor Author

I wouldn't expect other libraries to add it. It's not from openssl.

The API has been in aws-lc from the beginning: aws/aws-lc@3e4dfbb (note that commit was merged in the first PR, along with the rest of the boringssl history).

But it's only been in boringssl since 2020: google/boringssl@3e4dfbb. However, we don't really have an alternative, so earlier versions would just not be sandboxable. Still, not being sandboxable is better than not building at all. Let me see if I can find a reasonable place for documentation.

Contributor Author

Since we're not testing this on boringssl (and I doubt we plan to), I restricted the call to aws-lc and documented the support.
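
Added example, not code from this pull request or from s2n-tls: a minimal C illustration of the ordering issue discussed in this thread, where a resource opened before the seccomp allowlist is installed stays usable, while a lazy open afterwards is refused (the kind of failure the description reports when building with openssl). It uses raw seccomp-BPF rather than libseccomp; `run_sandboxed`, the two-syscall allowlist, the `EPERM` default action and `/dev/urandom` as the resource are assumptions made for the illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#if defined(__x86_64__)
#define NATIVE_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define NATIVE_ARCH AUDIT_ARCH_AARCH64
#endif

/* Constructed allowlist: read and exit_group only; everything else gets EPERM. */
static struct sock_filter allowlist[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NATIVE_ARCH, 0, 3), /* foreign ABI: deny */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_read, 2, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_exit_group, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

/* Child opens /dev/urandom (assumed stand-in for a libcrypto resource) before or
 * after the filter. Returns 0: bytes read, 1: open blocked (EPERM), 2: other. */
int run_sandboxed(int pre_sandbox_init)
{
    struct sock_fprog prog = { .len = sizeof(allowlist) / sizeof(allowlist[0]), .filter = allowlist };
    int status = 0, fd = -1, word = 0;
    pid_t pid = fork();
    if (pid == 0) {
        if (pre_sandbox_init && (fd = open("/dev/urandom", O_RDONLY)) < 0) _exit(2);
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) _exit(2);
        if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0) _exit(2);
        if (!pre_sandbox_init) fd = open("/dev/urandom", O_RDONLY); /* lazy open */
        if (fd < 0) _exit(errno == EPERM ? 1 : 2);
        _exit(read(fd, &word, sizeof(word)) == (ssize_t) sizeof(word) ? 0 : 2);
    }
    if (pid < 0 || waitpid(pid, &status, 0) != pid || !WIFEXITED(status)) return 2;
    return WEXITSTATUS(status);
}

int main(void)
{
    return (run_sandboxed(1) == 0 && run_sandboxed(0) == 1) ? 0 : 1;
}
```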

tests/testlib/s2n_seccomp.c (resolved)
tests/unit/s2n_seccomp_handshake_test.c (outdated, resolved)
tests/unit/s2n_seccomp_handshake_test.c (outdated, resolved)
@lrstewart lrstewart merged commit aaaa2e9 into aws:main Sep 17, 2024
37 checks passed
@lrstewart lrstewart deleted the seccomp branch September 17, 2024 17:06
Successfully merging this pull request may close these issues.

Add seccomp test for sandboxed environments