Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add rules for mmap and dup #41

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Add rules for mmap and dup #41

wants to merge 1 commit into from

Conversation

MasloMaslane
Copy link
Member

Now mmap is allowed to read only from fd > 2, and dup isn't allowed to use fd < 3

@MasloMaslane MasloMaslane self-assigned this Nov 27, 2023
Wolf480pl
Wolf480pl reviewed Nov 27, 2023
View reviewed changes
src/seccomp/policy/DefaultPolicy.cc
Comment on lines +113 to +116
rules_.emplace_back(SeccompRule(
syscall,
action::ActionAllow(),
filter::SyscallArg(4) >= 3));
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Currently, when this rule fails, we kill the tracee with "intercepted forbidden syscall", right?
Can we add a second rule which, when the fd is not >= 3, we return EACCES? That means

EACCES A file descriptor refers to a non-regular file. Or a file mapping was requested, but fd is not open for reading. Or MAP_SHARED was requested and PROT_WRITE is set, but fd is not open in read/write (O_RDWR) mode. Or PROT_WRITE is set, but the file is append-only.

which should basically tell whoever tried to mmap that this file is not mmapable and they should proceed with regular reads instead.

Also, I think we also need to handle MAP_ANONYMOUS somehow, so that the process can allocate memory? On my system it appears even in strace true, probably ld.so or libc prologue uses it.

The manpage says in case of MAP_ANONYMOUS

The fd argument is ignored; however, some implementations require fd to be -1 if MAP_ANONYMOUS (or MAP_ANON) is specified, and portable applications should ensure this.

If our conditions treat args as unsigned then -1 would be >= 3 and that'd pass through, but I'm not sure if I want to rely on programs passing -1 as fd when the kernel doesn't require it...
Maybe we could have another rule for MAP_ANONYMOUS?

@Wolf480pl
Copy link
Member

I wonder if we should add tests for this kinda stuff

@MasloMaslane
Copy link
Member Author

Ughh, Python for some reason dups file descriptors 0-2, so the tests fail (for example test/src/sum_python3.9.py)

@MasloMaslane
Copy link
Member Author

And when dup returns EACCES, python fails with runtime error 1

@Wolf480pl
Copy link
Member

Looks like Python 3.9 in its infinite wisdom uses dup to check if an FD is valid.

https://github.com/python/cpython/blob/v3.9.18/Python/pylifecycle.c#L1735-L1765

Looks like they changed it to fcntl in 3.11 and later python/cpython@f87ea03

But if python 3.9 specifically is used in some contests then we can't drop support for that by forbidding dup....

@MasloMaslane
Copy link
Member Author

OIJ and Szkopuł use python3.9, so I guess for now we have to allow mmap for fd < 3

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Wolf480pl Wolf480pl Wolf480pl left review comments

Assignees

@MasloMaslane MasloMaslane

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@MasloMaslane @Wolf480pl