Fix breaking change in Seccomp profile behavior

Multiple conditions were previously allowed to be placed upon the
same syscall argument. Restore this behavior.

Signed-off-by: Matthew Heon <mheon@redhat.com>
This commit is contained in:
Matthew Heon 2017-10-16 16:27:40 -04:00
parent d5fc10a011
commit e9193ba6e6
2 changed files with 135 additions and 8 deletions

View File

@ -321,3 +321,99 @@ func TestSeccompDenyWriteMultipleConditions(t *testing.T) {
t.Fatalf("Expected output %s but got %s\n", expected, actual) t.Fatalf("Expected output %s but got %s\n", expected, actual)
} }
} }
func TestSeccompMultipleConditionSameArgDeniesStdout(t *testing.T) {
if testing.Short() {
return
}
rootfs, err := newRootfs()
if err != nil {
t.Fatal(err)
}
defer remove(rootfs)
// Prevent writing to both stdout and stderr
config := newTemplateConfig(rootfs)
config.Seccomp = &configs.Seccomp{
DefaultAction: configs.Allow,
Syscalls: []*configs.Syscall{
{
Name: "write",
Action: configs.Errno,
Args: []*configs.Arg{
{
Index: 0,
Value: 1,
Op: configs.EqualTo,
},
{
Index: 0,
Value: 2,
Op: configs.EqualTo,
},
},
},
},
}
buffers, exitCode, err := runContainer(config, "", "ls", "/")
if err != nil {
t.Fatalf("%s: %s", buffers, err)
}
if exitCode != 0 {
t.Fatalf("exit code not 0. code %d buffers %s", exitCode, buffers)
}
// Verify that nothing was printed
if len(buffers.Stdout.String()) != 0 {
t.Fatalf("Something was written to stdout, write call succeeded!\n")
}
}
func TestSeccompMultipleConditionSameArgDeniesStderr(t *testing.T) {
if testing.Short() {
return
}
rootfs, err := newRootfs()
if err != nil {
t.Fatal(err)
}
defer remove(rootfs)
// Prevent writing to both stdout and stderr
config := newTemplateConfig(rootfs)
config.Seccomp = &configs.Seccomp{
DefaultAction: configs.Allow,
Syscalls: []*configs.Syscall{
{
Name: "write",
Action: configs.Errno,
Args: []*configs.Arg{
{
Index: 0,
Value: 1,
Op: configs.EqualTo,
},
{
Index: 0,
Value: 2,
Op: configs.EqualTo,
},
},
},
},
}
buffers, exitCode, err := runContainer(config, "", "ls", "/does_not_exist")
if err == nil {
t.Fatalf("Expecting error return, instead got 0")
}
if exitCode == 0 {
t.Fatalf("Busybox should fail with negative exit code, instead got %d!", exitCode)
}
// Verify nothing was printed
if len(buffers.Stderr.String()) != 0 {
t.Fatalf("Something was written to stderr, write call succeeded!\n")
}
}

View File

@ -22,6 +22,11 @@ var (
actErrno = libseccomp.ActErrno.SetReturnCode(int16(unix.EPERM)) actErrno = libseccomp.ActErrno.SetReturnCode(int16(unix.EPERM))
) )
const (
// Linux system calls can have at most 6 arguments
syscallMaxArguments int = 6
)
// Filters given syscalls in a container, preventing them from being used // Filters given syscalls in a container, preventing them from being used
// Started in the container init process, and carried over to all child processes // Started in the container init process, and carried over to all child processes
// Setns calls, however, require a separate invocation, as they are not children // Setns calls, however, require a separate invocation, as they are not children
@ -45,11 +50,11 @@ func InitSeccomp(config *configs.Seccomp) error {
for _, arch := range config.Architectures { for _, arch := range config.Architectures {
scmpArch, err := libseccomp.GetArchFromString(arch) scmpArch, err := libseccomp.GetArchFromString(arch)
if err != nil { if err != nil {
return err return fmt.Errorf("error validating Seccomp architecture: %s", err)
} }
if err := filter.AddArch(scmpArch); err != nil { if err := filter.AddArch(scmpArch); err != nil {
return err return fmt.Errorf("error adding architecture to seccomp filter: %s", err)
} }
} }
@ -170,29 +175,55 @@ func matchCall(filter *libseccomp.ScmpFilter, call *configs.Syscall) error {
// Convert the call's action to the libseccomp equivalent // Convert the call's action to the libseccomp equivalent
callAct, err := getAction(call.Action) callAct, err := getAction(call.Action)
if err != nil { if err != nil {
return err return fmt.Errorf("action in seccomp profile is invalid: %s", err)
} }
// Unconditional match - just add the rule // Unconditional match - just add the rule
if len(call.Args) == 0 { if len(call.Args) == 0 {
if err = filter.AddRule(callNum, callAct); err != nil { if err = filter.AddRule(callNum, callAct); err != nil {
return err return fmt.Errorf("error adding seccomp filter rule for syscall %s: %s", call.Name, err)
} }
} else { } else {
// Conditional match - convert the per-arg rules into library format // If two or more arguments have the same condition,
// Revert to old behavior, adding each condition as a separate rule
argCounts := make([]uint, syscallMaxArguments)
conditions := []libseccomp.ScmpCondition{} conditions := []libseccomp.ScmpCondition{}
for _, cond := range call.Args { for _, cond := range call.Args {
newCond, err := getCondition(cond) newCond, err := getCondition(cond)
if err != nil { if err != nil {
return err return fmt.Errorf("error creating seccomp syscall condition for syscall %s: %s", call.Name, err)
} }
argCounts[cond.Index] += 1
conditions = append(conditions, newCond) conditions = append(conditions, newCond)
} }
if err = filter.AddRuleConditional(callNum, callAct, conditions); err != nil { hasMultipleArgs := false
return err for _, count := range argCounts {
if count > 1 {
hasMultipleArgs = true
break
}
}
if hasMultipleArgs {
// Revert to old behavior
// Add each condition attached to a separate rule
for _, cond := range conditions {
condArr := []libseccomp.ScmpCondition{cond}
if err = filter.AddRuleConditional(callNum, callAct, condArr); err != nil {
return fmt.Errorf("error adding seccomp rule for syscall %s: %s", call.Name, err)
}
}
} else {
// No conditions share same argument
// Use new, proper behavior
if err = filter.AddRuleConditional(callNum, callAct, conditions); err != nil {
return fmt.Errorf("error adding seccomp rule for syscall %s: %s", call.Name, err)
}
} }
} }