
__X32_SYSCALL_BIT not checked #19

Open
mejedi opened this issue Apr 6, 2019 · 2 comments · May be fixed by #26

Comments

@mejedi

mejedi commented Apr 6, 2019

man seccomp:

The arch field is not unique for all calling conventions. The x86-64 ABI and the x32 ABI both use AUDIT_ARCH_X86_64 as arch, and they run on the same processors. Instead, the mask __X32_SYSCALL_BIT is used on the system call number to tell the two ABIs apart.

This means that in order to create a seccomp-based blacklist for system calls performed through the x86-64 ABI, it is necessary to not only check that arch equals AUDIT_ARCH_X86_64, but also to explicitly reject all system calls that contain __X32_SYSCALL_BIT in nr.

Apparently, __X32_SYSCALL_BIT is not checked. Meaning that if a policy is compiled for x86_64, blacklists certain syscalls but the default action is ALLOW, a 32-bit caller will bypass the blacklist.

$ echo "DENY{SYSCALL[10]}DEFAULT ALLOW" | ./tools/dump_policy_bpf/dump_policy_bpf
BPF program with 7 instructions
  0: A := architecture
  1: if A != 0xc000003e goto 5
  2: A := syscall number
  3: if A < 0xa goto 6
  4: if A >= 0xb goto 6
  5: KILL
  6: ALLOW
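The dumped program above, alongside a corrected one that adds the __X32_SYSCALL_BIT rejection the man page calls for, as an added example (not kafel's own code or output). It interprets only the five classic-BPF opcodes these two filters use, and the constants are local copies of the Linux UAPI values.

```c
/* Added example, not kafel's code: a tiny interpreter for the classic-BPF opcodes a
 * seccomp filter needs, run over the program dumped in the issue and over a corrected
 * one that also rejects __X32_SYSCALL_BIT. Constants are local copies of UAPI values. */
#include <stdint.h>
#define BPF_LD_W_ABS   0x20  /* BPF_LD|BPF_W|BPF_ABS: load a word of seccomp_data */
#define BPF_JMP_JEQ_K  0x15  /* BPF_JMP|BPF_JEQ|BPF_K */
#define BPF_JMP_JGE_K  0x35  /* BPF_JMP|BPF_JGE|BPF_K */
#define BPF_JMP_JSET_K 0x45  /* BPF_JMP|BPF_JSET|BPF_K: jump if (A & k) != 0 */
#define BPF_RET_K      0x06  /* BPF_RET|BPF_K */
#define AUDIT_ARCH_X86_64 0xc000003eU
#define X32_SYSCALL_BIT   0x40000000U  /* __X32_SYSCALL_BIT from asm/unistd.h */
#define SECCOMP_RET_KILL  0x00000000U
#define SECCOMP_RET_ALLOW 0x7fff0000U
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; }; /* == struct sock_filter */
#define LD(off)       { BPF_LD_W_ABS,   0,   0,   (off) }  /* seccomp_data: nr at 0, arch at 4 */
#define JEQ(k, t, f)  { BPF_JMP_JEQ_K,  (t), (f), (k) }
#define JGE(k, t, f)  { BPF_JMP_JGE_K,  (t), (f), (k) }
#define JSET(k, t, f) { BPF_JMP_JSET_K, (t), (f), (k) }
#define RET(v)        { BPF_RET_K,      0,   0,   (v) }

/* The 7-instruction program dumped in the issue: DENY{SYSCALL[10]} DEFAULT ALLOW. */
static const struct insn original[] = {
    LD(4), JEQ(AUDIT_ARCH_X86_64, 0, 3), LD(0),
    JGE(0xa, 0, 2), JGE(0xb, 1, 0), RET(SECCOMP_RET_KILL), RET(SECCOMP_RET_ALLOW),
};
/* Same policy plus one JSET right after loading nr: an nr carrying the x32 bit is killed. */
static const struct insn fixed[] = {
    LD(4), JEQ(AUDIT_ARCH_X86_64, 0, 4), LD(0), JSET(X32_SYSCALL_BIT, 2, 0),
    JGE(0xa, 0, 2), JGE(0xb, 1, 0), RET(SECCOMP_RET_KILL), RET(SECCOMP_RET_ALLOW),
};
/* Run a filter; jump offsets are relative to the next instruction, as in BPF. */
static uint32_t run_filter(const struct insn *p, int n, uint32_t arch, int32_t nr) {
    uint32_t a = 0;  /* the BPF accumulator */
    for (int pc = 0; pc < n; pc++) {
        const struct insn *i = &p[pc];
        switch (i->code) {
        case BPF_LD_W_ABS:   a = i->k == 0 ? (uint32_t)nr : arch; break;  /* .nr or .arch */
        case BPF_JMP_JEQ_K:  pc += a == i->k ? i->jt : i->jf; break;
        case BPF_JMP_JGE_K:  pc += a >= i->k ? i->jt : i->jf; break;
        case BPF_JMP_JSET_K: pc += (a & i->k) ? i->jt : i->jf; break;
        case BPF_RET_K:      return i->k;
        default:             return 0xffffffffU;  /* unsupported opcode */
        }
    }
    return 0xffffffffU;  /* fell off the end: invalid program */
}
/* 1 if the chosen filter returns SECCOMP_RET_ALLOW for (arch, nr), else 0. */
int filter_allows(int use_fixed, uint32_t arch, int32_t nr) {
    int n = (int)(use_fixed ? sizeof fixed / sizeof *fixed : sizeof original / sizeof *original);
    return run_filter(use_fixed ? fixed : original, n, arch, nr) == SECCOMP_RET_ALLOW;
}
```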
@basilgello

I encountered the same issue + the 'mirrored' one: the amd64 kernel allows not only x32 runtimes but also i386, but only one architecture is checked in the BPF policy. To close this issue, I modernized the i386 and amd64 syscall sets from the current kernel (Debian GNU/Linux 5.8.10) and added the x32 syscall set.

Next step is to define the 'companion architectures' and let the policy code generator add them in the BPF policy. x32 should operate under amd64 architecture and i386 should get another if A... clause.

basilgello added a commit to basilgello/kafel that referenced this issue Oct 12, 2020
It is too hard to tweak bison / flex stuff to combine policies
targeting different architectures so I decided to generate a
separate policy for every target and companion architecture,
and knit them all together following these rules:

 * The architecture check of each target policy passes the
   control to the next target policy if present, or returns KILL
   if no more architectures are left. This ensures no target
   architecture can slip towards the filter
   (see google#19)

 * The default action of each target architecture passes the
   control to the next companion architecture if present.

   This is sufficient assuming there can be only one companion
   architecture for any target architecture.

Signed-off-by: Vasyl Gello <[email protected]>
@apmorton

apmorton commented Apr 2, 2021

+1. We use nsjail on compiler-explorer and this currently prevents us from enabling any seccomp rules due to issues with 32bit binaries.
