From 8289d19ea5d9935883f71a32e2f8f82ba7a283fb Mon Sep 17 00:00:00 2001
From: "W. J. van der Laan"
Date: Tue, 5 Oct 2021 00:07:44 +0200
Subject: [PATCH 1/2] util: Define SECCOMP_RET_KILL_PROCESS if not provided by the headers

Define `SECCOMP_RET_KILL_PROCESS` as it isn't defined in the headers, as is the case for the GUIX build on this platform.
---
 src/util/syscall_sandbox.cpp | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/util/syscall_sandbox.cpp b/src/util/syscall_sandbox.cpp
index c4006cbd3c..c6957be09c 100644
--- a/src/util/syscall_sandbox.cpp
+++ b/src/util/syscall_sandbox.cpp
@@ -40,6 +40,10 @@ bool g_syscall_sandbox_log_violation_before_terminating{false};
 #error Syscall sandbox is an experimental feature currently available only under Linux x86-64.
 #endif // defined(__x86_64__)
 
+#ifndef SECCOMP_RET_KILL_PROCESS
+#define SECCOMP_RET_KILL_PROCESS 0x80000000U
+#endif
+
 // This list of syscalls in LINUX_SYSCALLS is only used to map syscall numbers to syscall names in
 // order to be able to print user friendly error messages which include the syscall name in addition
 // to the syscall number.

From 2d0279987ef04edda5f61c171768b9527cc936cc Mon Sep 17 00:00:00 2001
From: "W. J. van der Laan"
Date: Tue, 5 Oct 2021 08:13:02 +0200
Subject: [PATCH 2/2] util: Make sure syscall numbers used in profile are defined

Define the following syscall numbers for x86_64, so that the profile will be the same no matter what kernel is built against, including kernels that don't have `__NR_statx`:

```c++
#define __NR_statx 332
#define __NR_getrandom 318
#define __NR_membarrier 324
```
---
 src/util/syscall_sandbox.cpp | 22 ++++++++++++++--------
 1 file changed, 14 insertions(+), 8 deletions(-)

diff --git a/src/util/syscall_sandbox.cpp b/src/util/syscall_sandbox.cpp
index c6957be09c..0e2295ead8 100644
--- a/src/util/syscall_sandbox.cpp
+++ b/src/util/syscall_sandbox.cpp
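Review bot: The local `#define SECCOMP_RET_KILL_PROCESS 0x80000000U` makes the build succeed, but nothing in the hunk records that the action is only honoured by kernels that know it; as far as I recall, kernels before 4.14 mask the filter's return value with a narrower SECCOMP_RET_ACTION and end up at SECCOMP_RET_KILL, which kills only the offending thread and leaves the rest of the process running after a sandbox violation. A comment on the define would make that trade-off visible to the next reader: `// Added in Linux 4.14; older kernels mask this to SECCOMP_RET_KILL (thread only) — confirm whether whole-process kill is required here`. If whole-process termination is part of the threat model, the code that installs the filter could probe with `seccomp(SECCOMP_GET_ACTION_AVAIL, 0, &action)` and log or refuse when the action is unsupported; that installer is outside this hunk, so I am only flagging it.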
@@ -44,6 +44,20 @@ bool g_syscall_sandbox_log_violation_before_terminating{false};
 #define SECCOMP_RET_KILL_PROCESS 0x80000000U
 #endif
 
+// Define system call numbers for x86_64 that are referenced in the system call profile
+// but not provided by the kernel headers used in the GUIX build.
+#ifndef __NR_statx
+#define __NR_statx 332
+#endif
+
+#ifndef __NR_getrandom
+#define __NR_getrandom 318
+#endif
+
+#ifndef __NR_membarrier
+#define __NR_membarrier 324
+#endif
+
 // This list of syscalls in LINUX_SYSCALLS is only used to map syscall numbers to syscall names in
 // order to be able to print user friendly error messages which include the syscall name in addition
 // to the syscall number.
@@ -162,9 +176,7 @@ const std::map LINUX_SYSCALLS{
     {__NR_getpmsg, "getpmsg"},
     {__NR_getppid, "getppid"},
     {__NR_getpriority, "getpriority"},
-#if defined(__NR_getrandom)
     {__NR_getrandom, "getrandom"},
-#endif // defined(__NR_getrandom)
     {__NR_getresgid, "getresgid"},
     {__NR_getresuid, "getresuid"},
     {__NR_getrlimit, "getrlimit"},
@@ -212,9 +224,7 @@ const std::map LINUX_SYSCALLS{
     {__NR_lstat, "lstat"},
     {__NR_madvise, "madvise"},
     {__NR_mbind, "mbind"},
-#if defined(__NR_membarrier)
     {__NR_membarrier, "membarrier"},
-#endif // defined(__NR_membarrier)
     {__NR_memfd_create, "memfd_create"},
     {__NR_migrate_pages, "migrate_pages"},
     {__NR_mincore, "mincore"},
@@ -515,9 +525,7 @@ public:
     {
         allowed_syscalls.insert(__NR_brk); // change data segment size
         allowed_syscalls.insert(__NR_madvise); // give advice about use of memory
-#if defined(__NR_membarrier)
         allowed_syscalls.insert(__NR_membarrier); // issue memory barriers on a set of threads
-#endif // defined(__NR_membarrier)
         allowed_syscalls.insert(__NR_mlock); // lock memory
         allowed_syscalls.insert(__NR_mmap); // map files or devices into memory
         allowed_syscalls.insert(__NR_mprotect); // set protection on a region of memory
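Review bot: The fallback values in the first hunk (332, 318, 324) are x86_64 ABI numbers, but nothing next to the three `#ifndef` blocks ties them to that architecture; the only thing preventing a wrong number from being compiled into the allow-list is the `#error` for non-x86_64 builds earlier in the file (visible as context in the previous patch), and a later port that relaxes that guard would silently get a different syscall whitelisted. Since the numbers are fixed for x86_64, a check after the defines catches both a bad fallback and a header that disagrees: `static_assert(__NR_statx == 332 && __NR_getrandom == 318 && __NR_membarrier == 324, "syscall number fallbacks are x86_64-only");`. The leading comment could say the same in one line: `// x86_64 ABI numbers; these fallbacks are wrong on any other architecture.` The remaining hunks only drop the `#if defined(...)` guards that the defines make redundant, which is consistent with the intent stated in the commit message.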
@@ -595,9 +603,7 @@ public:
 
     void AllowGetRandom()
     {
-#if defined(__NR_getrandom)
         allowed_syscalls.insert(__NR_getrandom); // obtain a series of random bytes
-#endif // defined(__NR_getrandom)
     }
 
     void AllowGetSimpleId()