From af99a4d9e2a1514b8144ce46ce776ec54e6ee03a Mon Sep 17 00:00:00 2001
From: Frederic Cambus
Date: Thu, 17 Sep 2020 12:17:57 +0200
Subject: [PATCH] Conditionally allow syscalls required to run on arm.
Those syscalls do not exist on other Kore supported platforms, so we must check that they exist before allowing them.
---
 src/acme.c | 3 +++
 src/keymgr.c | 15 +++++++++++++++
 src/seccomp.c | 27 +++++++++++++++++++++++++++
 3 files changed, 45 insertions(+)
diff --git a/src/acme.c b/src/acme.c
index 9ab5dad..c187aad 100644
--- a/src/acme.c
+++ b/src/acme.c
@@ -86,6 +86,9 @@ static struct sock_filter filter_acme[] = {
 KORE_SYSCALL_ALLOW(brk),
 #if defined(SYS_mmap)
 KORE_SYSCALL_ALLOW(mmap),
+#endif
+#if defined(SYS_mmap2)
+ KORE_SYSCALL_ALLOW(mmap2),
 #endif
 KORE_SYSCALL_ALLOW(ioctl),
 KORE_SYSCALL_ALLOW(uname),
diff --git a/src/keymgr.c b/src/keymgr.c
index b53a9dd..5288053 100644
--- a/src/keymgr.c
+++ b/src/keymgr.c
@@ -85,6 +85,9 @@ static struct sock_filter filter_keymgr[] = {
 KORE_SYSCALL_ALLOW(stat),
 #endif
 KORE_SYSCALL_ALLOW(fstat),
+#if defined(SYS_fstat64)
+ KORE_SYSCALL_ALLOW(fstat64),
+#endif
 KORE_SYSCALL_ALLOW(futex),
 KORE_SYSCALL_ALLOW(writev),
 KORE_SYSCALL_ALLOW(openat),
@@ -96,8 +99,14 @@ static struct sock_filter filter_keymgr[] = {
 /* Net related. */
 #if defined(SYS_poll)
 KORE_SYSCALL_ALLOW(poll),
+#endif
+#if defined(SYS_send)
+ KORE_SYSCALL_ALLOW(send),
 #endif
 KORE_SYSCALL_ALLOW(sendto),
+#if defined(SYS_recv)
+ KORE_SYSCALL_ALLOW(recv),
+#endif
 KORE_SYSCALL_ALLOW(recvfrom),
 #if defined(SYS_epoll_wait)
 KORE_SYSCALL_ALLOW(epoll_wait),
@@ -114,6 +123,9 @@ static struct sock_filter filter_keymgr[] = {
 #endif
 KORE_SYSCALL_ALLOW(exit_group),
 KORE_SYSCALL_ALLOW(sigaltstack),
+#if defined(SYS_sigreturn)
+ KORE_SYSCALL_ALLOW(sigreturn),
+#endif
 KORE_SYSCALL_ALLOW(rt_sigreturn),
 KORE_SYSCALL_ALLOW(rt_sigaction),
 KORE_SYSCALL_ALLOW(rt_sigprocmask),
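Review bot: In src/acme.c (`@@ -86,6 +86,9`) the new `KORE_SYSCALL_ALLOW(mmap2)` is unconditional, whereas the seccomp.c part of this patch places `KORE_SYSCALL_DENY_WITH_FLAG(mmap2, 2, PROT_EXEC | PROT_WRITE, EINVAL),` ahead of the same allow in filter_kore. Whether filter_acme is evaluated behind filter_kore's deny rules is not visible here; if it is installed on its own, writable-and-executable mappings remain reachable through mmap2 in the acme process. The neighbouring `mmap` entry already has this shape, so the gap is carried over rather than introduced. The same applies to filter_keymgr at `@@ -122,6 +134,9`. I would either add the deny entry before the allow in both filters or add a comment naming the filter that enforces the W^X rule for these processes. Both arrays start and end outside their hunks.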
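Review bot: In src/keymgr.c (`@@ -85,6 +85,9`) only `fstat64` is added, although the context just above allows `stat` under `#if defined(SYS_stat)`. On 32-bit arm the C library typically issues `stat64` for a path-based stat(), so such a call from the key manager would presumably still be rejected by the filter; seccomp.c gains `stat64` in this patch but keymgr.c does not. If the key manager does stat paths, add `#if defined(SYS_stat64)` / `KORE_SYSCALL_ALLOW(stat64),` / `#endif` next to the existing `stat` entry. In the same way filter_kore (`@@ -58,13 +58,25`) gets `stat64` but no `lstat64` counterpart for its `lstat` entry.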
@@ -122,6 +134,9 @@ static struct sock_filter filter_keymgr[] = {
 KORE_SYSCALL_ALLOW(brk),
 #if defined(SYS_mmap)
 KORE_SYSCALL_ALLOW(mmap),
+#endif
+#if defined(SYS_mmap2)
+ KORE_SYSCALL_ALLOW(mmap2),
 #endif
 KORE_SYSCALL_ALLOW(munmap),
 KORE_SYSCALL_ALLOW(clock_gettime),
diff --git a/src/seccomp.c b/src/seccomp.c
index f001f22..44ee083 100644
--- a/src/seccomp.c
+++ b/src/seccomp.c
@@ -58,13 +58,25 @@ static struct sock_filter filter_kore[] = {
 #if defined(SYS_stat)
 KORE_SYSCALL_ALLOW(stat),
 #endif
+#if defined(SYS_stat64)
+ KORE_SYSCALL_ALLOW(stat64),
+#endif
 #if defined(SYS_lstat)
 KORE_SYSCALL_ALLOW(lstat),
 #endif
 KORE_SYSCALL_ALLOW(fstat),
+#if defined(SYS_fstat64)
+ KORE_SYSCALL_ALLOW(fstat64),
+#endif
 KORE_SYSCALL_ALLOW(write),
 KORE_SYSCALL_ALLOW(fcntl),
+#if defined(SYS_fcntl64)
+ KORE_SYSCALL_ALLOW(fcntl64),
+#endif
 KORE_SYSCALL_ALLOW(lseek),
+#if defined(SYS__llseek)
+ KORE_SYSCALL_ALLOW(_llseek),
+#endif
 KORE_SYSCALL_ALLOW(close),
 KORE_SYSCALL_ALLOW(openat),
 #if defined(SYS_access)
@@ -88,6 +100,9 @@ static struct sock_filter filter_kore[] = {
 KORE_SYSCALL_ALLOW(exit_group),
 KORE_SYSCALL_ALLOW(nanosleep),
 KORE_SYSCALL_ALLOW(clock_nanosleep),
+#if defined(SYS_sigreturn)
+ KORE_SYSCALL_ALLOW(sigreturn),
+#endif
 /* Memory related. */
 KORE_SYSCALL_ALLOW(brk),
@@ -96,11 +111,17 @@ static struct sock_filter filter_kore[] = {
 /* Deny mmap/mprotect calls with PROT_EXEC/PROT_WRITE protection. */
 #if defined(SYS_mmap)
 KORE_SYSCALL_DENY_WITH_FLAG(mmap, 2, PROT_EXEC | PROT_WRITE, EINVAL),
+#endif
+#if defined(SYS_mmap2)
+ KORE_SYSCALL_DENY_WITH_FLAG(mmap2, 2, PROT_EXEC | PROT_WRITE, EINVAL),
 #endif
 KORE_SYSCALL_DENY_WITH_FLAG(mprotect, 2, PROT_EXEC, EINVAL),
 #if defined(SYS_mmap)
 KORE_SYSCALL_ALLOW(mmap),
+#endif
+#if defined(SYS_mmap2)
+ KORE_SYSCALL_ALLOW(mmap2),
 #endif
 KORE_SYSCALL_ALLOW(madvise),
 KORE_SYSCALL_ALLOW(mprotect),
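Review bot: In src/seccomp.c (`@@ -96,11 +111,17`) the restriction on mmap2 holds only while the `KORE_SYSCALL_DENY_WITH_FLAG(mmap2, ...)` entry stays ahead of `KORE_SYSCALL_ALLOW(mmap2)`, presumably because the first matching entry decides, and nothing in the array states that ordering rule. The comment above the deny entries still reads "Deny mmap/mprotect calls" and no longer names everything it covers. I would change it to `/* Deny mmap/mmap2/mprotect calls with PROT_EXEC/PROT_WRITE protection; these must stay ahead of the matching allow entries. */`. Argument index 2 is the protection argument for mmap2 as it is for mmap, so the new deny entry itself looks right. filter_kore starts and ends outside the hunk.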
@@ -110,9 +131,15 @@ static struct sock_filter filter_kore[] = {
 KORE_SYSCALL_ALLOW(poll),
 #endif
 KORE_SYSCALL_ALLOW(ppoll),
+#if defined(SYS_send)
+ KORE_SYSCALL_ALLOW(send),
+#endif
 KORE_SYSCALL_ALLOW(sendto),
 KORE_SYSCALL_ALLOW(accept),
 KORE_SYSCALL_ALLOW(sendfile),
+#if defined(SYS_recv)
+ KORE_SYSCALL_ALLOW(recv),
+#endif
 KORE_SYSCALL_ALLOW(recvfrom),
 KORE_SYSCALL_ALLOW(epoll_ctl),
 KORE_SYSCALL_ALLOW(setsockopt),