Skip to content

Allow loading more than one seccomp program#459

Merged
smcv merged 3 commits intocontainers:masterfrom
smcv:multiple-seccomp
Jan 31, 2022
Merged

Allow loading more than one seccomp program#459
smcv merged 3 commits intocontainers:masterfrom
smcv:multiple-seccomp

Conversation

@smcv
Copy link
Copy Markdown
Collaborator

@smcv smcv commented Oct 12, 2021
edited
Loading

  • Generalize linked lists of LockFile and SetupOp

    I'm about to add a third linked list, for seccomp programs, which would
    seem like too much duplication.

  • Allow loading more than one seccomp program

    This will allow Flatpak to combine an allow-list (default-deny) of
    known system calls with a deny-list (default-allow) of system calls
    that are undesired.

    Resolves: RFE: a way to add more than one seccomp program #453

  • tests: Exercise seccomp filters

@smcv smcv requested review from alexlarsson and cgwalters October 12, 2021 09:46
@smcv smcv marked this pull request as draft October 12, 2021 09:48
@smcv
Copy link
Copy Markdown
Collaborator Author

smcv commented Oct 12, 2021

Before merging this we should test it on a sufficiently ancient OS like Ubuntu 16.04 or Debian 9, to make sure we've avoided regressions like the ones triggered by fixing CVE-2021-41133 in Flatpak.

@alexlarsson
Copy link
Copy Markdown
Collaborator

alexlarsson commented Oct 14, 2021

This looks good to me.

@smcv
Copy link
Copy Markdown
Collaborator Author

smcv commented Oct 14, 2021

Thanks, I'll give this a try on ye olde Ubuntu VM and make sure it works there.

@smcv smcv force-pushed the multiple-seccomp branch 4 times, most recently from 5a5815f to 33f2192 Compare October 21, 2021 15:47
@smcv smcv marked this pull request as ready for review October 21, 2021 15:51
@smcv
Copy link
Copy Markdown
Collaborator Author

smcv commented Oct 21, 2021

I've expanded the tests a bit. The actual implementation is still the same as @alexlarsson reviewed.

I can't easily run the tests on anything older than Debian 10 and Ubuntu 20.04 because those are the oldest with python3-seccomp, but they pass on Debian 10.

@smcv smcv requested a review from alexlarsson October 21, 2021 15:53
smcv added a commit to smcv/flatpak that referenced this pull request Oct 21, 2021
@smcv
tests: Add try-syscall helper
091e768 
This exercises various syscalls. It's heavily based on the one from
<containers/bubblewrap#459>, but with the
addition of a mode to output the numeric values of various expected
errno codes, which are not otherwise available to shell scripts.

Signed-off-by: Simon McVittie <smcv@collabora.com>
smcv added a commit to smcv/flatpak that referenced this pull request Oct 21, 2021
@smcv
tests: Add try-syscall helper
e45bfde 
This exercises various syscalls. It's heavily based on the one from
<containers/bubblewrap#459>, but with the
addition of a mode to output the numeric values of various expected
errno codes, which are not otherwise available to shell scripts.

Signed-off-by: Simon McVittie <smcv@collabora.com>
@smcv smcv mentioned this pull request Oct 21, 2021
Merged
smcv added a commit to smcv/flatpak that referenced this pull request Oct 25, 2021
@smcv
tests: Add try-syscall helper
4ce2518 
This exercises various syscalls. It's heavily based on the one from
<containers/bubblewrap#459>, but with the
addition of a mode to output the numeric values of various expected
errno codes, which are not otherwise available to shell scripts.

Signed-off-by: Simon McVittie <smcv@collabora.com>
@smcv smcv force-pushed the multiple-seccomp branch from 33f2192 to 8dff615 Compare October 27, 2021 16:40
@smcv
Copy link
Copy Markdown
Collaborator Author

smcv commented Oct 27, 2021

Changes in 8dff615: synced try-seccomp test helper with the version I merged into Flatpak in flatpak/flatpak#4505.

mwleeds
mwleeds reviewed Oct 27, 2021
View reviewed changes
Comment thread bubblewrap.c Outdated
Comment thread tests/test-seccomp.py Outdated

if completed.returncode != 0:
raise unittest.SkipTest(
'cannot run bwrap (does it need to be setuid?'
Copy link
Copy Markdown
Contributor

@mwleeds mwleeds Oct 27, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
'cannot run bwrap (does it need to be setuid?'
'cannot run bwrap (does it need to be setuid?)'

Comment thread tests/try-syscall.c
smcv added a commit to smcv/flatpak that referenced this pull request Jan 4, 2022
@smcv
tests: Add try-syscall helper
53428bb 
This exercises various syscalls. It's heavily based on the one from
<containers/bubblewrap#459>, but with the
addition of a mode to output the numeric values of various expected
errno codes, which are not otherwise available to shell scripts.

Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 4ce2518)
smcv added a commit to smcv/flatpak that referenced this pull request Jan 4, 2022
@smcv
tests: Add try-syscall helper
df5433d 
This exercises various syscalls. It's heavily based on the one from
<containers/bubblewrap#459>, but with the
addition of a mode to output the numeric values of various expected
errno codes, which are not otherwise available to shell scripts.

Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 4ce2518)
mwleeds pushed a commit to flatpak/flatpak that referenced this pull request Jan 4, 2022
@smcv @mwleeds
tests: Add try-syscall helper
f82e2a4 
This exercises various syscalls. It's heavily based on the one from
<containers/bubblewrap#459>, but with the
addition of a mode to output the numeric values of various expected
errno codes, which are not otherwise available to shell scripts.

Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 4ce2518)
smcv added 3 commits January 31, 2022 17:10
@smcv
Generalize linked lists of LockFile and SetupOp
c267db3 
I'm about to add a third linked list, for seccomp programs, which would
seem like too much duplication.

Signed-off-by: Simon McVittie <smcv@collabora.com>
@smcv
Allow loading more than one seccomp program
d625fda 
This will allow Flatpak to combine an allow-list (default-deny) of
known system calls with a deny-list (default-allow) of system calls
that are undesired.

Resolves: containers#453
Signed-off-by: Simon McVittie <smcv@collabora.com>
@smcv
tests: Exercise seccomp filters
3612534 
Signed-off-by: Simon McVittie <smcv@collabora.com>
@smcv smcv force-pushed the multiple-seccomp branch from 8dff615 to 3612534 Compare January 31, 2022 17:14
@smcv
Copy link
Copy Markdown
Collaborator Author

smcv commented Jan 31, 2022

Changes in 3612534: trivial fixes for review comments from @mwleeds.

@smcv smcv merged commit 43c2d32 into containers:master Jan 31, 2022
@smcv smcv mentioned this pull request Feb 8, 2022
Draft
smcv added a commit to flatpak/flatpak that referenced this pull request Mar 15, 2023
@smcv
tests: Add try-syscall helper
b83fb81 
This exercises various syscalls. It's heavily based on the one from
<containers/bubblewrap#459>, but with the
addition of a mode to output the numeric values of various expected
errno codes, which are not otherwise available to shell scripts.

Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 4ce2518)
(cherry picked from commit f82e2a4)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cgwalters cgwalters Awaiting requested review from cgwalters

@alexlarsson alexlarsson Awaiting requested review from alexlarsson

1 more reviewer

@mwleeds mwleeds mwleeds left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

RFE: a way to add more than one seccomp program

3 participants

@smcv @alexlarsson @mwleeds