Allow loading more than one seccomp program #459

Merged
merged 3 commits into from
Jan 31, 2022

@smcv smcv commented Oct 12, 2021

  • Generalize linked lists of LockFile and SetupOp

    I'm about to add a third linked list, for seccomp programs, which would
    seem like too much duplication.

  • Allow loading more than one seccomp program

    This will allow Flatpak to combine an allow-list (default-deny) of
    known system calls with a deny-list (default-allow) of system calls
    that are undesired.

    Resolves: RFE: a way to add more than one seccomp program #453

  • tests: Exercise seccomp filters
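
How an allow-list and a deny-list combine once both are loaded, as an added example that is not code from this pull request or from bubblewrap: the kernel runs every loaded filter on each syscall and applies the most restrictive verdict. The syscall choices, errno values and the name `stacked_filters_ok` are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#define LOAD_NR BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr))
/* If the syscall number matches, return `action`; otherwise fall through. */
#define ON(nr, action) \
  BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1), BPF_STMT(BPF_RET | BPF_K, (action))
#define OTHERWISE(action) BPF_STMT(BPF_RET | BPF_K, (action))
#define DENY(e) (SECCOMP_RET_ERRNO | (e))
#define LOAD(f) load((f), (unsigned short)(sizeof(f) / sizeof((f)[0])))

static int load(struct sock_filter *insns, unsigned short len) {
  struct sock_fprog prog = { .len = len, .filter = insns };
  return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Added example, not bubblewrap code. Forks a child, stacks both filters in
   it, and returns 1 if each syscall got the most restrictive verdict of the
   two. Simplified: a production filter must also check seccomp_data.arch. */
int stacked_filters_ok(void) {
  struct sock_filter allow_list[] = { LOAD_NR,           /* default-deny */
    ON(SYS_getpid, SECCOMP_RET_ALLOW), ON(SYS_getppid, SECCOMP_RET_ALLOW),
    ON(SYS_prctl, SECCOMP_RET_ALLOW), ON(SYS_exit_group, SECCOMP_RET_ALLOW),
    OTHERWISE(DENY(EPERM)) };
  struct sock_filter deny_list[] = { LOAD_NR,            /* default-allow */
    ON(SYS_getppid, DENY(ENOSYS)), OTHERWISE(SECCOMP_RET_ALLOW) };
  int status = 0;
  pid_t child = fork();
  if (child < 0) return 0;
  if (child == 0) {
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) _exit(10);
    if (LOAD(allow_list) != 0 || LOAD(deny_list) != 0) _exit(11);
    if (syscall(SYS_getpid) < 0) _exit(1);                        /* both allow */
    if (syscall(SYS_getppid) != -1 || errno != ENOSYS) _exit(2);  /* deny-list rejects */
    if (syscall(SYS_getuid) != -1 || errno != EPERM) _exit(3);    /* allow-list rejects */
    _exit(0);
  }
  if (waitpid(child, &status, 0) != child) return 0;
  return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

int main(void) { return stacked_filters_ok() ? 0 : 1; }
```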

@smcv smcv requested review from cgwalters and alexlarsson October 12, 2021 09:46
@smcv smcv marked this pull request as draft October 12, 2021 09:48

smcv commented Oct 12, 2021

Before merging this we should test it on a sufficiently ancient OS like Ubuntu 16.04 or Debian 9, to make sure we've avoided regressions like the ones triggered by fixing CVE-2021-41133 in Flatpak.

@alexlarsson

This looks good to me.

smcv commented Oct 14, 2021

Thanks, I'll give this a try on ye olde Ubuntu VM and make sure it works there.

@smcv smcv force-pushed the multiple-seccomp branch 4 times, most recently from 5a5815f to 33f2192 Compare October 21, 2021 15:47
@smcv smcv marked this pull request as ready for review October 21, 2021 15:51

smcv commented Oct 21, 2021

I've expanded the tests a bit. The actual implementation is still the same as @alexlarsson reviewed.

I can't easily run the tests on anything older than Debian 10 and Ubuntu 20.04 because those are the oldest with python3-seccomp, but they pass on Debian 10.

@smcv smcv requested a review from alexlarsson October 21, 2021 15:53
smcv added a commit to smcv/flatpak that referenced this pull request Oct 21, 2021
This exercises various syscalls. It's heavily based on the one from
<containers/bubblewrap#459>, but with the
addition of a mode to output the numeric values of various expected
errno codes, which are not otherwise available to shell scripts.

Signed-off-by: Simon McVittie <smcv@collabora.com>
smcv added a commit to smcv/flatpak that referenced this pull request Oct 25, 2021
This exercises various syscalls. It's heavily based on the one from
<containers/bubblewrap#459>, but with the
addition of a mode to output the numeric values of various expected
errno codes, which are not otherwise available to shell scripts.

Signed-off-by: Simon McVittie <smcv@collabora.com>
@smcv smcv force-pushed the multiple-seccomp branch from 33f2192 to 8dff615 Compare October 27, 2021 16:40

smcv commented Oct 27, 2021

Changes in 8dff615: synced try-seccomp test helper with the version I merged into Flatpak in flatpak/flatpak#4505.

if completed.returncode != 0:
raise unittest.SkipTest(
'cannot run bwrap (does it need to be setuid?'
Suggested change
'cannot run bwrap (does it need to be setuid?'
'cannot run bwrap (does it need to be setuid?)'
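
Review bot: the `completed.returncode != 0` check turns every failed bwrap run into a skipped test, so a regression that makes bwrap exit non-zero for a reason other than a missing setuid bit would be reported as a skip rather than a failure. Consider putting the return code and captured stderr into the SkipTest message, or skipping only when the failure matches the setuid case, alongside closing the parenthesis as suggested.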

smcv added a commit to smcv/flatpak that referenced this pull request Jan 4, 2022
This exercises various syscalls. It's heavily based on the one from
<containers/bubblewrap#459>, but with the
addition of a mode to output the numeric values of various expected
errno codes, which are not otherwise available to shell scripts.

Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 4ce2518)
mwleeds pushed a commit to flatpak/flatpak that referenced this pull request Jan 4, 2022
This exercises various syscalls. It's heavily based on the one from
<containers/bubblewrap#459>, but with the
addition of a mode to output the numeric values of various expected
errno codes, which are not otherwise available to shell scripts.

Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 4ce2518)
smcv added 3 commits January 31, 2022 17:10

I'm about to add a third linked list, for seccomp programs, which would
seem like too much duplication.

Signed-off-by: Simon McVittie <smcv@collabora.com>

This will allow Flatpak to combine an allow-list (default-deny) of
known system calls with a deny-list (default-allow) of system calls
that are undesired.

Resolves: containers#453
Signed-off-by: Simon McVittie <smcv@collabora.com>

Signed-off-by: Simon McVittie <smcv@collabora.com>

@smcv smcv force-pushed the multiple-seccomp branch from 8dff615 to 3612534 Compare January 31, 2022 17:14

smcv commented Jan 31, 2022

Changes in 3612534: trivial fixes for review comments from @mwleeds.

@smcv smcv merged commit 43c2d32 into containers:master Jan 31, 2022
smcv added a commit to flatpak/flatpak that referenced this pull request Mar 15, 2023
This exercises various syscalls. It's heavily based on the one from
<containers/bubblewrap#459>, but with the
addition of a mode to output the numeric values of various expected
errno codes, which are not otherwise available to shell scripts.

Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 4ce2518)
(cherry picked from commit f82e2a4)