Re: [chrony-dev] [PATCH] sys_linux: allow clock_gettime64 in seccomp filter
On 2020-05-14T15:35+0200, Miroslav Lichvar wrote:
> On Thu, May 14, 2020 at 03:26:20PM +0200, Vincent Blut wrote:
> > #ifdef __NR_clock_gettime64
> >     SCMP_SYS(clock_gettime64),
> > #endif
> >
> > would fly for you‽
>
> Yes.
>
> > By the way, shouldn’t we add *time64 variants to some of our already whitelisted syscalls?
>
> Yes, that would probably make sense. It looks like they were added in the same libseccomp commit, so maybe they could be all together in a single ifdef?
So when I started working on this, it became apparent that the seccomp filter was becoming indigestible, too painful to read. For that reason, I took the liberty of restructuring the list of permitted system calls in the seccomp filter (I did not touch socket_domains, socket_options and ioctls). This is 0001-sys_linux-restructure-syscalls-in-seccomp-filter.patch. If the result doesn’t suit you, feel free to tell me and I’ll make the necessary changes.
0002-sys_linux-allow-some-time64-syscalls-in-seccomp-filt.patch adds 64-bit variants of some syscalls. I did not put them in a single “#ifdef” as I don’t know if a specific macro has been defined for this kind of syscall.
Cheers, Vincent
From 64dad75090f88a3862d8141f78ee58330b676b1e Mon Sep 17 00:00:00 2001 From: Vincent Blut <vincent.debian@xxxxxxx> Date: Thu, 14 May 2020 18:10:22 +0200 Subject: [PATCH 1/2] sys_linux: restructure syscalls in seccomp filter Having one syscall per line improves the seccomp filter reading. It should also make updates more straightforward. --- sys_linux.c | 109 +++++++++++++++++++++++++++++++++++++++++----------- 1 file changed, 87 insertions(+), 22 deletions(-) diff --git a/sys_linux.c b/sys_linux.c index 1f08e64..68e7ce9 100644 --- a/sys_linux.c +++ b/sys_linux.c 
@@ -478,36 +478,101 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_SystemCallContext context) { const int syscalls[] = { /* Clock */ - SCMP_SYS(adjtimex), SCMP_SYS(clock_adjtime), SCMP_SYS(clock_gettime), - SCMP_SYS(gettimeofday), SCMP_SYS(settimeofday), SCMP_SYS(time), + SCMP_SYS(adjtimex), + SCMP_SYS(clock_adjtime), + SCMP_SYS(clock_gettime), + SCMP_SYS(gettimeofday), + SCMP_SYS(settimeofday), + SCMP_SYS(time), + /* Process */ - SCMP_SYS(clone), SCMP_SYS(exit), SCMP_SYS(exit_group), SCMP_SYS(getpid), - SCMP_SYS(getrlimit), SCMP_SYS(getuid), SCMP_SYS(rt_sigaction), SCMP_SYS(rt_sigreturn), - SCMP_SYS(rt_sigprocmask), SCMP_SYS(set_tid_address), SCMP_SYS(sigreturn), - SCMP_SYS(wait4), SCMP_SYS(waitpid), + SCMP_SYS(clone), + SCMP_SYS(exit), + SCMP_SYS(exit_group), + SCMP_SYS(getpid), + SCMP_SYS(getrlimit), + SCMP_SYS(getuid), + SCMP_SYS(rt_sigaction), + SCMP_SYS(rt_sigreturn), + SCMP_SYS(rt_sigprocmask), + SCMP_SYS(set_tid_address), + SCMP_SYS(sigreturn), + SCMP_SYS(wait4), + SCMP_SYS(waitpid), + /* Memory */ - SCMP_SYS(brk), SCMP_SYS(madvise), SCMP_SYS(mmap), SCMP_SYS(mmap2), - SCMP_SYS(mprotect), SCMP_SYS(mremap), SCMP_SYS(munmap), SCMP_SYS(shmdt), + SCMP_SYS(brk), + SCMP_SYS(madvise), + SCMP_SYS(mmap), + SCMP_SYS(mmap2), + SCMP_SYS(mprotect), + SCMP_SYS(mremap), + SCMP_SYS(munmap), + SCMP_SYS(shmdt), + /* Filesystem */ - SCMP_SYS(_llseek), SCMP_SYS(access), SCMP_SYS(chmod), SCMP_SYS(chown), - SCMP_SYS(chown32), SCMP_SYS(faccessat), SCMP_SYS(fchmodat), SCMP_SYS(fchownat), - SCMP_SYS(fstat), SCMP_SYS(fstat64), SCMP_SYS(getdents), SCMP_SYS(getdents64), - SCMP_SYS(lseek), SCMP_SYS(newfstatat), SCMP_SYS(rename), SCMP_SYS(renameat), - SCMP_SYS(renameat2), SCMP_SYS(stat), SCMP_SYS(stat64), SCMP_SYS(statfs), - SCMP_SYS(statfs64), SCMP_SYS(unlink), SCMP_SYS(unlinkat), + SCMP_SYS(_llseek), + SCMP_SYS(access), + SCMP_SYS(chmod), + SCMP_SYS(chown), + SCMP_SYS(chown32), + SCMP_SYS(faccessat), + SCMP_SYS(fchmodat), + SCMP_SYS(fchownat), + SCMP_SYS(fstat), + 
SCMP_SYS(fstat64), + SCMP_SYS(getdents), + SCMP_SYS(getdents64), + SCMP_SYS(lseek), + SCMP_SYS(newfstatat), + SCMP_SYS(rename), + SCMP_SYS(renameat), + SCMP_SYS(renameat2), + SCMP_SYS(stat), + SCMP_SYS(stat64), + SCMP_SYS(statfs), + SCMP_SYS(statfs64), + SCMP_SYS(unlink), + SCMP_SYS(unlinkat), + /* Socket */ - SCMP_SYS(accept), SCMP_SYS(bind), SCMP_SYS(connect), SCMP_SYS(getsockname), - SCMP_SYS(getsockopt), SCMP_SYS(recv), SCMP_SYS(recvfrom), - SCMP_SYS(recvmmsg), SCMP_SYS(recvmsg), SCMP_SYS(send), SCMP_SYS(sendmmsg), - SCMP_SYS(sendmsg), SCMP_SYS(sendto), SCMP_SYS(shutdown), + SCMP_SYS(accept), + SCMP_SYS(bind), + SCMP_SYS(connect), + SCMP_SYS(getsockname), + SCMP_SYS(getsockopt), + SCMP_SYS(recv), + SCMP_SYS(recvfrom), + SCMP_SYS(recvmmsg), + SCMP_SYS(recvmsg), + SCMP_SYS(send), + SCMP_SYS(sendmmsg), + SCMP_SYS(sendmsg), + SCMP_SYS(sendto), + SCMP_SYS(shutdown), /* TODO: check socketcall arguments */ SCMP_SYS(socketcall), + /* General I/O */ - SCMP_SYS(_newselect), SCMP_SYS(close), SCMP_SYS(open), SCMP_SYS(openat), SCMP_SYS(pipe), - SCMP_SYS(pipe2), SCMP_SYS(poll), SCMP_SYS(ppoll), SCMP_SYS(pselect6), SCMP_SYS(read), - SCMP_SYS(futex), SCMP_SYS(select), SCMP_SYS(set_robust_list), SCMP_SYS(write), + SCMP_SYS(_newselect), + SCMP_SYS(close), + SCMP_SYS(open), + SCMP_SYS(openat), + SCMP_SYS(pipe), + SCMP_SYS(pipe2), + SCMP_SYS(poll), + SCMP_SYS(ppoll), + SCMP_SYS(pselect6), + SCMP_SYS(read), + SCMP_SYS(futex), + SCMP_SYS(select), + SCMP_SYS(set_robust_list), + SCMP_SYS(write), + /* Miscellaneous */ - SCMP_SYS(getrandom), SCMP_SYS(sysinfo), SCMP_SYS(uname), + SCMP_SYS(getrandom), + SCMP_SYS(sysinfo), + SCMP_SYS(uname), }; const int socket_domains[] = { -- 2.26.2
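Review bot: in the single hunk, `SCMP_SYS(futex)` stays between `SCMP_SYS(read)` and `SCMP_SYS(select)` in the `/* General I/O */` group, so that group is the only one in the hunk that is not alphabetical, and `futex` together with `set_robust_list` are thread-synchronisation primitives rather than I/O. Since the commit's stated goal is readability and easier updates, consider moving both into `/* Process */` at their alphabetical positions as part of this same reorganisation, or at least restoring alphabetical order within `/* General I/O */`, so that a later reviewer can spot a missing or duplicated entry by scanning the group.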
From 923639690d1e3a46429987cbd6516ff4eef75bf1 Mon Sep 17 00:00:00 2001 From: Vincent Blut <vincent.debian@xxxxxxx> Date: Thu, 14 May 2020 19:05:14 +0200 Subject: [PATCH 2/2] sys_linux: allow some *time64 syscalls in seccomp filter These are needed for 32-bits architectures with a 64-bit time_t structure. --- sys_linux.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/sys_linux.c b/sys_linux.c index 68e7ce9..f74e323 100644 --- a/sys_linux.c +++ b/sys_linux.c @@ -480,7 +480,13 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_SystemCallContext context) /* Clock */ SCMP_SYS(adjtimex), SCMP_SYS(clock_adjtime), +#ifdef __NR_clock_adjtime64 + SCMP_SYS(clock_adjtime64), +#endif SCMP_SYS(clock_gettime), +#ifdef __NR_clock_gettime64 + SCMP_SYS(clock_gettime64), +#endif SCMP_SYS(gettimeofday), SCMP_SYS(settimeofday), SCMP_SYS(time), @@ -544,6 +550,9 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_SystemCallContext context) SCMP_SYS(recv), SCMP_SYS(recvfrom), SCMP_SYS(recvmmsg), +#ifdef __NR_recvmmsg_time64 + SCMP_SYS(recvmmsg_time64), +#endif SCMP_SYS(recvmsg), SCMP_SYS(send), SCMP_SYS(sendmmsg), @@ -562,9 +571,18 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_SystemCallContext context) SCMP_SYS(pipe2), SCMP_SYS(poll), SCMP_SYS(ppoll), +#ifdef __NR_ppoll_time64 + SCMP_SYS(ppoll_time64), +#endif SCMP_SYS(pselect6), +#ifdef __NR_pselect6_time64 + SCMP_SYS(pselect6_time64), +#endif SCMP_SYS(read), SCMP_SYS(futex), +#ifdef __NR_futex_time64 + SCMP_SYS(futex_time64), +#endif SCMP_SYS(select), SCMP_SYS(set_robust_list), SCMP_SYS(write), -- 2.26.2
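Review bot: in the first (`/* Clock */`) hunk, `clock_adjtime` and `clock_gettime` gain guarded `*64` counterparts, but `gettimeofday` and `settimeofday` keep only their classic entries and no `clock_settime` variant appears anywhere in the list. Where a 32-bit libc with 64-bit time_t implements `gettimeofday()`/`settimeofday()` on top of `clock_gettime64`/`clock_settime64`, a clock step would then reach a syscall the filter does not list, and the filter's default action kills the process rather than failing the call. Worth confirming which syscall chrony's step path actually issues on such a build and, if it is `clock_settime64`, adding `SCMP_SYS(clock_settime)` with a guarded `SCMP_SYS(clock_settime64)` beside it in the same style.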
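Review bot: in the third (`/* General I/O */`) hunk, the `#ifdef __NR_ppoll_time64`, `__NR_pselect6_time64` and `__NR_futex_time64` guards, like the ones in the first two hunks, test macros from the kernel uapi headers, while `SCMP_SYS()` resolves the name through libseccomp's own syscall table; the thread above notes these names arrived in libseccomp in a single commit, so a build against newer kernel headers but an older libseccomp can still fail to compile even with the guard in place. Either state the minimum libseccomp version these entries require in the commit message, or, if the project is willing to test libseccomp's version macros, guard on those instead of (or in addition to) `__NR_*`.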
Attachment:
signature.asc
Description: PGP signature