-
Notifications
You must be signed in to change notification settings - Fork 49
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
__X32_SYSCALL_BIT not checked #19
Comments
I encountered the same issue + the 'mirrored' one: the amd64 kernel allows not only x32 runtimes but also i386, but only one architecture is checked in BPF policy. To close this issues, I modernized the i386 and amd64 syscall set from current kernel (Debian GNU/Linux 5.8.10) and added x32 syscall set. Next step is to define the 'companion architectures' and let the policy code generator add them in the BPF policy. x32 should operate under amd64 architecture and i386 should get another |
It is too hard to tweak bison / flex stuff to combine policies targeting different architectures so I decided to generate a separate policy for every target and companion architecture, and knit them altogether following these rules: * The architecture check of each target policy passes the control to the next target policy if present, or returns KILL if no more architectures left. This ensures no target architecture can slip towards filter (see google#19) * The default action of each target architecture passes the control to the next companion architecture if present. This is sufficient assuming there can be only one companion architecture for any target architecture. Signed-off-by: Vasyl Gello <[email protected]>
+1. We use nsjail on compiler-explorer and this currently prevents us from enabling any seccomp rules due to issues with 32bit binaries. |
man seccomp:
Apparently,
__X32_SYSCALL_BIT
is not checked. Meaning that if a policy is compiled for x86_64, blacklists certain syscalls but the default action isALLOW
, a 32-bit caller will bypass the blacklist.The text was updated successfully, but these errors were encountered: