summaryrefslogtreecommitdiffhomepage
path: root/runsc/boot
diff options
context:
space:
mode:
Diffstat (limited to 'runsc/boot')
-rw-r--r--runsc/boot/controller.go2
-rw-r--r--runsc/boot/filter/BUILD1
-rw-r--r--runsc/boot/filter/config.go38
-rw-r--r--runsc/boot/filter/filter.go6
-rw-r--r--runsc/boot/loader.go2
5 files changed, 34 insertions, 15 deletions
diff --git a/runsc/boot/controller.go b/runsc/boot/controller.go
index 69e88d8e0..2d6b507b3 100644
--- a/runsc/boot/controller.go
+++ b/runsc/boot/controller.go
@@ -227,7 +227,7 @@ func (cm *containerManager) Start(args *StartArgs, _ *struct{}) error {
// Execute runs a command on a created or running sandbox.
func (cm *containerManager) Execute(e *control.ExecArgs, waitStatus *uint32) error {
- log.Debugf("containerManager.Execute")
+ log.Debugf("containerManager.Execute: %+v", *e)
proc := control.Proc{Kernel: cm.l.k}
if err := proc.Exec(e, waitStatus); err != nil {
return fmt.Errorf("error executing: %+v: %v", e, err)
diff --git a/runsc/boot/filter/BUILD b/runsc/boot/filter/BUILD
index c9837c236..96be051fe 100644
--- a/runsc/boot/filter/BUILD
+++ b/runsc/boot/filter/BUILD
@@ -18,6 +18,7 @@ go_library(
"//runsc/boot:__subpackages__",
],
deps = [
+ "//pkg/abi/linux",
"//pkg/log",
"//pkg/seccomp",
"//pkg/sentry/platform",
diff --git a/runsc/boot/filter/config.go b/runsc/boot/filter/config.go
index e45e599c3..db2e3f9d8 100644
--- a/runsc/boot/filter/config.go
+++ b/runsc/boot/filter/config.go
@@ -18,6 +18,7 @@ import (
"syscall"
"golang.org/x/sys/unix"
+ "gvisor.googlesource.com/gvisor/pkg/abi/linux"
"gvisor.googlesource.com/gvisor/pkg/seccomp"
)
@@ -78,15 +79,36 @@ var allowedSyscalls = seccomp.SyscallRules{
syscall.SYS_TGKILL: {},
syscall.SYS_WRITE: {},
syscall.SYS_WRITEV: {},
-}
-// TODO: Ioctl is needed in order to support tty consoles.
-// Once filters support argument-checking, we should only allow ioctl
-// with tty-related arguments.
-func consoleFilters() seccomp.SyscallRules {
- return seccomp.SyscallRules{
- syscall.SYS_IOCTL: {},
- }
+ // SYS_IOCTL is needed for terminal support, but we only allow
+ // setting/getting termios and winsize.
+ syscall.SYS_IOCTL: []seccomp.Rule{
+ {
+ seccomp.AllowAny{}, /* fd */
+ seccomp.AllowValue(linux.TCGETS),
+ seccomp.AllowAny{}, /* termios struct */
+ },
+ {
+ seccomp.AllowAny{}, /* fd */
+ seccomp.AllowValue(linux.TCSETS),
+ seccomp.AllowAny{}, /* termios struct */
+ },
+ {
+ seccomp.AllowAny{}, /* fd */
+ seccomp.AllowValue(linux.TCSETSW),
+ seccomp.AllowAny{}, /* termios struct */
+ },
+ {
+ seccomp.AllowAny{}, /* fd */
+ seccomp.AllowValue(linux.TIOCSWINSZ),
+ seccomp.AllowAny{}, /* winsize struct */
+ },
+ {
+ seccomp.AllowAny{}, /* fd */
+ seccomp.AllowValue(linux.TIOCGWINSZ),
+ seccomp.AllowAny{}, /* winsize struct */
+ },
+ },
}
// whitelistFSFilters returns syscalls made by whitelistFS. Using WhitelistFS
diff --git a/runsc/boot/filter/filter.go b/runsc/boot/filter/filter.go
index 6ea9c464e..c57bbd2e5 100644
--- a/runsc/boot/filter/filter.go
+++ b/runsc/boot/filter/filter.go
@@ -28,7 +28,7 @@ import (
)
// Install installs seccomp filters for based on the given platform.
-func Install(p platform.Platform, whitelistFS, console, hostNetwork bool) error {
+func Install(p platform.Platform, whitelistFS, hostNetwork bool) error {
s := allowedSyscalls
// Set of additional filters used by -race and -msan. Returns empty
@@ -39,10 +39,6 @@ func Install(p platform.Platform, whitelistFS, console, hostNetwork bool) error
Report("direct file access allows unrestricted file access!")
s.Merge(whitelistFSFilters())
}
- if console {
- Report("console is enabled: syscall filters less restrictive!")
- s.Merge(consoleFilters())
- }
if hostNetwork {
Report("host networking enabled: syscall filters less restrictive!")
s.Merge(hostInetFilters())
diff --git a/runsc/boot/loader.go b/runsc/boot/loader.go
index 2f212c704..0e94cf215 100644
--- a/runsc/boot/loader.go
+++ b/runsc/boot/loader.go
@@ -340,7 +340,7 @@ func (l *Loader) run() error {
} else {
whitelistFS := l.conf.FileAccess == FileAccessDirect
hostNet := l.conf.Network == NetworkHost
- if err := filter.Install(l.k.Platform, whitelistFS, l.console, hostNet); err != nil {
+ if err := filter.Install(l.k.Platform, whitelistFS, hostNet); err != nil {
return fmt.Errorf("Failed to install seccomp filters: %v", err)
}
}