Diffstat (limited to 'runsc')
-rw-r--r--runsc/boot/filter/config.go9
-rw-r--r--runsc/container/container_test.go22
-rw-r--r--runsc/fsgofer/filter/config.go9
3 files changed, 40 insertions, 0 deletions
diff --git a/runsc/boot/filter/config.go b/runsc/boot/filter/config.go
index eacd73531..2a8c916d5 100644
--- a/runsc/boot/filter/config.go
+++ b/runsc/boot/filter/config.go
@@ -100,6 +100,15 @@ var allowedSyscalls = seccomp.SyscallRules{
seccomp.MatchAny{},
},
},
+ // getcpu is used by some versions of the Go runtime and by the hostcpu
+ // package on arm64.
+ unix.SYS_GETCPU: []seccomp.Rule{
+ {
+ seccomp.MatchAny{},
+ seccomp.EqualTo(0),
+ seccomp.EqualTo(0),
+ },
+ },
syscall.SYS_GETPID: {},
unix.SYS_GETRANDOM: {},
syscall.SYS_GETSOCKOPT: []seccomp.Rule{
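Review bot: The comment added above the `unix.SYS_GETCPU` rule says why the syscall is needed but not what the rule actually permits: the two `seccomp.EqualTo(0)` entries pin the second and third arguments (the `node` and `tcache` pointers) to NULL, so only the `cpu` out-pointer may be non-NULL and a caller asking for the NUMA node is rejected by the filter rather than served. Anyone auditing allowedSyscalls later will want that stated next to the rule, e.g. `// Only the cpu out-pointer is permitted; node and tcache must be NULL.`. The identical rule and comment are added to runsc/fsgofer/filter/config.go in this commit and would take the same sentence. The allowedSyscalls map starts and ends outside the hunk.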
diff --git a/runsc/container/container_test.go b/runsc/container/container_test.go
index d50bbcd9f..129478505 100644
--- a/runsc/container/container_test.go
+++ b/runsc/container/container_test.go
@@ -777,6 +777,28 @@ func TestExec(t *testing.T) {
}
})
}
+
+ // Test for exec failure with an non-existent file.
+ t.Run("nonexist", func(t *testing.T) {
+ // b/179114837 found by Syzkaller that causes nil pointer panic when
+ // trying to dec-ref an unix socket FD.
+ fds, err := syscall.Socketpair(syscall.AF_UNIX, syscall.SOCK_STREAM, 0)
+ if err != nil {
+ t.Fatal(err)
+ }
+ defer syscall.Close(fds[0])
+
+ _, err = cont.executeSync(&control.ExecArgs{
+ Argv: []string{"/nonexist"},
+ FilePayload: urpc.FilePayload{
+ Files: []*os.File{os.NewFile(uintptr(fds[1]), "sock")},
+ },
+ })
+ want := "failed to load /nonexist"
+ if err == nil || !strings.Contains(err.Error(), want) {
+ t.Errorf("executeSync: want err containing %q; got err = %q", want, err)
+ }
+ })
})
}
}
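Review bot: The `*os.File` constructed inline with `os.NewFile(uintptr(fds[1]), "sock")` in the FilePayload is never closed by the test, whereas fds[0] gets a deferred Close right after the Socketpair call; unless executeSync or the urpc layer takes ownership of payload files (not visible here), fds[1] stays open for the rest of the test process. Binding it to a name and deferring its Close, `f := os.NewFile(uintptr(fds[1]), "sock")` followed by `defer f.Close()`, makes the ownership explicit either way. Separately, the `t.Errorf` call formats err with `%q`, which prints `%!q(<nil>)` in the `err == nil` branch that the condition deliberately covers; `%v` reads cleanly in both cases. The subtest comment also reads "an non-existent file" and should be "a non-existent file". The enclosing TestExec subtest loop begins before the hunk.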
diff --git a/runsc/fsgofer/filter/config.go b/runsc/fsgofer/filter/config.go
index 39b8a0b1e..f92e2f80e 100644
--- a/runsc/fsgofer/filter/config.go
+++ b/runsc/fsgofer/filter/config.go
@@ -107,6 +107,15 @@ var allowedSyscalls = seccomp.SyscallRules{
seccomp.MatchAny{},
},
},
+ // getcpu is used by some versions of the Go runtime and by the hostcpu
+ // package on arm64.
+ unix.SYS_GETCPU: []seccomp.Rule{
+ {
+ seccomp.MatchAny{},
+ seccomp.EqualTo(0),
+ seccomp.EqualTo(0),
+ },
+ },
syscall.SYS_GETDENTS64: {},
syscall.SYS_GETPID: {},
unix.SYS_GETRANDOM: {},