From 86cf56eb71215e24fec49272d915f80c9c569c05 Mon Sep 17 00:00:00 2001
From: Fabricio Voznika
Date: Thu, 3 Jun 2021 20:05:33 -0700
Subject: Add additional mmap seccomp rule

HostFileMapper.RegenerateMappings calls mmap with MAP_SHARED|MAP_FIXED and these were not allowed.

Closes #6116

PiperOrigin-RevId: 377428463
---
 pkg/seccomp/seccomp.go | 12 ++++--------
 runsc/boot/filter/config.go | 6 ++++++
 2 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/pkg/seccomp/seccomp.go b/pkg/seccomp/seccomp.go
index daea51c4d..8ffa1db37 100644
--- a/pkg/seccomp/seccomp.go
+++ b/pkg/seccomp/seccomp.go
@@ -36,14 +36,10 @@ const (
 
 // Install generates BPF code based on the set of syscalls provided. It only
 // allows syscalls that conform to the specification. Syscalls that violate the
-// specification will trigger RET_KILL_PROCESS, except for the cases below.
-//
-// RET_TRAP is used in violations, instead of RET_KILL_PROCESS, in the
-// following cases:
-// 1. Kernel doesn't support RET_KILL_PROCESS: RET_KILL_THREAD only kills the
-// offending thread and often keeps the sentry hanging.
-// 2. Debug: RET_TRAP generates a panic followed by a stack trace which is
-// much easier to debug then RET_KILL_PROCESS which can't be caught.
+// specification will trigger RET_KILL_PROCESS. If RET_KILL_PROCESS is not
+// supported, violations will trigger RET_TRAP instead. RET_KILL_THREAD is not
+// used because it only kills the offending thread and often keeps the sentry
+// hanging.
 //
 // Be aware that RET_TRAP sends SIGSYS to the process and it may be ignored,
 // making it possible for the process to continue running after a violation.
diff --git a/runsc/boot/filter/config.go b/runsc/boot/filter/config.go
index 49b503f99..905747954 100644
--- a/runsc/boot/filter/config.go
+++ b/runsc/boot/filter/config.go
@@ -196,6 +196,12 @@ var allowedSyscalls = seccomp.SyscallRules{
 seccomp.MatchAny{},
 seccomp.EqualTo(unix.MAP_SHARED),
 },
+ {
+ seccomp.MatchAny{},
+ seccomp.MatchAny{},
+ seccomp.MatchAny{},
+ seccomp.EqualTo(unix.MAP_SHARED | unix.MAP_FIXED),
+ },
 {
 seccomp.MatchAny{},
 seccomp.MatchAny{},
-- 
cgit v1.2.3
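Review bot: The added rule carries no comment saying which sentry caller needs a file-backed MAP_SHARED|MAP_FIXED mapping; the commit message names HostFileMapper.RegenerateMappings, and that justification belongs next to the rule so a later filter audit can tell whether it is still required rather than silently keeping it. I would put `// HostFileMapper.RegenerateMappings remaps file pages in place with MAP_SHARED|MAP_FIXED.` directly above the added `{`. Like its sibling rules, the new one leaves the third element (mmap's prot argument) as `seccomp.MatchAny{}`, so as far as the hunk shows PROT_EXEC on a shared, fixed-address file mapping is admitted; if the caller only ever needs read/write, pinning that element to `seccomp.EqualTo(unix.PROT_READ | unix.PROT_WRITE)` would narrow what a compromised sentry can do without affecting the fix — worth confirming against the caller. Because MAP_FIXED replaces whatever is already mapped at the address, this rule relies on the mapper never passing a range it does not own; presumably it does, but that invariant is now load-bearing for the filter. The enclosing `allowedSyscalls` map starts and ends outside this hunk.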