From de29d8d415ab539195840aeba57a17cd6c89218f Mon Sep 17 00:00:00 2001
From: Jamie Liu <jamieliu@google.com>
Date: Thu, 8 Jul 2021 18:55:56 -0700
Subject: Fix some //pkg/seccomp bugs.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- LockOSThread() around prctl(PR_SET_NO_NEW_PRIVS) => seccomp(). go:nosplit
  "mostly" prevents async preemption, but IIUC preemption is still permitted
  during function prologues:

funcpctab "".seccomp [valfunc=pctopcdata]
     0     -1 00000 (gvisor/pkg/seccomp/seccomp_unsafe.go:110)	TEXT	"".seccomp(SB), NOSPLIT|ABIInternal, $72-32
     0        00000 (gvisor/pkg/seccomp/seccomp_unsafe.go:110)	TEXT	"".seccomp(SB), NOSPLIT|ABIInternal, $72-32
     0     -1 00000 (gvisor/pkg/seccomp/seccomp_unsafe.go:110)	SUBQ	$72, SP
     4        00004 (gvisor/pkg/seccomp/seccomp_unsafe.go:110)	MOVQ	BP, 64(SP)
     9        00009 (gvisor/pkg/seccomp/seccomp_unsafe.go:110)	LEAQ	64(SP), BP
     e        00014 (gvisor/pkg/seccomp/seccomp_unsafe.go:110)	FUNCDATA	$0, gclocals·ba30782f8935b28ed1adaec603e72627(SB)
     e        00014 (gvisor/pkg/seccomp/seccomp_unsafe.go:110)	FUNCDATA	$1, gclocals·663f8c6bfa83aa777198789ce63d9ab4(SB)
     e        00014 (gvisor/pkg/seccomp/seccomp_unsafe.go:110)	FUNCDATA	$2, "".seccomp.stkobj(SB)
     e        00014 (gvisor/pkg/seccomp/seccomp_unsafe.go:111)	PCDATA	$0, $-2
     e     -2 00014 (gvisor/pkg/seccomp/seccomp_unsafe.go:111)	MOVQ	"".ptr+88(SP), AX

(-1 is objabi.PCDATA_UnsafePointSafe and -2 is objabi.PCDATA_UnsafePointUnsafe,
from Go's cmd/internal/objabi.)

- Handle non-errno failures from seccomp() with SECCOMP_FILTER_FLAG_TSYNC.

PiperOrigin-RevId: 383757580
---
 pkg/sentry/platform/ptrace/subprocess_linux.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'pkg/sentry/platform')

diff --git a/pkg/sentry/platform/ptrace/subprocess_linux.go b/pkg/sentry/platform/ptrace/subprocess_linux.go
index 4f0260432..06a3bd340 100644
--- a/pkg/sentry/platform/ptrace/subprocess_linux.go
+++ b/pkg/sentry/platform/ptrace/subprocess_linux.go
@@ -181,7 +181,7 @@ func attachedThread(flags uintptr, defaultAction linux.BPFAction) (*thread, erro
 
 	// Set an aggressive BPF filter for the stub and all it's children. See
 	// the description of the BPF program built above.
-	if errno := seccomp.SetFilter(instrs); errno != 0 {
+	if errno := seccomp.SetFilterInChild(instrs); errno != 0 {
 		unix.RawSyscall(unix.SYS_EXIT, uintptr(errno), 0, 0)
 	}
 
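Review bot: The call `seccomp.SetFilterInChild(instrs)` carries no comment explaining why the in-child variant is required, so a later cleanup could switch it back to `SetFilter` without noticing the difference. Going by the commit message, `SetFilter` now wraps prctl(PR_SET_NO_NEW_PRIVS) and seccomp() in `LockOSThread()`, which is presumably not safe in the stub child. The definition of `SetFilterInChild` is outside this path-limited view, so confirm that against pkg/seccomp. I would add something like `// Must be SetFilterInChild: this runs in the stub child, where SetFilter's LockOSThread() cannot be used.` above the call. The comment should also record that the child exits with the errno instead of continuing, since that fail-closed path is what stops a stub from running without its filter; attachedThread's body starts and ends outside the hunk.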
-- 
cgit v1.2.3