From a1c56bc227287b38ee327411dc79e23fce259a85 Mon Sep 17 00:00:00 2001 From: Ayush Ranjan Date: Mon, 14 Dec 2020 17:58:37 -0800 Subject: [netstack] Update raw socket and hostinet control message parsing. There are surprisingly few syscall tests that run with hostinet. For example running the following command only returns two results: `bazel query test/syscalls:all | grep hostnet` I think as a result, as our control messages evolved, hostinet was left behind. Update it to support all control messages netstack supports. This change also updates sentry's control message parsing logic to make it up to date with all the control messages we support. PiperOrigin-RevId: 347508892 --- runsc/boot/filter/config.go | 60 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 60 insertions(+) (limited to 'runsc') diff --git a/runsc/boot/filter/config.go b/runsc/boot/filter/config.go index a7c4ebb0c..4e3bb9ac7 100644 --- a/runsc/boot/filter/config.go +++ b/runsc/boot/filter/config.go @@ -341,6 +341,16 @@ func hostInetFilters() seccomp.SyscallRules { seccomp.EqualTo(syscall.SOL_IP), seccomp.EqualTo(syscall.IP_RECVTOS), }, + { + seccomp.MatchAny{}, + seccomp.EqualTo(syscall.SOL_IP), + seccomp.EqualTo(syscall.IP_PKTINFO), + }, + { + seccomp.MatchAny{}, + seccomp.EqualTo(syscall.SOL_IP), + seccomp.EqualTo(syscall.IP_RECVORIGDSTADDR), + }, { seccomp.MatchAny{}, seccomp.EqualTo(syscall.SOL_IPV6), @@ -356,6 +366,11 @@ func hostInetFilters() seccomp.SyscallRules { seccomp.EqualTo(syscall.SOL_IPV6), seccomp.EqualTo(syscall.IPV6_V6ONLY), }, + { + seccomp.MatchAny{}, + seccomp.EqualTo(syscall.SOL_IPV6), + seccomp.EqualTo(linux.IPV6_RECVORIGDSTADDR), + }, { seccomp.MatchAny{}, seccomp.EqualTo(syscall.SOL_SOCKET), @@ -391,6 +406,11 @@ func hostInetFilters() seccomp.SyscallRules { seccomp.EqualTo(syscall.SOL_SOCKET), seccomp.EqualTo(syscall.SO_LINGER), }, + { + seccomp.MatchAny{}, + seccomp.EqualTo(syscall.SOL_SOCKET), + seccomp.EqualTo(syscall.SO_TIMESTAMP), + }, { seccomp.MatchAny{}, seccomp.EqualTo(syscall.SOL_TCP), @@ -401,6 +421,11 @@ func hostInetFilters() seccomp.SyscallRules { seccomp.EqualTo(syscall.SOL_TCP), seccomp.EqualTo(syscall.TCP_INFO), }, + { + seccomp.MatchAny{}, + seccomp.EqualTo(syscall.SOL_TCP), + seccomp.EqualTo(linux.TCP_INQ), + }, }, syscall.SYS_IOCTL: []seccomp.Rule{ { @@ -447,6 +472,13 @@ func hostInetFilters() seccomp.SyscallRules { seccomp.MatchAny{}, seccomp.EqualTo(4), }, + { + seccomp.MatchAny{}, + seccomp.EqualTo(syscall.SOL_SOCKET), + seccomp.EqualTo(syscall.SO_TIMESTAMP), + seccomp.MatchAny{}, + seccomp.EqualTo(4), + }, { seccomp.MatchAny{}, seccomp.EqualTo(syscall.SOL_TCP), @@ -454,6 +486,13 @@ func hostInetFilters() seccomp.SyscallRules { seccomp.MatchAny{}, seccomp.EqualTo(4), }, + { + seccomp.MatchAny{}, + seccomp.EqualTo(syscall.SOL_TCP), + seccomp.EqualTo(linux.TCP_INQ), + seccomp.MatchAny{}, + seccomp.EqualTo(4), + }, { seccomp.MatchAny{}, seccomp.EqualTo(syscall.SOL_IP), @@ -468,6 +507,20 @@ func hostInetFilters() seccomp.SyscallRules { seccomp.MatchAny{}, seccomp.EqualTo(4), }, + { + seccomp.MatchAny{}, + seccomp.EqualTo(syscall.SOL_IP), + seccomp.EqualTo(syscall.IP_PKTINFO), + seccomp.MatchAny{}, + seccomp.EqualTo(4), + }, + { + seccomp.MatchAny{}, + seccomp.EqualTo(syscall.SOL_IP), + seccomp.EqualTo(syscall.IP_RECVORIGDSTADDR), + seccomp.MatchAny{}, + seccomp.EqualTo(4), + }, { seccomp.MatchAny{}, seccomp.EqualTo(syscall.SOL_IPV6), @@ -482,6 +535,13 @@ func hostInetFilters() seccomp.SyscallRules { seccomp.MatchAny{}, seccomp.EqualTo(4), }, + { + seccomp.MatchAny{}, + seccomp.EqualTo(syscall.SOL_IPV6), + seccomp.EqualTo(linux.IPV6_RECVORIGDSTADDR), + seccomp.MatchAny{}, + seccomp.EqualTo(4), + }, }, syscall.SYS_SHUTDOWN: []seccomp.Rule{ { -- cgit v1.2.3