[Bug 2361] seccomp filter (not only) for aarch64

Tue Jun 16 20:00:30 AEST 2015

https://bugzilla.mindrot.org/show_bug.cgi?id=2361

--- Comment #14 from Jakub Jelen <jjelen at redhat.com> ---
Created attachment 2648
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2648&action=edit
proposed patch - stat and shutdown on ix68

Some further catch ups:
 1) stat syscall is not as legacy as expected -- gsssapi library issues
such syscall even on x86_64 (based on [1]). Proposing to add back also
stat to make sure everything works.

 2) Socket shutdown is handled by socketcall on i386 linux so we are
getting "socket closed" errors instead of correct closing connection.
Audit messages:

Jun 16 09:27:51 host audit[11004]: SECCOMP auid=4294967295 uid=74
gid=74 ses=4294967295 subj=system_u:system_r:sshd_net_t:s0-s0:c0.c1023
pid=11004 comm="sshd" exe="/usr/sbin/sshd" sig=31 arch=40000003
syscall=102 compat=0 ip=0xb77d5be8 code=0x0
Jun 16 09:27:51 host sshd[11003]: error: mm_request_receive: socket
closed
# ausyscall 102
socketcall

We don't want to allow all the syscalls [2] from socketcall. Best would
be to allow only SYS_SHUTDOWN as first argument but in the current code
of seccomp filter, there is no possibility to filter through function
arguments.
Adding so would require additional complexity, but it would be great to
have it "right way", even if it doesn't matter much during connection
close.
See proposed patch with hand-baked seccomp filter for first argument
check. I don't see the changes from previous comments in portable
repository so the patch is not directly applicable (stat part).

Tested on Fedora 22 with openssh-6.8 and after applying this patch, I
no longer see SECCOMP messages.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1228323
[2]
http://jkukunas.blogspot.cz/2010/05/x86-linux-networking-system-calls.html

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.