Commit 1d70ac40 authored by Fabian Vogt's avatar Fabian Vogt

seccomp filter: Handle openat as well

Summary:
With glibc 2.26, the open syscall is not used anymore as openat is favored.
This causes the testcase to fail, which shows that openat is not handled
correctly by the seccomp filter.
This adds a testcase that tests both open and openat (needs to use direct
syscalls on glibc 2.26 as calls to open would otherwise result in openat)
and implements the proper handling for openat in the filter.

BUG: 384651

Test Plan:
Ran seccomp test before and after, now succeeds.
Ran make install, screenlocker still works.

Reviewers: #plasma, graesslin

Reviewed By: #plasma, graesslin

Subscribers: plasma-devel

Tags: #plasma

Differential Revision: https://phabricator.kde.org/D7806
parent a18ebe92
......@@ -29,6 +29,12 @@ along with this program. If not, see <http://www.gnu.org/licenses/>.
#include <QNetworkRequest>
#include <QNetworkReply>
#ifdef __linux__
#include <sys/syscall.h>
#endif
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
class SeccompTest : public QObject
......@@ -38,6 +44,8 @@ private Q_SLOTS:
void initTestCase();
void testCreateFile();
void testOpenFile();
void testOpenFilePosix();
void testWriteFilePosix();
void testStartProcess();
void testNetworkAccess_data();
void testNetworkAccess();
......@@ -66,6 +74,33 @@ void SeccompTest::testOpenFile()
QVERIFY(file.open(QIODevice::ReadOnly));
}
void SeccompTest::testOpenFilePosix()
{
QVERIFY(open("/dev/null", O_RDONLY | O_CREAT, 0) == -1 && errno == EPERM);
QVERIFY(openat(AT_FDCWD, "/dev/null", O_RDONLY | O_CREAT, 0) == -1 && errno == EPERM);
#ifdef SYS_open
QVERIFY(syscall(SYS_open, "/dev/null", O_RDONLY | O_CREAT, 0) == -1 && errno == EPERM);
#endif
#ifdef SYS_openat
QVERIFY(syscall(SYS_openat, AT_FDCWD, "/dev/null", O_RDONLY | O_CREAT, 0) == -1 && errno == EPERM);
#endif
}
void SeccompTest::testWriteFilePosix()
{
if (KWin::GLPlatform::instance()->driver() == KWin::Driver_NVidia) {
QSKIP("Write protection not supported on NVIDIA");
}
QVERIFY(open("/dev/null", O_RDWR) == -1 && errno == EPERM);
QVERIFY(openat(AT_FDCWD, "/dev/null", O_RDWR) == -1 && errno == EPERM);
#ifdef SYS_open
QVERIFY(syscall(SYS_open, "/dev/null", O_RDWR) == -1 && errno == EPERM);
#endif
#ifdef SYS_openat
QVERIFY(syscall(SYS_openat, AT_FDCWD, "/dev/null", O_RDWR) == -1 && errno == EPERM);
#endif
}
void SeccompTest::testStartProcess()
{
// QProcess fails already using pipe
......
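Review bot: testWriteFilePosix only exercises O_RDWR, so the O_WRONLY rules this commit adds to the filter for open and openat are never checked by the new tests. Each of the four call forms in that function should be repeated with O_WRONLY, for example `QVERIFY(openat(AT_FDCWD, "/dev/null", O_WRONLY) == -1 && errno == EPERM);` and, under `#ifdef SYS_openat`, `QVERIFY(syscall(SYS_openat, AT_FDCWD, "/dev/null", O_WRONLY) == -1 && errno == EPERM);`. The assertions also read `errno` although no `<cerrno>` include is visible in the include hunk; it is presumably pulled in transitively, but adding `#include <cerrno>` would make that explicit. If one of these calls unexpectedly succeeds, the returned descriptor is never closed, which is harmless for a failing test but worth a short comment.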
......@@ -76,8 +76,11 @@ void init()
// they should fail with EPERM error
if (writeSupported) {
seccomp_rule_add(context, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(open), 1, SCMP_A1(SCMP_CMP_MASKED_EQ, O_WRONLY, O_WRONLY));
seccomp_rule_add(context, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(openat), 1, SCMP_A2(SCMP_CMP_MASKED_EQ, O_WRONLY, O_WRONLY));
seccomp_rule_add(context, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(open), 1, SCMP_A1(SCMP_CMP_MASKED_EQ, O_RDWR, O_RDWR));
seccomp_rule_add(context, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(openat), 1, SCMP_A2(SCMP_CMP_MASKED_EQ, O_RDWR, O_RDWR));
}
seccomp_rule_add(context, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(openat), 1, SCMP_A2(SCMP_CMP_MASKED_EQ, O_CREAT, O_CREAT));
seccomp_rule_add(context, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(open), 1, SCMP_A1(SCMP_CMP_MASKED_EQ, O_CREAT, O_CREAT));
// disallow going to a socket
......
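Review bot: The return value of every `seccomp_rule_add` call in this block is discarded, so if libseccomp rejects one of the new openat rules the filter would be loaded without it and the process runs with a weaker sandbox than intended, with no error reported. Each call should be checked, e.g. `if (seccomp_rule_add(context, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(openat), 1, SCMP_A2(SCMP_CMP_MASKED_EQ, O_CREAT, O_CREAT)) < 0) { /* release context and abort setup */ }`, following whatever error path init() already uses. The glibc switch from open to openat that prompted this fix also shows that denying individual syscalls by name is fragile: if the filter's default action is allow (not visible in this hunk), other file-opening entry points such as `creat` or `open_by_handle_at` need the same treatment, and a comment above this block listing which entry points are covered would help the next reviewer. init() starts and ends outside the hunk.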