snapd

Bug #1825052
Comment #3

Comment 3 for bug 1825052

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2019-04-22: Re: seccomp argument filtering not working on Fedora with 2.38 and Debian with 2.37.4

I looked at this a little more and the pfc (generate with 'SNAP_SECCOMP_DEBUG=1 /usr/libexec/snapd/snap-seccomp compile /var/lib/snapd/seccomp/bpf/snap.hello-world.sh.src /tmp/snap.hello-world.sh.bin > /tmp/snap.hello-world.sh.pfc) on Fedora (libseccomp 2.3.3) is simply wrong for our 'setpriority PRIO_PROCESS 0 <=19' rule (note, on amd64, sepriority is '141' as seen with scmp_sys_resolver) since it isn't ANDing the arguments:

# filter for arch x86 (1073741827)
if ($arch == 1073741827)
...
  # filter for syscall "setpriority" (141) [priority: 65529]
  if ($syscall == 141)
    if ($a0.hi32 == 0)
      if ($a0.lo32 == 0)
        action ALLOW;
    if ($a1.hi32 == 0)
      if ($a1.lo32 == 0)
        action ALLOW;
    if ($a2.hi32 >= 0)
      if ($a2.lo32 > 19)
      else
        action ALLOW;
    else
      action ALLOW;

Debian unstable (libseccomp 2.3.3) is also wrong:

# filter for arch x86_64 (3221225534)
if ($arch == 3221225534)
...
  # filter for syscall "setpriority" (141) [priority: 65529]
  if ($syscall == 141)
    if ($a0.hi32 == 0)
      if ($a0.lo32 == 0)
        action ALLOW;
    if ($a1.hi32 == 0)
      if ($a1.lo32 == 0)
        action ALLOW;
    if ($a2.hi32 >= 0)
      if ($a2.lo32 > 19)
      else
        action ALLOW;
    else
      action ALLOW;

on Ubuntu 16.04 (libseccomp 2.3.1), for example, this rule is:
# filter for arch x86_64 (3221225534)
if ($arch == 3221225534)
...
  # filter for syscall "setpriority" (141) [priority: 65529]
  if ($syscall == 141)
    if ($a0.hi32 == 0)
      if ($a0.lo32 == 0)
        if ($a1.hi32 == 0)
          if ($a1.lo32 == 0)
            if ($a2.hi32 >= 0)
              if ($a2.lo32 > 19)
              else
                action ALLOW;
            else
              action ALLOW;

which is correctly ANDing the args (though we should be masking the high bits since a high negative number will be allowed; will fix in a PR). On Ubuntu 18.10 (libseccomp 2.3.3), it is the same as on Ubuntu 16.04:

# filter for arch x86_64 (3221225534)
if ($arch == 3221225534)
...
  # filter for syscall "setpriority" (141) [priority: 65529]
  if ($syscall == 141)
    if ($a0.hi32 == 0)
      if ($a0.lo32 == 0)
        if ($a1.hi32 == 0)
          if ($a1.lo32 == 0)
            if ($a2.hi32 >= 0)
              if ($a2.lo32 > 19)
              else
                action ALLOW;
            else
              action ALLOW;

Debian unstable (libseccomp 2.3.3) is also wrong:

# filter for arch x86_64 (3221225534)
if ($arch == 3221225534)
...
  # filter for syscall "setpriority" (141) [priority: 65529]
  if ($syscall == 141)
    if ($a0.hi32 == 0)
      if ($a0.lo32 == 0)
        if ($a1.hi32 == 0)
          if ($a1.lo32 == 0)
            if ($a2.hi32 >= 0)
              if ($a2.lo32 > 19)
              else
                action ALLOW;
            else
              action ALLOW;