mirror of https://github.com/mkerrisk/man-pages
seccomp.2: tfix
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
This commit is contained in:
parent
29218e62cc
commit
65cfc71220
|
@ -257,7 +257,7 @@ struct seccomp_data {
|
|||
.in
|
||||
|
||||
Because the numbers of system calls vary between architectures and
|
||||
some architectures (e.g., X86-64) allow user-space code to use
|
||||
some architectures (e.g., x86-64) allow user-space code to use
|
||||
the calling conventions of multiple architectures, it is usually
|
||||
necessary to verify the value of the
|
||||
.IR arch
|
||||
|
@ -274,7 +274,7 @@ a blacklist bypass.
|
|||
The
|
||||
.IR arch
|
||||
field is not unique for all calling conventions.
|
||||
The X86-64 ABI and the X32 ABI both use
|
||||
The x86-64 ABI and the x32 ABI both use
|
||||
.BR AUDIT_ARCH_X86_64
|
||||
as
|
||||
.IR arch ,
|
||||
|
@ -283,7 +283,7 @@ Instead, the mask
|
|||
.BR __X32_SYSCALL_BIT
|
||||
is used on the system call number to tell the two ABIs apart.
|
||||
This means that in order to create a seccomp-based
|
||||
blacklist for system calls performed through the X86-64 ABI,
|
||||
blacklist for system calls performed through the x86-64 ABI,
|
||||
it is necessary to not only check that
|
||||
.IR arch
|
||||
equals
|
||||
|
@ -298,10 +298,10 @@ When checking values from
|
|||
against a blacklist, keep in mind that arguments are often
|
||||
silently truncated before being processed, but after the seccomp check.
|
||||
For example, this happens if the i386 ABI is used on an
|
||||
X86-64 kernel: Although the kernel will normally not look beyond
|
||||
x86-64 kernel: Although the kernel will normally not look beyond
|
||||
the 32 lowest bits of the arguments, the values of the full
|
||||
64-bit registers will be present in the seccomp data.
|
||||
A less surprising example is that if the X86-64 ABI is used to perform
|
||||
A less surprising example is that if the x86-64 ABI is used to perform
|
||||
a system call that takes an argument of type
|
||||
.IR int ,
|
||||
the more-significant half of the argument register is ignored by
|
||||
|
@ -678,7 +678,7 @@ static int
|
|||
install_filter(int syscall_nr, int t_arch, int f_errno)
|
||||
{
|
||||
unsigned int upper_nr_limit = 0xffffffff;
|
||||
/* assume that AUDIT_ARCH_X86_64 means the normal X86-64 ABI */
|
||||
/* assume that AUDIT_ARCH_X86_64 means the normal x86-64 ABI */
|
||||
if (t_arch == AUDIT_ARCH_X86_64)
|
||||
upper_nr_limit = X32_SYSCALL_BIT - 1;
|
||||
|
||||
|
@ -697,7 +697,7 @@ install_filter(int syscall_nr, int t_arch, int f_errno)
|
|||
BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
|
||||
(offsetof(struct seccomp_data, nr))),
|
||||
|
||||
/* [3] Check ABI - only needed for X86-64 in blacklist use
|
||||
/* [3] Check ABI - only needed for x86-64 in blacklist use
|
||||
cases. Use JGT instead of checking against the bit
|
||||
mask to avoid having to reload the syscall number. */
|
||||
BPF_JUMP(BPF_JMP | BPF_JGT | BPF_K, upper_nr_limit, 3, 0),
|
||||
|
|
Loading…
Reference in New Issue