From 3dbded8e32b996543a49a62bf6f3629c8b25ff13 Mon Sep 17 00:00:00 2001
From: pythontest
Date: Sun, 11 Feb 2024 20:12:41 +0100
Subject: [PATCH 1/2] Removed syscalls open and openat from policy defined in addExecutionControlRules due to this syscalls being handled by policy defined in addFileSystemAccessRules

---
 src/seccomp/policy/DefaultPolicy.cc | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/src/seccomp/policy/DefaultPolicy.cc b/src/seccomp/policy/DefaultPolicy.cc
index 3695089..bba7b46 100644
--- a/src/seccomp/policy/DefaultPolicy.cc
+++ b/src/seccomp/policy/DefaultPolicy.cc
@@ -42,9 +42,7 @@ void DefaultPolicy::addExecutionControlRules(bool allowFork) {
 "sigaltstack",
 "sigsuspend",
 "clock_nanosleep",
- "open",
- "epoll_create1",
- "openat"});
+ "epoll_create1"});
 rules_.emplace_back(SeccompRule(
 "set_thread_area",
 action::ActionTrace([](auto& /* tracee */) {

From 1d08e242c7e8d973c44d004cca1bd19c6b8e1eb4 Mon Sep 17 00:00:00 2001
From: pythontest
Date: Fri, 16 Feb 2024 19:04:29 +0100
Subject: [PATCH 2/2] Added handling for calls to open and openat with write access when read-only mode is enforced

---
 src/seccomp/policy/DefaultPolicy.cc | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/src/seccomp/policy/DefaultPolicy.cc b/src/seccomp/policy/DefaultPolicy.cc
index bba7b46..730efe2 100644
--- a/src/seccomp/policy/DefaultPolicy.cc
+++ b/src/seccomp/policy/DefaultPolicy.cc
@@ -188,6 +188,16 @@ void DefaultPolicy::addFileSystemAccessRules(bool readOnly) {
 "openat",
 action::ActionAllow(),
 (filter::SyscallArg(2) & (O_RDWR | O_WRONLY)) == 0));
+ for (const auto& mode: {O_RDWR, O_WRONLY}) {
+ rules_.emplace_back(SeccompRule(
+ "open",
+ action::ActionErrno(EROFS),
+ (filter::SyscallArg(1) & mode) == mode));
+ rules_.emplace_back(SeccompRule(
+ "openat",
+ action::ActionErrno(EROFS),
+ (filter::SyscallArg(2) & mode) == mode));
+ }
 for (const auto& syscall: {
 "unlink",
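Review bot: After this hunk the unconditional allow-list in addExecutionControlRules silently depends on addFileSystemAccessRules for "open" and "openat", and nothing at the list records that; a reader building a policy from addExecutionControlRules alone would not see why those two syscalls now fall through to whatever default action the policy applies. Suggest a comment next to the `"epoll_create1"});` line, e.g. `// open/openat are deliberately absent here: addFileSystemAccessRules() decides them per access mode`. Whether every configuration that calls addExecutionControlRules also calls addFileSystemAccessRules is not visible in this hunk and should be confirmed, since the commit message relies on it. addExecutionControlRules begins and ends outside the hunk.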