mirror of
https://sourceware.org/git/glibc.git
synced 2024-12-25 04:01:10 +00:00
linux: Fail as unsupported if personality call is filtered
Container management default seccomp filter [1] only accepts personality(2) with PER_LINUX (0x0), UNAME26 (0x20000), PER_LINUX32 (0x8), UNAME26 | PER_LINUX32, and 0xffffffff (to query the current personality). Although the documentation only states that it is blocked to prevent 'enabling BSD emulation' (PER_BSD, not implemented by Linux), the repository log shows the real reason is to block the ASLR disable flag (ADDR_NO_RANDOMIZE) and other poorly supported emulations. So handle EPERM and fail as UNSUPPORTED if we cannot really check for BZ#19408. Checked on aarch64-linux-gnu. [1] https://github.com/moby/moby/blob/master/profiles/seccomp/default.json Reviewed-by: Florian Weimer <fweimer@redhat.com>
parent
be9b883ddd
commit
d4963a844d
@ -19,27 +19,36 @@
|
|||||||
|
|
||||||
#include <errno.h>
|
#include <errno.h>
|
||||||
#include <sys/personality.h>
|
#include <sys/personality.h>
|
||||||
|
#include <support/check.h>
|
||||||
|
|
||||||
static int
|
static int
|
||||||
do_test (void)
|
do_test (void)
|
||||||
{
|
{
|
||||||
int rc = 0;
|
|
||||||
unsigned int test_persona = -EINVAL;
|
unsigned int test_persona = -EINVAL;
|
||||||
unsigned int saved_persona;
|
unsigned int saved_persona;
|
||||||
|
|
||||||
errno = 0xdefaced;
|
errno = 0xdefaced;
|
||||||
saved_persona = personality (0xffffffff);
|
saved_persona = personality (0xffffffff);
|
||||||
|
|
||||||
if (personality (test_persona) != saved_persona
|
unsigned int r = personality (test_persona);
|
||||||
|| personality (0xffffffff) == -1
|
if (r == -1)
|
||||||
|| personality (PER_LINUX) == -1
|
{
|
||||||
|| personality (0xffffffff) != PER_LINUX
|
/* The syscall argument might be filtered by kernel, so the
|
||||||
|| 0xdefaced != errno)
|
test can not check for the bug issue. */
|
||||||
rc = 1;
|
if (errno == EPERM)
|
||||||
|
FAIL_UNSUPPORTED ("personality syscall argument are filtered");
|
||||||
|
FAIL_EXIT1 ("personality (%#x) failed: %m", test_persona);
|
||||||
|
}
|
||||||
|
|
||||||
(void) personality (saved_persona);
|
TEST_COMPARE (r, saved_persona);
|
||||||
return rc;
|
TEST_VERIFY (personality (0xffffffff) != -1);
|
||||||
|
TEST_VERIFY (personality (PER_LINUX) != -1);
|
||||||
|
TEST_COMPARE (personality (0xffffffff), PER_LINUX);
|
||||||
|
TEST_COMPARE (0xdefaced, errno);
|
||||||
|
|
||||||
|
personality (saved_persona);
|
||||||
|
|
||||||
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
#define TEST_FUNCTION do_test ()
|
#include <support/test-driver.c>
|
||||||
#include "../test-skeleton.c"
|
|
||||||
|
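Review bot: The comment above the `errno == EPERM` check in `do_test` says the argument is filtered "by kernel", but per the commit description the rejection comes from a seccomp profile installed by the container runtime, and only EPERM is treated as that signal. I would word it as `/* A seccomp filter (for instance a container runtime's default profile) may reject this personality value with EPERM; BZ#19408 cannot be checked then.  */` and correct the message to `"personality syscall argument is filtered"`. A profile configured to return a different errno would still reach `FAIL_EXIT1`, which is probably acceptable but worth stating in that comment. The return value of the final `personality (saved_persona)` is also ignored, so a failed restore goes unreported; `TEST_VERIFY (personality (saved_persona) != -1);` would match the checks above it.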