Fix problem that we don't block syscalls below min value

The check that we are not below the lowest permitted syscall was off by one, so we always allowed them, rather than always denying them Test: Check arm64 boots, chrome and maps work mips and mips64 emulators boot Note that arm, x86 and x86_64 already allow syscall 0 so there will be no functional change there Change-Id: I85873f1d04124e634e648bd47c027f280f1d6dbd
2017-03-22 08:03:51 -07:00 · 2017-03-22 08:03:51 -07:00 · 65b47c9fe0
parent 8ebfc0d3a3
commit 65b47c9fe0
8 changed files with 12 additions and 11 deletions
--- a/libc/seccomp/arm64_policy.cpp
+++ b/libc/seccomp/arm64_policy.cpp
@ -5,7 +5,7 @@

 #include "seccomp_bpfs.h"
 const sock_filter arm64_filter[] = {
-BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 5, 0, 25),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 5, 0, 26),
 BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 203, 13, 0),
 BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 101, 7, 0),
 BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 43, 3, 0),
--- a/libc/seccomp/arm_policy.cpp
+++ b/libc/seccomp/arm_policy.cpp
@ -5,7 +5,7 @@

 #include "seccomp_bpfs.h"
 const sock_filter arm_filter[] = {
-BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 0, 0, 123),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 0, 0, 124),
 BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 143, 61, 0),
 BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 74, 31, 0),
 BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 41, 15, 0),
--- a/libc/seccomp/mips64_policy.cpp
+++ b/libc/seccomp/mips64_policy.cpp
@ -5,7 +5,7 @@

 #include "seccomp_bpfs.h"
 const sock_filter mips64_filter[] = {
-BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 5000, 0, 77),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 5000, 0, 78),
 BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 5168, 39, 0),
 BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 5077, 19, 0),
 BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 5034, 9, 0),
--- a/libc/seccomp/mips_policy.cpp
+++ b/libc/seccomp/mips_policy.cpp
@ -5,7 +5,7 @@

 #include "seccomp_bpfs.h"
 const sock_filter mips_filter[] = {
-BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 4001, 0, 107),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 4001, 0, 108),
 BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 4131, 53, 0),
 BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 4064, 27, 0),
 BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 4036, 13, 0),
--- a/libc/seccomp/x86_64_policy.cpp
+++ b/libc/seccomp/x86_64_policy.cpp
@ -5,7 +5,7 @@

 #include "seccomp_bpfs.h"
 const sock_filter x86_64_filter[] = {
-BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 0, 0, 79),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 0, 0, 80),
 BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 157, 39, 0),
 BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 72, 19, 0),
 BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 32, 9, 0),
--- a/libc/seccomp/x86_policy.cpp
+++ b/libc/seccomp/x86_policy.cpp
@ -5,7 +5,7 @@

 #include "seccomp_bpfs.h"
 const sock_filter x86_filter[] = {
-BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 0, 0, 109),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 0, 0, 110),
 BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 131, 55, 0),
 BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 64, 27, 0),
 BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 36, 13, 0),
--- a/libc/tools/genseccomp.py
+++ b/libc/tools/genseccomp.py
@ -149,13 +149,14 @@ def convert_ranges_to_bpf(ranges):
      bpf[i] = statement.format(fail=str(len(bpf) - i),
                                allow=str(len(bpf) - i - 1))

-  # Add check that we aren't off the bottom of the syscalls
-  bpf.insert(0, BPF_JGE.format(ranges[0].begin, 0, str(len(bpf))) + ',')

  # Add the allow calls at the end. If the syscall is not matched, we will
  # continue. This allows the user to choose to match further syscalls, and
  # also to choose the action when we want to block
  bpf.append(BPF_ALLOW + ",")
+
+  # Add check that we aren't off the bottom of the syscalls
+  bpf.insert(0, BPF_JGE.format(ranges[0].begin, 0, str(len(bpf))) + ',')
  return bpf


--- a/libc/tools/test_genseccomp.py
+++ b/libc/tools/test_genseccomp.py
@ -113,13 +113,13 @@ ssize_t     read(int, void*, size_t)        all
  def test_convert_ranges_to_bpf(self):
    ranges = genseccomp.convert_NRs_to_ranges([("b", 2), ("a", 1)])
    bpf = genseccomp.convert_ranges_to_bpf(ranges)
-    self.assertEquals(bpf, ['BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 1, 0, 1),',
+    self.assertEquals(bpf, ['BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 1, 0, 2),',
                            'BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 3, 1, 0), //a|b',
                            'BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),'])

    ranges = genseccomp.convert_NRs_to_ranges([("b", 3), ("a", 1)])
    bpf = genseccomp.convert_ranges_to_bpf(ranges)
-    self.assertEquals(bpf, ['BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 1, 0, 3),',
+    self.assertEquals(bpf, ['BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 1, 0, 4),',
                            'BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 3, 1, 0),',
                            'BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 2, 2, 1), //a',
                            'BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 4, 1, 0), //b',
@ -165,7 +165,7 @@ ssize_t     read(int, void*, size_t)        all

    #include "seccomp_bpfs.h"
    const sock_filter arm_filter[] = {
-    BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 3, 0, 3),
+    BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 3, 0, 4),
    BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 140, 1, 0),
    BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 4, 2, 1), //read
    BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 141, 1, 0), //_llseek