[Linux sandbox] Correctly handle statx in broker integration tests
Newer glibc/kernel combinations are using statx with STATX_BASIC_STATS to implement stat(), certainly on arm/aarch64 systems. The baseline policy correctly returns ENOSYS for these types of statx calls, forcing the stat() implementation to fall back to old stat syscalls, as we cannot actually use seccomp to enforce a pathname allowlist while also allowing any form of statx (see AT_EMPTY_PATH).

The integration test's seccomp policy accidentally allows statx. So all the stat() calls that are supposed to be denied by the sandbox are actually not.

This CL copies the statx policy from the baseline policy to return ENOSYS.

Bug: b/210975543
Change-Id: I22a52523f3c7676577b8e5cd62c347b7603c3c9c
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3502289
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Matthew Denton <mpdenton@chromium.org>
Cr-Commit-Position: refs/heads/main@{#977333}
committed by Chromium LUCI CQ
parent 5f7d1e256a
commit 7c7a2c33ee
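The decision the commit message describes (ENOSYS for a statx whose mask is exactly STATX_BASIC_STATS so that glibc's stat() falls back to the brokered stat syscalls, the denied errno for any other statx, since a pathname allowlist cannot be enforced on statx by seccomp alone) is shown below as a raw seccomp-bpf program evaluated by a small cBPF interpreter. This is an added example, not Chromium's sandbox code or its bpf_dsl; it goes slightly beyond the hunk by adding the usual ABI check in front. Assumptions: EACCES stands in for the test policy's denied_errno_, the target is little-endian x86_64 or aarch64, and the `#ifndef` fallbacks only matter when the toolchain's headers predate the constants.

```c
/* Added example (not Chromium code): the statx handling described in the
 * commit message as a raw seccomp-bpf filter, plus an interpreter for the
 * instruction subset it uses so the policy can be exercised offline. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/syscall.h>

#ifndef STATX_BASIC_STATS
#define STATX_BASIC_STATS 0x000007ffU /* value from <linux/stat.h> */
#endif
#ifndef STATX_BTIME
#define STATX_BTIME 0x00000800U /* value from <linux/stat.h> */
#endif
#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif
#ifndef SECCOMP_RET_ACTION_FULL
#define SECCOMP_RET_ACTION_FULL 0xffff0000U
#endif

#if defined(__x86_64__)
#define POLICY_ARCH AUDIT_ARCH_X86_64
#ifndef __NR_statx
#define __NR_statx 332 /* x86_64 syscall number (assumed old headers) */
#endif
#elif defined(__aarch64__)
#define POLICY_ARCH AUDIT_ARCH_AARCH64
#ifndef __NR_statx
#define __NR_statx 291 /* aarch64 syscall number (assumed old headers) */
#endif
#else
#error "example assumes x86_64 or aarch64"
#endif

#define DENIED_ERRNO EACCES /* stand-in for denied_errno_ (assumption) */
#define SD_OFF(field) ((uint32_t)offsetof(struct seccomp_data, field))

/* Instruction indices are written out so the jump offsets can be checked. */
static const struct sock_filter policy[] = {
  /* 0 */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SD_OFF(arch)),
  /* 1 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, POLICY_ARCH, 1, 0),
  /* 2 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS), /* wrong ABI */
  /* 3 */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SD_OFF(nr)),
  /* 4 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_statx, 0, 4),
  /* 5: low 32 bits of args[3], the statx mask (little-endian layout) */
          BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SD_OFF(args[3])),
  /* 6 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, STATX_BASIC_STATS, 0, 1),
  /* 7: glibc's stat() emulation sees ENOSYS and falls back to the old,
   *    brokered stat syscalls */
          BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | ENOSYS),
  /* 8: any other statx use is denied like an unbrokered pathname call */
          BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | DENIED_ERRNO),
  /* 9: everything else in this toy policy is allowed */
          BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

/* Minimal cBPF interpreter for the subset used above: absolute word loads,
 * equality jumps and constant returns. Anything else fails closed. */
static uint32_t run_filter(const struct sock_filter *prog, size_t len,
                           const struct seccomp_data *sd) {
  uint32_t acc = 0;
  for (size_t pc = 0; pc < len; ++pc) {
    const struct sock_filter *in = &prog[pc];
    switch (in->code) {
      case BPF_LD | BPF_W | BPF_ABS:
        if (in->k + sizeof acc > sizeof *sd) return SECCOMP_RET_KILL_PROCESS;
        memcpy(&acc, (const char *)sd + in->k, sizeof acc);
        break;
      case BPF_JMP | BPF_JEQ | BPF_K:
        pc += (acc == in->k) ? in->jt : in->jf;
        break;
      case BPF_RET | BPF_K:
        return in->k;
      default:
        return SECCOMP_RET_KILL_PROCESS;
    }
  }
  return SECCOMP_RET_KILL_PROCESS; /* ran off the end: fail closed */
}

/* Action word the policy returns for one syscall under a given ABI. */
uint32_t decide_for_arch(uint32_t arch, int nr, uint32_t statx_mask) {
  struct seccomp_data sd;
  memset(&sd, 0, sizeof sd);
  sd.nr = nr;
  sd.arch = arch;
  sd.args[3] = statx_mask; /* only meaningful when nr == __NR_statx */
  return run_filter(policy, sizeof policy / sizeof policy[0], &sd);
}

uint32_t decide(int nr, uint32_t statx_mask) {
  return decide_for_arch(POLICY_ARCH, nr, statx_mask);
}

/* errno carried by a SECCOMP_RET_ERRNO action, or 0 for any other action. */
int action_errno(uint32_t action) {
  if ((action & SECCOMP_RET_ACTION_FULL) != SECCOMP_RET_ERRNO) return 0;
  return (int)(action & SECCOMP_RET_DATA);
}

int main(void) {
  printf("statx(STATX_BASIC_STATS) -> errno %d (ENOSYS is %d)\n",
         action_errno(decide(__NR_statx, STATX_BASIC_STATS)), ENOSYS);
  printf("statx(STATX_BASIC_STATS|STATX_BTIME) -> errno %d (EACCES is %d)\n",
         action_errno(decide(__NR_statx, STATX_BASIC_STATS | STATX_BTIME)),
         EACCES);
  printf("getpid allowed: %d\n", decide(__NR_getpid, 0) == SECCOMP_RET_ALLOW);
  return 0;
}
```

To load the same program for real, wrap `policy` in a `struct sock_fprog`, call `prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)` and then `prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)`. The fallback the commit message relies on is only observable on platforms where glibc implements stat() via statx (the message names arm/aarch64); on others stat() never reaches instruction 5 and is judged by whatever the rest of the policy says about the legacy stat syscalls.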
@@ -45,6 +45,9 @@
|
||||
namespace sandbox {
|
||||
|
||||
using bpf_dsl::Allow;
|
||||
using bpf_dsl::Arg;
|
||||
using bpf_dsl::Error;
|
||||
using bpf_dsl::If;
|
||||
using bpf_dsl::ResultExpr;
|
||||
using bpf_dsl::Trap;
|
||||
|
||||
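Review bot: no include is added in this hunk for `__NR_statx` or `STATX_BASIC_STATS`, both of which the new statx branch in the next hunk uses, so please confirm the file already pulls in the system headers that define them. The three added declarations `using bpf_dsl::Arg;`, `using bpf_dsl::Error;` and `using bpf_dsl::If;` match the unqualified spellings used below, and since `using bpf_dsl::Trap;` was already present, dropping the `sandbox::bpf_dsl::Trap(` and `bpf_dsl::Error(` qualifications in the policy body is a consistent cleanup.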
@@ -512,16 +515,21 @@ class HandleFilesystemViaBrokerPolicy : public bpf_dsl::Policy {
|
||||
DCHECK(SandboxBPF::IsValidSyscallNumber(sysno));
|
||||
// Broker everything that we're supposed to broker.
|
||||
if (broker_process_->IsSyscallAllowed(sysno)) {
|
||||
return sandbox::bpf_dsl::Trap(
|
||||
sandbox::syscall_broker::BrokerClient::SIGSYS_Handler,
|
||||
broker_process_->GetBrokerClientSignalBased());
|
||||
return Trap(BrokerClient::SIGSYS_Handler,
|
||||
broker_process_->GetBrokerClientSignalBased());
|
||||
}
|
||||
|
||||
// Otherwise, if this is a syscall that takes a pathname but isn't an
|
||||
// allowed command, deny it.
|
||||
if (broker_process_->IsSyscallBrokerable(sysno,
|
||||
/*fast_check_in_client=*/false)) {
|
||||
return bpf_dsl::Error(denied_errno_);
|
||||
return Error(denied_errno_);
|
||||
}
|
||||
|
||||
if (sysno == __NR_statx) {
|
||||
const Arg<int> mask(3);
|
||||
return If(mask == STATX_BASIC_STATS, Error(ENOSYS))
|
||||
.Else(Error(denied_errno_));
|
||||
}
|
||||
|
||||
// Allow everything else that doesn't take a pathname.
|
||||
|
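Review bot: the new `if (sysno == __NR_statx)` branch has no comment saying why ENOSYS is returned only for `mask == STATX_BASIC_STATS` while every other mask gets `denied_errno_`; a one-liner would save the next reader a trip to the baseline policy, e.g. `// Mirror the baseline policy: ENOSYS makes glibc's stat() fall back to the old stat syscalls, which are brokered; statx with any other mask is denied.` Its placement after the `IsSyscallBrokerable` check is correct only because statx is not in the brokerable set (which is exactly why it previously fell through to "Allow everything else"); if statx is ever made brokerable, the `Error(denied_errno_)` branch above will win and this block becomes unreachable, so that dependency is worth stating in the same comment. `Arg<int> mask(3)` reads the low 32 bits of the fourth argument, which is statx(2)'s `mask`, so the index is right.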