[Linux sandbox] Correctly handle statx in broker integration tests

Newer glibc/kernel combinations are using statx with STATX_BASIC_STATS
to implement stat(), certainly on arm/aarch64 systems.

The baseline policy correctly returns ENOSYS for these types of statx
calls, forcing the stat() implementation to fall back to old stat
syscalls, as we cannot actually use seccomp to enforce a pathname
allowlist while also allowing any form of statx (see AT_EMPTY_PATH).

The integration test's seccomp policy accidentally allows statx.
So all the stat() calls that are supposed to be denied by the sandbox
are actually not.

This CL copies the statx policy from the baseline policy to return
ENOSYS.

Bug: b/210975543
Change-Id: I22a52523f3c7676577b8e5cd62c347b7603c3c9c
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3502289
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Matthew Denton <mpdenton@chromium.org>
Cr-Commit-Position: refs/heads/main@{#977333}
Matthew Denton
2022-03-03 21:30:11 +00:00
committed by Chromium LUCI CQ
parent 5f7d1e256a
commit 7c7a2c33ee

@@ -45,6 +45,9 @@
namespace sandbox {
using bpf_dsl::Allow;
using bpf_dsl::Arg;
using bpf_dsl::Error;
using bpf_dsl::If;
using bpf_dsl::ResultExpr;
using bpf_dsl::Trap;
@@ -512,16 +515,21 @@ class HandleFilesystemViaBrokerPolicy : public bpf_dsl::Policy {
DCHECK(SandboxBPF::IsValidSyscallNumber(sysno));
// Broker everything that we're supposed to broker.
if (broker_process_->IsSyscallAllowed(sysno)) {
return sandbox::bpf_dsl::Trap(
sandbox::syscall_broker::BrokerClient::SIGSYS_Handler,
broker_process_->GetBrokerClientSignalBased());
return Trap(BrokerClient::SIGSYS_Handler,
broker_process_->GetBrokerClientSignalBased());
}
// Otherwise, if this is a syscall that takes a pathname but isn't an
// allowed command, deny it.
if (broker_process_->IsSyscallBrokerable(sysno,
/*fast_check_in_client=*/false)) {
return bpf_dsl::Error(denied_errno_);
return Error(denied_errno_);
}
if (sysno == __NR_statx) {
const Arg<int> mask(3);
return If(mask == STATX_BASIC_STATS, Error(ENOSYS))
.Else(Error(denied_errno_));
}
// Allow everything else that doesn't take a pathname.
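Review bot: the new `if (sysno == __NR_statx)` block is placed after the `IsSyscallBrokerable(sysno, /*fast_check_in_client=*/false)` check, so it is only reachable while the broker does not classify statx as a brokerable pathname syscall; if that classification ever changes, the `return Error(denied_errno_);` above will win and the ENOSYS fallback the commit message relies on silently disappears. Consider moving the statx check ahead of the brokerable check, or adding a DCHECK (or a test) that `IsSyscallBrokerable(__NR_statx, false)` is false so the ordering is enforced rather than assumed. Two smaller points: `mask == STATX_BASIC_STATS` is an exact-equality match, so a caller requesting STATX_BASIC_STATS plus additional fields gets `denied_errno_` rather than ENOSYS, which matches the intent in the commit message but deserves a one-line comment in the code; and since the statx mask argument is an unsigned int in the kernel prototype, `Arg<unsigned int> mask(3)` would document the argument type more precisely than `Arg<int>`.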