Context Navigation

← Previous Changeset
Next Changeset →

Changeset 284451 in webkit

Timestamp:

Oct 19, 2021, 7:27:17 AM (3 years ago)

Author:

commit-queue@webkit.org

Message:

Update seccomp filters with latest changes from flatpak
https://bugs.webkit.org/show_bug.cgi?id=231479

Patch by Michael Catanzaro <Michael Catanzaro> on 2021-10-19
Reviewed by Adrian Perez de Castro.

Additionally, let's fix a minor inconsistency in our error-handling code: all but one of
our codepaths carefully free and close resources, but the process is about to crash so
there's not really any reason to do so. The code is slightly simpler if we don't bother.

The seemingly-extraneous include order changes are required to placate the style checker.

UIProcess/Launcher/glib/BubblewrapLauncher.cpp:

(WebKit::seccompStrerror):
(WebKit::setupSeccomp):

UIProcess/Launcher/glib/Syscalls.h: Added.

Location:

trunk/Source/WebKit

Files:

: 1 added
: 2 edited

ChangeLog (modified) (1 diff)
UIProcess/Launcher/glib/BubblewrapLauncher.cpp (modified) (8 diffs)
UIProcess/Launcher/glib/Syscalls.h (added)

Legend:

: Unmodified
: Added
: Removed

trunk/Source/WebKit/ChangeLog

-              r284448
+              r284451
+-10-19  Michael Catanzaro  <mcatanzaro@gnome.org>
+        Update seccomp filters with latest changes from flatpak
+        https://bugs.webkit.org/show_bug.cgi?id=231479
+        Reviewed by Adrian Perez de Castro.
+        Additionally, let's fix a minor inconsistency in our error-handling code: all but one of
+        our codepaths carefully free and close resources, but the process is about to crash so
+        there's not really any reason to do so. The code is slightly simpler if we don't bother.
+        The seemingly-extraneous include order changes are required to placate the style checker.
+        * UIProcess/Launcher/glib/BubblewrapLauncher.cpp:
+        (WebKit::seccompStrerror):
+        (WebKit::setupSeccomp):
+        * UIProcess/Launcher/glib/Syscalls.h: Added.
 -10-19  Martin Robinson  <mrobinson@igalia.com>

trunk/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp

-              r284156
+              r284451
 #include <seccomp.h>
 #include <sys/ioctl.h>
+#include <sys/mman.h>
 #include <unistd.h>
 #include <wtf/FileSystem.h>
 …
 #include <wtf/glib/GUniquePtr.h>
+#if !defined(MFD_ALLOW_SEALING) && HAVE(LINUX_MEMFD_H)
+#include <linux/memfd.h>
+#endif
+#include "Syscalls.h"
 #if PLATFORM(GTK)
 #include "WaylandCompositor.h"
 …
 #endif
+#include <sys/mman.h>
+#ifndef MFD_ALLOW_SEALING
+#if HAVE(LINUX_MEMFD_H)
+#include <linux/memfd.h>
+#if !defined(MFD_ALLOW_SEALING) && HAVE(LINUX_MEMFD_H)
 // These defines were added in glibc 2.27, the same release that added memfd_create.
 …
     return syscall(__NR_memfd_create, name, flags);
+}
+#endif // #if HAVE(LINUX_MEMFD_H)
+#endif // #ifndef MFD_ALLOW_SEALING
+#endif // #if !defined(MFD_ALLOW_SEALING) && HAVE(LINUX_MEMFD_H)
 namespace WebKit {
 …
         }));
+    }
+}
+// Translate a libseccomp error code into an error message. libseccomp
+// mostly returns negative errno values such as -ENOMEM, but some
+// standard errno values are used for non-standard purposes where their
+// strerror() would be misleading.
+static const char* seccompStrerror(int negativeErrno)
+{
+    RELEASE_ASSERT_WITH_MESSAGE(negativeErrno < 0, "Non-negative error value from libseccomp?");
+    RELEASE_ASSERT_WITH_MESSAGE(negativeErrno > INT_MIN, "Out of range error value from libseccomp?");
+    switch (negativeErrno) {
+    case -EDOM:
+        return "Architecture-specific failure";
+    case -EFAULT:
+        return "Internal libseccomp failure (unknown syscall?)";
+    case -ECANCELED:
+        return "System failure beyond the control of libseccomp";
+    }
+    // e.g. -ENOMEM: the result of strerror() is good enough
+    return g_strerror(-negativeErrno);
+}
 …
     //  https://git.gnome.org/browse/linux-user-chroot
     //    in src/setup-seccomp.c
+    //
+    // Other useful resources:
+    // https://github.com/systemd/systemd/blob/HEAD/src/shared/seccomp-util.c
+    // https://github.com/moby/moby/blob/HEAD/profiles/seccomp/default.json
 #if defined(__s390__) || defined(__s390x__) || defined(__CRIS__)
 …
     struct {
         int scall;
+        int errnum;
         struct scmp_arg_cmp* arg;
     } syscallBlockList[] = {
         // Block dmesg
         { SCMP_SYS(syslog), nullptr },
+        { SCMP_SYS(syslog), EPERM, nullptr },
         // Useless old syscall.
         { SCMP_SYS(uselib), nullptr },
+        { SCMP_SYS(uselib), EPERM, nullptr },
         // Don't allow disabling accounting.
         { SCMP_SYS(acct), nullptr },
+        { SCMP_SYS(acct), EPERM, nullptr },
         // 16-bit code is unnecessary in the sandbox, and modify_ldt is a
         // historic source of interesting information leaks.
         { SCMP_SYS(modify_ldt), nullptr },
+        { SCMP_SYS(modify_ldt), EPERM, nullptr },
         // Don't allow reading current quota use.
         { SCMP_SYS(quotactl), nullptr },
+        { SCMP_SYS(quotactl), EPERM, nullptr },
         // Don't allow access to the kernel keyring.
         { SCMP_SYS(add_key), nullptr },
         { SCMP_SYS(keyctl), nullptr },
         { SCMP_SYS(request_key), nullptr },
+        { SCMP_SYS(add_key), EPERM, nullptr },
+        { SCMP_SYS(keyctl), EPERM, nullptr },
+        { SCMP_SYS(request_key), EPERM, nullptr },
         // Scary VM/NUMA ops
         { SCMP_SYS(move_pages), nullptr },
         { SCMP_SYS(mbind), nullptr },
         { SCMP_SYS(get_mempolicy), nullptr },
         { SCMP_SYS(set_mempolicy), nullptr },
         { SCMP_SYS(migrate_pages), nullptr },
+        { SCMP_SYS(move_pages), EPERM, nullptr },
+        { SCMP_SYS(mbind), EPERM, nullptr },
+        { SCMP_SYS(get_mempolicy), EPERM, nullptr },
+        { SCMP_SYS(set_mempolicy), EPERM, nullptr },
+        { SCMP_SYS(migrate_pages), EPERM, nullptr },
         // Don't allow subnamespace setups:
+        { SCMP_SYS(unshare), nullptr },
+        { SCMP_SYS(mount), nullptr },
+        { SCMP_SYS(pivot_root), nullptr },
+        { SCMP_SYS(clone), &cloneArg },
+        { SCMP_SYS(unshare), EPERM, nullptr },
+        { SCMP_SYS(setns), EPERM, nullptr },
+        { SCMP_SYS(mount), EPERM, nullptr },
+        { SCMP_SYS(umount), EPERM, nullptr },
+        { SCMP_SYS(umount2), EPERM, nullptr },
+        { SCMP_SYS(pivot_root), EPERM, nullptr },
+        { SCMP_SYS(chroot), EPERM, nullptr },
+        { SCMP_SYS(clone), EPERM, &cloneArg },
         // Don't allow faking input to the controlling tty (CVE-2017-5226)
+        { SCMP_SYS(ioctl), &ttyArg },
+        { SCMP_SYS(ioctl), EPERM, &ttyArg },
+        // seccomp can't look into clone3()'s struct clone_args to check whether
+        // the flags are OK, so we have no choice but to block clone3().
+        // Return ENOSYS so user-space will fall back to clone().
+        // (GHSA-67h7-w3jq-vh4q; see also https://github.com/moby/moby/commit/9f6b562d)
+        { SCMP_SYS(clone3), ENOSYS, nullptr },
+        // New mount manipulation APIs can also change our VFS. There's no
+        // legitimate reason to do these in the sandbox, so block all of them
+        // rather than thinking about which ones might be dangerous.
+        // (GHSA-67h7-w3jq-vh4q)
+        { SCMP_SYS(open_tree), ENOSYS, nullptr },
+        { SCMP_SYS(move_mount), ENOSYS, nullptr },
+        { SCMP_SYS(fsopen), ENOSYS, nullptr },
+        { SCMP_SYS(fsconfig), ENOSYS, nullptr },
+        { SCMP_SYS(fsmount), ENOSYS, nullptr },
+        { SCMP_SYS(fspick), ENOSYS, nullptr },
+        { SCMP_SYS(mount_setattr), ENOSYS, nullptr },
         // Profiling operations; we expect these to be done by tools from outside
         // the sandbox. In particular perf has been the source of many CVEs.
         { SCMP_SYS(perf_event_open), nullptr },
+        { SCMP_SYS(perf_event_open), EPERM, nullptr },
         // Don't allow you to switch to bsd emulation or whatnot.
         { SCMP_SYS(personality), nullptr },
         { SCMP_SYS(ptrace), nullptr }
+        { SCMP_SYS(personality), EPERM, nullptr },
+        { SCMP_SYS(ptrace), EPERM, nullptr }
     };
 …
     for (auto& rule : syscallBlockList) {
-        int scall = rule.scall;
         int r;
         if (rule.arg)
             r = seccomp_rule_add(seccomp, SCMP_ACT_ERRNO(EPERM), scall, 1, *rule.arg);
+            r = seccomp_rule_add(seccomp, SCMP_ACT_ERRNO(rule.errnum), rule.scall, 1, *rule.arg);
         else
+            r = seccomp_rule_add(seccomp, SCMP_ACT_ERRNO(EPERM), scall, 0);
+        if (r == -EFAULT) {
+            seccomp_release(seccomp);
+            g_error("Failed to add seccomp rule");
+        }
+            r = seccomp_rule_add(seccomp, SCMP_ACT_ERRNO(rule.errnum), rule.scall, 0);
+        // EFAULT means "internal libseccomp error", but in practice we get
+        // this for syscall numbers added via Syscalls.h (flatpak-syscalls-private.h)
+        // when trying to filter them on a non-native architecture, because
+        // libseccomp cannot map the syscall number to a name and back to a
+        // number for the non-native architecture.
+        if (r == -EFAULT)
+            g_info("Unable to block syscall %d: syscall not known to libseccomp?", rule.scall);
+        else if (r < 0)
+            g_error("Failed to block syscall %d: %s", rule.scall, seccompStrerror(r));
+    }
     int tmpfd = memfd_create("seccomp-bpf", 0);
+    if (tmpfd == -1) {
+        seccomp_release(seccomp);
+    if (tmpfd == -1)
         g_error("Failed to create memfd: %s", g_strerror(errno));
+    }
+    if (seccomp_export_bpf(seccomp, tmpfd)) {
+        seccomp_release(seccomp);
+        close(tmpfd);
+        g_error("Failed to export seccomp bpf");
+    }
+    if (int r = seccomp_export_bpf(seccomp, tmpfd))
+        g_error("Failed to export seccomp bpf: %s", seccompStrerror(r));
     if (lseek(tmpfd, 0, SEEK_SET) < 0)

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset 284451 in webkit

Legend:

trunk/Source/WebKit/ChangeLog

trunk/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp

Download in other formats: