[compiler-rt] prctl interception update, SECCOMP_MODE_FILTER support. (#107722)

Author: devnexen

compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc

@@ -1289,6 +1289,9 @@ INTERCEPTOR(int, prctl, int option, unsigned long arg2, unsigned long arg3,
   static const int PR_SCHED_CORE = 62;
   static const int PR_SCHED_CORE_GET = 0;
   static const int PR_GET_PDEATHSIG = 2;
+  static const int PR_SET_SECCOMP = 22;
+
+  static const int SECCOMP_MODE_FILTER = 2;
   if (option == PR_SET_VMA && arg2 == 0UL) {
     char *name = (char *)arg5;
     COMMON_INTERCEPTOR_READ_RANGE(ctx, name, internal_strlen(name) + 1);
@@ -1307,6 +1310,9 @@ INTERCEPTOR(int, prctl, int option, unsigned long arg2, unsigned long arg3,
     COMMON_INTERCEPTOR_WRITE_RANGE(ctx, (u64 *)(arg5), sizeof(u64));
   } else if (res != -1 && option == PR_GET_PDEATHSIG) {
     COMMON_INTERCEPTOR_WRITE_RANGE(ctx, (u64 *)(arg2), sizeof(int));
+  } else if (res != -1 && option == PR_SET_SECCOMP &&
+             arg2 == SECCOMP_MODE_FILTER) {
+    COMMON_INTERCEPTOR_WRITE_RANGE(ctx, (u64 *)(arg3), struct_sock_fprog_sz);
   }
   return res;
 }

compiler-rt/lib/sanitizer_common/sanitizer_platform_limits_posix.cpp

@@ -117,15 +117,16 @@ typedef struct user_fpregs elf_fpregset_t;
 #if SANITIZER_LINUX
 #if SANITIZER_GLIBC
 #include <fstab.h>
-#include <net/if_ppp.h>
-#include <netax25/ax25.h>
-#include <netipx/ipx.h>
-#include <netrom/netrom.h>
-#include <obstack.h>
-#if HAVE_RPC_XDR_H
-# include <rpc/xdr.h>
-#endif
-#include <scsi/scsi.h>
+#      include <linux/filter.h>
+#      include <net/if_ppp.h>
+#      include <netax25/ax25.h>
+#      include <netipx/ipx.h>
+#      include <netrom/netrom.h>
+#      include <obstack.h>
+#      if HAVE_RPC_XDR_H
+#        include <rpc/xdr.h>
+#      endif
+#      include <scsi/scsi.h>
 #else
 #include <linux/if_ppp.h>
 #include <linux/kd.h>
@@ -531,9 +532,10 @@ unsigned struct_ElfW_Phdr_sz = sizeof(Elf_Phdr);
 
   unsigned struct_audio_buf_info_sz = sizeof(struct audio_buf_info);
   unsigned struct_ppp_stats_sz = sizeof(struct ppp_stats);
-#endif  // SANITIZER_GLIBC
+  unsigned struct_sock_fprog_sz = sizeof(struct sock_fprog);
+#  endif  // SANITIZER_GLIBC
 
-#if !SANITIZER_ANDROID && !SANITIZER_APPLE
+#  if !SANITIZER_ANDROID && !SANITIZER_APPLE
   unsigned struct_sioc_sg_req_sz = sizeof(struct sioc_sg_req);
   unsigned struct_sioc_vif_req_sz = sizeof(struct sioc_vif_req);
 #endif

compiler-rt/lib/sanitizer_common/sanitizer_platform_limits_posix.h

@@ -1050,7 +1050,8 @@ extern unsigned struct_serial_struct_sz;
 extern unsigned struct_sockaddr_ax25_sz;
 extern unsigned struct_unimapdesc_sz;
 extern unsigned struct_unimapinit_sz;
-#endif  // SANITIZER_LINUX && !SANITIZER_ANDROID
+extern unsigned struct_sock_fprog_sz;
+#  endif  // SANITIZER_LINUX && !SANITIZER_ANDROID
 
 extern const unsigned long __sanitizer_bufsiz;
 

compiler-rt/test/sanitizer_common/TestCases/Linux/prctl.cpp

@@ -4,6 +4,8 @@
 
 #include <assert.h>
 #include <errno.h>
+#include <linux/filter.h>
+#include <linux/seccomp.h>
 #include <stdint.h>
 #include <string.h>
 #include <sys/mman.h>
@@ -78,5 +80,13 @@ int main() {
     }
   }
 
+  sock_filter f[] = {{.code = (BPF_LD | BPF_W | BPF_ABS),
+                      .k = (uint32_t)(SKF_AD_OFF | SKF_AD_CPU)},
+                     {.code = (BPF_RET | BPF_A), .k = 0}};
+  sock_fprog pr = {.len = 2, .filter = f};
+
+  res = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &pr);
+  assert(res == -1);
+
   return 0;
 }