[compiler-rt] prctl interception update, SECCOMP_MODE_FILTER support. #107722
@llvm/pr-subscribers-compiler-rt-sanitizer Author: David CARLIER (devnexen) ChangesFull diff: https://github.com/llvm/llvm-project/pull/107722.diff 4 Files Affected:
diff --git a/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc b/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc
index e09a4a8ae25fd8..0389915907c5d7 100644
--- a/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc
+++ b/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc
@@ -1256,6 +1256,7 @@ INTERCEPTOR(int, prctl, int option, unsigned long arg2, unsigned long arg3,
static const int PR_SCHED_CORE = 62;
static const int PR_SCHED_CORE_GET = 0;
static const int PR_GET_PDEATHSIG = 2;
+ static const int PR_SET_SECCOMP = 22;
if (option == PR_SET_VMA && arg2 == 0UL) {
char *name = (char *)arg5;
COMMON_INTERCEPTOR_READ_RANGE(ctx, name, internal_strlen(name) + 1);
@@ -1274,6 +1275,8 @@ INTERCEPTOR(int, prctl, int option, unsigned long arg2, unsigned long arg3,
COMMON_INTERCEPTOR_WRITE_RANGE(ctx, (u64 *)(arg5), sizeof(u64));
} else if (res != -1 && option == PR_GET_PDEATHSIG) {
COMMON_INTERCEPTOR_WRITE_RANGE(ctx, (u64 *)(arg2), sizeof(int));
+ } else if (res != -1 && option == PR_SET_SECCOMP) {
+ COMMON_INTERCEPTOR_WRITE_RANGE(ctx, (u64 *)(arg3), struct_sock_fprog_sz);
}
return res;
}
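Review bot: The new `PR_SET_SECCOMP` branch annotates the `sock_fprog` at `arg3` as written after the call, but for this option the kernel only reads that struct, so the annotation points the wrong way. Under MSan a post-call `COMMON_INTERCEPTOR_WRITE_RANGE` would presumably mark an uninitialized filter program as initialized instead of reporting it, and the `sock_filter` array the struct points to is not covered at all. I would check the struct before the real call instead, e.g. `COMMON_INTERCEPTOR_READ_RANGE(ctx, (void *)arg3, struct_sock_fprog_sz);`, and add a second read check over the filter array sized from the struct's `len` field. The interceptor body starts outside this hunk and the real `prctl` call is not shown, so the exact placement needs confirming against the full function.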
diff --git a/compiler-rt/lib/sanitizer_common/sanitizer_platform_limits_posix.cpp b/compiler-rt/lib/sanitizer_common/sanitizer_platform_limits_posix.cpp
index 6d61d276d77e35..c7802045376858 100644
--- a/compiler-rt/lib/sanitizer_common/sanitizer_platform_limits_posix.cpp
+++ b/compiler-rt/lib/sanitizer_common/sanitizer_platform_limits_posix.cpp
@@ -117,6 +117,7 @@ typedef struct user_fpregs elf_fpregset_t;
#if SANITIZER_LINUX
#if SANITIZER_GLIBC
#include <fstab.h>
+#include <linux/filter.h>
#include <net/if_ppp.h>
#include <netax25/ax25.h>
#include <netipx/ipx.h>
@@ -531,6 +532,7 @@ unsigned struct_ElfW_Phdr_sz = sizeof(Elf_Phdr);
unsigned struct_audio_buf_info_sz = sizeof(struct audio_buf_info);
unsigned struct_ppp_stats_sz = sizeof(struct ppp_stats);
+ unsigned struct_sock_fprog_sz = sizeof(struct sock_fprog);
#endif // SANITIZER_GLIBC
#if !SANITIZER_ANDROID && !SANITIZER_APPLE
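Review bot: `struct_sock_fprog_sz` is defined inside the `SANITIZER_GLIBC` block here, while its `extern` in sanitizer_platform_limits_posix.h sits under `SANITIZER_LINUX && !SANITIZER_ANDROID`, and the use in the prctl interceptor has no visible guard matching either. On a Linux target that falls outside one of those guards, the interceptor would reference a symbol that is undeclared or undefined. The three sites should share one condition, for example by wrapping the interceptor branch in the same `#if` as the definition. The interceptor's enclosing preprocessor context is outside the shown hunks, so this needs checking against the full file.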
diff --git a/compiler-rt/lib/sanitizer_common/sanitizer_platform_limits_posix.h b/compiler-rt/lib/sanitizer_common/sanitizer_platform_limits_posix.h
index 34bfef1f7ef456..4b3c949c1ead82 100644
--- a/compiler-rt/lib/sanitizer_common/sanitizer_platform_limits_posix.h
+++ b/compiler-rt/lib/sanitizer_common/sanitizer_platform_limits_posix.h
@@ -1050,6 +1050,7 @@ extern unsigned struct_serial_struct_sz;
extern unsigned struct_sockaddr_ax25_sz;
extern unsigned struct_unimapdesc_sz;
extern unsigned struct_unimapinit_sz;
+extern unsigned struct_sock_fprog_sz;
#endif // SANITIZER_LINUX && !SANITIZER_ANDROID
extern const unsigned long __sanitizer_bufsiz;
diff --git a/compiler-rt/test/sanitizer_common/TestCases/Linux/prctl.cpp b/compiler-rt/test/sanitizer_common/TestCases/Linux/prctl.cpp
index cbff02d66efa78..abb872d87a8bf9 100644
--- a/compiler-rt/test/sanitizer_common/TestCases/Linux/prctl.cpp
+++ b/compiler-rt/test/sanitizer_common/TestCases/Linux/prctl.cpp
@@ -4,6 +4,8 @@
#include <assert.h>
#include <errno.h>
+#include <linux/filter.h>
+#include <linux/seccomp.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
@@ -78,5 +80,20 @@ int main() {
}
}
+ sock_filter f[] = {{
+ .code = (BPF_LD|BPF_W|BPF_ABS),
+ .k = (uint32_t)(SKF_AD_OFF | SKF_AD_CPU)
+ },{
+ .code = (BPF_RET|BPF_A),
+ .k = 0
+ }};
+ sock_fprog pr = {
+ .len = 2,
+ .filter = f
+ };
+
+ res = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &pr);
+ assert(res == -1);
+
return 0;
}
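Review bot: The added test asserts `res == -1`, so it only exercises a failing call, whereas the interceptor's new branch runs only when `res != -1`; the new annotation is never executed by this test. The reason the call is expected to fail is not stated and `errno` is not checked, so a failure for an unrelated reason would still pass. I would add a comment such as `// Expected to fail: <reason>` above the call and pin the error with an `assert` on `errno`. main() starts outside this hunk.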
|
✅ With the latest revision this PR passed the C/C++ code formatter. |
@@ -1274,6 +1275,8 @@ INTERCEPTOR(int, prctl, int option, unsigned long arg2, unsigned long arg3, | |||
COMMON_INTERCEPTOR_WRITE_RANGE(ctx, (u64 *)(arg5), sizeof(u64)); | |||
} else if (res != -1 && option == PR_GET_PDEATHSIG) { | |||
COMMON_INTERCEPTOR_WRITE_RANGE(ctx, (u64 *)(arg2), sizeof(int)); | |||
} else if (res != -1 && option == PR_SET_SECCOMP) { | |||
COMMON_INTERCEPTOR_WRITE_RANGE(ctx, (u64 *)(arg3), struct_sock_fprog_sz); |
SECCOMP_MODE_FILTER only?
bc1dd5f
to
9dad441
Compare
Please don't forget to click "re-request review" LGTM with clang-format |
9dad441
to
f62209d
Compare
@devnexen, this probably broke the Sanitizer Android build: https://lab.llvm.org/buildbot/#/builders/186/builds/2622. Please take a look. |
+1, breaks building compiler-rt runtimes on android for us too: https://logs.chromium.org/logs/chromium/buildbucket/cr-buildbucket/8735905318006197441/+/u/gclient_runhooks/stdout?format=raw
|
Reverted in 99ade15 for now. |
Thanks for reporting. I'll fix the Android case when I reapply. |
No description provided.