
Reapply [compiler-rt] prctl interception update, SECCOMP_MODE_FILTER … #109834


Merged
merged 1 commit into from
Sep 24, 2024


devnexen
Member

@devnexen devnexen commented Sep 24, 2024

…support. #107722

@llvmbot
Member

llvmbot commented Sep 24, 2024

@llvm/pr-subscribers-compiler-rt-sanitizer

Author: David CARLIER (devnexen)

Changes

…support.


Full diff: https://github.com/llvm/llvm-project/pull/109834.diff

4 Files Affected:

  • (modified) compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc (+10)
  • (modified) compiler-rt/lib/sanitizer_common/sanitizer_platform_limits_posix.cpp (+13-11)
  • (modified) compiler-rt/lib/sanitizer_common/sanitizer_platform_limits_posix.h (+2-1)
  • (modified) compiler-rt/test/sanitizer_common/TestCases/Linux/prctl.cpp (+10)
diff --git a/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc b/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc
index bf5bb43018efc4..c2b4cc7abf6032 100644
--- a/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc
+++ b/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc
@@ -1289,6 +1289,11 @@ INTERCEPTOR(int, prctl, int option, unsigned long arg2, unsigned long arg3,
   static const int PR_SCHED_CORE = 62;
   static const int PR_SCHED_CORE_GET = 0;
   static const int PR_GET_PDEATHSIG = 2;
+  static const int PR_SET_SECCOMP = 22;
+
+#   if !SANITIZER_ANDROID
+  static const int SECCOMP_MODE_FILTER = 2;
+#   endif
   if (option == PR_SET_VMA && arg2 == 0UL) {
     char *name = (char *)arg5;
     COMMON_INTERCEPTOR_READ_RANGE(ctx, name, internal_strlen(name) + 1);
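Review bot: `PR_SET_SECCOMP` is declared outside the `#if !SANITIZER_ANDROID` guard, while `SECCOMP_MODE_FILTER` and the only use visible in this diff are inside it, so on Android the constant is defined but apparently never used. Moving `static const int PR_SET_SECCOMP = 22;` inside the same guard keeps the two declarations together and avoids a possible unused-variable diagnostic on that target. The interceptor body continues outside this hunk, so another use may exist that the diff does not show.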
@@ -1307,6 +1312,11 @@ INTERCEPTOR(int, prctl, int option, unsigned long arg2, unsigned long arg3,
     COMMON_INTERCEPTOR_WRITE_RANGE(ctx, (u64 *)(arg5), sizeof(u64));
   } else if (res != -1 && option == PR_GET_PDEATHSIG) {
     COMMON_INTERCEPTOR_WRITE_RANGE(ctx, (u64 *)(arg2), sizeof(int));
+#   if !SANITIZER_ANDROID
+  } else if (res != -1 && option == PR_SET_SECCOMP &&
+             arg2 == SECCOMP_MODE_FILTER) {
+    COMMON_INTERCEPTOR_WRITE_RANGE(ctx, (u64 *)(arg3), struct_sock_fprog_sz);
+#   endif
   }
   return res;
 }
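Review bot: The new `PR_SET_SECCOMP` branch annotates `arg3` as memory written by the kernel, but for `SECCOMP_MODE_FILTER` the `struct sock_fprog` is an input that the kernel only reads. Under MSan, `COMMON_INTERCEPTOR_WRITE_RANGE` after the call marks the struct as initialized rather than checking it, and under TSan it records a write. An uninitialized or concurrently modified filter program would therefore go unreported. A `COMMON_INTERCEPTOR_READ_RANGE(ctx, (void *)arg3, struct_sock_fprog_sz);` before the real `prctl` call would check it instead. The `filter` array that the struct points to (`len` entries) is also read by the kernel and is not covered by any annotation here. The pre-call part of the interceptor lies outside this hunk, so the exact placement needs checking against the full function.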
diff --git a/compiler-rt/lib/sanitizer_common/sanitizer_platform_limits_posix.cpp b/compiler-rt/lib/sanitizer_common/sanitizer_platform_limits_posix.cpp
index 6d61d276d77e35..5eeb2a89efa8c5 100644
--- a/compiler-rt/lib/sanitizer_common/sanitizer_platform_limits_posix.cpp
+++ b/compiler-rt/lib/sanitizer_common/sanitizer_platform_limits_posix.cpp
@@ -117,15 +117,16 @@ typedef struct user_fpregs elf_fpregset_t;
 #if SANITIZER_LINUX
 #if SANITIZER_GLIBC
 #include <fstab.h>
-#include <net/if_ppp.h>
-#include <netax25/ax25.h>
-#include <netipx/ipx.h>
-#include <netrom/netrom.h>
-#include <obstack.h>
-#if HAVE_RPC_XDR_H
-# include <rpc/xdr.h>
-#endif
-#include <scsi/scsi.h>
+#      include <linux/filter.h>
+#      include <net/if_ppp.h>
+#      include <netax25/ax25.h>
+#      include <netipx/ipx.h>
+#      include <netrom/netrom.h>
+#      include <obstack.h>
+#      if HAVE_RPC_XDR_H
+#        include <rpc/xdr.h>
+#      endif
+#      include <scsi/scsi.h>
 #else
 #include <linux/if_ppp.h>
 #include <linux/kd.h>
@@ -531,9 +532,10 @@ unsigned struct_ElfW_Phdr_sz = sizeof(Elf_Phdr);
 
   unsigned struct_audio_buf_info_sz = sizeof(struct audio_buf_info);
   unsigned struct_ppp_stats_sz = sizeof(struct ppp_stats);
-#endif  // SANITIZER_GLIBC
+  unsigned struct_sock_fprog_sz = sizeof(struct sock_fprog);
+#  endif  // SANITIZER_GLIBC
 
-#if !SANITIZER_ANDROID && !SANITIZER_APPLE
+#  if !SANITIZER_ANDROID && !SANITIZER_APPLE
   unsigned struct_sioc_sg_req_sz = sizeof(struct sioc_sg_req);
   unsigned struct_sioc_vif_req_sz = sizeof(struct sioc_vif_req);
 #endif
diff --git a/compiler-rt/lib/sanitizer_common/sanitizer_platform_limits_posix.h b/compiler-rt/lib/sanitizer_common/sanitizer_platform_limits_posix.h
index 34bfef1f7ef456..ca03841ccc1988 100644
--- a/compiler-rt/lib/sanitizer_common/sanitizer_platform_limits_posix.h
+++ b/compiler-rt/lib/sanitizer_common/sanitizer_platform_limits_posix.h
@@ -1050,7 +1050,8 @@ extern unsigned struct_serial_struct_sz;
 extern unsigned struct_sockaddr_ax25_sz;
 extern unsigned struct_unimapdesc_sz;
 extern unsigned struct_unimapinit_sz;
-#endif  // SANITIZER_LINUX && !SANITIZER_ANDROID
+extern unsigned struct_sock_fprog_sz;
+#  endif  // SANITIZER_LINUX && !SANITIZER_ANDROID
 
 extern const unsigned long __sanitizer_bufsiz;
 
diff --git a/compiler-rt/test/sanitizer_common/TestCases/Linux/prctl.cpp b/compiler-rt/test/sanitizer_common/TestCases/Linux/prctl.cpp
index cbff02d66efa78..dab1d1b48f8689 100644
--- a/compiler-rt/test/sanitizer_common/TestCases/Linux/prctl.cpp
+++ b/compiler-rt/test/sanitizer_common/TestCases/Linux/prctl.cpp
@@ -4,6 +4,8 @@
 
 #include <assert.h>
 #include <errno.h>
+#include <linux/filter.h>
+#include <linux/seccomp.h>
 #include <stdint.h>
 #include <string.h>
 #include <sys/mman.h>
@@ -78,5 +80,13 @@ int main() {
     }
   }
 
+  sock_filter f[] = {{.code = (BPF_LD | BPF_W | BPF_ABS),
+                      .k = (uint32_t)(SKF_AD_OFF | SKF_AD_CPU)},
+                     {.code = (BPF_RET | BPF_A), .k = 0}};
+  sock_fprog pr = {.len = 2, .filter = f};
+
+  res = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &pr);
+  assert(res == -1);
+
   return 0;
 }
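Review bot: The added test asserts `res == -1`, but the interceptor's new branch runs only when `res != -1`, so this test never reaches the annotation it was added to cover. It also does not check `errno`, so any failure passes, including one unrelated to the filter contents. Consider pinning the expected error with an `assert(errno == ...)` on the value the kernel actually returns for this filter (confirm on the bots), and adding a comment that says why the call is expected to fail. Covering the success path would need a valid filter installed in a child process so the test process itself is not restricted. `main` begins outside this hunk.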

@devnexen
Member Author

cc @nico following your revert


github-actions bot commented Sep 24, 2024

✅ With the latest revision this PR passed the C/C++ code formatter.

@devnexen devnexen force-pushed the prctl_seccomp_add_reapply branch from c7c84fe to bae4430 Compare September 24, 2024 17:26
@vitalybuka
Collaborator

Please include a reference to the original PR in the description.

@devnexen devnexen changed the title Reapply [compiler-rt] prctl interception update, SECCOMP_MODE_FILTER … Reapply #107722 [compiler-rt] prctl interception update, SECCOMP_MODE_FILTER … Sep 24, 2024
@devnexen devnexen changed the title Reapply #107722 [compiler-rt] prctl interception update, SECCOMP_MODE_FILTER … Reapply [compiler-rt] prctl interception update, SECCOMP_MODE_FILTER … Sep 24, 2024
@devnexen devnexen force-pushed the prctl_seccomp_add_reapply branch 2 times, most recently from f078f87 to 52b8094 Compare September 24, 2024 17:40
@devnexen devnexen force-pushed the prctl_seccomp_add_reapply branch from 52b8094 to 752032b Compare September 24, 2024 17:40
@devnexen devnexen merged commit a977b94 into llvm:main Sep 24, 2024
5 of 6 checks passed
@kstoimenov
Contributor

@devnexen, broke Android Sanitizer again: https://lab.llvm.org/buildbot/#/builders/186/builds/2641.

@devnexen
Member Author

seems easy enough to fix this time.

devnexen added a commit to devnexen/llvm-project that referenced this pull request Sep 24, 2024
devnexen added a commit that referenced this pull request Sep 24, 2024
@Zentrik
Contributor

Zentrik commented Dec 5, 2024

This seems to have broken building on musl for me, do you have any idea how to fix it? Thanks.

/opt/x86_64-linux-musl/bin/../lib/gcc/x86_64-linux-musl/10.2.0/../../../../x86_64-linux-musl/bin/ld: projects/compiler-rt/lib/memprof/CMakeFiles/RTMemprof_dynamic.x86_64.dir/memprof_interceptors.cpp.o: in function `__interceptor_prctl':
/workspace/srcdir/llvm-project/compiler-rt/lib/memprof/../sanitizer_common/sanitizer_common_interceptors.inc:1319: undefined reference to `__sanitizer::struct_sock_fprog_sz'
[16:34:43] collect2: error: ld returned 1 exit status

@devnexen
Member Author

devnexen commented Dec 5, 2024

I guess this part needs to be made available for musl too.
