Bug 142983

Summary:

[Seccomp] Set appropriate filters when trapping syscalls by default

Product:

WebKit

Reporter:

Michael Catanzaro <mcatanzaro>

Component:

WebKit2

Assignee:

Michael Catanzaro <mcatanzaro>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

mcatanzaro, zan

Priority:

Version:

528+ (Nightly build)

Hardware:

OS:

Linux

Bug Depends on:

Bug Blocks:

140072

Attachments:

Description	Flags
[Linux] Seccomp Filters: Set appropriate filters when trapping by default	zan: review+

Description Michael Catanzaro 2015-03-23 14:30:41 PDT

If we trap syscalls by default, we must not manually set any filters to trap anything, since it will fail causing us to crash.
 
But also, there are some things we must allow unconditionally even when trapping by default, for the broker to work. sigreturn, obviously, and brk.

Comment 1 Michael Catanzaro 2015-03-23 14:34:19 PDT

Created attachment 249275 [details]
[Linux] Seccomp Filters: Set appropriate filters when trapping by default

Comment 2 Michael Catanzaro 2015-07-22 09:04:42 PDT

I think it would be nicer to use RELEASE_ASSERT_NOT_REACHED() rather than CRASH() here (note they are synonyms), but the existing code uses CRASH() so I picked that for consistency.

Comment 3 Zan Dobersek 2015-07-27 10:26:19 PDT

Comment on attachment 249275 [details]
[Linux] Seccomp Filters: Set appropriate filters when trapping by default

View in context: https://bugs.webkit.org/attachment.cgi?id=249275&action=review

> Source/WebKit2/Shared/linux/SeccompFilters/SeccompFilters.cpp:105
> +    Action result = static_cast<Action>(value);

Is converting to Action here required?

Comment 4 Michael Catanzaro 2015-07-27 15:14:25 PDT

(In reply to comment #3)
> > Source/WebKit2/Shared/linux/SeccompFilters/SeccompFilters.cpp:105
> > +    Action result = static_cast<Action>(value);
> 
> Is converting to Action here required?

Thanks. Yes:

../../Source/WebKit2/Shared/linux/SeccompFilters/SeccompFilters.cpp:105:12: error: cannot initialize a variable of type 'WebKit::SeccompFilters::Action' with an lvalue of type 'uint32_t' (aka 'unsigned int')
    Action result = value;
           ^        ~~~~~

Comment 5 Michael Catanzaro 2015-07-27 15:20:22 PDT

Committed r187455: <http://trac.webkit.org/changeset/187455>

Comment 6 Zan Dobersek 2015-07-27 22:27:10 PDT

(In reply to comment #4)
> (In reply to comment #3)
> > > Source/WebKit2/Shared/linux/SeccompFilters/SeccompFilters.cpp:105
> > > +    Action result = static_cast<Action>(value);
> > 
> > Is converting to Action here required?
> 
> Thanks. Yes:
> 
> ../../Source/WebKit2/Shared/linux/SeccompFilters/SeccompFilters.cpp:105:12:
> error: cannot initialize a variable of type 'WebKit::SeccompFilters::Action'
> with an lvalue of type 'uint32_t' (aka 'unsigned int')
>     Action result = value;
>            ^        ~~~~~

What I meant was using the uint32_t variable directly in the switch conditional. At the second passing, I now see you have to return an Action value, so you'd have to cast it to the Action type in the return statement at the latest.