RESOLVED FIXED 142983
[Seccomp] Set appropriate filters when trapping syscalls by default 
https://bugs.webkit.org/show_bug.cgi?id=142983
Summary [Seccomp] Set appropriate filters when trapping syscalls by default
Michael Catanzaro
Reported 2015-03-23 14:30:41 PDT
If we trap syscalls by default, we must not manually set any filters to trap anything, since it will fail causing us to crash. But also, there are some things we must allow unconditionally even when trapping by default, for the broker to work. sigreturn, obviously, and brk.
Attachments
[Linux] Seccomp Filters: Set appropriate filters when trapping by default (6.10 KB, patch)
2015-03-23 14:34 PDT, Michael Catanzaro 		zan: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Michael Catanzaro
Comment 1 2015-03-23 14:34:19 PDT
Created attachment 249275 [details] [Linux] Seccomp Filters: Set appropriate filters when trapping by default
Michael Catanzaro
Comment 2 2015-07-22 09:04:42 PDT
I think it would be nicer to use RELEASE_ASSERT_NOT_REACHED() rather than CRASH() here (note they are synonyms), but the existing code uses CRASH() so I picked that for consistency.
Zan Dobersek
Comment 3 2015-07-27 10:26:19 PDT
Comment on attachment 249275 [details] [Linux] Seccomp Filters: Set appropriate filters when trapping by default View in context: https://bugs.webkit.org/attachment.cgi?id=249275&action=review > Source/WebKit2/Shared/linux/SeccompFilters/SeccompFilters.cpp:105 > + Action result = static_cast<Action>(value); Is converting to Action here required?
Michael Catanzaro
Comment 4 2015-07-27 15:14:25 PDT
(In reply to comment #3) > > Source/WebKit2/Shared/linux/SeccompFilters/SeccompFilters.cpp:105 > > + Action result = static_cast<Action>(value); > > Is converting to Action here required? Thanks. Yes: ../../Source/WebKit2/Shared/linux/SeccompFilters/SeccompFilters.cpp:105:12: error: cannot initialize a variable of type 'WebKit::SeccompFilters::Action' with an lvalue of type 'uint32_t' (aka 'unsigned int') Action result = value; ^ ~~~~~
Michael Catanzaro
Comment 5 2015-07-27 15:20:22 PDT
Committed r187455: <http://trac.webkit.org/changeset/187455>
Zan Dobersek
Comment 6 2015-07-27 22:27:10 PDT
(In reply to comment #4) > (In reply to comment #3) > > > Source/WebKit2/Shared/linux/SeccompFilters/SeccompFilters.cpp:105 > > > + Action result = static_cast<Action>(value); > > > > Is converting to Action here required? > > Thanks. Yes: > > ../../Source/WebKit2/Shared/linux/SeccompFilters/SeccompFilters.cpp:105:12: > error: cannot initialize a variable of type 'WebKit::SeccompFilters::Action' > with an lvalue of type 'uint32_t' (aka 'unsigned int') > Action result = value; > ^ ~~~~~ What I meant was using the uint32_t variable directly in the switch conditional. At the second passing, I now see you have to return an Action value, so you'd have to cast it to the Action type in the return statement at the latest.
Note You need to log in before you can comment on or make changes to this bug.