For the SECCOMP event, check if the event msg is in the range of one of the known architectures.

If it isn't, assume that the process has exited and the event msg contains an exit code.

PiperOrigin-RevId: 471258449
Change-Id: I44408c30fe7fb39e20b55cea871f3efb68fcde67
Sandboxed API Team 2022-08-31 08:09:05 -07:00 committed by Copybara-Service
parent e541f79abd
commit 75c7081622
2 changed files with 13 additions and 0 deletions


@ -55,6 +55,7 @@ enum Architecture : uint16_t {
kPPC64LE,
kArm64,
kArm,
kMax = kArm
};
} // namespace cpu
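Review bot: `kMax = kArm` is a hand-maintained alias, and nothing at the declaration tells whoever adds the next architecture that it has to move with the list. The range check this commit adds to `Monitor::EventPtraceSeccomp` uses `kMax` as its upper bound, so, assuming enumerators are numbered in declaration order, a value appended after `kArm` without updating `kMax` would have its seccomp trace events logged as a probable exit and returned early instead of being inspected. I would add a comment directly above it, such as `// Must alias the last enumerator; used to range-check the seccomp event message.` The enum begins above this hunk, so the position and value of `kUnknown`, the lower bound of that check, are not visible here and are worth confirming as well.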


@ -929,6 +929,18 @@ void Monitor::LogSyscallViolation(const Syscall& syscall) const {
}
void Monitor::EventPtraceSeccomp(pid_t pid, int event_msg) {
if (event_msg < sapi::cpu::Architecture::kUnknown ||
event_msg > sapi::cpu::Architecture::kMax) {
// We've observed that, if the process has exited, the event_msg may contain
// the exit status even though we haven't received the exit event yet.
// To work around this, if the event msg is not in the range of the known
// architectures, we assume that it's an exit status. We deal with it by
// ignoring this event, and we'll get the exit event in the next iteration.
LOG(WARNING) << "received event_msg for unknown architecture: " << event_msg
<< "; the program may have exited";
return;
}
// If the seccomp-policy is using RET_TRACE, we request that it returns the
// syscall architecture identifier in the SECCOMP_RET_DATA.
const auto syscall_arch = static_cast<sapi::cpu::Architecture>(event_msg);