mirror of
https://github.com/google/sandboxed-api.git
synced 2024-03-22 13:11:30 +08:00
Check and limit seccomp policy length.
PiperOrigin-RevId: 409129756 Change-Id: Ib9937495966f545fb980eba04393db640af2325f
This commit is contained in:
parent
00747d5241
commit
c95837a6c1
|
@ -200,6 +200,9 @@ void Client::ApplyPolicyAndBecomeTracee() {
|
|||
"setting PR_SET_KEEPCAPS flag");
|
||||
|
||||
sock_fprog prog;
|
||||
SAPI_RAW_CHECK(policy_.size() / sizeof(sock_filter) <=
|
||||
std::numeric_limits<uint16_t>::max(),
|
||||
"seccomp policy too long");
|
||||
prog.len = static_cast<uint16_t>(policy_.size() / sizeof(sock_filter));
|
||||
prog.filter = reinterpret_cast<sock_filter*>(&policy_.front());
|
||||
|
||||
|
|
|
@ -786,6 +786,12 @@ std::vector<sock_filter> PolicyBuilder::ResolveBpfFunc(BpfFunc f) {
|
|||
absl::StatusOr<std::unique_ptr<Policy>> PolicyBuilder::TryBuild() {
|
||||
auto output = absl::WrapUnique(new Policy());
|
||||
|
||||
if (user_policy_.size() > kMaxUserPolicyLength) {
|
||||
return absl::FailedPreconditionError(
|
||||
absl::StrCat("User syscall policy is to long (", user_policy_.size(),
|
||||
" > ", kMaxUserPolicyLength, ")."));
|
||||
}
|
||||
|
||||
if (!last_status_.ok()) {
|
||||
return last_status_;
|
||||
}
|
||||
|
|
|
@ -99,6 +99,9 @@ class PolicyBuilder final {
|
|||
};
|
||||
|
||||
static constexpr absl::string_view kDefaultHostname = "sandbox2";
|
||||
// Seccomp takes a 16-bit filter length, so the limit would be 64k.
|
||||
// We set it lower so that there is for sure some room for the default policy.
|
||||
static constexpr size_t kMaxUserPolicyLength = 30000;
|
||||
|
||||
using BpfInitializer = std::initializer_list<sock_filter>;
|
||||
using BpfFunc = const std::function<std::vector<sock_filter>(bpf_labels&)>&;
|
||||
|
|
Loading…
Reference in New Issue
Block a user