Check and limit seccomp policy length.

PiperOrigin-RevId: 409129756
Change-Id: Ib9937495966f545fb980eba04393db640af2325f
Wiktor Garbacz 2021-11-11 06:10:12 -08:00 committed by Copybara-Service
parent 00747d5241
commit c95837a6c1
3 changed files with 12 additions and 0 deletions


@ -200,6 +200,9 @@ void Client::ApplyPolicyAndBecomeTracee() {
"setting PR_SET_KEEPCAPS flag"); "setting PR_SET_KEEPCAPS flag");
sock_fprog prog; sock_fprog prog;
SAPI_RAW_CHECK(policy_.size() / sizeof(sock_filter) <=
std::numeric_limits<uint16_t>::max(),
"seccomp policy too long");
prog.len = static_cast<uint16_t>(policy_.size() / sizeof(sock_filter)); prog.len = static_cast<uint16_t>(policy_.size() / sizeof(sock_filter));
prog.filter = reinterpret_cast<sock_filter*>(&policy_.front()); prog.filter = reinterpret_cast<sock_filter*>(&policy_.front());
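Review bot: The new SAPI_RAW_CHECK only guards the uint16_t narrowing on the following line, not what the kernel will accept: seccomp rejects a single filter longer than BPF_MAXINSNS (4096 instructions) with EINVAL, so a policy between 4097 and 65535 entries passes this check and then fails at installation with a far less helpful error. Comparing against BPF_MAXINSNS here, and deriving kMaxUserPolicyLength in the third file from it rather than from the 16-bit field width, would fail earlier and with the intended message. The division also silently drops a trailing partial entry; a `SAPI_RAW_CHECK(policy_.size() % sizeof(sock_filter) == 0, "seccomp policy size is not a multiple of sock_filter");` would catch a truncated policy buffer before it is handed to the kernel. ApplyPolicyAndBecomeTracee starts and ends outside the hunk.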


@ -786,6 +786,12 @@ std::vector<sock_filter> PolicyBuilder::ResolveBpfFunc(BpfFunc f) {
absl::StatusOr<std::unique_ptr<Policy>> PolicyBuilder::TryBuild() { absl::StatusOr<std::unique_ptr<Policy>> PolicyBuilder::TryBuild() {
auto output = absl::WrapUnique(new Policy()); auto output = absl::WrapUnique(new Policy());
if (user_policy_.size() > kMaxUserPolicyLength) {
return absl::FailedPreconditionError(
absl::StrCat("User syscall policy is to long (", user_policy_.size(),
" > ", kMaxUserPolicyLength, ")."));
}
if (!last_status_.ok()) { if (!last_status_.ok()) {
return last_status_; return last_status_;
} }
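Review bot: The error message in the added block reads "is to long"; since this is the text a caller sees when the build is refused, it should be `absl::StrCat("User syscall policy is too long (", user_policy_.size(),`. The length check also runs after `output` has already been allocated with `new Policy()`, so moving it ahead of that line would avoid constructing a Policy that is immediately discarded. TryBuild continues past the end of the hunk.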


@ -99,6 +99,9 @@ class PolicyBuilder final {
}; };
static constexpr absl::string_view kDefaultHostname = "sandbox2"; static constexpr absl::string_view kDefaultHostname = "sandbox2";
// Seccomp takes a 16-bit filter length, so the limit would be 64k.
// We set it lower so that there is for sure some room for the default policy.
static constexpr size_t kMaxUserPolicyLength = 30000;
using BpfInitializer = std::initializer_list<sock_filter>; using BpfInitializer = std::initializer_list<sock_filter>;
using BpfFunc = const std::function<std::vector<sock_filter>(bpf_labels&)>&; using BpfFunc = const std::function<std::vector<sock_filter>(bpf_labels&)>&;
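Review bot: The comment on kMaxUserPolicyLength does not state the unit of the value; TryBuild compares it with user_policy_.size(), which appears to count sock_filter instructions rather than bytes, so a first line such as `// Maximum number of sock_filter instructions a user policy may contain.` would make the contract explicit. "There is for sure some room for the default policy" would be more useful as the concrete budget: the default policy must fit in the entries that remain below the kernel's per-filter limit. The class body continues beyond the hunk.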