Check and limit seccomp policy length.
PiperOrigin-RevId: 409129756 Change-Id: Ib9937495966f545fb980eba04393db640af2325f
This commit is contained in:
parent
00747d5241
commit
c95837a6c1
|
@ -200,6 +200,9 @@ void Client::ApplyPolicyAndBecomeTracee() {
|
||||||
"setting PR_SET_KEEPCAPS flag");
|
"setting PR_SET_KEEPCAPS flag");
|
||||||
|
|
||||||
sock_fprog prog;
|
sock_fprog prog;
|
||||||
|
SAPI_RAW_CHECK(policy_.size() / sizeof(sock_filter) <=
|
||||||
|
std::numeric_limits<uint16_t>::max(),
|
||||||
|
"seccomp policy too long");
|
||||||
prog.len = static_cast<uint16_t>(policy_.size() / sizeof(sock_filter));
|
prog.len = static_cast<uint16_t>(policy_.size() / sizeof(sock_filter));
|
||||||
prog.filter = reinterpret_cast<sock_filter*>(&policy_.front());
|
prog.filter = reinterpret_cast<sock_filter*>(&policy_.front());
|
||||||
|
|
||||||
|
|
|
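Review bot: The bound in the new SAPI_RAW_CHECK is only the width of sock_fprog::len; the kernel rejects a seccomp filter longer than BPF_MAXINSNS (4096 instructions) with EINVAL, so a policy of between 4097 and 65535 instructions passes this check and still fails when the filter is installed further down (the body of ApplyPolicyAndBecomeTracee continues outside the hunk). Checking against BPF_MAXINSNS here would make the abort message name the limit that actually applies, and the header comment in the third hunk, which calls 64k "the limit", describes the field width rather than what the kernel accepts. The division also silently drops a trailing partial instruction when policy_.size() is not a multiple of sizeof(sock_filter); if policy_ is a byte buffer, a `SAPI_RAW_CHECK(policy_.size() % sizeof(sock_filter) == 0, "seccomp policy size not a multiple of sizeof(sock_filter)");` next to it would catch a malformed buffer before it is cast on the prog.filter line. std::numeric_limits needs <limits>, which I cannot see included from this hunk.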
@ -786,6 +786,12 @@ std::vector<sock_filter> PolicyBuilder::ResolveBpfFunc(BpfFunc f) {
|
||||||
absl::StatusOr<std::unique_ptr<Policy>> PolicyBuilder::TryBuild() {
|
absl::StatusOr<std::unique_ptr<Policy>> PolicyBuilder::TryBuild() {
|
||||||
auto output = absl::WrapUnique(new Policy());
|
auto output = absl::WrapUnique(new Policy());
|
||||||
|
|
||||||
|
if (user_policy_.size() > kMaxUserPolicyLength) {
|
||||||
|
return absl::FailedPreconditionError(
|
||||||
|
absl::StrCat("User syscall policy is to long (", user_policy_.size(),
|
||||||
|
" > ", kMaxUserPolicyLength, ")."));
|
||||||
|
}
|
||||||
|
|
||||||
if (!last_status_.ok()) {
|
if (!last_status_.ok()) {
|
||||||
return last_status_;
|
return last_status_;
|
||||||
}
|
}
|
||||||
|
|
|
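Review bot: The new error message in the absl::StrCat call has a typo that will reach callers and logs: "is to long" should read "is too long", i.e. `absl::StrCat("User syscall policy is too long (", user_policy_.size(),`. The number it prints is user_policy_.size(), which I take to be a count of sock_filter entries rather than bytes; saying so in the message (for example `" instructions > "` instead of `" > "`) would save the reader a lookup when the error fires. The check sits at the top of TryBuild, whose body continues outside the hunk.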
@ -99,6 +99,9 @@ class PolicyBuilder final {
|
||||||
};
|
};
|
||||||
|
|
||||||
static constexpr absl::string_view kDefaultHostname = "sandbox2";
|
static constexpr absl::string_view kDefaultHostname = "sandbox2";
|
||||||
|
// Seccomp takes a 16-bit filter length, so the limit would be 64k.
|
||||||
|
// We set it lower so that there is for sure some room for the default policy.
|
||||||
|
static constexpr size_t kMaxUserPolicyLength = 30000;
|
||||||
|
|
||||||
using BpfInitializer = std::initializer_list<sock_filter>;
|
using BpfInitializer = std::initializer_list<sock_filter>;
|
||||||
using BpfFunc = const std::function<std::vector<sock_filter>(bpf_labels&)>&;
|
using BpfFunc = const std::function<std::vector<sock_filter>(bpf_labels&)>&;
|
||||||
|
|
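Review bot: The comment above kMaxUserPolicyLength does not say what unit the constant is in; since the builder compares it against user_policy_.size(), it appears to count BPF instructions (sock_filter entries) rather than bytes, and the comment should state that, e.g. `// Maximum number of BPF instructions (sock_filter entries) in the user-supplied policy; kept well below the 16-bit sock_fprog::len so the default policy always fits.` Stating the unit here also makes the "64k" figure in the existing comment read as the field width it is, rather than as an accepted filter length. The enclosing class PolicyBuilder continues outside the hunk.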