seccomp: drop SECCOMP_MEMORY_DENY_WRITE_EXECUTE_BROKEN, add test for shmat

SECCOMP_MEMORY_DENY_WRITE_EXECUTE_BROKEN was conflating two separate things: 1. whether shmat/shmdt/shmget can be filtered (if ipc multiplexer is used, they can not) 2. whether we know this for the current architecture For i386, shmat is implemented as ipc, so seccomp filter is "broken" for shmat, but not for mmap, and SECCOMP_MEMORY_DENY_WRITE_EXECUTE_BROKEN cannot be used to cover both cases. The define was only used for tests — not in the implementation in seccomp-util.c. So let's get rid of SECCOMP_MEMORY_DENY_WRITE_EXECUTE_BROKEN and encode the right condition directly in tests.
2017-05-04 14:09:53 +00:00 · 2017-05-04 14:09:53 +00:00 · 2a65bd94e4
parent dce0e62046
commit 2a65bd94e4
2 changed files with 58 additions and 15 deletions
--- a/src/shared/seccomp-util.h
+++ b/src/shared/seccomp-util.h
@ -84,13 +84,6 @@ int seccomp_memory_deny_write_execute(void);
 #define SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN 0
 #endif

-/* mmap() blocking is only available on some archs for now */
-#if defined(__x86_64__) || defined(__i386__)
-#define SECCOMP_MEMORY_DENY_WRITE_EXECUTE_BROKEN 0
-#else
-#define SECCOMP_MEMORY_DENY_WRITE_EXECUTE_BROKEN 1
-#endif
-
 /* we don't know the right order of the clone() parameters except for these archs, for now */
 #if defined(__x86_64__) || defined(__i386__) || defined(__s390x__) || defined(__s390__) || defined(__powerpc64__) || defined(__mips__)
 #define SECCOMP_RESTRICT_NAMESPACES_BROKEN 0
--- a/src/test/test-seccomp.c
+++ b/src/test/test-seccomp.c
@ -21,8 +21,10 @@
 #include <stdlib.h>
 #include <sys/eventfd.h>
 #include <sys/mman.h>
-#include <unistd.h>
 #include <sys/poll.h>
+#include <sys/shm.h>
+#include <sys/types.h>
+#include <unistd.h>

 #include "alloc-util.h"
 #include "fd-util.h"
@ -371,7 +373,7 @@ static void test_restrict_realtime(void) {
        assert_se(wait_for_terminate_and_warn("realtimeseccomp", pid, true) == EXIT_SUCCESS);
 }

-static void test_memory_deny_write_execute(void) {
+static void test_memory_deny_write_execute_mmap(void) {
        pid_t pid;

        if (!is_seccomp_available())
@ -396,12 +398,12 @@ static void test_memory_deny_write_execute(void) {
                assert_se(seccomp_memory_deny_write_execute() >= 0);

                p = mmap(NULL, page_size(), PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1,0);
-#if SECCOMP_MEMORY_DENY_WRITE_EXECUTE_BROKEN
-                assert_se(p != MAP_FAILED);
-                assert_se(munmap(p, page_size()) >= 0);
-#else
+#if defined(__x86_64__) || defined(__i386__)
                assert_se(p == MAP_FAILED);
                assert_se(errno == EPERM);
+#else /* unknown architectures */
+                assert_se(p != MAP_FAILED);
+                assert_se(munmap(p, page_size()) >= 0);
 #endif

                p = mmap(NULL, page_size(), PROT_WRITE|PROT_READ, MAP_PRIVATE|MAP_ANONYMOUS, -1,0);
@ -411,7 +413,54 @@ static void test_memory_deny_write_execute(void) {
                _exit(EXIT_SUCCESS);
        }

-        assert_se(wait_for_terminate_and_warn("memoryseccomp", pid, true) == EXIT_SUCCESS);
+        assert_se(wait_for_terminate_and_warn("memoryseccomp-mmap", pid, true) == EXIT_SUCCESS);
+}
+
+static void test_memory_deny_write_execute_shmat(void) {
+        int shmid;
+        pid_t pid;
+
+        if (!is_seccomp_available())
+                return;
+        if (geteuid() != 0)
+                return;
+
+        shmid = shmget(IPC_PRIVATE, page_size(), 0);
+        assert_se(shmid >= 0);
+
+        pid = fork();
+        assert_se(pid >= 0);
+
+        if (pid == 0) {
+                void *p;
+
+                p = shmat(shmid, NULL, 0);
+                assert_se(p != MAP_FAILED);
+                assert_se(shmdt(p) == 0);
+
+                p = shmat(shmid, NULL, SHM_EXEC);
+                assert_se(p != MAP_FAILED);
+                assert_se(shmdt(p) == 0);
+
+                assert_se(seccomp_memory_deny_write_execute() >= 0);
+
+                p = shmat(shmid, NULL, SHM_EXEC);
+#if defined(__x86_64__)
+                assert_se(p == MAP_FAILED);
+                assert_se(errno == EPERM);
+#else /* __i386__ and "unknown" architectures */
+                assert_se(p != MAP_FAILED);
+                assert_se(shmdt(p) == 0);
+#endif
+
+                p = shmat(shmid, NULL, 0);
+                assert_se(p != MAP_FAILED);
+                assert_se(shmdt(p) == 0);
+
+                _exit(EXIT_SUCCESS);
+        }
+
+        assert_se(wait_for_terminate_and_warn("memoryseccomp-shmat", pid, true) == EXIT_SUCCESS);
 }

 static void test_restrict_archs(void) {
@ -510,7 +559,8 @@ int main(int argc, char *argv[]) {
        test_protect_sysctl();
        test_restrict_address_families();
        test_restrict_realtime();
-        test_memory_deny_write_execute();
+        test_memory_deny_write_execute_mmap();
+        test_memory_deny_write_execute_shmat();
        test_restrict_archs();
        test_load_syscall_filter_set_raw();