05 Sep, 2019 (4 commits)
    • bouncer: README: Add link to kernel SECCOMP patches · b409e10a
      Dave Martin authored
      Add a link to a tree with the kernel SECCOMP patches required by
      the bouncer.
      Signed-off-by: Dave Martin <Dave.Martin@arm.com>
    • bouncer: Hide SIGSYS from user code · 338c4762
      Dave Martin authored
      To stop the user program interfering with the bouncer's use of
      SIGSYS, intercept and emulate the sigaction() and rt_sigprocmask()
      syscalls to prevent userspace masking or handling SIGSYS.
      
      This is of course impossible: signals are highly hostile to
      proxying or emulation.  So only make basic efforts to make this
      work.
      
      It is assumed that the architecture has no sigaction(), signal()
      or sigprocmask() syscalls that would provide a means to circumvent
      this emulation.  arm64 is new enough not to have them.
      Signed-off-by: Dave Martin <Dave.Martin@arm.com>
    • bouncer: Intercept and forbid prctl SECCOMP calls · c9396fb1
      Dave Martin authored
      To avoid interference between user code and the syscall bouncer,
      intercept and stub out prctl commands PR_SET_SECCOMP and
      PR_GET_SECCOMP.
      
      Of course, this also means that the user code can't use SECCOMP,
      which some might regard as a bug.
      
      Allow other prctl commands through to the underlying syscall.
      Signed-off-by: Dave Martin <Dave.Martin@arm.com>
    • bouncer: Basic arm64 syscall bouncer · 638831e0
      Dave Martin authored
      This initial commit builds a preloadable shared object bouncer.so
      that enables SECCOMP syscall call-site filtering in the target
      command and installs a SIGSYS handler to redirect bounced syscalls
      back to the vDSO.
      
      A kernel with the magic seccomp_data ip_bounds[] and
      SECCOMP_MODE_FILTER_UNTIL_EXEC support is needed in order for this
      to work.
      
      Some parts are fairly generic, but no effort has been made to make
      this work on architectures other than arm64, for now.
      Signed-off-by: Dave Martin <Dave.Martin@arm.com>