Only the first syscall group is being executed when there is multiple syscall groups #40

criyle · 2024-12-06T02:48:16Z

For example, if the policy have multiple syscall groups like

	policy := &Policy{
		DefaultAction: ActionKillProcess,
		Syscalls: []SyscallGroup{
			{
				Names:  []string{"execve", "fork"},
				Action: ActionAllow,
			},
			{
				Names:  []string{"clone", "listen"},
				Action: ActionAllow,
			},
		},
	}

The expected behaviour is to execute the default action only when all syscall group not matches, but the current behaviour is to execute the default action if the first syscall group not matches. In this case, for syscall clone in the second group, it suppose to be allowed, but the result is kill.

This behaviour is able to reproduce by adding test case in filter_test.go L190 with

		{
			SeccompData{NR: 56 /* clone */, Arch: uint32(arch.X86_64.ID)},
			ActionAllow,
		},

--- FAIL: TestPolicyAssembleWhitelist (0.00s)
    filter_test.go:185: Expected allow, but got kill_process for test case 2 with seccomp_data=seccomp.SeccompData{NR:56, Arch:0xc000003e, InstructionPointer:0x0, Args:[6]uint64{0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
FAIL
FAIL    github.com/elastic/go-seccomp-bpf       0.179s
FAIL

I think the root cause may be the default action is assembled to every group: https://github.com/elastic/go-seccomp-bpf/blob/main/filter.go#L223

The text was updated successfully, but these errors were encountered:

Add failing test case that demonstrates the bug. The expected behavior is to allow clone, but the default action of kill process is used instead. The log output is: filter_test.go:185: Expected allow, but got kill_process for test case 2 with seccomp_data=seccomp.SeccompData{NR:56, Arch:0xc000003e, InstructionPointer:0x0, Args:[6]uint64{0x0, 0x0, 0x0, 0x0, 0x0, 0x0}} Relates: elastic#40

andrewkroh · 2024-12-06T15:54:47Z

This appears to be a bug. It looks like since #28, if the any SyscallGroup condition does not match that it executes the default action instead of continuing to the next group. That code is here:

go-seccomp-bpf/filter.go

Lines 364 to 367 in 644ae6c

    
           	syscall.Assemble(&p, action) 
        
           } 
        
           p.Ret(defaultAction)

andrewkroh · 2024-12-06T17:39:55Z

From your suggested test modification, I can see the bad logic in the instructions.

go test -run TestPolicyAssembleWhitelist -dump .
0: ld [4]
1: jneq #3221225534,9
2: ld [0]
3: jlt #1073741824,1
4: ret #327718
5: jeq #59,2
6: jeq #57,1
7: ret #2147483648 #!! syscall group action
8: ret #2147418112 #!! default_action (BUG HERE - never fallsthrough to next syscall group)
9: jeq #56,2
10: jeq #50,1
11: ret #2147483648 #!! syscall group action
12: ret #2147418112 #!! default_action

criyle · 2024-12-06T19:12:19Z

Thank you for helping but I think there might be some small mistake in the comment, and I think it should be like

9: jeq #56,2 # jump +2 to 12 to syscall group action
10: jeq #50,1
11: ret #2147483648 #!! default action: kill_process 0x80000000
12: ret #2147418112 #!! syscall group action: allow 0x7fff0000

criyle mentioned this issue Dec 6, 2024

Sandboxing inside Docker criyle/go-sandbox#8

Open

andrewkroh added the bug Something isn't working label Dec 6, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Only the first syscall group is being executed when there is multiple syscall groups #40

Only the first syscall group is being executed when there is multiple syscall groups #40

criyle commented Dec 6, 2024

andrewkroh commented Dec 6, 2024

andrewkroh commented Dec 6, 2024

criyle commented Dec 6, 2024

Only the first syscall group is being executed when there is multiple syscall groups #40

Only the first syscall group is being executed when there is multiple syscall groups #40

Comments

criyle commented Dec 6, 2024

andrewkroh commented Dec 6, 2024

andrewkroh commented Dec 6, 2024

criyle commented Dec 6, 2024