[PATCH RFC v2 1/3] Introduce seccomp-assisted syscall filtering

Paul Chaignon paul.chaignon at gmail.com
Wed Aug 14 20:39:11 UTC 2019


On Mon, Aug 12, 2019 at 2:28 PM Eugene Syromiatnikov <esyr at redhat.com> wrote:
> On Wed, Aug 07, 2019 at 06:03:38PM +0200, Paul Chaignon wrote:
> > On Mon, Aug 05, 2019 at 07:59:25PM +0200, Eugene Syromiatnikov wrote:
> > > On Wed, Jul 31, 2019 at 05:35:56PM +0200, Paul Chaignon wrote:

[...]

> > > For IA-64, there's also SYSCALLENT_BASE_NR, which probably has to be
> > > accounted for.
> >
> > Ok, then we'll need
> > "PERSONALITY0_AUDIT_ARCH { AUDIT_ARCH_IA64, SYSCALLENT_BASE_NR }".
> >
> > This slightly changes how audit_arch_vec[p].mask is used; we now should
> > *add* it to the syscall number instead of *bitwise or'ing* it.  So we now
> > have two documented uses for audit_arch_vec[p].mask:
> > - for IA64, "+" is required, "|" works only as long as we have less than
> >   SYSCALLENT_BASE_NR IA64 syscalls;
> > - for x86, "|" is required, "+" works because we have less than
> >   __X32_SYSCALL_BIT x86 syscalls.
> >
> > I'm tempted to use "nr = i | audit_arch_vec[p].mask" and add a static
> > check on the number of syscalls (< SYSCALLENT_BASE_NR).  The other way
> > around also works.
>
> Since on IA-64 the base is a power of 2 (luckily for us), I'd stick with
> treating it as a flag, using "|" and having a static check.

I'm tempted to write a test case instead of a static check.  To use a
static check I need constants, so unless I missed something, I would have
to break (again) the PERSONALITY{0,1,2}_AUDIT_ARCH macros into
PERSONALITY{0,1,2}_AUDIT_ARCH and PERSONALITY{0,1,2}_FLAG.  I also need
the number of syscalls as a constant, which I don't think we have right
now.

With a test case, I could also explicitly check that no syscall conflicts
with the flag's bits, instead of just comparing the number of syscalls to
the flag.  Unless you have a better idea?

Paul
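
The test-case idea discussed in this message, as an added example that is not part of the original thread or of strace's code: it checks that a per-personality flag is a single bit and that no syscall table index shares bits with it, so "|" and "+" give the same number. The function names, the IA-64 base of 1024 and the syscall counts are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* "|" is only a safe substitute for "+" if the flag is zero or one bit. */
static bool
mask_is_single_bit(unsigned int mask)
{
	return (mask & (mask - 1)) == 0;
}

/*
 * Return the first table index i with (i | mask) != (i + mask), i.e. an
 * index that shares bits with the flag, or -1 if no index conflicts.
 */
static long
first_conflict(unsigned int mask, unsigned int nsyscalls)
{
	for (unsigned int i = 0; i < nsyscalls; ++i)
		if ((i | mask) != (i + mask))
			return (long) i;
	return -1;
}

/* Combined check a test case could run for each personality. */
static bool
flag_is_safe(unsigned int mask, unsigned int nsyscalls)
{
	return mask_is_single_bit(mask) && first_conflict(mask, nsyscalls) < 0;
}

int
main(void)
{
	/* Constructed sample data: names and syscall counts are made up. */
	static const struct {
		const char *name;
		unsigned int mask;
		unsigned int nsyscalls;
	} archs[] = {
		{ "ia64-like, base 1024 (assumed)", 1024, 400 },
		{ "x32-like, bit 0x40000000", 0x40000000u, 600 },
		{ "table grown past the base", 1024, 1030 },
	};
	for (unsigned int p = 0; p < sizeof(archs) / sizeof(archs[0]); ++p)
		printf("%s: %s\n", archs[p].name,
		       flag_is_safe(archs[p].mask, archs[p].nsyscalls)
		       ? "ok" : "conflict");
	return 0;
}
```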

