passt: Allow exit_group() system call in seccomp profiles
We handle SIGQUIT and SIGTERM calling exit(), which is usually implemented with the exit_group() system call. If we don't allow exit_group(), we'll get a SIGSYS while handling SIGQUIT and SIGTERM, which means a misleading non-zero exit code. Reported-by: Wenli Quan <wquan@redhat.com> Link: https://bugzilla.redhat.com/show_bug.cgi?id=2101990 Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
This commit is contained in:
parent
17689cc9bf
commit
1d223e4b4c
3 changed files with 4 additions and 2 deletions
2
Makefile
2
Makefile
|
@ -115,7 +115,7 @@ qrap: $(QRAP_SRCS) passt.h
|
||||||
|
|
||||||
valgrind: EXTRA_SYSCALLS="rt_sigprocmask rt_sigtimedwait rt_sigaction \
|
valgrind: EXTRA_SYSCALLS="rt_sigprocmask rt_sigtimedwait rt_sigaction \
|
||||||
getpid gettid kill clock_gettime mmap munmap open \
|
getpid gettid kill clock_gettime mmap munmap open \
|
||||||
unlink exit_group gettimeofday"
|
unlink gettimeofday"
|
||||||
valgrind: CFLAGS:=-g -O0 $(filter-out -O%,$(CFLAGS))
|
valgrind: CFLAGS:=-g -O0 $(filter-out -O%,$(CFLAGS))
|
||||||
valgrind: all
|
valgrind: all
|
||||||
|
|
||||||
|
|
|
@ -286,7 +286,7 @@ speeding up local connections, and usually requiring NAT. _pasta_:
|
||||||
* ✅ all capabilities dropped, other than `CAP_NET_BIND_SERVICE` (if granted)
|
* ✅ all capabilities dropped, other than `CAP_NET_BIND_SERVICE` (if granted)
|
||||||
* ✅ with default options, user, mount, IPC, UTS, PID namespaces are detached
|
* ✅ with default options, user, mount, IPC, UTS, PID namespaces are detached
|
||||||
* ✅ no external dependencies (other than a standard C library)
|
* ✅ no external dependencies (other than a standard C library)
|
||||||
* ✅ restrictive seccomp profiles (25 syscalls allowed for _passt_, 39 for
|
* ✅ restrictive seccomp profiles (26 syscalls allowed for _passt_, 40 for
|
||||||
_pasta_ on x86_64)
|
_pasta_ on x86_64)
|
||||||
* ✅ examples of [AppArmor](/passt/tree/contrib/apparmor) and
|
* ✅ examples of [AppArmor](/passt/tree/contrib/apparmor) and
|
||||||
[SELinux](/passt/tree/contrib/selinux) profiles available
|
[SELinux](/passt/tree/contrib/selinux) profiles available
|
||||||
|
|
2
passt.c
2
passt.c
|
@ -257,6 +257,8 @@ static int sandbox(struct ctx *c)
|
||||||
*
|
*
|
||||||
* TODO: After unsharing the PID namespace and forking, SIG_DFL for SIGTERM and
|
* TODO: After unsharing the PID namespace and forking, SIG_DFL for SIGTERM and
|
||||||
* SIGQUIT unexpectedly doesn't cause the process to terminate, figure out why.
|
* SIGQUIT unexpectedly doesn't cause the process to terminate, figure out why.
|
||||||
|
*
|
||||||
|
* #syscalls exit_group
|
||||||
*/
|
*/
|
||||||
void exit_handler(int signal)
|
void exit_handler(int signal)
|
||||||
{
|
{
|
||||||
|
|
Loading…
Reference in a new issue