Merge branch 'tmp-eperm' into 'master'

worker: allow filtered calls to fail with signal

See merge request openconnect/ocserv!175

.gitlab-ci.yml

@@ -252,6 +252,27 @@ Fedora:
     untracked: true
     when: always
 
+# Tests seccomp filters by asking seccomp to fail with a trap
+seccomp/Fedora:
+  stage: testing
+  image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD
+  script:
+  - chmod -R o-w tests/data/raddb
+  - git submodule update --init
+  - autoreconf -fvi
+  - ./configure --disable-maintainer-mode --without-docker-tests --with-kerberos-tests --enable-oidc-auth --with-seccomp-trap
+  - make -j$JOBS
+  - make check -j$JOBS
+  tags:
+  - shared
+  - linux
+  except:
+  - tags
+  artifacts:
+    expire_in: 1 day
+    untracked: true
+    when: on_failure
+
 minimal:
   stage: testing
   image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$CENTOS7_BUILD

configure.ac

@@ -68,6 +68,18 @@ fi
 
 AM_CONDITIONAL(GNUTLS_WITH_NEW_CERTS, $PKG_CONFIG --atleast-version=3.6.0 gnutls)
 
+dnl We want to detect failed syscalls when testing, but not necessarily when
+dnl running in production. This option is provided to enable during CI.
+AC_ARG_WITH(seccomp-trap,
+  AS_HELP_STRING([--with-seccomp-trap], [filtered syscalls will fail with a signal]),
+  use_seccomp_trap=$withval,
+  use_seccomp_trap=no)
+
+if test "$use_seccomp_trap" != no;then
+AC_DEFINE(USE_SECCOMP_TRAP, 1, [use signal on filtered calls])
+fi
+
+
 AC_ARG_WITH(protobuf,
   AS_HELP_STRING([--without-protobuf], [use the included protobuf library]),
   test_for_protobuf=$withval,
@@ -659,6 +671,7 @@ Summary of build options:
   local protobuf-c:     ${with_local_protobuf_c}
   local PCL library:    ${with_local_pcl}
   local http-parser:    ${with_local_http_parser}
+  seccomp trap:		${use_seccomp_trap}
 ])
 
 if test "${warn_leak}" = "yes";then

src/worker-privs.c

@@ -43,13 +43,19 @@
 /* On certain cases gnulib defines gettimeofday as macro; avoid that */
 #undef gettimeofday
 
+#ifdef USE_SECCOMP_TRAP
+# define _SECCOMP_ERR SCMP_ACT_TRAP
+#else
+# define _SECCOMP_ERR SCMP_ACT_ERRNO(ENOSYS)
+#endif
+
 int disable_system_calls(struct worker_st *ws)
 {
 	int ret;
 	scmp_filter_ctx ctx;
 	vhost_cfg_st *vhost = NULL;
 
-	ctx = seccomp_init(SCMP_ACT_ERRNO(ENOSYS));
+	ctx = seccomp_init(_SECCOMP_ERR);
 	if (ctx == NULL) {
 		oclog(ws, LOG_DEBUG, "could not initialize seccomp");
 		return -1;
@@ -64,6 +70,12 @@ int disable_system_calls(struct worker_st *ws)
 		goto fail; \
 	}
 
+	/* These seem to be called by libc or some other dependent library;
+	 * they are not necessary for functioning, but we must allow them in order
+	 * to run under trap mode. */
+	ADD_SYSCALL(getcwd, 0);
+	ADD_SYSCALL(lstat, 0);
+
 	/* we use quite some system calls here, and in the end
 	 * we don't even know whether a newer libc will change the
 	 * underlying calls to something else. seccomp seems to be useful
@@ -110,6 +122,8 @@ int disable_system_calls(struct worker_st *ws)
 	ADD_SYSCALL(poll, 0);
 	ADD_SYSCALL(ppoll, 0);
 
+	/* allow setting non-blocking sockets */
+	ADD_SYSCALL(fcntl, 0);
 	ADD_SYSCALL(close, 0);
 	ADD_SYSCALL(exit, 0);
 	ADD_SYSCALL(exit_group, 0);