Closed SpriteOvO closed 1 year ago
kpcyrd
commented
1 year ago Thanks! Did you have a chance to test if the sandbox works correctly on risc-v? You can use the ci/integration.py script, it runs some scripts automatically and if there's a sandbox violation the binary would segfault. The script can be used like this:
./ci/integration.py target/release/sn0int
SpriteOvO
commented
1 year ago @kpcyrd Unfortunately, the sandbox initialization failed with logs:
Error: Failed to init sandbox
Because: seccomp_init returned null(full: sn0int-ci.log)
The above logs are generated in QEMU-user, which sometimes has some strange bugs causing some packages to fail to compile / test. To rule this out, I've started compiling sn0int on a real RISC-V board, but it will take a bit more time due to performance issues. There will be an answer tomorrow morning.
Now assume it is not caused by QEMU-user bugs, and since it failed a bit early and there is no segfault, I guess it's not a violation? I'm not sure I should go deeper to check if the problem is inside seccomp.
kpcyrd
commented
1 year ago The error is coming from here: https://github.com/kpcyrd/syscallz-rs/blob/cc93601f1d5d0986a73d13279c96c5cc3372f218/src/lib.rs#L97
This is only calling seccomp_init(DEFAULT_KILL), no syscalls have been added at that point. DEFAULT_KILL is either KillProcess if libseccomp is >= 2.4.0, otherwise it's KillThread. (See here https://github.com/kpcyrd/syscallz-rs/blob/3eb19b52450e50c8380abeffbdf0fc681ad8b641/build.rs)
SpriteOvO
commented
1 year ago The initialization failure is indeed caused by QEMU-user bugs, so it can be ignored.
This is the result on a real RISC-V board: sn0int-ci.log
[-] "93.184.216.34" : No geoip database loaded
[+] Finished kpcyrd/geoip (1 errors)Awesome thank you, looks good!
These syscall variants do not exist on
riscv64arch.