seccomp / libseccomp

The main libseccomp repository
GNU Lesser General Public License v2.1

Q: getting errno 14 and returned error code -13 when adding rule #385

Closed Foosec closed 2 years ago

Foosec commented 2 years ago
#include <cerrno>
#include <stdlib.h>
#include <iostream>
#include <seccomp.h>
#include <unistd.h>
#include <sys/wait.h>
#include <sys/syscall.h>
#include <stdio.h>

int main(int argc, char *argv[])
{
    int pipefd[2];
    int ret = pipe(pipefd);

    if(ret < 0){
        perror("Pipe:");
        return EXIT_FAILURE;
    }

    pid_t pid = fork();
    if (pid == 0)
    {
        close(pipefd[0]);   // the child only writes to the pipe

        scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_NOTIFY);
        if(ctx == NULL){
            std::cerr << "seccomp_init failed" << std::endl;
            return EXIT_FAILURE;
        }

        // libseccomp reports failures through its return value (a negative
        // errno value); it does not set errno, so the errno printed below and
        // the message from perror() reflect whatever errno held earlier.
        int err = seccomp_rule_add(ctx, SCMP_ACT_NOTIFY, SCMP_SYS(open), 0);
        if(err < 0){
            std::cerr << errno << " ret: " << err << std::endl << std::flush;
            perror("Failed to add rule 1");
        }
        // the cast avoids the -Wnarrowing warning: scmp_datum_t is a 64-bit unsigned type
        err = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1,
                        SCMP_A0(SCMP_CMP_EQ, (scmp_datum_t)pipefd[1]));
        if(err < 0){
            std::cerr << errno << " ret: " << err << std::endl << std::flush;
            perror("Failed to add rule 2");
        }

        err = seccomp_load(ctx);
        if(err < 0){
            std::cerr << "seccomp_load ret: " << err << std::endl;
        }
        seccomp_release(ctx);   // frees the context only; a loaded filter stays in effect

        return 0;
    }

    std::cout << "Forked child process PID:" << pid << std::endl;

    close(pipefd[1]);   // parent must close its write end, or read() below never sees EOF

    int tempFD;
    read(pipefd[0], &tempFD, sizeof(tempFD));

    waitpid(pid, NULL, 0);

    return EXIT_SUCCESS;
}

The above code only seems to error on adding the second rule, when seccomp_init doesn't use SCMP_ACT_NOTIFY or SCMP_ACT_ALLOW; for example, setting it to SCMP_ACT_LOG proceeds without issue.

Hopefully I'm not missing some intended behaviour here.

The output of the above code is:

In file included from bug.cpp:3:
bug.cpp: In function ‘int main(int, char**)’:
bug.cpp:30:54: warning: narrowing conversion of ‘pipefd[1]’ from ‘int’ to ‘scmp_datum_t’ {aka ‘long unsigned int’} [-Wnarrowing]
   30 |                         SCMP_A0(SCMP_CMP_EQ, pipefd[1]));
      |                                              ~~~~~~~~^
Forked child process PID:1313
14 ret: -13
Failed to add rule 1: Bad address

rusty-snake commented 2 years ago

It's expected behaviour.

man 3 seccomp_rule_add:

RETURN VALUE

-EACCES The rule conflicts with the filter (for example, the rule action equals the default action of the filter).

EACCES is 13

Foosec commented 2 years ago

Thank you! Not sure how I missed that one.