minijail: Don't allow -L and compiled seccomp policy

-L works by changing the default action for a syscall that is not found in a
policy file from a kill to a ret_log. This only works for text policy files
that are parsed by libminijail. Precompiled policy files inherently cannot
work with -L, so do not allow users to specify these two flags together.

Bug: 199178193
Test: Run minijail0 and unit tests
Change-Id: I499ddc67608845d8397e47e986eb8ffcb48e82ae
diff --git a/minijail0_cli.c b/minijail0_cli.c
index 508ead9..e07fc56 100644
--- a/minijail0_cli.c
+++ b/minijail0_cli.c
@@ -637,8 +637,12 @@
 	       int *exit_immediately, ElfType *elftype,
 	       const char **preload_path)
 {
+	enum seccomp_type{None, Strict, Filter, BpfBinaryFilter};
+	enum seccomp_type seccomp = None;
 	int opt;
-	int use_seccomp_filter = 0, use_seccomp_filter_binary = 0;
+	int use_seccomp_filter = 0;
+	int use_seccomp_filter_binary = 0;
+	int use_seccomp_log = 0;
 	int forward = 1;
 	int binding = 0;
 	int chroot = 0, pivot_root = 0;
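Review bot: The new `enum seccomp_type` is declared inside the function with unprefixed CamelCase enumerators, and `None` in particular is a very generic name to bring into scope for an option-parsing body of this size. Unless the file follows a different convention, I would write `enum seccomp_type { SECCOMP_NONE, SECCOMP_STRICT, SECCOMP_FILTER, SECCOMP_BPF_BINARY };` and put a one-line comment above it, for example `/* Which seccomp mode was selected on the command line; the modes are mutually exclusive. */`. The function's signature starts above this hunk and its body continues below it, so the naming convention used elsewhere in the file is not visible from here.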
@@ -646,7 +650,6 @@
 	const char *remount_mode = NULL;
 	int inherit_suppl_gids = 0, keep_suppl_gids = 0;
 	int caps = 0, ambient_caps = 0;
-	int seccomp = -1;
 	bool use_uid = false, use_gid = false;
 	uid_t uid = 0;
 	gid_t gid = 0;
@@ -701,23 +704,23 @@
 			minijail_no_new_privs(j);
 			break;
 		case 's':
-			if (seccomp != -1 && seccomp != 1) {
+			if (seccomp != None && seccomp != Strict) {
 				fprintf(stderr,
 					"Do not use -s, -S, or "
 					"--seccomp-bpf-binary together.\n");
 				exit(1);
 			}
-			seccomp = 1;
+			seccomp = Strict;
 			minijail_use_seccomp(j);
 			break;
 		case 'S':
-			if (seccomp != -1 && seccomp != 2) {
+			if (seccomp != None && seccomp != Filter) {
 				fprintf(stderr,
 					"Do not use -s, -S, or "
 					"--seccomp-bpf-binary together.\n");
 				exit(1);
 			}
-			seccomp = 2;
+			seccomp = Filter;
 			minijail_use_seccomp_filter(j);
 			filter_path = optarg;
 			use_seccomp_filter = 1;
@@ -726,6 +729,13 @@
 			minijail_namespace_ipc(j);
 			break;
 		case 'L':
+			if (seccomp == BpfBinaryFilter) {
+				fprintf(stderr,
+					"-L does not work with "
+					"--seccomp-bpf-binary.\n");
+				exit(1);
+			}
+			use_seccomp_log = 1;
 			minijail_log_seccomp_filter_failures(j);
 			break;
 		case 'b':
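Review bot: The -L / --seccomp-bpf-binary exclusion is enforced by two order-dependent checks, this one in `case 'L'` and its mirror in `case 133`, each with its own copy of the error string. A single check once option parsing has finished, `if (use_seccomp_log && seccomp == BpfBinaryFilter) { ... }`, would cover both argument orders in one place and keep the two messages from drifting apart; the code after the option loop is outside this hunk, so where it would sit is an assumption. Because -L changes the policy's default action from kill to log, the rejected combination is worth pinning with a command-line test for both orders, and none is visible in this diff.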
@@ -941,13 +951,18 @@
 			*preload_path = optarg;
 			break;
 		case 133: /* seccomp-bpf binary. */
-			if (seccomp != -1 && seccomp != 3) {
+			if (seccomp != None && seccomp != BpfBinaryFilter) {
 				fprintf(stderr,
 					"Do not use -s, -S, or "
 					"--seccomp-bpf-binary together.\n");
 				exit(1);
 			}
-			seccomp = 3;
+			if (use_seccomp_log == 1) {
+				fprintf(stderr,
+					"-L does not work with --seccomp-bpf-binary.\n");
+				exit(1);
+			}
+			seccomp = BpfBinaryFilter;
 			minijail_use_seccomp_filter(j);
 			filter_path = optarg;
 			use_seccomp_filter_binary = 1;