[compiler-rt] [compiler-rt] prctl interception update, SECCOMP_MODE_FILTER support. (PR #107722)

David CARLIER via llvm-commits llvm-commits at lists.llvm.org
Tue Sep 17 04:00:27 PDT 2024 

https://github.com/devnexen updated https://github.com/llvm/llvm-project/pull/107722

>From 9dad4416f4437beb92ef4bf793db27db5bb35dca Mon Sep 17 00:00:00 2001
From: David Carlier <devnexen at gmail.com>
Date: Sat, 7 Sep 2024 22:52:40 +0100
Subject: [PATCH] [compiler-rt] prctl interception update, SECCOMP_MODE_FILTER
 support.

---
 .../sanitizer_common_interceptors.inc           |  5 +++++
 .../sanitizer_platform_limits_posix.cpp         |  2 ++
 .../sanitizer_platform_limits_posix.h           |  1 +
 .../sanitizer_common/TestCases/Linux/prctl.cpp  | 17 +++++++++++++++++
 4 files changed, 25 insertions(+)

diff --git a/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc b/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc
index e09a4a8ae25fd8..c0511755378bad 100644
--- a/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc
+++ b/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc
@@ -1256,6 +1256,9 @@ INTERCEPTOR(int, prctl, int option, unsigned long arg2, unsigned long arg3,
   static const int PR_SCHED_CORE = 62;
   static const int PR_SCHED_CORE_GET = 0;
   static const int PR_GET_PDEATHSIG = 2;
+  static const int PR_SET_SECCOMP = 22;
+
+  static const int SECCOMP_MODE_FILTER = 2;
   if (option == PR_SET_VMA && arg2 == 0UL) {
     char *name = (char *)arg5;
     COMMON_INTERCEPTOR_READ_RANGE(ctx, name, internal_strlen(name) + 1);
@@ -1274,6 +1277,8 @@ INTERCEPTOR(int, prctl, int option, unsigned long arg2, unsigned long arg3,
     COMMON_INTERCEPTOR_WRITE_RANGE(ctx, (u64 *)(arg5), sizeof(u64));
   } else if (res != -1 && option == PR_GET_PDEATHSIG) {
     COMMON_INTERCEPTOR_WRITE_RANGE(ctx, (u64 *)(arg2), sizeof(int));
+  } else if (res != -1 && option == PR_SET_SECCOMP && arg2 == SECCOMP_MODE_FILTER) {
+    COMMON_INTERCEPTOR_WRITE_RANGE(ctx, (u64 *)(arg3), struct_sock_fprog_sz);
   }
   return res;
 }
diff --git a/compiler-rt/lib/sanitizer_common/sanitizer_platform_limits_posix.cpp b/compiler-rt/lib/sanitizer_common/sanitizer_platform_limits_posix.cpp
index 6d61d276d77e35..c7802045376858 100644
--- a/compiler-rt/lib/sanitizer_common/sanitizer_platform_limits_posix.cpp
+++ b/compiler-rt/lib/sanitizer_common/sanitizer_platform_limits_posix.cpp
@@ -117,6 +117,7 @@ typedef struct user_fpregs elf_fpregset_t;
 #if SANITIZER_LINUX
 #if SANITIZER_GLIBC
 #include <fstab.h>
+#include <linux/filter.h>
 #include <net/if_ppp.h>
 #include <netax25/ax25.h>
 #include <netipx/ipx.h>
@@ -531,6 +532,7 @@ unsigned struct_ElfW_Phdr_sz = sizeof(Elf_Phdr);
 
   unsigned struct_audio_buf_info_sz = sizeof(struct audio_buf_info);
   unsigned struct_ppp_stats_sz = sizeof(struct ppp_stats);
+  unsigned struct_sock_fprog_sz = sizeof(struct sock_fprog);
 #endif  // SANITIZER_GLIBC
 
 #if !SANITIZER_ANDROID && !SANITIZER_APPLE
diff --git a/compiler-rt/lib/sanitizer_common/sanitizer_platform_limits_posix.h b/compiler-rt/lib/sanitizer_common/sanitizer_platform_limits_posix.h
index 34bfef1f7ef456..4b3c949c1ead82 100644
--- a/compiler-rt/lib/sanitizer_common/sanitizer_platform_limits_posix.h
+++ b/compiler-rt/lib/sanitizer_common/sanitizer_platform_limits_posix.h
@@ -1050,6 +1050,7 @@ extern unsigned struct_serial_struct_sz;
 extern unsigned struct_sockaddr_ax25_sz;
 extern unsigned struct_unimapdesc_sz;
 extern unsigned struct_unimapinit_sz;
+extern unsigned struct_sock_fprog_sz;
 #endif  // SANITIZER_LINUX && !SANITIZER_ANDROID
 
 extern const unsigned long __sanitizer_bufsiz;
diff --git a/compiler-rt/test/sanitizer_common/TestCases/Linux/prctl.cpp b/compiler-rt/test/sanitizer_common/TestCases/Linux/prctl.cpp
index cbff02d66efa78..abb872d87a8bf9 100644
--- a/compiler-rt/test/sanitizer_common/TestCases/Linux/prctl.cpp
+++ b/compiler-rt/test/sanitizer_common/TestCases/Linux/prctl.cpp
@@ -4,6 +4,8 @@
 
 #include <assert.h>
 #include <errno.h>
+#include <linux/filter.h>
+#include <linux/seccomp.h>
 #include <stdint.h>
 #include <string.h>
 #include <sys/mman.h>
@@ -78,5 +80,20 @@ int main() {
     }
   }
 
+  sock_filter f[] = {{
+	.code = (BPF_LD|BPF_W|BPF_ABS),
+	.k = (uint32_t)(SKF_AD_OFF | SKF_AD_CPU)
+  },{
+	.code = (BPF_RET|BPF_A),
+	.k = 0
+  }};
+  sock_fprog pr = {
+	.len = 2,
+	.filter = f
+  };
+  
+  res = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &pr);
+  assert(res == -1);
+
   return 0;
 }

More information about the llvm-commits mailing list