Change the sandbox behavior on all failed opens() to EACCES

Previously, most disallowed open(O_RDONLY) attempts would EACCES,
but others would fail with a crash.

diff --git a/changes/bug16106 b/changes/bug16106
new file mode 100644 (file)
index 0000000..9142a37
--- /dev/null
+++ b/changes/bug16106
@@ -0,0 +1,6 @@
+  o Minor bugfixes (linux seccomp2 sandbox):
+    - Cause a wider variety of unpermitted open() calls to fail with the
+      EACCES error when the sandbox is running. This won't enable any
+      previously non-working functionality, but it should turn several cases
+      from crashes into sandbox warnings. Fixes bug 16106; bugfix on
+      0.2.5.1-alpha.

diff --git a/src/common/sandbox.c b/src/common/sandbox.c
index 37f582048cf4badd7de01082cf8398f826d5194b..043b8bf14ff49046096e90ef04c437d10c411825 100644 (file)
--- a/src/common/sandbox.c
+++ b/src/common/sandbox.c
@@ -481,18 +481,14 @@ sb_open(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
     }
   }
 
-  rc = seccomp_rule_add_1(ctx, SCMP_ACT_ERRNO(EACCES), SCMP_SYS(open),
-                SCMP_CMP_MASKED(1, O_CLOEXEC|O_NONBLOCK|O_NOCTTY|O_NOFOLLOW,
-                                O_RDONLY));
+  rc = seccomp_rule_add_0(ctx, SCMP_ACT_ERRNO(EACCES), SCMP_SYS(open));
   if (rc != 0) {
     log_err(LD_BUG,"(Sandbox) failed to add open syscall, received libseccomp "
         "error %d", rc);
     return rc;
   }
 
-  rc = seccomp_rule_add_1(ctx, SCMP_ACT_ERRNO(EACCES), SCMP_SYS(openat),
-                SCMP_CMP_MASKED(2, O_CLOEXEC|O_NONBLOCK|O_NOCTTY|O_NOFOLLOW,
-                                O_RDONLY));
+  rc = seccomp_rule_add_0(ctx, SCMP_ACT_ERRNO(EACCES), SCMP_SYS(openat));
   if (rc != 0) {
     log_err(LD_BUG,"(Sandbox) failed to add openat syscall, received "
             "libseccomp error %d", rc);