From: Roy Marples
Date: Tue, 15 Apr 2025 09:29:11 +0000 (+0100)
Subject: privsep: Fix valgrind and hardened-malloc on Linux with SECCOMP
X-Git-Tag: v10.2.3~14
X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=0f62fdd014e497da69723087c6b4ba50933553ab;p=thirdparty%2Fdhcpcd.git

privsep: Fix valgrind and hardened-malloc on Linux with SECCOMP

Valgrind will still error by default at exit as the syscall to unlink the pipe files is denied. This can be avoided by compiling with -DVALGRIND. The pipe files still won't be removed as dhcpcd has already dropped to the non root user. This is a Vagrind issue really.

hardened-malloc should now run as well as their documented syscalls are now allowed by default.

Fixes #497.
---
diff --git a/BUILDING.md b/BUILDING.md
index 18615397..b70022c8 100644
--- a/BUILDING.md
+++ b/BUILDING.md
@@ -129,6 +129,12 @@ still. If you do this, please report the issue so that we can adjust the
 SECCOMP filter so that dhcpcd can use SECCOMP once more. Or convince the libc/kernel people to adpot something more maintainable like FreeBSD's capsicum or OpenBSD's pledge.
+To test ASAN with privsep you need to add ASAN to CPPFLAGS.
+To test Valgrind with privsep you can optionally add VALGRIND to CPPFLAGS.
+For both they need some syscalls which are potentially dangerous and thus are disabled by default.
+For Valgrind, it needs to unlink the pipe files which it can't do anyway as it's dropped permissions. Otherwise it works fine.
 ## Init systems
 We try and detect how dhcpcd should interact with system services at runtime.
diff --git a/src/privsep-linux.c b/src/privsep-linux.c
index d79fc23b..036a35fe 100644
--- a/src/privsep-linux.c
+++ b/src/privsep-linux.c
@@ -468,9 +468,6 @@ static struct sock_filter ps_seccomp_filter[] = {
 /* These are for compiling with address sanitization */
 #ifdef ASAN
-#ifdef __NR_futex
- SECCOMP_ALLOW(__NR_futex),
-#endif
 #ifdef __NR_openat
 SECCOMP_ALLOW(__NR_openat),
 #endif
@@ -482,12 +479,42 @@ static struct sock_filter ps_seccomp_filter[] = {
 #endif
 /* coredumps */
+#ifdef __NR_tgkill
+ SECCOMP_ALLOW(__NR_tgkill),
+#endif
+#endif
+
+/* valgrind */
+#ifdef __NR_futex
+ SECCOMP_ALLOW(__NR_futex),
+#endif
 #ifdef __NR_gettid
 SECCOMP_ALLOW(__NR_gettid),
 #endif
-#ifdef __NR_tgkill
- SECCOMP_ALLOW(__NR_tgkill),
+#ifdef __NR_rt_sigtimedwait
+ SECCOMP_ALLOW(__NR_rt_sigtimedwait),
+#endif
+#ifdef VALGRIND
+#ifdef __NR_unlink
+ /* This is dangerous, and also pointless as in privsep
+ * we are no longer root and thus cannot unlink the valgrind
+ * pipes anyway. */
+ SECCOMP_ALLOW(__NR_unlink),
+#endif
+#endif
+
+/* hardened-malloc */
+#ifdef __NR_mprotect
+ SECCOMP_ALLOW(__NR_mprotect),
+#endif
+#ifdef __NR_mremap
+ SECCOMP_ALLOW(__NR_mremap),
+#endif
+#ifdef __NR_pkey_alloc
+ SECCOMP_ALLOW(__NR_pkey_alloc),
 #endif
+#ifdef __NR_pkey_mprotect
+ SECCOMP_ALLOW(__NR_pkey_mprotect),
 #endif
 /* Deny everything else */
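Review bot: The `/* hardened-malloc */` block at the end of the hunk allows `__NR_mprotect`, `__NR_mremap`, `__NR_pkey_alloc` and `__NR_pkey_mprotect` unconditionally and with no argument matching, so every build, not only one linked against hardened-malloc, can now change page protections in the privsep child, including adding PROT_EXEC; the ASAN and VALGRIND blocks above gate their extra syscalls behind a define and this one does not. Consider wrapping the block in a build-time macro of its own (e.g. `#ifdef HARDENED_MALLOC`, name as a suggestion) so the default filter stays as tight as before, or, if the file's argument-matching allow helper can express it, restricting `mprotect`/`pkey_mprotect` to the prot values the allocator actually uses. Whichever way it goes, a comment above `/* hardened-malloc */` such as `/* Allowed by default so hardened-malloc works; note mprotect is accepted with any prot value. */` would record the trade-off for the next reader. The `ps_seccomp_filter[]` array starts and ends outside the hunk.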