
fix(seccomp): remove the narrower read rule to keep the broader intent #4744


Open
wants to merge 1 commit into
base: main

ripatel-fd
Contributor

This is the same as PR #4742, but also checking in the changes to the generated code.

In fd_rpcserv_tile.seccomppolicy, two separate read rules were defined:
1) A broader rule allowing reads from any FD except 2, logfile_fd, and rpcserv_socket_fd.
2) A narrower rule only allowing reads from blockstore_fd.

Because generate_filters.py overwrites earlier rules with later ones, the second (narrower) rule
effectively replaced the first, resulting in read calls from all other FDs being denied. To
maintain the original intended security boundary, this commit removes the second rule, ensuring
the broader rule remains in effect.
@ripatel-fd ripatel-fd requested a review from asiegel-jt April 8, 2025 11:50
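
The overwrite described in the PR description, as an added example that is not code from this PR or from generate_filters.py: a simplified model of a last-rule-wins policy reader, plus a lint that flags a syscall defined more than once. The sample policy text, the function names and the dict-keyed overwrite are assumptions made for illustration.

```python
import re

# Constructed sample in the policy syntax shown on this page (not the real
# fd_rpcserv_tile.seccomppolicy): the same syscall is given two rules.
SAMPLE_POLICY = """\
# broader rule: any fd except 2, logfile_fd and rpcserv_socket_fd
read: (not (or (eq (arg 0) 2)
               (eq (arg 0) logfile_fd)
               (eq (arg 0) rpcserv_socket_fd)))

# arg 2 is the timeout.
poll: (eq (arg 2) 0)

# blockstore: read archival file
read: (eq (arg 0) blockstore_fd)
"""

RULE_START = re.compile(r"^([a-z_][a-z0-9_]*):\s*(.*)$")

def parse_rules(text):
    """Return (syscall, first line number, expression) tuples in file order."""
    rules = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        m = RULE_START.match(line)
        if m:                                      # unindented "name:" starts a rule
            rules.append([m.group(1), no, m.group(2)])
        elif rules:                                # indented line continues it
            rules[-1][2] += " " + line.strip()
    return [tuple(r) for r in rules]

def last_rule_wins(rules):
    """Assumed generator behaviour: rules keyed by syscall, later overwrites."""
    return {name: expr for name, _, expr in rules}

def duplicate_rules(rules):
    """Lint: map each syscall defined more than once to its line numbers."""
    seen = {}
    for name, no, _ in rules:
        seen.setdefault(name, []).append(no)
    return {n: lines for n, lines in seen.items() if len(lines) > 1}

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_POLICY)
    print("effective read rule:", last_rule_wins(rules)["read"])
    for name, lines in duplicate_rules(rules).items():
        print(f"error: '{name}' defined more than once (lines {lines})")
```
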
@@ -68,8 +68,5 @@ close: (not (or (eq (arg 0) 2)
# arg 2 is the timeout.
poll: (eq (arg 2) 0)

# blockstore: read archival file
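
Review bot: At the removed "# blockstore: read archival file" block, the fix only holds as long as nothing else in the policy defines read a second time, and nothing visible here enforces that. Suggest making generate_filters.py fail on a duplicate syscall name instead of letting the later rule win, and adding a comment on the remaining read rule stating that blockstore_fd is allowed through it. The effective filter also widens from reads on blockstore_fd only to reads on any fd other than 2, logfile_fd and rpcserv_socket_fd; the description gives that as the intent, but it is worth confirming against the fds the tile actually reads.
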
Contributor

Don't you need to add blockstore_fd to the above read rule as well then?

Contributor

@eternalsakura13 eternalsakura13 Apr 12, 2025

If blockstore_fd is not one of the three disallowed file descriptors, then it’s already implicitly allowed by the first rule. In that case, you can simply keep the first rule.

see #4740

Contributor

@mmcgee-jump mmcgee-jump left a comment

.
