util: add linkat to syscall sandbox (AllowFileSystem) #24659

pull fanquake wants to merge 1 commits into bitcoin:master from fanquake:maybe_fix_24536 changing 1 files +1 −0
  1. fanquake commented at 11:50 am on March 24, 2022: member
    Should fix #24536.
  2. util: add linkat to syscall sandbox (AllowFileSystem) 9809db3577
  3. fanquake added the label Linux/Unix on Mar 24, 2022
  4. fanquake added the label Utils/log/libs on Mar 24, 2022
  5. MarcoFalke commented at 12:01 pm on March 24, 2022: member

    cr ACK 9809db3577f0fa618bea42635b1581e628a30395

    but might be good to test

  6. luke-jr commented at 0:22 am on March 25, 2022: member
    Should we allow regular link too? My manpage says glibc can fallback to link for emulating linkat on older kernels.
  7. fanquake marked this as ready for review on Mar 25, 2022
  8. fanquake commented at 7:44 am on March 25, 2022: member

    Should we allow regular link too? My manpage says glibc can fallback to link for emulating linkat on older kernels.

    Yes, if someone reports an issue with it. I don’t think we want/need to preemptively allow syscalls.

  9. luke-jr commented at 1:18 pm on March 25, 2022: member
    We don’t usually leave known bugs until someone reports them…
  10. MarcoFalke commented at 1:25 pm on March 25, 2022: member
    Yeah, I think it is fine to put in both.
  11. fanquake commented at 1:34 pm on March 25, 2022: member

    We don’t usually leave known bugs until someone reports them…

    Sure, but this isn’t a known bug yet. If we want it to be one, can you elaborate more than “my manpage says maybe this is needed for some older kernels”.

    Which manpage? Which older kernel (versions)? Which versions of glibc perform the fallback-ing? Do we support them? Can you reproduce the bug?

    I’m not really interested in adding exceptions to our syscall sandbox based on hypotheticals derived from a possibly irrelevant (to our project & runtime back-compatibilities) sentence in a manpage. Especially if the problem hasn’t actually been run into in the wild.

  12. in src/util/syscall_sandbox.cpp:595 in 9809db3577 
    591@@ -592,6 +592,7 @@ class SeccompPolicyBuilder
592         allowed_syscalls.insert(__NR_getcwd);          // get current working directory
593         allowed_syscalls.insert(__NR_getdents);        // get directory entries
594         allowed_syscalls.insert(__NR_getdents64);      // get directory entries
595+        allowed_syscalls.insert(__NR_linkat);          // create relative to a directory file descriptor
    hebasto commented at 10:12 am on March 26, 2022:

    Tested on Ubuntu 22.04:

    0        allowed_syscalls.insert(__NR_inotify_rm_watch);// remove an existing watch from an inotify instance
1        allowed_syscalls.insert(__NR_linkat);          // create relative to a directory file descriptor
    hebasto commented at 7:17 am on March 28, 2022:
    Done in #24690.
  13. Rspigler commented at 4:53 am on March 28, 2022: contributor
    Tested ACK (commit 9809db3577f0fa618bea42635b1581e628a30395) - this fixes https://github.com/bitcoin/bitcoin/issues/24536
  14. MarcoFalke commented at 7:04 am on March 28, 2022: member
    Going to merge this, since it is tested and reviewed. Maybe issues on other OS can be fixed in a separate commit?
  15. MarcoFalke merged this on Mar 28, 2022
  16. MarcoFalke closed this on Mar 28, 2022
  17. MarcoFalke added the label Needs backport (23.x) on Mar 28, 2022
  18. fanquake deleted the branch on Mar 28, 2022
  19. jonatack commented at 11:41 am on March 28, 2022: member
    Backported to v23.0 in #24512
  20. jonatack referenced this in commit ca46f282b1 on Mar 28, 2022
  21. jonatack referenced this in commit 54e787b767 on Mar 28, 2022
  22. fanquake removed the label Needs backport (23.x) on Mar 28, 2022
  23. fanquake referenced this in commit f9aedbc300 on Mar 30, 2022
  24. hebasto referenced this in commit 6cf6924ab9 on Mar 31, 2022
  25. jonatack referenced this in commit 85f85c7e5f on Mar 31, 2022
  26. fanquake referenced this in commit c243e08351 on Mar 31, 2022
  27. sidhujag referenced this in commit c2d3886e0f on Apr 2, 2022
  28. sidhujag referenced this in commit 393dc49055 on Apr 3, 2022
  29. DrahtBot locked this on Mar 28, 2023


fanquake MarcoFalke luke-jr hebasto Rspigler jonatack

Labels
Linux/Unix Utils/log/libs

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2024-07-01 10:13 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me