Skip to content

set_secure_computing_mode(SecureComputingMode::Filter) has no filter argument #1451

New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom
Open
rusty-snake opened this issue Apr 12, 2025 · 7 comments · May be fixed by #1458
Open

set_secure_computing_mode(SecureComputingMode::Filter) has no filter argument #1451

rusty-snake opened this issue Apr 12, 2025 · 7 comments · May be fixed by #1458

Comments

@rusty-snake
Copy link
Contributor

The C interface looks like

[[deprecated]]
int prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, struct sock_fprog *filter);

however rustix' iterface looks like

set_secure_computing_mode(SecureComputingMode::Filter)

so filter will be some garbage, mostly likely failing with EFAULT.

Since PR_SET_SECCOMP (but not PR_GET_SECCOMP) is deprecated and superseded by seccomp anyway. Do you see a good reason to fix the prctl variant? Or should we just deprecated and later remove the prctl variant in rustix and add support for seccomp(2) as seccomp_set_mode_strict() and seccomp_set_mode_filter(flags, args)?
@sunfishcode
Copy link
Member

sunfishcode commented Apr 12, 2025
edited
Loading

There is a bug here, though it doesn't pass a garbage pointer; it uses prctl_2args which always passes NULL as the remaining arguments.

set_secure_computing_mode does work with SecureComputingMode::Strict, so I think the thing to do is to deprecate just SecureComputingMode::Filter. And yes, I think it's sufficient to just deprecate it. We can always add a new interface in the future, if we get requests for it.

@rusty-snake rusty-snake changed the title set_secure_computing_mode(SecureComputingMode::Filter) passes a pointer to garbage to the kernel set_secure_computing_mode(SecureComputingMode::Filter) has no filter argument Apr 12, 2025
@rusty-snake
Copy link
Contributor Author

set_secure_computing_mode does work with SecureComputingMode::Strict

+1

deprecate just SecureComputingMode::Filter

This is still a valid return value of secure_computing_mode(). And actually the only possible return value of secure_computing_mode() other than SecureComputingMode::Disabled.

@sunfishcode
Copy link
Member

sunfishcode commented Apr 21, 2025
edited
Loading

This is still a valid return value of secure_computing_mode(). And actually the only possible return value of secure_computing_mode() other than SecureComputingMode::Disabled.

Ah. In that case we probably should deprecate set_secure_computing_mode and define a new function that at least supports the SecureComputingMode::Strict functionality, so that the deprecated message can recommend it as a replacement.

Edit: set_secure_computing_mode is the one that needs to be deprecated because it doesn't work for Filter.

@rusty-snake
Copy link
Contributor Author

deprecate secure_computing_mode

secure_computing_mode or set_secure_computing_mode?

@sunfishcode
Copy link
Member

Oops yes, set_secure_computing_mode.

@rusty-snake
Copy link
Contributor Author

So basically we deprecate set_secure_computing_mode and add set_secure_computing_mode_strict() and set_secure_computing_mode_filter(filter, flags).

@sunfishcode
Copy link
Member

Yeah, that sounds reasonable. It is less convenient if users want to change the mode dynamically, but that seems unlikely to be common.

@rusty-snake rusty-snake linked a pull request May 1, 2025 that will close this issue
Draft
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Draft: seccomp syscall and ioctls rusty-snake/rustix
2 participants
@sunfishcode @rusty-snake