fix: enhanced syscall list

2022-10-20 15:44:03 +08:00 · 2022-10-20 15:44:03 +08:00 · dec92fbf65
commit dec92fbf65
parent 05372f10e8
4 changed files with 27 additions and 14 deletions
--- a/build_libseccomp.sh
+++ b/build_libseccomp.sh
@ -1,11 +1,13 @@
+#!/usr/bin/env bash
+
 VERSION=v2.5.4
 if [ -d ./libseccomp ]; then exit 0; fi

 set -x

-git clone https://github.com/seccomp/libseccomp.git &>/dev/null
+git clone https://github.com/seccomp/libseccomp.git >/dev/null 2>&1 || exit 1
 cd libseccomp || exit 1
-git checkout $VERSION &>/dev/null
-./autogen.sh &>/dev/null || exit 1
-./configure --enable-shared=no &>/dev/null || exit 1
-make -j &>/dev/null || exit 1
+git checkout $VERSION >/dev/null 2>&1
+./autogen.sh >/dev/null 2>&1 || exit 1
+./configure --enable-shared=no >/dev/null 2>&1 || exit 1
+make -j >/dev/null 2>&1 || exit 1
--- a/library.c
+++ b/library.c
@ -7,11 +7,11 @@
 #include <unistd.h>

 static __attribute__((constructor)) void inject(void) {
-    char   comm[64];
-    int    fd  = open("/proc/self/comm", O_RDONLY);
-    size_t len = read(fd, comm, sizeof(comm));
-    len        = len ? len - 1 : 0;
-    comm[len]  = '\0';
+    char    comm[64];
+    int     fd  = open("/proc/self/comm", O_RDONLY);
+    ssize_t len = read(fd, comm, sizeof(comm));
+    len         = len > 0 ? len - 1 : 0;
+    comm[len]   = '\0';
    close(fd);

    LOG_INFO("Setting up sandbox for %s(%d)", comm, getpid());
--- a/rules/lang_c_cpp.c
+++ b/rules/lang_c_cpp.c
@ -8,18 +8,23 @@ void setup_lang_c_cpp(scmp_filter_ctx ctx) {
    int white[] = {
        SCMP_SYS(read),            // 0
        SCMP_SYS(write),           // 1
+        SCMP_SYS(close),           // 3
        SCMP_SYS(fstat),           // 5
        SCMP_SYS(lseek),           // 8
        SCMP_SYS(mmap),            // 9
        SCMP_SYS(munmap),          // 11
+        SCMP_SYS(brk),             // 12
        SCMP_SYS(pread64),         // 17
        SCMP_SYS(getpid),          // 39
+        SCMP_SYS(clone),           // 56
        SCMP_SYS(futex),           // 202
        SCMP_SYS(newfstatat),      // 262
        SCMP_SYS(clock_gettime),   // 228
        SCMP_SYS(clock_getres),    // 229
        SCMP_SYS(clock_nanosleep), // 230
        SCMP_SYS(exit_group),      // 231
+        SCMP_SYS(set_robust_list), // 273
+        SCMP_SYS(get_robust_list), // 274
    };
    int white_len = sizeof(white) / sizeof(white[0]);

--- a/test.c
+++ b/test.c
@ -4,10 +4,16 @@

 int main() {
    LOG_INFO("Testing Memory Limit");
-    void *p = malloc(sizeof(int) * 1024 * 1024 * 10);
-    if (!p) {
-        LOG_ERR("malloc failed");
-    }
+
+    void *p;
+    int   counter = 0;
+    do {
+        p = malloc(1);
+        if (!p) {
+            LOG_ERR("malloc failed, cnt=%d", counter);
+        }
+        counter++;
+    } while (p);

    LOG_INFO("Testing NPROC Limit");
    pid_t pid = fork();