
Integrate runtime components into single runtime #290

Merged (18 commits), Jan 9, 2024

Conversation

@fw-immunant (Contributor) commented Sep 25, 2023

This is not yet applied to our compartmentalized binaries and tests, but runs a tiny (uncompartmentalized) demo program, which I've been manually linking against it for validation.

This PR will be ready for merging when the build-system work is done to integrate the runtime with our tests themselves, but we'll want a switch to build without the runtime (or disable it) so that we can debug tests, as the runtime (being a ptracer) conflicts with gdb and other debuggers.

This implements an initial coarse-grained syscall policy very similar to that described in #233, and integrates fine-grained syscall filtering as described in #235. As we validate this on our tests/demos/nginx we'll probably add syscalls to our allowlist to get closer to what #231 outlines.

@fw-immunant (Contributor, Author):
One wart here is that we use SECCOMP_FILTER_FLAG_NEW_LISTENER to get a seccomp_unotify fd, but we don't actually use this fd for anything. If we need to do more detailed inspection of syscall arguments in memory or if we need to inject fds into the inferior to simulate some syscalls, we likely will need this fd; see man 2 seccomp_unotify. But for now, we're setting up this infrastructure without it being load-bearing.
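The listener setup described in the comment above, as an added example that is not part of this PR or the project's code: it builds a coarse-grained allowlist in classic BPF, sends every other syscall to the ptracer with SECCOMP_RET_TRACE, and installs the filter with SECCOMP_FILTER_FLAG_NEW_LISTENER so the caller receives a seccomp_unotify fd (held, but not serviced, as in the PR). The allowlist contents (read, write, exit_group), the function names, and the small offline evaluator used to check the policy without installing it are illustrative assumptions, not the runtime's actual policy.

```c
/* Added example, not the project's runtime: coarse-grained seccomp allowlist
 * installed with SECCOMP_FILTER_FLAG_NEW_LISTENER. The allowlist and helper
 * names are assumptions for illustration. */
#define _GNU_SOURCE
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef SECCOMP_FILTER_FLAG_NEW_LISTENER
#define SECCOMP_FILTER_FLAG_NEW_LISTENER (1UL << 3)   /* Linux >= 5.0 */
#endif
#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif

#if defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#else
#error "unsupported architecture for this example"
#endif

/* Emit: check arch (kill on mismatch), load nr, JEQ chain over the
 * allowlist jumping to ALLOW, default SECCOMP_RET_TRACE for the ptracer.
 * Returns the instruction count, or 0 if `out` is too small. */
size_t build_filter(struct sock_filter *out, size_t cap,
                    const int *allow, size_t n_allow)
{
    size_t len = 0;
    if (cap < n_allow + 6 || n_allow > 200) return 0;
    out[len++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                              offsetof(struct seccomp_data, arch));
    out[len++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0);
    out[len++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    out[len++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                              offsetof(struct seccomp_data, nr));
    for (size_t i = 0; i < n_allow; i++) {
        /* On match, skip the remaining compares and the TRACE to reach ALLOW. */
        out[len++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                         (unsigned int)allow[i], (unsigned char)(n_allow - i), 0);
    }
    out[len++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRACE);
    out[len++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return len;
}

/* Minimal interpreter for the three opcodes build_filter emits, so a policy
 * can be checked offline. Only the `arch` and `nr` fields are ever loaded. */
unsigned int eval_filter(const struct sock_filter *prog, size_t len,
                         unsigned int arch, unsigned int nr)
{
    unsigned int acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *in = &prog[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            acc = (in->k == offsetof(struct seccomp_data, arch)) ? arch : nr;
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == in->k) ? in->jt : in->jf;
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:
            return SECCOMP_RET_KILL_PROCESS;   /* opcode we never emit */
        }
    }
    return SECCOMP_RET_KILL_PROCESS;           /* fell off the end */
}

/* Install the filter; returns the seccomp_unotify listener fd (>= 0) or -1. */
int install_filter(struct sock_filter *prog, size_t len)
{
    struct sock_fprog fprog = { .len = (unsigned short)len, .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return (int)syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER,
                        SECCOMP_FILTER_FLAG_NEW_LISTENER, &fprog);
}

/* Illustrative allowlist (assumption): enough for the demo main() to finish. */
static const int demo_allow[] = { SYS_read, SYS_write, SYS_exit_group };
#define DEMO_ALLOW_N (sizeof demo_allow / sizeof demo_allow[0])

size_t demo_filter_len(void)
{
    struct sock_filter prog[16];
    return build_filter(prog, 16, demo_allow, DEMO_ALLOW_N);
}

/* Build the demo policy and classify one (arch, nr) pair without installing it. */
unsigned int classify(unsigned int arch, int nr)
{
    struct sock_filter prog[16];
    size_t len = build_filter(prog, 16, demo_allow, DEMO_ALLOW_N);
    return eval_filter(prog, len, arch, (unsigned int)nr);
}

int main(void)
{
    struct sock_filter prog[16];
    size_t len = build_filter(prog, 16, demo_allow, DEMO_ALLOW_N);
    int listener = install_filter(prog, len);
    if (listener < 0) { perror("seccomp(SECCOMP_FILTER_FLAG_NEW_LISTENER)"); return 1; }
    /* The listener fd is held but not serviced. From here on, anything not in
     * demo_allow stops at the ptracer via SECCOMP_RET_TRACE, or fails with
     * ENOSYS if no tracer is attached. */
    static const char msg[] = "filter installed, listener fd held\n";
    write(1, msg, sizeof msg - 1);
    return 0;
}
```

Running the installed filter under gdb shows the conflict noted above: SECCOMP_RET_TRACE needs the tracer to be the same process that handles PTRACE_EVENT_SECCOMP, so a debugger attached to the inferior and the runtime's own ptrace loop cannot both own it.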

@rinon self-requested a review October 2, 2023 20:15

@rinon (Collaborator) left a comment:

So as is, the usage for this is to add the ia2-main library, which wraps main to fork and run the binary? How does this interact with our existing wrapping of main to set the pkey?

Did you decide to do this rather than the external binary that runs a separate child with fork+exec? Or was this implementation before we discussed that?

runtime/CMakeLists.txt (outdated, resolved)
runtime/seccomp_filter_demo.c (outdated, resolved)
Comment on lines +362 to +373:

/* track the inferior process' memory map.

returns true if the inferior exits, false on trace error.

if true is returned, the inferior's exit status will be stored to *exit_status_out if not NULL. */

@rinon (Collaborator):

Probably want to put this in the header?

@fw-immunant fw-immunant force-pushed the fw/integrate-runtime branch 2 times, most recently from 3c7d8f1 to 8f99d07 Compare October 18, 2023 16:10
@fw-immunant fw-immunant marked this pull request as ready for review November 1, 2023 21:45
@fw-immunant (Contributor, Author):

This is without the changes needed to support multiple threads and fork/exec; see #307.

@fw-immunant fw-immunant merged commit eb134ed into main Jan 9, 2024
33 checks passed
@fw-immunant mentioned this pull request Jan 22, 2024
@fw-immunant fw-immunant deleted the fw/integrate-runtime branch May 28, 2024 20:17