| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250110.152323-sassy.torch.lavish.rent-vKX3ul5B3qyi@cyphar.com>
Date: Sat, 11 Jan 2025 02:25:37 +1100
From: Aleksa Sarai <cyphar@...har.com>
To: Eyal Birger <eyal.birger@...il.com>
Cc: Jiri Olsa <jolsa@...nel.org>, olsajiri@...il.com, mhiramat@...nel.org,
oleg@...hat.com, linux-kernel <linux-kernel@...r.kernel.org>,
linux-trace-kernel@...r.kernel.org, BPF-dev-list <bpf@...r.kernel.org>,
Song Liu <songliubraving@...com>, Yonghong Song <yhs@...com>,
John Fastabend <john.fastabend@...il.com>, peterz@...radead.org, tglx@...utronix.de, bp@...en8.de,
x86@...nel.org, linux-api@...r.kernel.org, Andrii Nakryiko <andrii@...nel.org>,
Daniel Borkmann <daniel@...earbox.net>, Alexei Starovoitov <ast@...nel.org>,
Andrii Nakryiko <andrii.nakryiko@...il.com>, "rostedt@...dmis.org" <rostedt@...dmis.org>, rafi@....io,
Shmulik Ladkani <shmulik.ladkani@...il.com>
Subject: Re: Crash when attaching uretprobes to processes running in Docker
On 2025-01-10, Eyal Birger <eyal.birger@...il.com> wrote:
> Hi,
>
> When attaching uretprobes to processes running inside docker, the attached
> process is segfaulted when encountering the retprobe. The offending commit
> is:
>
> ff474a78cef5 ("uprobe: Add uretprobe syscall to speed up return probe")
>
> To my understanding, the reason is that now that uretprobe is a system call,
> the default seccomp filters in docker block it as they only allow a specific
> set of known syscalls.
FWIW, the default seccomp profile of Docker _should_ return -ENOSYS for
uretprobe (runc has a bunch of ugly logic to try to guarantee this if
Docker hasn't updated their profile to include it). Though I guess that
isn't sufficient for the magic that uretprobe(2) does...
> This behavior can be reproduced by the below bash script, which works before
> this commit.
>
> Reported-by: Rafael Buchbinder <rafi@....io>
>
> Eyal.
>
> --- CODE ---
> #!/bin/bash
>
> cat > /tmp/x.c << EOF
> #include <stdio.h>
> #include <seccomp.h>
>
> char *syscalls[] = {
> "write",
> "exit_group",
> };
>
> __attribute__((noinline)) int probed(void)
> {
> printf("Probed\n");
> return 1;
> }
>
> void apply_seccomp_filter(char **syscalls, int num_syscalls)
> {
> scmp_filter_ctx ctx;
>
> ctx = seccomp_init(SCMP_ACT_ERRNO(1));
> for (int i = 0; i < num_syscalls; i++) {
> seccomp_rule_add(ctx, SCMP_ACT_ALLOW,
> seccomp_syscall_resolve_name(syscalls[i]), 0);
> }
> seccomp_load(ctx);
> seccomp_release(ctx);
> }
>
> int main(int argc, char *argv[])
> {
> int num_syscalls = sizeof(syscalls) / sizeof(syscalls[0]);
>
> apply_seccomp_filter(syscalls, num_syscalls);
>
> probed();
>
> return 0;
> }
> EOF
>
> cat > /tmp/trace.bt << EOF
> uretprobe:/tmp/x:probed
> {
> printf("ret=%d\n", retval);
> }
> EOF
>
> gcc -o /tmp/x /tmp/x.c -lseccomp
>
> /usr/bin/bpftrace /tmp/trace.bt &
>
> sleep 5 # wait for uretprobe attach
> /tmp/x
>
> pkill bpftrace
>
> rm /tmp/x /tmp/x.c /tmp/trace.bt
>
--
Aleksa Sarai
Senior Software Engineer (Containers)
SUSE Linux GmbH
https://www.cyphar.com/
Download attachment "signature.asc" of type "application/pgp-signature" (229 bytes)
Powered by blists - more mailing lists