From 00614c5e6702db8ac3f18a9e193c7a8382f16e6b Mon Sep 17 00:00:00 2001 From: Stefano Brivio Date: Wed, 14 Jun 2023 07:25:52 +0200 Subject: cooker: Support for read(), OP_STORE, field-based filters Signed-off-by: Stefano Brivio --- operations.c | 40 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) (limited to 'operations.c') diff --git a/operations.c b/operations.c index e1132d5..70c8f08 100644 --- a/operations.c +++ b/operations.c @@ -292,6 +292,45 @@ out: return ret; } +int op_store(const struct seccomp_notif *req, int notifier, struct gluten *g, + struct op_store *store) +{ + const long unsigned int *dst = gluten_ptr(&req->data, g, store->dst); + const size_t *count = gluten_ptr(&req->data, g, store->count); + const void *src = gluten_ptr(&req->data, g, store->src); + char path[PATH_MAX]; + int fd, ret = 0; + + debug(" op_store: argument (%s %d) in (%s %d) size=%d", + gluten_offset_name[store->src.type], store->src.offset, + gluten_offset_name[store->dst.type], store->dst.offset); + + if (dst == NULL) + ret_err(-1, " op_store: empty destination"); + + snprintf(path, sizeof(path), "/proc/%d/mem", req->pid); + if ((fd = open(path, O_WRONLY | O_CLOEXEC)) < 0) + ret_err(-1, "error opening mem for %d", req->pid); + /* + * Avoid the TOCTOU and check if the read mappings are still valid + */ + if (!is_cookie_valid(notifier, req->id)) { + err("the seccomp request isn't valid anymore"); + ret = -1; + goto out; + } + + if (pwrite(fd, src, *count, *dst) < 0) { + err("pwrite"); + ret = -1; + goto out; + } + +out: + close(fd); + return ret; +} + int op_return(const struct seccomp_notif *req, int notifier, struct gluten *g, struct op_return *op) { @@ -503,6 +542,7 @@ int eval(struct gluten *g, const struct seccomp_notif *req, HANDLE_OP(OP_RETURN, op_return, ret, g); HANDLE_OP(OP_FD, op_fd, fd, g); HANDLE_OP(OP_LOAD, op_load, load, g); + HANDLE_OP(OP_STORE, op_store, store, g); HANDLE_OP(OP_BITWISE, op_bitwise, bitwise, g); HANDLE_OP(OP_CMP, op_cmp, cmp, g); HANDLE_OP(OP_RESOLVEDFD, op_resolve_fd, resfd, g); -- cgit v1.2.3