run: Allow perf and ptrace in debug and build mode.

Without this you can't e.g. run a debugger or profiler in the sandbox.
2015-09-18 14:11:15 +02:00 · 2015-09-18 14:11:15 +02:00 · 5065e431a2
parent 645c433960
commit 5065e431a2
3 changed files with 31 additions and 4 deletions
--- a/app/xdg-app-builtins-build.c
+++ b/app/xdg-app-builtins-build.c
@ -134,7 +134,7 @@ xdg_app_builtin_build (int argc, char **argv, GCancellable *cancellable, GError
  argv_array = g_ptr_array_new_with_free_func (g_free);
  g_ptr_array_add (argv_array, g_strdup (HELPER));

-  g_ptr_array_add (argv_array, g_strdup ("-wr"));
+  g_ptr_array_add (argv_array, g_strdup ("-wrc"));

  app_context = xdg_app_context_new ();
  if (!xdg_app_context_load_metadata (app_context, runtime_metakey, error))
--- a/app/xdg-app-builtins-run.c
+++ b/app/xdg-app-builtins-run.c
@ -338,6 +338,9 @@ xdg_app_builtin_run (int argc, char **argv, GCancellable *cancellable, GError **
  g_ptr_array_add (argv_array, g_strdup ("-b"));
  g_ptr_array_add (argv_array, g_strdup_printf ("/run/host/fonts=%s", SYSTEM_FONTS_DIR));

+  if (opt_devel)
+    g_ptr_array_add (argv_array, g_strdup ("-c"));
+
  home = g_file_new_for_path (g_get_home_dir ());
  user_font1 = g_file_resolve_relative_path (home, ".local/share/fonts");
  user_font2 = g_file_resolve_relative_path (home, ".fonts");
--- a/lib/xdg-app-helper.c
+++ b/lib/xdg-app-helper.c
@ -291,7 +291,7 @@ static inline int raw_clone(unsigned long flags, void *child_stack) {
 }

 static void
-setup_seccomp (void)
+setup_seccomp (bool devel)
 {
  scmp_filter_ctx seccomp;
  /**** BEGIN NOTE ON CODE SHARING
@ -353,7 +353,12 @@ setup_seccomp (void)
    {SCMP_SYS(mount)},
    {SCMP_SYS(pivot_root)},
    {SCMP_SYS(clone), &SCMP_A0(SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)},
+  };

+  struct {
+    int scall;
+    struct scmp_arg_cmp *arg;
+  } syscall_nondevel_blacklist[] = {
    /* Profiling operations; we expect these to be done by tools from outside
     * the sandbox.  In particular perf has been the source of many CVEs.
     */
@ -415,6 +420,20 @@ setup_seccomp (void)
        die_with_error ("Failed to block syscall %d", scall);
    }

+  if (!devel)
+    {
+      for (i = 0; i < N_ELEMENTS (syscall_nondevel_blacklist); i++)
+        {
+          int scall = syscall_nondevel_blacklist[i].scall;
+          if (syscall_nondevel_blacklist[i].arg)
+            r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO(EPERM), scall, 1, *syscall_nondevel_blacklist[i].arg);
+          else
+            r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO(EPERM), scall, 0);
+          if (r < 0 && r == -EFAULT /* unknown syscall */)
+            die_with_error ("Failed to block syscall %d", scall);
+        }
+    }
+
  /* Socket filtering doesn't work on x86 */
  if (uname (&uts) == 0 && strcmp (uts.machine, "i686") != 0)
    {
@ -1856,6 +1875,7 @@ main (int argc,
  char **args;
  char *tmp;
  int n_args;
+  bool devel = FALSE;
  bool share_shm = FALSE;
  bool network = FALSE;
  bool ipc = FALSE;
@ -1884,7 +1904,7 @@ main (int argc,

  clean_argv (argc, argv);

-  while ((c =  getopt (argc, argv, "+inWweEsfFHra:m:M:b:B:p:x:ly:d:D:v:I:gS:")) >= 0)
+  while ((c =  getopt (argc, argv, "+inWwceEsfFHra:m:M:b:B:p:x:ly:d:D:v:I:gS:")) >= 0)
    {
      switch (c)
        {
@ -1892,6 +1912,10 @@ main (int argc,
          app_path = optarg;
          break;

+        case 'c':
+          devel = TRUE;
+          break;
+
        case 'M':
          /* Same, but remove source */
          goto extra_file;
@ -2396,7 +2420,7 @@ main (int argc,
 #endif

  __debug__(("setting up seccomp\n"));
-  setup_seccomp ();
+  setup_seccomp (devel);

  __debug__(("forking for child\n"));