diff options
| author | Stanisław Pitucha <viraptor@gmail.com> | 2014-12-13 20:27:53 +1100 |
|---|---|---|
| committer | dormando <dormando@rydia.net> | 2017-08-23 23:59:11 -0700 |
| commit | 78c260a2ea8a3662720562ef2c0364eac36dfa4a (patch) | |
| tree | 7453fad7c38002c7ab332aeb2b3e5990c96d6675 /HACKING | |
| parent | 3e8f5e25f06dc7649038e8a0a229acd5b627882d (diff) | |
| download | memcached-78c260a2ea8a3662720562ef2c0364eac36dfa4a.tar.gz | |
Add drop_privileges() for Linux
Implement an aggressive version of drop_privileges(). Additionally add
similar initialization function for threads drop_worker_privileges().
This version is similar to Solaris one and prohibits memcached from
making any not approved syscalls. Current list narrows down the allowed
calls to socket sends/recvs, accept, epoll handling, futex (and
dependencies - mmap), getrusage (for stats), and signal / exit
handling.
Any incorrect behaviour will result in EACCES returned. This should be
restricted further to KILL in the future (after more testing).
The feature is only tested for i386 and x86_64. It depends on bpf
filters and seccomp enabled in the kernel. It also requires libsecomp
for abstraction to seccomp filters. All are available since Linux 3.5.
Seccomp filtering can be enabled at compile time with --enable-seccomp.
In case of local customisations which require more rights, memcached
allows disabling drop_privileges() with "-o no_drop_privileges" at
startup.
Tests have to run with "-o relaxed_privileges", since they require
disk access after the tests complete. This adds a few allowed syscalls,
but does not disable the protection system completely.
Diffstat (limited to 'HACKING')
| -rw-r--r-- | HACKING | 27 |
1 files changed, 27 insertions, 0 deletions
@@ -47,6 +47,33 @@ If you export the environment variable T_MEMD_USE_DAEMON="127.0.0.1:11211" the tests will use an existing daemon at that address. +* Debugging seccomp issues + +If new functionality fails when built with seccomp / drop privileges +support, it can be debugged in one of two ways: + +Run the memcached via strace. For example: + + strace -o /tmp/memcache.strace -f -- ./memcached + less /tmp/memcache.strace + +And look for calls which failed due to access restriction. They will +show up with result: "-1 (errno 13)". Then add them to linux_priv.c. + +Alternatively, change the definition in linux_priv.c to: + + #define DENY_ACTION SCMP_ACT_TRAP + +and the process will crash with a coredump on all policy violations. +In strace output those can be seen as: + + SIGSYS {si_signo=SIGSYS, si_code=SYS_SECCOMP, + si_call_addr=0x358a443454d, si_syscall=__NR_write, + si_arch=AUDIT_ARCH_X86_64} --- + +In that output, the si_syscall shows which operation has been +blocked. In this case that's `write()`. + * Sending patches See current instructions at http://contributing.appspot.com/memcached |