This puts syscalls into the allow list that were triggered on the latest
systems including extended usage tests, signal and systemd handling.
On PowerPC (and variants), Linux has its own ioctls.h which
defines `TCGETS` as `_IOR('t', 19, struct termios)`.
That means without having included `termios.h`, the build will fail
with usage of the incomplete type `struct termios` as soon as `TCGETS`
is used.
When seccomp causes a crash, use a SIGSYS action and handle it to print
out an error. Most functions are not allowed at that point (no buffered
output, no ?printf functions, no abort, ...), so the implementation is
as minimal as possible.
Print out a message with the syscall number and exit the process (all
threads).
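As an added illustration of the handler the commit above describes (example code written here, not memcached's own linux_priv code): the number is formatted by hand because the printf family is not async-signal-safe, the message leaves through write(2), and _exit(2) ends the whole process, every thread included. It assumes the filter's action for a forbidden call is the trap action (SECCOMP_RET_TRAP, libseccomp's SCMP_ACT_TRAP), since that is what raises SIGSYS and fills in si_syscall; the names sigsys_format and install_sigsys_handler are mine.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stddef.h>
#include <string.h>
#include <unistd.h>

/* Append the decimal digits of v to buf at pos; returns the new position.
 * Hand-rolled because snprintf must not be called from a signal handler. */
static size_t put_unsigned(char *buf, size_t cap, size_t pos, unsigned long v) {
    char tmp[24];
    size_t n = 0;
    do {
        tmp[n++] = (char)('0' + v % 10);
        v /= 10;
    } while (v != 0);
    while (n > 0 && pos < cap) buf[pos++] = tmp[--n];
    return pos;
}

static size_t put_str(char *buf, size_t cap, size_t pos, const char *s) {
    while (*s != '\0' && pos < cap) buf[pos++] = *s++;
    return pos;
}

/* Build "seccomp: blocked syscall <nr>\n" into buf; returns the length.
 * Kept apart from the handler so it can be checked without raising a signal. */
size_t sigsys_format(char *buf, size_t cap, long nr) {
    size_t pos = put_str(buf, cap, 0, "seccomp: blocked syscall ");
    unsigned long mag = nr < 0 ? 0UL - (unsigned long)nr : (unsigned long)nr;
    if (nr < 0) pos = put_str(buf, cap, pos, "-");
    pos = put_unsigned(buf, cap, pos, mag);
    return put_str(buf, cap, pos, "\n");
}

static void sigsys_handler(int sig, siginfo_t *si, void *ctx) {
    (void)sig; (void)ctx;
    char buf[64];
    long nr = -1;                 /* -1 means the libc does not expose it */
#ifdef si_syscall
    nr = si->si_syscall;          /* set by the kernel for SECCOMP_RET_TRAP */
#else
    (void)si;
#endif
    size_t len = sigsys_format(buf, sizeof buf, nr);
    /* write and _exit are async-signal-safe; _exit terminates all threads. */
    ssize_t r = write(STDERR_FILENO, buf, len);
    (void)r;
    _exit(1);
}

/* Returns 0 on success. Install this before loading the seccomp filter so the
 * handler is already in place the first time the policy fires. */
int install_sigsys_handler(void) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = sigsys_handler;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    return sigaction(SIGSYS, &sa, NULL);
}
```

Nothing in the handler allocates, locks or touches stdio, which is the whole point: a SIGSYS can arrive while any thread holds the stdio lock or the malloc arena, and a handler that needs either would deadlock instead of reporting.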
Allow worker threads to poll
Instead of denying access when a forbidden syscall is triggered, kill
the whole process.
This is good because it prevents silent failures when running into
issues with new/different libc implementations. This is also good,
because failures to follow the policy cause an immediate, loud KILL.
Musl-based distributions like Alpine didn't work with seccomp profile
enabled. This was due to musl using different syscalls than glibc under
the covers.
- writev/readv and epoll_pwait have been allowed
- specific ioctl has been allowed to enable printing the error/exit
message
- brk has been allowed at runtime
- worker writes to stderr have been allowed (this was also broken on
glibc)
Stats requires getpid now in the worker threads. Main thread requires it
to generate coverage in debug mode.
Implement an aggressive version of drop_privileges(). Additionally add
similar initialization function for threads drop_worker_privileges().
This version is similar to the Solaris one and prohibits memcached from
making any not approved syscalls. Current list narrows down the allowed
calls to socket sends/recvs, accept, epoll handling, futex (and
dependencies - mmap), getrusage (for stats), and signal / exit
handling.
Any incorrect behaviour will result in EACCES being returned. This should be
restricted further to KILL in the future (after more testing).
The feature is only tested for i386 and x86_64. It depends on bpf
filters and seccomp enabled in the kernel. It also requires libseccomp
for abstraction to seccomp filters. All are available since Linux 3.5.
Seccomp filtering can be enabled at compile time with --enable-seccomp.
In case of local customisations which require more rights, memcached
allows disabling drop_privileges() with "-o no_drop_privileges" at
startup.
Tests have to run with "-o relaxed_privileges", since they require
disk access after the tests complete. This adds a few allowed syscalls,
but does not disable the protection system completely.
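Added example, not memcached's own linux_priv code, for the policy shape the commits above converge on: an allow list of syscall numbers with kill-the-process as the default, the arrangement the later "kill the whole process" commit adopts. It is built as raw seccomp-bpf rather than through libseccomp so that only kernel headers are needed, and it carries a small interpreter for the three opcodes it emits so a policy can be unit-tested against syscall numbers before anything is installed. The function names, the MAX_ALLOWED limit, the AUDIT_ARCH selection (x86_64, i386, aarch64) and the three-syscall demo list in main are my assumptions.

```c
#include <stddef.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#ifndef SECCOMP_RET_KILL_PROCESS          /* older kernel headers lack it */
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif

#if defined(__x86_64__)
#define SECCOMP_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__i386__)
#define SECCOMP_AUDIT_ARCH AUDIT_ARCH_I386
#elif defined(__aarch64__)
#define SECCOMP_AUDIT_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* constant for this architecture"
#endif

#define MAX_ALLOWED 64
/* arch check (3) + load nr (1) + one compare per entry + KILL + ALLOW */
#define FILTER_LEN(n) ((n) + 6)

static struct sock_filter stmt(unsigned short code, unsigned int k) {
    struct sock_filter f = { code, 0, 0, k };
    return f;
}
static struct sock_filter jump(unsigned short code, unsigned int k,
                               unsigned char jt, unsigned char jf) {
    struct sock_filter f = { code, jt, jf, k };
    return f;
}

/* Emit a filter that allows exactly the syscall numbers in `allowed` and
 * kills the whole process for anything else. Returns the instruction
 * count, or 0 when the input does not fit. */
size_t build_allow_filter(const int *allowed, size_t n,
                          struct sock_filter *prog, size_t cap) {
    if (n == 0 || n > MAX_ALLOWED || cap < FILTER_LEN(n)) return 0;
    size_t i = 0;
    /* Refuse a foreign ABI first: syscall numbers differ per architecture. */
    prog[i++] = stmt(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    prog[i++] = jump(BPF_JMP | BPF_JEQ | BPF_K, SECCOMP_AUDIT_ARCH, 1, 0);
    prog[i++] = stmt(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    /* Load the number once; a matching compare jumps over the remaining
     * compares and the default KILL straight to the final ALLOW. */
    prog[i++] = stmt(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t k = 0; k < n; k++)
        prog[i++] = jump(BPF_JMP | BPF_JEQ | BPF_K, (unsigned int)allowed[k],
                         (unsigned char)(n - k), 0);
    prog[i++] = stmt(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);  /* default */
    prog[i++] = stmt(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return i;
}

/* Interpreter for just the opcodes emitted above, so a policy can be
 * checked offline. Unknown opcodes fail closed. */
unsigned int filter_verdict(const struct sock_filter *prog, size_t len,
                            unsigned int arch, int nr) {
    struct seccomp_data d;
    memset(&d, 0, sizeof d);
    d.nr = nr;
    d.arch = arch;
    unsigned int acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *in = &prog[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            memcpy(&acc, (const char *)&d + in->k, sizeof acc);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == in->k) ? in->jt : in->jf;
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:
            return SECCOMP_RET_KILL_PROCESS;
        }
    }
    return SECCOMP_RET_KILL_PROCESS;
}

/* NO_NEW_PRIVS is what lets an unprivileged process install a filter. */
int install_filter(struct sock_filter *prog, size_t len) {
    struct sock_fprog fprog = { .len = (unsigned short)len, .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

int main(void) {
    /* Constructed demo list: just enough to print one line and exit. */
    const int allowed[] = { SYS_write, SYS_exit_group, SYS_exit };
    struct sock_filter prog[FILTER_LEN(MAX_ALLOWED)];
    size_t len = build_allow_filter(allowed, 3, prog, FILTER_LEN(MAX_ALLOWED));
    if (len == 0 || install_filter(prog, len) != 0) return 1;
    static const char msg[] = "filter loaded; any other syscall now kills the process\n";
    write(STDOUT_FILENO, msg, sizeof msg - 1);
    _exit(0);
}
```

The arch check is not optional: on a multi-ABI kernel a process can issue an i386 syscall from an x86_64 binary, and the same number means a different call there, so a list checked without the arch compare is not the list you wrote. The offline interpreter is how the "new/different libc" problem from the musl commit can be caught before deployment: run the expected call set for each libc through filter_verdict and look for KILL verdicts.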