seccomp-util: pass negative fds as is to fsync() and friends

Closes #34478. Co-authored-by: Mike Yuan <me@yhndnzj.com> (cherry picked from commit 144fbbac235b6b89d5d31795be1cc0dca9852ccc) (cherry picked from commit 4bbd6f589ad97a0df6ab59e03c8c535d298d05eb) (cherry picked from commit 04a54264be)
2025-01-07 17:17:44 +03:00 · 2024-09-20 03:52:19 +09:00 · 2024-09-20 03:52:19 +09:00 · c70e6577e1
commit c70e6577e1
parent 7bdcb23751
1 changed files with 20 additions and 7 deletions
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@ -863,6 +863,7 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
                .name = "@sync",
                .help = "Synchronize files and memory to storage",
                .value =
+                /* Please also update the list in seccomp_suppress_sync(). */
                "fdatasync\0"
                "fsync\0"
                "msync\0"
@ -2337,8 +2338,10 @@ int seccomp_suppress_sync(void) {
        uint32_t arch;
        int r;

-        /* This is mostly identical to SystemCallFilter=~@sync:0, but simpler to use, and separately
-         * manageable, and also masks O_SYNC/O_DSYNC */
+        /* This behaves slightly differently from SystemCallFilter=~@sync:0, in that negative fds (which
+         * we can determine to be invalid) are still refused with EBADF. See #34478.
+         *
+         * Additionally, O_SYNC/O_DSYNC are masked. */

        SECCOMP_FOREACH_LOCAL_ARCH(arch) {
                _cleanup_(seccomp_releasep) scmp_filter_ctx seccomp = NULL;
@ -2356,11 +2359,21 @@ int seccomp_suppress_sync(void) {
                                continue;
                        }

-                        r = seccomp_rule_add_exact(
-                                        seccomp,
-                                        SCMP_ACT_ERRNO(0), /* success → we want this to be a NOP after all */
-                                        id,
-                                        0);
+                        if (STR_IN_SET(c, "fdatasync", "fsync", "sync_file_range", "sync_file_range2", "syncfs"))
+                                r = seccomp_rule_add_exact(
+                                                seccomp,
+                                                SCMP_ACT_ERRNO(0), /* success → we want this to be a NOP after all */
+                                                id,
+                                                1,
+                                                SCMP_A0(SCMP_CMP_LE, INT_MAX)); /* The rule handles arguments in unsigned. Hence, this
+                                                                                 * means non-negative fd matches the rule, and the negative
+                                                                                 * fd passed to the syscall (then it fails with EBADF). */
+                        else
+                                r = seccomp_rule_add_exact(
+                                                seccomp,
+                                                SCMP_ACT_ERRNO(0), /* success → we want this to be a NOP after all */
+                                                id,
+                                                0);
                        if (r < 0)
                                log_debug_errno(r, "Failed to add filter for system call %s, ignoring: %m", c);
                }