Continue syscalls normally for no matches

If no rule matches, there is no reason to proxy the syscall with identical arguments: Just continue the syscall normally in the supervised process.
vimpostor · Dec 10, 2024 · 851ef82 · 851ef82
1 parent e4c11e9
commit 851ef82
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 10 deletions.
diff --git a/src/bin/seccomp/seccomp_exec.c b/src/bin/seccomp/seccomp_exec.c
@@ -170,7 +170,7 @@ int handle_req(struct seccomp_notif *req,
 
 	int dirfd = -1, proxy_dirfd = -1;
 	char pathname[PATH_MAX];
-	char proxy_pathname[PATH_MAX];
+	const char *proxy_pathname = NULL;
 	int flags;
 	mode_t mode;
 	struct open_how how;
@@ -191,7 +191,7 @@ int handle_req(struct seccomp_notif *req,
 	}
 	if (!found) {
 		fprintf(stderr, "huh? trapped system call %d that does not appear on our list?\n", req->data.nr);
-		// allow target to continue the syscall normally
+		// continue the syscall normally
 		resp->flags |= SECCOMP_USER_NOTIF_FLAG_CONTINUE;
 		resp->error = 0;
 		resp->val = 0;
@@ -242,7 +242,17 @@ int handle_req(struct seccomp_notif *req,
 		goto out;
 	}
 	// Get the redirected file path
-	strcpy(proxy_pathname, find_match(pathname));
+	if (!find_match(&proxy_pathname, pathname)) {
+		// continue the syscall normally
+		resp->flags |= SECCOMP_USER_NOTIF_FLAG_CONTINUE;
+		resp->error = 0;
+		resp->val = 0;
+		if (ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, resp) < 0 && errno != ENOENT) {
+			ret = -1;
+			perror("ioctl send");
+		}
+		goto out;
+	}
 
 	if (nr == __NR_openat2) {
 		// read the special how struct

diff --git a/src/lib/copycat.c b/src/lib/copycat.c
@@ -101,29 +101,32 @@ void read_config() {
 	fclose(f);
 }
 
-const char *find_match(const char *source) {
+// Returns true if a match was found
+bool find_match(const char **match, const char *query) {
 	for (size_t i = 0; i < rules.size; ++i) {
 		size_t rulesrc_len = strlen(rules.table[i].source);
 		// check if we have a recursive rule (match only prefix) or if we have to check for a literal match
 		size_t chars_to_compare = rulesrc_len;
 		if (!rules.table[i].match_prefix) {
-			chars_to_compare = MAX(chars_to_compare, strlen(source));
+			chars_to_compare = MAX(chars_to_compare, strlen(query));
 		}
 
 		// does the rule match?
-		if (!strncmp(source, rules.table[i].source, chars_to_compare)) {
+		if (!strncmp(query, rules.table[i].source, chars_to_compare)) {
 			char *result = (char *) rules.table[i].dest;
 			if (rules.table[i].replace_prefix_only) {
 				// extend result with rest of the input source
 				// this means we have just replaced the prefix
 				strcpy(path_buffer, result);
 				result = path_buffer;
-				strcat(result, source + rulesrc_len);
+				strcat(result, query + rulesrc_len);
 			}
-			return result;
+			*match = result;
+			return true;
 		}
 	}
-	return source;
+	*match = query;
+	return false;
 }
 
 

diff --git a/src/lib/copycat.h b/src/lib/copycat.h
@@ -22,7 +22,7 @@ void add_rule(char *source, char *destination);
 void parse_rule(char *line);
 void parse_rules(char *rls);
 void read_config();
-const char *find_match(const char *source);
+bool find_match(const char **match, const char *query);
 
 long original_openat2(int dirfd, const char *pathname, struct open_how *how, size_t size);