I'd like to sandbox a Rust program using seccomp (libseccomp v2.3) on Linux. The problem I'm running into is that Rust (or std) executes a `sigaltstack` call after `main()` exits, and this causes the process to be killed for a seccomp violation. I've tried to allow this call (`seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(sigaltstack), 0)`), but it doesn't seem to have an effect.

How can I allow `sigaltstack` for Rust? Or is it possible to avoid Rust's runtime calling `sigaltstack`?
How are you setting up the sandbox?
As the first thing in `fn main()` I'm calling through FFI a C function with:

```c
#include <seccomp.h>

scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_KILL);
seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(sigaltstack), 0);
// [..bunch of other adds..]
seccomp_load(ctx);
```
This seems to work for me (i.e. exits cleanly) using the `seccomp-sys` crate as the FFI wrapper:

```rust
extern crate seccomp_sys as sc;

fn main() {
    unsafe {
        let ctx = sc::seccomp_init(sc::SCMP_ACT_KILL);
        assert!(!ctx.is_null());
        // Syscall numbers below are for x86_64.
        assert!(sc::seccomp_rule_add(ctx, sc::SCMP_ACT_ALLOW, 131, 0) == 0); // sigaltstack
        assert!(sc::seccomp_rule_add(ctx, sc::SCMP_ACT_ALLOW, 11, 0) == 0);  // munmap
        assert!(sc::seccomp_rule_add(ctx, sc::SCMP_ACT_ALLOW, 231, 0) == 0); // exit_group
        assert!(sc::seccomp_load(ctx) == 0);
    }
}
```

It was instrumental to use `strace` to find out which syscalls had to be allowed.
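The same kill-by-default allowlist can be built without libseccomp, as an added example that is not part of the reply above and does not use the `seccomp-sys` crate: it assembles the seccomp-BPF program by hand and installs it with `prctl(2)` declared directly against libc. It assumes Linux x86_64 (the `AUDIT_ARCH_X86_64` value and the syscall numbers 131/11/231 for `sigaltstack`/`munmap`/`exit_group` are from that ABI), and the small `evaluate` interpreter is included only so the filter's decisions can be checked without loading it into the kernel. Which syscalls the Rust runtime issues after `main()` returns depends on the toolchain version, so the list should still be confirmed with `strace` as the reply suggests.

```rust
// Added example: hand-built seccomp-BPF allowlist installed via prctl(2).
// Assumes Linux x86_64; constants are from linux/seccomp.h, linux/bpf_common.h,
// linux/audit.h and linux/prctl.h.
use std::os::raw::{c_int, c_ulong};

// Offsets into struct seccomp_data.
const SECCOMP_DATA_NR: u32 = 0;
const SECCOMP_DATA_ARCH: u32 = 4;
const AUDIT_ARCH_X86_64: u32 = 0xC000_003E;

// BPF opcodes: LD|W|ABS, JMP|JEQ|K, RET|K.
const BPF_LD_W_ABS: u16 = 0x20;
const BPF_JEQ_K: u16 = 0x15;
const BPF_RET_K: u16 = 0x06;

const SECCOMP_RET_ALLOW: u32 = 0x7fff_0000;
const SECCOMP_RET_KILL_PROCESS: u32 = 0x8000_0000;

const PR_SET_NO_NEW_PRIVS: c_int = 38;
const PR_SET_SECCOMP: c_int = 22;
const SECCOMP_MODE_FILTER: c_ulong = 2;

// x86_64 syscall numbers named in the thread.
pub const SYS_MUNMAP: u32 = 11;
pub const SYS_SIGALTSTACK: u32 = 131;
pub const SYS_EXIT_GROUP: u32 = 231;

#[repr(C)]
#[derive(Clone, Copy, Debug, PartialEq)]
pub struct SockFilter { pub code: u16, pub jt: u8, pub jf: u8, pub k: u32 }

#[repr(C)]
struct SockFprog { len: u16, filter: *const SockFilter }

extern "C" {
    fn prctl(option: c_int, arg2: c_ulong, arg3: c_ulong, arg4: c_ulong, arg5: c_ulong) -> c_int;
}

fn insn(code: u16, jt: u8, jf: u8, k: u32) -> SockFilter { SockFilter { code, jt, jf, k } }

/// Build a filter that kills the process for everything except `allowed`.
pub fn build_filter(allowed: &[u32]) -> Vec<SockFilter> {
    let mut prog = vec![
        // Check the architecture first; syscall numbers differ per ABI.
        insn(BPF_LD_W_ABS, 0, 0, SECCOMP_DATA_ARCH),
        insn(BPF_JEQ_K, 1, 0, AUDIT_ARCH_X86_64),
        insn(BPF_RET_K, 0, 0, SECCOMP_RET_KILL_PROCESS),
        insn(BPF_LD_W_ABS, 0, 0, SECCOMP_DATA_NR),
    ];
    for &nr in allowed {
        prog.push(insn(BPF_JEQ_K, 0, 1, nr)); // on match fall through to ALLOW
        prog.push(insn(BPF_RET_K, 0, 0, SECCOMP_RET_ALLOW));
    }
    prog.push(insn(BPF_RET_K, 0, 0, SECCOMP_RET_KILL_PROCESS)); // default
    prog
}

/// Interpret the three opcodes used above for a given (arch, nr) and return
/// the SECCOMP_RET_* action the kernel would take.
pub fn evaluate(prog: &[SockFilter], arch: u32, nr: u32) -> u32 {
    let (mut acc, mut pc) = (0u32, 0usize);
    loop {
        let i = prog[pc];
        match i.code {
            BPF_LD_W_ABS => { acc = if i.k == SECCOMP_DATA_ARCH { arch } else { nr }; pc += 1; }
            BPF_JEQ_K => { pc += 1 + if acc == i.k { i.jt as usize } else { i.jf as usize }; }
            BPF_RET_K => return i.k,
            other => panic!("unsupported opcode {:#x}", other),
        }
    }
}

/// Install the filter for the calling thread (and, via the default flags, its future children).
pub fn install(prog: &[SockFilter]) -> Result<(), std::io::Error> {
    let fprog = SockFprog { len: prog.len() as u16, filter: prog.as_ptr() };
    // SAFETY: plain prctl calls; `fprog` and `prog` outlive both calls.
    unsafe {
        // Required so an unprivileged process may install a filter.
        if prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0 {
            return Err(std::io::Error::last_os_error());
        }
        let ptr = &fprog as *const SockFprog as c_ulong;
        if prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, ptr, 0, 0) != 0 {
            return Err(std::io::Error::last_os_error());
        }
    }
    Ok(())
}

fn main() {
    let prog = build_filter(&[SYS_SIGALTSTACK, SYS_MUNMAP, SYS_EXIT_GROUP]);
    install(&prog).expect("seccomp install failed");
    // Returning from main now exercises exactly the runtime's teardown syscalls;
    // anything else (including the write behind println!) kills the process.
}
```

`evaluate` is a check, not a sandbox: only `install` changes what the kernel enforces, and after it succeeds the filter cannot be removed from that thread.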