Using Rust programs inside seccomp sandbox

kornel · July 2, 2018, 6:57pm

I’d like to sandbox a Rust program using seccomp (libseccomp v2.3) on Linux.

The problem I’m running into is that Rust (or std) executes sigaltstack call after main() exits, and this causes the process to be killed for seccomp violation. I’ve tried to allow this call (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(sigaltstack), 0)), but it doesn’t seem to have effect.

How can I allow sigaltstack for Rust? Or is it possible to avoid Rust’s runtime calling sigaltstack?

birkenfeld · July 2, 2018, 7:51pm

How are you setting up the sandbox?

kornel · July 2, 2018, 7:56pm

As the first thing in fn main() I’m calling through FFI a C function with:

scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_KILL);
seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(sigaltstack), 0);
// [..bunch of other adds..]
seccomp_load(ctx);

birkenfeld · July 3, 2018, 5:32am

This seems to work for me (i.e. exit cleanly) using the seccomp-sys crate as the FFI wrapper:

extern crate seccomp_sys as sc;

fn main() {
    unsafe {
        let ctx = sc::seccomp_init(sc::SCMP_ACT_KILL);
        assert!(!ctx.is_null());
        assert!(sc::seccomp_rule_add(ctx, sc::SCMP_ACT_ALLOW, 131, 0) == 0); // sigaltstack
        assert!(sc::seccomp_rule_add(ctx, sc::SCMP_ACT_ALLOW, 11, 0) == 0);  // munmap
        assert!(sc::seccomp_rule_add(ctx, sc::SCMP_ACT_ALLOW, 231, 0) == 0); // exit_group
        assert!(sc::seccomp_load(ctx) == 0);
    }
}

It was instrumental to use strace to find out which syscalls had to be allowed.