This repository has been archived by the owner on Jan 8, 2024. It is now read-only.

Update seccomp patch, based on staging patch #9

Merged 1 commit on Nov 8, 2020

@gasinvein (Member) commented Nov 6, 2020

Adopted patch from ValveSoftware/wine#99 (comment)

Original Wine code from Proton (as before #5):

    int ret;
    if (!(ret = prctl(PR_GET_SECCOMP, 0, NULL, 0, 0)))
    {
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))
        {
            perror("prctl(PR_SET_NO_NEW_PRIVS, ...)");
            exit(1);
        }

        if (sc_seccomp(SECCOMP_SET_MODE_FILTER, flags, &prog))
        {
            perror("prctl(PR_SET_SECCOMP, ...)");
            exit(1);
        }

        check_bpf_jit_enable();
    }
    else
    {
        if (ret == 2)
            TRACE("Seccomp filters already installed.\n");
        else
            ERR("Seccomp filters cannot be installed, ret %d, error %s.\n", ret, strerror(errno));
    }

    sigaction(SIGSYS, sig_act, NULL);

Patched code (after this PR):

    NTSTATUS status;
    sigaction(SIGSYS, sig_act, NULL);

    if ((status = syscall(0xffff)) == STATUS_INVALID_PARAMETER)
    {
        TRACE("Seccomp filters already installed.\n");
        return;
    }
    if (status != -ENOSYS && (status != -1 || errno != ENOSYS))
    {
        ERR("Unexpected status %#x, errno %d.\n", status, errno);
        return;
    }

    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))
    {
        perror("prctl(PR_SET_NO_NEW_PRIVS, ...)");
        exit(1);
    }
    if (sc_seccomp(SECCOMP_SET_MODE_FILTER, flags, &prog))
    {
        perror("prctl(PR_SET_SECCOMP, ...)");
        exit(1);
    }
    check_bpf_jit_enable();

Since I'm not familiar with C and not sure if I got everything right, a review from someone more knowledgeable would be very useful.
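Why a probe syscall can replace the `PR_GET_SECCOMP` check, as an added example (not code from this PR, Wine or Proton): `PR_GET_SECCOMP` returns 2 for any installed filter, whoever installed it, while a probe is only answered with the marker by a filter that recognises it. Assumptions: the helper names, the `EUCLEAN` marker and the use of `SECCOMP_RET_ERRNO` are constructed for this demo and stand in for the `STATUS_INVALID_PARAMETER` result the patched code checks for.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>

#define PROBE_NR 0xffff  /* syscall number the patched code probes */
#define MARKER   EUCLEAN /* constructed marker: errno only our demo filter returns */

/* ours=1: answer PROBE_NR with MARKER. ours=0: allow everything (stands in for
   a filter installed by some other component). Demo filter, no arch check. */
static int install_filter(int ours)
{
    struct sock_filter code[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, PROBE_NR, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, ours ? (SECCOMP_RET_ERRNO | MARKER) : SECCOMP_RET_ALLOW),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof(code) / sizeof(code[0]), .filter = code };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Runs in a child so no filter sticks to the caller. Returns -1 if unsupported,
   else bit 0 = PR_GET_SECCOMP reports filter mode, bit 1 = probe answered by us. */
int check_after(int foreign, int ours)
{
    int st;
    pid_t pid = fork();
    if (pid == 0) {
        if ((foreign && install_filter(0)) || (ours && install_filter(1))) _exit(64);
        int mode = prctl(PR_GET_SECCOMP, 0, 0, 0, 0) == 2;
        int probe = syscall(PROBE_NR) == -1 && errno == MARKER;
        _exit(mode | (probe << 1));
    }
    if (pid < 0 || waitpid(pid, &st, 0) < 0 || !WIFEXITED(st) || WEXITSTATUS(st) == 64) return -1;
    return WEXITSTATUS(st);
}

int main(void)
{
    printf("foreign only: %d, foreign + ours: %d\n", check_after(1, 0), check_after(1, 1));
    return 0;
}
```

A result of 1 means the mode check reports a filter while the probe shows it is not ours; 3 means both checks agree that our filter is active.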

@flathubbot (Contributor)

Started test build 31985

@flathubbot (Contributor)

Build 31985 successful
To test this build, install it from the testing repository:

flatpak install --user https://dl.flathub.org/build-repo/30801/com.valvesoftware.Steam.CompatibilityTool.Proton.flatpakref

@nanonyme (Collaborator) commented Nov 7, 2020

LGTM. If it hasn't gone through battle testing yet, maybe let's get it tested by end-users while in beta.

@gasinvein (Member, Author)

Ok, let's merge this to beta. Review is still wanted before it lands to master.

@gasinvein gasinvein merged commit 15623b6 into beta Nov 8, 2020
@gasinvein gasinvein deleted the better-seccomp-fix branch November 8, 2020 10:05