Remove SYS_futex, SYS_write, SYS_close, and SYS_mmap from list of default allowed syscalls for seccomp on Linux #183

Open
danbugs opened this issue Jan 29, 2025 · 0 comments
Labels
area/security Involves security-related changes or fixes lifecycle/confirmed Bug is verified or proposal seems reasonable

danbugs commented Jan 29, 2025

Currently, we allow `SYS_futex`, `SYS_write`, `SYS_close`, and `SYS_mmap` (`(libc::SYS_futex, vec![]),`) by default because they are needed by some writer functions we have. Writer functions are not registered like normal host functions. Instead, they are passed in as a parameter to `UninitializedSandbox::new` (`host_print_writer: Option<&dyn HostFunction1<String, i32>>,`) and, so, allowing extra syscalls to it is a bit cumbersome. We should consider refactoring `UninitializedSandbox::new` to leverage a builder pattern.

@danbugs danbugs added lifecycle/confirmed Bug is verified or proposal seems reasonable area/security Involves security-related changes or fixes labels Jan 29, 2025
@github-actions github-actions bot added the lifecycle/needs-review The issue has not yet been reviewed. label Jan 29, 2025
@syntactically syntactically removed the lifecycle/needs-review The issue has not yet been reviewed. label Jan 29, 2025
@danbugs danbugs added this to the Backlog milestone Mar 4, 2025
@danbugs danbugs modified the milestones: Backlog, Upcoming Mar 12, 2025
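
An added sketch of the builder refactor proposed in the issue; it is not part of the issue and not the project's code. `SandboxBuilder`, `Sandbox`, `Writer`, `BASE_ALLOWLIST` and the method names are hypothetical, and the syscall numbers are the x86_64 Linux values. The writer declares the syscalls it needs when it is registered, so none of the four is allowed by default.

```rust
use std::collections::BTreeSet;

// x86_64 Linux syscall numbers for the four syscalls named in the issue.
pub const SYS_WRITE: i64 = 1;
pub const SYS_CLOSE: i64 = 3;
pub const SYS_MMAP: i64 = 9;
pub const SYS_FUTEX: i64 = 202;
// Assumption: left empty, the project's full default list is not on the page.
const BASE_ALLOWLIST: &[i64] = &[];
pub type Writer = Box<dyn Fn(String) -> i32>; // stand-in for HostFunction1<String, i32>

/// Hypothetical builder replacing the positional `host_print_writer` parameter.
#[derive(Default)]
pub struct SandboxBuilder {
    writer: Option<(Writer, BTreeSet<i64>)>,
}

pub struct Sandbox {
    writer: Option<Writer>,
    /// Syscalls a seccomp filter would permit while the writer runs.
    pub writer_allowlist: BTreeSet<i64>,
}

impl SandboxBuilder {
    /// The writer declares the syscalls it needs; nothing is granted implicitly.
    pub fn host_print_writer(mut self, w: Writer, extra_syscalls: &[i64]) -> Self {
        self.writer = Some((w, extra_syscalls.iter().copied().collect()));
        self
    }
    pub fn build(self) -> Sandbox {
        let mut allow: BTreeSet<i64> = BASE_ALLOWLIST.iter().copied().collect();
        let writer = self.writer.map(|(w, extra)| {
            allow.extend(extra);
            w
        });
        Sandbox { writer, writer_allowlist: allow }
    }
}

impl Sandbox {
    pub fn print(&self, msg: &str) -> i32 {
        self.writer.as_ref().map_or(-1, |w| w(msg.to_string()))
    }
}

fn main() {
    let w: Writer = Box::new(|s: String| s.len() as i32);
    let sb = SandboxBuilder::default().host_print_writer(w, &[SYS_WRITE, SYS_FUTEX]).build();
    println!("{:?} {}", sb.writer_allowlist, sb.print("hi"));
}
```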