6 changes: 6 additions & 0 deletions scripts/run-tests.sh
Expand Up @@ -350,6 +350,12 @@ else
SKIP=$((SKIP + 1))
fi

if require_guest_test "process-vm-deny-test"; then
expect_output "process-vm-deny-test" "PASS: process_vm_readv denied" \
"$KBOX" image -S "$ROOTFS" --syscall-mode=seccomp \
-- "/opt/tests/process-vm-deny-test"
fi

echo ""
echo "--- Rewrite security ---"

2 changes: 2 additions & 0 deletions src/seccomp-bpf.c
Expand Up @@ -43,6 +43,7 @@ static const int deny_nrs[] = {

/* Tracing: supervisor memory/process access attacks */
101, /* ptrace */
310, /* process_vm_readv */
311, /* process_vm_writev */
440, /* process_madvise */
448, /* process_mrelease */
Expand Down Expand Up @@ -148,6 +149,7 @@ static const int deny_nrs[] = {

/* Tracing */
117, /* ptrace */
270, /* process_vm_readv */
271, /* process_vm_writev */
440, /* process_madvise */
448, /* process_mrelease */
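Review bot: The entries added to both `deny_nrs` tables are raw syscall numbers whose meaning depends on which ABI the table covers (310 here, 270 in the second hunk), and nothing on the added lines records which ABI that is; the neighbouring ptrace entries (101 vs 117) suggest x86_64 and the generic/arm64 table respectively, but a maintainer extending the list has to verify that by hand. Consider tagging the entries, e.g. `310, /* process_vm_readv (x86_64) */` and `270, /* process_vm_readv (arm64/generic) */`, or noting on the table that tests/guest/process-vm-deny-test.c pins the expected EPERM for this entry. Both `deny_nrs` arrays begin and end outside the hunks.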
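--- a/tests/guest/process-vm-deny-test.c
+++ b/tests/guest/process-vm-deny-test.c
@@ -0,0 +1,41 @@
+/* SPDX-License-Identifier: MIT */
+/* Guest test: verify process_vm_readv is blocked by the seccomp BPF deny list.
+*
+* The guest has no legitimate need to read another process's address space.
+* kbox itself uses process_vm_readv in the supervisor -> child direction only.
+* The guest-side syscall must therefore fail with EPERM before reaching the
+* seccomp-unotify supervisor path.
+*/
+
+#include <errno.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/syscall.h>
+#include <sys/uio.h>
+#include <unistd.h>
+
+#define CHECK(cond, msg) \
+do { \
+if (!(cond)) { \
+fprintf(stderr, "FAIL: %s (%s)\n", msg, #cond); \
+exit(1); \
+} \
+} while (0)
+
+int main(void)
+{
+uint32_t src = 0x12345678u;
+uint32_t dst = 0;
+struct iovec local = {.iov_base = &dst, .iov_len = sizeof(dst)};
+struct iovec remote = {.iov_base = &src, .iov_len = sizeof(src)};
+long rc;
+
+errno = 0;
+rc = syscall(__NR_process_vm_readv, getpid(), &local, 1, &remote, 1, 0);
+CHECK(rc < 0, "process_vm_readv should fail");
+CHECK(errno == EPERM, "process_vm_readv errno should be EPERM");
+printf("PASS: process_vm_readv denied\n");
+return 0;
+}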
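Review bot: On a mismatch, the second `CHECK` at the end of `main` reports only the literal condition text, so a denial that surfaces as ENOSYS or EACCES cannot be told apart from a missing filter in the harness log; `<string.h>` is already included but `strerror` is never used. Snapshot errno right after the `syscall` and print it in the failure path, e.g. `int err = errno;` followed by `if (rc >= 0 || err != EPERM) { fprintf(stderr, "FAIL: process_vm_readv rc=%ld errno=%d (%s)\n", rc, err, strerror(err)); return 1; }`. A successful call here would mean the filter is not in effect, since a process reading its own address space via `getpid()` is normally permitted by the kernel; it is worth stating that in the header comment so the choice of `getpid()` over a foreign pid is not mistaken for an oversight.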