privsep: Fix valgrind and hardened-malloc on Linux with SECCOMP

rsmarples · rsmarples · commit 0f62fdd014e4 · 2025-04-15T10:29:11.000+01:00
Valgrind will still error by default at exit as the syscall to unlink the pipe files is denied. This can be avoided by compiling with -DVALGRIND. The pipe files still won't be removed as dhcpcd has already dropped to the non root user. This is a Vagrind issue really. hardened-malloc should now run as well as their documented syscalls are now allowed by default. Fixes #497.
diff --git a/BUILDING.md b/BUILDING.md
@@ -129,6 +129,12 @@ still. If you do this, please report the issue so that we can adjust the
 SECCOMP filter so that dhcpcd can use SECCOMP once more.
 Or convince the libc/kernel people to adpot something more maintainable
 like FreeBSD's capsicum or OpenBSD's pledge.
+To test ASAN with privsep you need to add ASAN to CPPFLAGS.
+To test Valgrind with privsep you can optionally add VALGRIND to CPPFLAGS.
+For both they need some syscalls which are potentially dangerous and thus
+are disabled by default.
+For Valgrind, it needs to unlink the pipe files which it can't do anyway
+as it's dropped permissions. Otherwise it works fine.
 
 ## Init systems
 We try and detect how dhcpcd should interact with system services at runtime.
diff --git a/src/privsep-linux.c b/src/privsep-linux.c
@@ -468,9 +468,6 @@ static struct sock_filter ps_seccomp_filter[] = {
 
 /* These are for compiling with address sanitization */
 #ifdef ASAN
-#ifdef __NR_futex
-	SECCOMP_ALLOW(__NR_futex),
-#endif
 #ifdef __NR_openat
 	SECCOMP_ALLOW(__NR_openat),
 #endif
@@ -482,12 +479,42 @@ static struct sock_filter ps_seccomp_filter[] = {
 #endif
 
 /* coredumps */
+#ifdef __NR_tgkill
+	SECCOMP_ALLOW(__NR_tgkill),
+#endif
+#endif
+
+/* valgrind */
+#ifdef __NR_futex
+	SECCOMP_ALLOW(__NR_futex),
+#endif
 #ifdef __NR_gettid
 	SECCOMP_ALLOW(__NR_gettid),
 #endif
-#ifdef __NR_tgkill
-	SECCOMP_ALLOW(__NR_tgkill),
+#ifdef __NR_rt_sigtimedwait
+	SECCOMP_ALLOW(__NR_rt_sigtimedwait),
+#endif
+#ifdef VALGRIND
+#ifdef __NR_unlink
+	/* This is dangerous, and also pointless as in privsep
+	 * we are no longer root and thus cannot unlink the valgrind
+	 * pipes anyway. */
+	SECCOMP_ALLOW(__NR_unlink),
+#endif
+#endif
+
+/* hardened-malloc */
+#ifdef __NR_mprotect
+	SECCOMP_ALLOW(__NR_mprotect),
+#endif
+#ifdef __NR_mremap
+	SECCOMP_ALLOW(__NR_mremap),
+#endif
+#ifdef __NR_pkey_alloc
+	SECCOMP_ALLOW(__NR_pkey_alloc),
 #endif
+#ifdef __NR_pkey_mprotect
+	SECCOMP_ALLOW(__NR_pkey_mprotect),
 #endif
 
 	/* Deny everything else */
