privsep: Fix valgrind and hardened-malloc on Linux with SECCOMP

Valgrind will still error by default at exit as the syscall to unlink the pipe files is denied. This can be avoided by compiling with -DVALGRIND. The pipe files still won't be removed as dhcpcd has already dropped to the non root user. This is a Vagrind issue really. hardened-malloc should now run as well as their documented syscalls are now allowed by default. Fixes #497.
2026-01-26 06:07:57 +00:00 · 2025-04-15 10:29:11 +01:00 · 2025-04-15 10:29:11 +01:00 · 0f62fdd014
commit 0f62fdd014
parent 4db8dddf51
2 changed files with 39 additions and 6 deletions
--- a/BUILDING.md
+++ b/BUILDING.md
@ -129,6 +129,12 @@ still. If you do this, please report the issue so that we can adjust the
 SECCOMP filter so that dhcpcd can use SECCOMP once more.
 Or convince the libc/kernel people to adpot something more maintainable
 like FreeBSD's capsicum or OpenBSD's pledge.
+To test ASAN with privsep you need to add ASAN to CPPFLAGS.
+To test Valgrind with privsep you can optionally add VALGRIND to CPPFLAGS.
+For both they need some syscalls which are potentially dangerous and thus
+are disabled by default.
+For Valgrind, it needs to unlink the pipe files which it can't do anyway
+as it's dropped permissions. Otherwise it works fine.

 ## Init systems
 We try and detect how dhcpcd should interact with system services at runtime.
--- a/src/privsep-linux.c
+++ b/src/privsep-linux.c
@ -468,9 +468,6 @@ static struct sock_filter ps_seccomp_filter[] = {

 /* These are for compiling with address sanitization */
 #ifdef ASAN
-#ifdef __NR_futex
-	SECCOMP_ALLOW(__NR_futex),
-#endif
 #ifdef __NR_openat
 	SECCOMP_ALLOW(__NR_openat),
 #endif
@ -482,14 +479,44 @@ static struct sock_filter ps_seccomp_filter[] = {
 #endif

 /* coredumps */
-#ifdef __NR_gettid
-	SECCOMP_ALLOW(__NR_gettid),
-#endif
 #ifdef __NR_tgkill
 	SECCOMP_ALLOW(__NR_tgkill),
 #endif
 #endif

+/* valgrind */
+#ifdef __NR_futex
+	SECCOMP_ALLOW(__NR_futex),
+#endif
+#ifdef __NR_gettid
+	SECCOMP_ALLOW(__NR_gettid),
+#endif
+#ifdef __NR_rt_sigtimedwait
+	SECCOMP_ALLOW(__NR_rt_sigtimedwait),
+#endif
+#ifdef VALGRIND
+#ifdef __NR_unlink
+	/* This is dangerous, and also pointless as in privsep
+	 * we are no longer root and thus cannot unlink the valgrind
+	 * pipes anyway. */
+	SECCOMP_ALLOW(__NR_unlink),
+#endif
+#endif
+
+/* hardened-malloc */
+#ifdef __NR_mprotect
+	SECCOMP_ALLOW(__NR_mprotect),
+#endif
+#ifdef __NR_mremap
+	SECCOMP_ALLOW(__NR_mremap),
+#endif
+#ifdef __NR_pkey_alloc
+	SECCOMP_ALLOW(__NR_pkey_alloc),
+#endif
+#ifdef __NR_pkey_mprotect
+	SECCOMP_ALLOW(__NR_pkey_mprotect),
+#endif
+
 	/* Deny everything else */
 	BPF_STMT(BPF_RET + BPF_K, SECCOMP_FILTER_FAIL),
 };