Removed syscalls open and openat from policy defined in addExecutionControlRules

[mikimasn]

Syscalls open and openat were handled two times.

Once without any restrictions in

sio2jail/src/seccomp/policy/DefaultPolicy.cc

Lines 45 to 47 in b5903c6

	"open",
	"epoll_create1",
	"openat"});

And the second time with a check to enforce read-only mode on the file system

sio2jail/src/seccomp/policy/DefaultPolicy.cc

Lines 184 to 192 in b5903c6

	rules_.emplace_back(SeccompRule(
	"open",
	action::ActionAllow(),
	(filter::SyscallArg(1) & (O_RDWR | O_WRONLY)) == 0));
	rules_.emplace_back(SeccompRule(
	"openat",
	action::ActionAllow(),
	(filter::SyscallArg(2) & (O_RDWR | O_WRONLY)) == 0));

The first policy was more permissive and made the second one useless(it always allowed syscall open without checking access mode) so I removed it.

[Wolf480pl]

Looks like the duplicate open/openat were added by https://github.com/sio2project/sio2jail/pull/27/files?diff=unified&w=1

I looked through OI admins' internal chat logs and it looks like we allowed those syscalls in response to python3.9+numpy having an issue:

intercepted forbidden syscall openat(257) (4294967196, 47589183160736, 524481, 420, 0, 3346281667394566245)

which means

openat(-100, somepointer, 0o2000301, 0o644)

a.k.a.

openat(AT_FDCWD, somepointer, O_CLOEXEC | O_EXCL | O_CREAT | O_WRONLY, 0644 /* rw-r--r-- */)

but that error was difficult to reproduce (it only happened on old kernels)

In any case, I think the right thing to do would be to return either EPERM or EROFS when someone's trying to open a file for writing - the libraries that do it implicitly hopefully handle that error gracefully.

Unfortunately this means when a contestant's program explicitly tries to create a temporary file, we can't explicitly report that as a Rule Violation, instead the program will probably fail to handle the error and the contestant will see a generic Runtime Error. But that was already an issue with the changes introduced in #27 so I guess we'll have to live with it.

When I have time, I'll try to reproduce the error with python3.9+numpy.

Meanwhile, you can change this part

sio2jail/src/seccomp/policy/DefaultPolicy.cc

Lines 184 to 192 in b5903c6

	rules_.emplace_back(SeccompRule(
	"open",
	action::ActionAllow(),
	(filter::SyscallArg(1) & (O_RDWR | O_WRONLY)) == 0));
	rules_.emplace_back(SeccompRule(
	"openat",
	action::ActionAllow(),
	(filter::SyscallArg(2) & (O_RDWR | O_WRONLY)) == 0));

to return EROFS or EPERM when open is not read-only, maybe similar to this

sio2jail/src/limits/ThreadsLimitListener.cc

Lines 32 to 39 in 8e65e31

	syscallRules_.emplace_back(seccomp::SeccompRule(
	"clone",
	seccomp::action::ActionAllow{},
	(Arg(2) & CLONE_VM) == CLONE_VM));
	syscallRules_.emplace_back(seccomp::SeccompRule(
	"clone",
	seccomp::action::ActionKill(),
	(Arg(2) & CLONE_VM) == 0));

so that we don't have to worry which rules apply first.

[mikimasn]

Now attempts to open a file in write mode when read-only mode is enforced fail with EROFS error.

[mikimasn]

Sorry for taking so long to make changes but I was participating in the competition and didn't have time to do it.

[Wolf480pl]

no worries, it'll take me long to test it anyway :P

[mikimasn]

How is the testing going?