Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
22 changes: 11 additions & 11 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -18,9 +18,9 @@ jobs:
id-token: write
contents: read
steps:
- uses: actions/checkout@v4
- uses: DeterminateSystems/determinate-nix-action@v3
- uses: DeterminateSystems/magic-nix-cache-action@main
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
- uses: DeterminateSystems/determinate-nix-action@bafaa638b9d5ec0e7e3ac1a7fc80453ef1fd265f # v3
- uses: DeterminateSystems/magic-nix-cache-action@908b263ff629f4cc17666315b7fd3ec127c6244d # main
- name: Run checks (clippy, fmt, test, doc)
run: nix flake check -L

Expand All @@ -40,9 +40,9 @@ jobs:
# matrix:
# distro: [ubuntu:24.04, fedora:41, alpine:3.21]
# steps:
# - uses: actions/checkout@v4
# - uses: DeterminateSystems/determinate-nix-action@v3
# - uses: DeterminateSystems/magic-nix-cache-action@main
# - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
# - uses: DeterminateSystems/determinate-nix-action@bafaa638b9d5ec0e7e3ac1a7fc80453ef1fd265f # v3
# - uses: DeterminateSystems/magic-nix-cache-action@908b263ff629f4cc17666315b7fd3ec127c6244d # main
# - name: Build security test binary
# run: nix build -L .#security-test-bin
# - name: Run security tests in ${{ matrix.distro }}
Expand All @@ -57,15 +57,15 @@ jobs:
name: Cargo Deny
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: EmbarkStudios/cargo-deny-action@v2
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
- uses: EmbarkStudios/cargo-deny-action@6c8f9facfa5047ec02d8485b6bf52b587b7777d1 # v2

semver-check:
name: SemVer Check
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: Swatinem/rust-cache@v2
- uses: obi1kenobi/cargo-semver-checks-action@v2
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
- uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2
- uses: obi1kenobi/cargo-semver-checks-action@6b69fcf40e9b5fb17adeb57e4b6ecd020649a239 # v2
with:
package: evalbox
8 changes: 4 additions & 4 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -13,13 +13,13 @@ jobs:
name: Release-plz
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
with:
fetch-depth: 0
- uses: dtolnay/rust-toolchain@stable
- uses: Swatinem/rust-cache@v2
- uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable
- uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2
- name: Run release-plz
uses: MarcoIeni/release-plz-action@v0.5
uses: MarcoIeni/release-plz-action@064f4d1e36c843611ddf013be726beaa4ad804db # v0.5
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
5 changes: 4 additions & 1 deletion .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -7,4 +7,7 @@ fuzz/corpus/
fuzz/artifacts/

# Local cargo config
.cargo/
.cargo/

# SBOM (generated by cargo-cyclonedx)
*.cdx.json
2 changes: 1 addition & 1 deletion crates/evalbox-sys/src/lib.rs
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,7 @@
//! ## Seccomp-BPF
//!
//! Seccomp-BPF allows filtering syscalls via BPF programs. This crate provides
//! an architecture-aware whitelist-based filter (x86_64 and aarch64) that allows
//! an architecture-aware whitelist-based filter (`x86_64` and `aarch64`) that allows
//! safe syscalls and kills the process on any other syscall.
//!
//! ## Seccomp User Notify
Expand Down
18 changes: 9 additions & 9 deletions crates/evalbox-sys/src/seccomp.rs
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@
//!
//! The BPF filter runs on every syscall:
//!
//! 1. Verify architecture is supported (x86_64 or aarch64, kill otherwise)
//! 1. Verify architecture is supported (`x86_64` or `aarch64`, kill otherwise)
//! 2. Load syscall number from `seccomp_data`
//! 3. Block `clone3` entirely (cannot inspect flags in struct)
//! 4. For `clone`, inspect flags and block namespace creation
Expand Down Expand Up @@ -166,7 +166,7 @@ pub struct SockFprog {
pub filter: *const SockFilter,
}

/// Base syscalls allowed on all architectures (x86_64 and aarch64).
/// Base syscalls allowed on all architectures (`x86_64` and `aarch64`).
///
/// **Ordering**: Hot syscalls first for faster BPF linear scan.
/// The kernel checks each JEQ instruction sequentially, so placing
Expand Down Expand Up @@ -352,11 +352,11 @@ const BASE_WHITELIST: &[i64] = &[
libc::SYS_recvmmsg,
];

/// Legacy x86_64 syscalls not available on aarch64.
/// Legacy `x86_64` syscalls not available on `aarch64`.
///
/// On aarch64, glibc always uses the modern `*at()` equivalents
/// On `aarch64`, glibc always uses the modern `*at()` equivalents
/// (e.g., `openat` instead of `open`, `newfstatat` instead of `stat`).
/// These legacy syscalls only exist in the x86_64 syscall table.
/// These legacy syscalls only exist in the `x86_64` syscall table.
#[cfg(target_arch = "x86_64")]
const LEGACY_WHITELIST: &[i64] = &[
libc::SYS_fstat,
Expand Down Expand Up @@ -393,15 +393,15 @@ const LEGACY_WHITELIST: &[i64] = &[
libc::SYS_signalfd,
];

/// On aarch64, all equivalent functionality is provided by the modern
/// On `aarch64`, all equivalent functionality is provided by the modern
/// syscalls already in `BASE_WHITELIST`.
#[cfg(target_arch = "aarch64")]
const LEGACY_WHITELIST: &[i64] = &[];

/// Returns the default syscall whitelist for the current architecture.
///
/// Combines `BASE_WHITELIST` (common to all architectures) with
/// `LEGACY_WHITELIST` (x86_64-only legacy syscalls).
/// `LEGACY_WHITELIST` (`x86_64`-only legacy syscalls).
pub fn default_whitelist() -> Vec<i64> {
[BASE_WHITELIST, LEGACY_WHITELIST].concat()
}
Expand All @@ -411,7 +411,7 @@ pub fn default_whitelist() -> Vec<i64> {
/// ## Filter Layout
///
/// ```text
/// [0-2] Architecture check (x86_64)
/// [0-2] Architecture check (`x86_64`)
/// [3] Load syscall number
/// [4] clone3 -> KILL
/// [5] clone -> clone_handler
Expand Down Expand Up @@ -681,7 +681,7 @@ const BASE_NOTIFY_FS_SYSCALLS: &[i64] = &[
libc::SYS_readlinkat,
];

/// Legacy FS syscalls intercepted on x86_64 only.
/// Legacy FS syscalls intercepted on `x86_64` only.
#[cfg(target_arch = "x86_64")]
const LEGACY_NOTIFY_FS_SYSCALLS: &[i64] = &[
libc::SYS_open,
Expand Down
31 changes: 31 additions & 0 deletions fuzz/oss-fuzz-build.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,31 @@
#!/bin/bash -eu
# Copyright 2025 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
################################################################################

cd $SRC/evalbox

if [ "$SANITIZER" = "coverage" ]; then
export RUSTFLAGS="$RUSTFLAGS -C debug-assertions=no"
export CFLAGS=""
fi

cargo fuzz build -O --debug-assertions

FUZZ_TARGET_OUTPUT_DIR=fuzz/target/x86_64-unknown-linux-gnu/release
for f in fuzz/fuzz_targets/*.rs; do
FUZZ_TARGET_NAME=$(basename ${f%.*})
cp $FUZZ_TARGET_OUTPUT_DIR/$FUZZ_TARGET_NAME $OUT/
done
1 change: 1 addition & 0 deletions nix/devshell.nix
Original file line number Diff line number Diff line change
Expand Up @@ -25,5 +25,6 @@
];
RUST_BACKTRACE = "1";
};

};
}
Loading