integration/container: Add socketcall AF_ALG denial tests

vvoland · vvoland · commit 5a345809bc9b · 2026-05-01T02:41:56.000+02:00
Test that AF_ALG is also denied through the socketcall(2) multiplexer,
which is used by glibc on i386 instead of direct socket(2) syscalls.

Two subtests:
- AF_ALG_socketcall_int80: uses int $0x80 inline assembly from a native
  64-bit binary to invoke the ia32 socketcall path, with MAP_32BIT to
  keep the args pointer below 4 GB (ia32 compat truncates registers).
- AF_ALG_socketcall_i386: cross-compiles a static i386 binary using
  gcc-i686-linux-gnu where glibc naturally routes socket() through
  socketcall(2).

Both are amd64-only.

Signed-off-by: Paweł Gronowski &lt;pawel.gronowski@docker.com&gt;
diff --git a/integration/container/exec_afalg_linux_test.go b/integration/container/exec_afalg_linux_test.go
@@ -19,13 +19,15 @@ var (
 
 	//go:embed testdata/af_vsock.c
 	afVSOCKSource string
+
+	//go:embed testdata/af_alg_socketcall.c
+	afALGSocketcallSource string
 )
 
 // compileAndExecSocketDenied writes a C source file into the container,
 // compiles it with the given compiler command, runs the binary as uid 1000,
-// and asserts that socket creation fails with a permission or
-// address-family error (not EFAULT or other unrelated failures).
-func compileAndExecSocketDenied(ctx context.Context, t *testing.T, apiClient client.APIClient, cID string, name string, src string, cc []string) {
+// and asserts that socket creation fails with the expected error.
+func compileAndExecSocketDenied(ctx context.Context, t *testing.T, apiClient client.APIClient, cID string, name string, src string, cc []string, expectedErr string) {
 	t.Helper()
 
 	binPath := "/tmp/" + name
@@ -50,12 +52,7 @@ func compileAndExecSocketDenied(ctx context.Context, t *testing.T, apiClient cli
 
 	out := strings.ToLower(res.Combined())
 	assert.Check(t, is.Contains(out, "socket"), "expected socket-related error message")
-
-	// Seccomp blocks return either EPERM ("operation not permitted") or
-	// EAFNOSUPPORT ("address family not supported"). Make sure the failure
-	// is from seccomp, not from a bogus pointer (EFAULT) or other issue.
-	permErr := strings.Contains(out, "not permitted") || strings.Contains(out, "not supported")
-	assert.Check(t, permErr, "expected EPERM or EAFNOSUPPORT, got: %s", res.Combined())
+	assert.Check(t, is.Contains(out, expectedErr), "expected %s, got: %s", expectedErr, res.Combined())
 }
 
 // TestExecSocketDenied verifies that AF_ALG and AF_VSOCK sockets cannot be
@@ -77,10 +74,39 @@ func TestExecSocketDenied(t *testing.T) {
 
 	gcc := []string{"gcc"}
 
+	arch := testEnv.DaemonInfo.Architecture
+	isAmd64 := arch == "amd64" || arch == "x86_64"
+
 	t.Run("AF_ALG", func(t *testing.T) {
-		compileAndExecSocketDenied(ctx, t, apiClient, cID, "AF_ALG", afALGSource, gcc)
+		compileAndExecSocketDenied(ctx, t, apiClient, cID, "AF_ALG", afALGSource, gcc, "not permitted")
 	})
 	t.Run("AF_VSOCK", func(t *testing.T) {
-		compileAndExecSocketDenied(ctx, t, apiClient, cID, "AF_VSOCK", afVSOCKSource, gcc)
+		compileAndExecSocketDenied(ctx, t, apiClient, cID, "AF_VSOCK", afVSOCKSource, gcc, "not permitted")
+	})
+
+	// Test AF_ALG via the socketcall(2) multiplexer using int $0x80 to
+	// invoke the ia32 compat syscall path from a native 64-bit binary.
+	// MAP_32BIT is used to place the args array below 4 GB, since the
+	// ia32 compat path truncates all registers to 32 bits.
+	t.Run("AF_ALG_socketcall_int80", func(t *testing.T) {
+		skip.If(t, !isAmd64, "int $0x80 ia32 compat only available on amd64")
+
+		compileAndExecSocketDenied(ctx, t, apiClient, cID, "AF_ALG_socketcall_int80", afALGSocketcallSource, gcc, "not implemented")
+	})
+
+	// Test AF_ALG with a real i386 binary cross-compiled from amd64. glibc
+	// on i386 routes socket() through the socketcall(2) multiplexer, which
+	// is a different seccomp path than the native socket(2) syscall.
+	t.Run("AF_ALG_socketcall_i386", func(t *testing.T) {
+		skip.If(t, !isAmd64, "i386 cross-compilation only available on amd64")
+
+		res := container.ExecT(ctx, t, apiClient, cID, []string{
+			"sh", "-c", "apt-get install -y --no-install-recommends gcc-i686-linux-gnu libc6-dev-i386-cross linux-libc-dev-i386-cross",
+		})
+		res.AssertSuccess(t)
+
+		compileAndExecSocketDenied(ctx, t, apiClient, cID, "AF_ALG_socketcall_i386", afALGSource,
+			[]string{"i686-linux-gnu-gcc", "-static"}, "not implemented",
+		)
 	})
 }
diff --git a/integration/container/testdata/af_alg_socketcall.c b/integration/container/testdata/af_alg_socketcall.c
@@ -0,0 +1,43 @@
+#include <stdio.h>
+#include <errno.h>
+#include <sys/mman.h>
+
+#define SYS_SOCKETCALL_I386 102
+#define SYS_SOCKET 1
+#define AF_ALG 38
+#define SOCK_SEQPACKET 5
+
+int main() {
+    /*
+     * The int $0x80 ia32 compat path truncates all registers to 32 bits.
+     * The args pointer must live below 4 GB, so allocate it with MAP_32BIT.
+     */
+    unsigned int *args = mmap(NULL, 4096,
+        PROT_READ | PROT_WRITE,
+        MAP_PRIVATE | MAP_ANONYMOUS | MAP_32BIT,
+        -1, 0);
+    if (args == MAP_FAILED) {
+        perror("mmap");
+        return 2;
+    }
+    args[0] = AF_ALG;
+    args[1] = SOCK_SEQPACKET;
+    args[2] = 0;
+
+    int ret;
+    asm volatile (
+        "int $0x80"
+        : "=a"(ret)
+        : "a"(SYS_SOCKETCALL_I386), "b"(SYS_SOCKET), "c"(args)
+        : "memory"
+    );
+
+    if (ret < 0) {
+        errno = -ret;
+        perror("socket");
+        return 1;
+    }
+
+    printf("AF_ALG socket created via socketcall\n");
+    return 0;
+}
