commit: bcb6683c56d9646e12881a6b59bc740e6004e663 Author: Mike Frysinger <vapier <AT> gentoo <DOT> org> AuthorDate: Mon Aug 24 21:20:21 2015 +0000 Commit: Mike Frysinger <vapier <AT> gentoo <DOT> org> CommitDate: Mon Aug 24 21:20:59 2015 +0000 URL: https://gitweb.gentoo.org/proj/pax-utils.git/commit/?id=bcb6683c
security: add a debug handler for seccomp
If a bad syscall is hit, it can be hard to track down. Add a debug mode that people can enable to get useful error messages showing the failure.
URL: https://bugs.gentoo.org/558482
porting.h | 3 +++
security.c | 27 ++++++++++++++++++++++++++-
2 files changed, 29 insertions(+), 1 deletion(-)
diff --git a/porting.h b/porting.h
index c93f0f8..1107b4e 100644
--- a/porting.h
+++ b/porting.h
@@ -30,6 +30,7 @@
 #include <pwd.h>
 #include <regex.h>
 #include <sched.h>
+#include <signal.h>
 #include <stdbool.h>
 #include <stdio.h>
 #include <stdlib.h>
@@ -217,4 +218,6 @@
 # define O_CLOEXEC 0
 #endif
+#define __unused__ __attribute__((__unused__))
+
 #endif /* _PORTING_H */
diff --git a/security.c b/security.c
index ccecb90..a62c798 100644
--- a/security.c
+++ b/security.c
@@ -41,6 +41,28 @@ static int pax_seccomp_rules_add(scmp_filter_ctx ctx, int syscalls[], size_t num
 }
 #define pax_seccomp_rules_add(ctx, syscalls) pax_seccomp_rules_add(ctx, syscalls, ARRAY_SIZE(syscalls))
+static void
+pax_seccomp_sigal(__unused__ int signo, siginfo_t *info, __unused__ void *context)
+{
+ warn("seccomp violated: syscall %i", info->si_syscall);
+ fflush(stderr);
+#ifdef si_syscall
+ warn(" syscall = %s",
+ seccomp_syscall_resolve_num_arch(seccomp_arch_native(), info->si_syscall));
+#endif
+ kill(getpid(), SIGSYS);
+ _exit(1);
+}
+
+static void pax_seccomp_signal_init(void)
+{
+ struct sigaction act;
+ sigemptyset(&act.sa_mask);
+ act.sa_sigaction = pax_seccomp_sigal,
+ act.sa_flags = SA_SIGINFO | SA_RESETHAND;
+ sigaction(SIGSYS, &act, NULL);
+}
+
 static void pax_seccomp_init(bool allow_forking)
 {
 /* Order determines priority (first == lowest prio). */
@@ -113,7 +135,7 @@ static void pax_seccomp_init(bool allow_forking)
 SCMP_SYS(waitid),
 SCMP_SYS(waitpid),
 };
- scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_TRAP);
+ scmp_filter_ctx ctx = seccomp_init(USE_DEBUG ? SCMP_ACT_TRAP : SCMP_ACT_KILL);
 if (!ctx) {
 warnp("seccomp_init failed");
 return;
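Review bot: `#define __unused__ __attribute__((__unused__))` takes over a reserved double-underscore identifier that is exactly the spelling GCC accepts for the attribute itself; the definition compiles only because a macro is not re-expanded inside its own replacement list, but any header included after porting.h that writes `__attribute__((__unused__))` now expands to `__attribute__((__attribute__((__unused__))))` and is unlikely to compile. A project-prefixed name avoids the collision, e.g. `#define pax_unused __attribute__((__unused__))`, with the two uses in security.c renamed to match. Whether any header pulled in after porting.h by a .c file (seccomp.h, say) uses that spelling is not visible here, so treat this as a latent build break rather than a current one.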
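Review bot: `warn("seccomp violated: syscall %i", info->si_syscall)` reads `si_syscall` unconditionally, yet the very next use is guarded by `#ifdef si_syscall`, so on a libc that lacks the macro the handler fails to compile instead of degrading gracefully; both uses belong under the guard. The `kill(getpid(), SIGSYS)` re-raise also cannot take effect as written: without `SA_NODEFER` the signal stays blocked while the handler runs, so it is merely pending when `_exit(1)` ends the process and the SA_RESETHAND default action (and its core dump) is never reached — adding `SA_NODEFER` to `sa_flags` fixes that. `act.sa_sigaction = pax_seccomp_sigal,` ends in a comma operator rather than a semicolon (it compiles, but reads like a slip), and the `sigaction()` return value is dropped although `warnp` is already used for failures in this file. `warn()`/`fflush()` are not async-signal-safe, which is acceptable only because this is debug-only and the handler never returns; a comment should say so, and `kill`/`getpid` must be in the allowlist (not visible here) or the handler itself trips the filter a second time. If I remember the libseccomp API correctly, `seccomp_syscall_resolve_num_arch()` returns NULL for a number it cannot name, which must not reach `%s`.

```c
static void
pax_seccomp_sigal(__unused__ int signo, siginfo_t *info, __unused__ void *context)
{
	/* Debug-only handler: warn()/fflush() are not async-signal-safe, which is
	 * tolerable here because we never return to the interrupted code. */
#ifdef si_syscall
	char *name = seccomp_syscall_resolve_num_arch(seccomp_arch_native(), info->si_syscall);
	warn("seccomp violated: syscall %i (%s)", info->si_syscall, name ? name : "?");
#else
	warn("seccomp violated (libc lacks si_syscall; cannot tell which syscall)");
#endif
	fflush(stderr);
	/* SA_RESETHAND restored the default action and SA_NODEFER left SIGSYS
	 * unblocked, so this re-raise terminates us (with a core) rather than
	 * leaving a pending signal that _exit() would throw away. */
	kill(getpid(), SIGSYS);
	_exit(1);
}

static void pax_seccomp_signal_init(void)
{
	struct sigaction act;
	sigemptyset(&act.sa_mask);
	act.sa_sigaction = pax_seccomp_sigal;
	act.sa_flags = SA_SIGINFO | SA_RESETHAND | SA_NODEFER;
	if (sigaction(SIGSYS, &act, NULL) < 0)
		warnp("sigaction(SIGSYS) failed");
}
```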
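Review bot: `SCMP_ACT_KILL` terminates only the thread that made the offending call, whereas the previous `SCMP_ACT_TRAP` with no handler installed killed the whole process through the default SIGSYS action; the two are equivalent only while the tool stays single-threaded, which this hunk cannot show, so a comment such as `/* KILL ends only the calling thread; fine while we stay single-threaded. */` would pin the assumption for whoever adds threads later. `USE_DEBUG` is not defined anywhere visible, so every build configuration must provide it as 0 or 1 (not merely define or omit it) or this line fails to compile. The ternary is evaluated at run time, so both actions are always compiled in, which is fine but worth knowing when reading the `#ifdef`-free code below it.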
@@ -129,6 +151,9 @@ static void pax_seccomp_init(bool allow_forking)
 /* We already called prctl. */
 seccomp_attr_set(ctx, SCMP_FLTATR_CTL_NNP, 0);
+ if (USE_DEBUG)
+ pax_seccomp_signal_init();
+
 #ifndef __SANITIZE_ADDRESS__
 /* ASAN does some weird stuff. */
 if (seccomp_load(ctx) < 0)
