authorMike Frysinger <vapier@gentoo.org>2015-08-24 17:20:21 -0400
committerMike Frysinger <vapier@gentoo.org>2015-08-24 17:20:59 -0400
commitbcb6683c56d9646e12881a6b59bc740e6004e663 (patch)
tree0b1eadc432d4dca58866545625386f71ff7dec98
parentbuild: add plumbing for building w/debug code (diff)
security: add a debug handler for seccomp
If a bad syscall is hit, it can be hard to track down. Add a debug mode that people can enable to get useful error messages showing the failure. URL: https://bugs.gentoo.org/558482
-rw-r--r--porting.h3
-rw-r--r--security.c27
2 files changed, 29 insertions, 1 deletions
diff --git a/porting.h b/porting.h
index c93f0f8..1107b4e 100644
--- a/porting.h
+++ b/porting.h
@@ -30,6 +30,7 @@
#include <pwd.h>
#include <regex.h>
#include <sched.h>
+#include <signal.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
@@ -217,4 +218,6 @@
# define O_CLOEXEC 0
#endif
+#define __unused__ __attribute__((__unused__))
+
#endif /* _PORTING_H */
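Review bot: The macro name `__unused__` is a reserved identifier and is also the spelling GCC uses for the attribute itself, so any `__attribute__((__unused__))` preprocessed after this define (including macros from system headers that expand to it) becomes `__attribute__((__attribute__((__unused__))))` and will not compile. Whether such a use exists in this tree is not visible from the hunk, so this is a latent hazard rather than a confirmed break. A project-prefixed name avoids it, for example `#define PAX_UNUSED __attribute__((__unused__))` (name constructed here), with the handler parameters in security.c changed to match.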
diff --git a/security.c b/security.c
index ccecb90..a62c798 100644
--- a/security.c
+++ b/security.c
@@ -41,6 +41,28 @@ static int pax_seccomp_rules_add(scmp_filter_ctx ctx, int syscalls[], size_t num
}
#define pax_seccomp_rules_add(ctx, syscalls) pax_seccomp_rules_add(ctx, syscalls, ARRAY_SIZE(syscalls))
+static void
+pax_seccomp_sigal(__unused__ int signo, siginfo_t *info, __unused__ void *context)
+{
+ warn("seccomp violated: syscall %i", info->si_syscall);
+ fflush(stderr);
+#ifdef si_syscall
+ warn(" syscall = %s",
+ seccomp_syscall_resolve_num_arch(seccomp_arch_native(), info->si_syscall));
+#endif
+ kill(getpid(), SIGSYS);
+ _exit(1);
+}
+
+static void pax_seccomp_signal_init(void)
+{
+ struct sigaction act;
+ sigemptyset(&act.sa_mask);
+ act.sa_sigaction = pax_seccomp_sigal,
+ act.sa_flags = SA_SIGINFO | SA_RESETHAND;
+ sigaction(SIGSYS, &act, NULL);
+}
+
static void pax_seccomp_init(bool allow_forking)
{
/* Order determines priority (first == lowest prio). */
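Review bot: The `#ifdef si_syscall` guard in pax_seccomp_sigal() covers only the second warn(), but the first warn() already reads `info->si_syscall`, so a libc without that field fails to compile instead of falling back. The return value of seccomp_syscall_resolve_num_arch() is also passed straight to `%s`, although it is NULL when libseccomp cannot resolve the number. warn(), fflush() and the resolver are not async-signal-safe; that is tolerable for a debug-only handler that terminates right afterwards, but it deserves a comment so the handler is not reused elsewhere. In pax_seccomp_signal_init(), `act.sa_sigaction = pax_seccomp_sigal,` ends in a comma where a semicolon is meant, `act` is otherwise uninitialized (`struct sigaction act = { 0 };` would fix that), and the sigaction() result is ignored.

```c
pax_seccomp_sigal(__unused__ int signo, siginfo_t *info, __unused__ void *context)
{
#ifdef si_syscall
	/* Debug aid only: warn() and the resolver are not async-signal-safe. */
	char *name = seccomp_syscall_resolve_num_arch(seccomp_arch_native(), info->si_syscall);
	warn("seccomp violated: syscall %i (%s)", info->si_syscall, name ? name : "unknown");
#else
	(void)info;
	warn("seccomp violated");
#endif
	fflush(stderr);
	/* … unchanged: re-raise SIGSYS and _exit … */
}
```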
@@ -113,7 +135,7 @@ static void pax_seccomp_init(bool allow_forking)
SCMP_SYS(waitid),
SCMP_SYS(waitpid),
};
- scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_TRAP);
+ scmp_filter_ctx ctx = seccomp_init(USE_DEBUG ? SCMP_ACT_TRAP : SCMP_ACT_KILL);
if (!ctx) {
warnp("seccomp_init failed");
return;
@@ -129,6 +151,9 @@ static void pax_seccomp_init(bool allow_forking)
/* We already called prctl. */
seccomp_attr_set(ctx, SCMP_FLTATR_CTL_NNP, 0);
+ if (USE_DEBUG)
+ pax_seccomp_signal_init();
+
#ifndef __SANITIZE_ADDRESS__
/* ASAN does some weird stuff. */
if (seccomp_load(ctx) < 0)