Skip to content

Commit 84f36c8

Browse files
mptremptre
committed
Add enable-seccomp-debug option to configure in order to aid debugging
1 parent fbf167f commit 84f36c8

File tree

3 files changed

+42
-0
lines changed

3 files changed

+42
-0
lines changed

compat-sandbox.c

Lines changed: 35 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -34,7 +34,10 @@ sandbox(int stage)
3434

3535
#include <err.h>
3636
#include <seccomp.h>
37+
#include <signal.h>
38+
#include <stdio.h>
3739
#include <stdlib.h>
40+
#include <string.h>
3841

3942
#include "compat.h"
4043

@@ -45,13 +48,45 @@ sandbox(int stage)
4548
(seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(ioctl), x, \
4649
SCMP_A1(SCMP_CMP_EQ, syscall, 0)) < 0)
4750

51+
/*
52+
* Print out the offending syscall and exit.
53+
* Not thread-safe and shall only be used for debugging purposes.
54+
*/
55+
void
56+
handle_sigsys(int signum __attribute__((unused)), siginfo_t *info,
57+
void *ctx __attribute__((unused)))
58+
{
59+
errx(1, "disallowed syscall #%d", info->si_syscall);
60+
}
61+
62+
void
63+
sandbox_sighandler(void)
64+
{
65+
struct sigaction act;
66+
sigset_t mask;
67+
68+
memset(&act, 0, sizeof(act));
69+
sigemptyset(&mask);
70+
sigaddset(&mask, SIGSYS);
71+
act.sa_sigaction = &handle_sigsys;
72+
act.sa_flags = SA_SIGINFO;
73+
if (sigaction(SIGSYS, &act, NULL) == -1)
74+
err(1, "sigaction");
75+
if (sigprocmask(SIG_UNBLOCK, &mask, NULL) == -1)
76+
err(1, "sigprocmask");
77+
}
78+
4879
void
4980
sandbox(int stage)
5081
{
5182
scmp_filter_ctx ctx;
5283

5384
switch (stage) {
5485
case SANDBOX_ENTER:
86+
#ifdef HAVE_SECCOMP_DEBUG
87+
sandbox_sighandler();
88+
#endif
89+
5590
if ((ctx = seccomp_init(SCMP_ACT_TRAP)) == NULL)
5691
err(1, "seccomp_init");
5792

config.h.in

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -12,6 +12,9 @@
1212
/* Define if seccomp is available */
1313
#undef HAVE_SECCOMP
1414

15+
/* Define to debug seccomp */
16+
#undef HAVE_SECCOMP_DEBUG
17+
1518
/* Define to 1 if you have the `strtonum' function. */
1619
#undef HAVE_STRTONUM
1720

configure.ac

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -4,6 +4,10 @@ AM_INIT_AUTOMAKE([subdir-objects])
44
AC_CONFIG_HEADERS([config.h])
55
AC_PROG_CC
66
AM_PROG_CC_C_O
7+
AC_ARG_ENABLE([seccomp-debug],
8+
[AS_HELP_STRING([--enable-seccomp-debug], [enable seccomp debugging])],
9+
[AC_DEFINE([HAVE_SECCOMP_DEBUG], [1], [Define to debug seccomp])],
10+
[])
711
AC_CHECK_FUNCS([pledge reallocarray strtonum])
812
AC_SEARCH_LIBS([seccomp_init], [seccomp],
913
[AC_DEFINE([HAVE_SECCOMP], [1], [Define if seccomp is available])])

0 commit comments

Comments
 (0)