From: Daniel Golle
Date: Tue, 1 Dec 2020 22:45:15 +0000 (+0000)
Subject: jail: improve seccomp log output
X-Git-Url: http://git.openwrt.org/?a=commitdiff_plain;h=09478ba23019ec5cbfc1068a7a632215c946b679;p=project%2Fprocd.git
jail: improve seccomp log output
Pass loglevel to preloaded seccomp handler, output generated program along with unresolved syscalls if debugging output is requested.
Signed-off-by: Daniel Golle
---
diff --git a/jail/jail.c b/jail/jail.c
index 529ac6b..385dbe7 100644
--- a/jail/jail.c
+++ b/jail/jail.c
@@ -896,12 +896,13 @@ static int apply_rlimits(void)
 	return 0;
 }
 
-#define MAX_ENVP 8
+#define MAX_ENVP 16
 static char** build_envp(const char *seccomp, char **ocienvp)
 {
 	static char *envp[MAX_ENVP];
 	static char preload_var[PATH_MAX];
 	static char seccomp_var[PATH_MAX];
+	static char seccomp_debug_var[20];
 	static char debug_var[] = "LD_DEBUG=all";
 	static char container_var[] = "container=ujail";
 	const char *preload_lib = find_lib("libpreload-seccomp.so");
@@ -916,6 +917,8 @@ static char** build_envp(const char *seccomp, char **ocienvp)
 	if (seccomp) {
 		snprintf(seccomp_var, sizeof(seccomp_var), "SECCOMP_FILE=%s", seccomp);
 		envp[count++] = seccomp_var;
+		snprintf(seccomp_debug_var, sizeof(seccomp_debug_var), "SECCOMP_DEBUG=%2d", debug);
+		envp[count++] = seccomp_debug_var;
 		snprintf(preload_var, sizeof(preload_var), "LD_PRELOAD=%s", preload_lib);
 		envp[count++] = preload_var;
 	}
diff --git a/jail/preload.c b/jail/preload.c
index 24358c6..9678ab6 100644
--- a/jail/preload.c
+++ b/jail/preload.c
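Review bot: The new `snprintf(seccomp_debug_var, sizeof(seccomp_debug_var), "SECCOMP_DEBUG=%2d", debug);` in the `if (seccomp)` branch uses a field width of 2, so a single-digit level is exported with a leading space (`SECCOMP_DEBUG= 1`); the atoi() on the receiving side tolerates that, but the width reads like a typo for `%d` and any stricter consumer of the variable would see the padded form. The 20-byte `seccomp_debug_var` declared in the previous hunk leaves only five characters for the number after the 14-byte `SECCOMP_DEBUG=` prefix; snprintf truncates rather than overflows, but a wide or negative `debug` would be silently cut. Declaring it as `static char seccomp_debug_var[sizeof("SECCOMP_DEBUG=") + 11];` and formatting with `%d` removes both oddities, and checking snprintf's return value against the buffer size would make any truncation visible. build_envp continues past the hunk, so whether `count` is bounded against the raised MAX_ENVP cannot be confirmed from here.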
@@ -18,24 +18,33 @@
 #include
 #include
 
+#include "log.h"
 #include "seccomp.h"
 #include "../preload.h"
 
 static main_t __main__;
+int debug;
 
 static int __preload_main__(int argc, char **argv, char **envp)
 {
 	char *env_file = getenv("SECCOMP_FILE");
+	char *env_debug = getenv("SECCOMP_DEBUG");
 
 	if (!env_file || !env_file[0]) {
 		ERROR("SECCOMP_FILE not specified\n");
 		return -1;
 	}
 
+	if (env_debug)
+		debug = atoi(env_debug);
+	else
+		debug = 0;
+
 	if (install_syscall_filter(*argv, env_file))
 		return -1;
 
 	unsetenv("LD_PRELOAD");
+	unsetenv("SECCOMP_DEBUG");
 	unsetenv("SECCOMP_FILE");
 
 	return (*__main__)(argc, argv, envp);
diff --git a/jail/seccomp-oci.c b/jail/seccomp-oci.c
index c82aebf..e85191e 100644
--- a/jail/seccomp-oci.c
+++ b/jail/seccomp-oci.c
@@ -406,6 +406,16 @@ struct sock_fprog *parseOCIlinuxseccomp(struct blob_attr *msg)
 	prog->len = (unsigned short) idx;
 	prog->filter = filter;
+	DEBUG("generated seccomp-bpf program:\n");
+	fprintf(stderr, " [idx]\tcode\t jt\t jf\tk\n");
+	if (debug)
+		for (idx=0; idx
 #include
+#include "log.h"
 #include "seccomp.h"
 #include "seccomp-oci.h"
-int debug = 0;
-
 int install_syscall_filter(const char *argv, const char *file)
 {
 	struct blob_buf b = { 0 };
 	struct sock_fprog *prog = NULL;
-	INFO("%s: setting up syscall filter\n", argv);
+	DEBUG("%s: setting up syscall filter\n", argv);
 	blob_buf_init(&b, 0);
 	if (!blobmsg_add_json_from_file(&b, file)) {
diff --git a/jail/seccomp.h b/jail/seccomp.h
index 24c1dd7..b0c8d30 100644
--- a/jail/seccomp.h
+++ b/jail/seccomp.h
@@ -16,15 +16,6 @@
 #include
 #include
 
-#define INFO(fmt, ...) do { \
-		syslog(LOG_INFO,"preload-seccomp: "fmt, ## __VA_ARGS__); \
-		fprintf(stderr,"preload-seccomp: "fmt, ## __VA_ARGS__); \
-	} while (0)
-#define ERROR(fmt, ...) do { \
-		syslog(LOG_ERR,"preload-seccomp: "fmt, ## __VA_ARGS__); \
-		fprintf(stderr,"preload-seccomp: "fmt, ## __VA_ARGS__); \
-	} while (0)
-
 int install_syscall_filter(const char *argv, const char *file);
 
 #endif
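Review bot: `debug = atoi(env_debug);` in __preload_main__ accepts any string silently — a non-numeric value becomes 0, an out-of-range one is undefined behaviour, and a negative level is stored unchanged and passed on to whatever log.h's DEBUG macro does with it (not visible in this hunk). `strtol` with an end-pointer and sign check gives the same result for well-formed input while rejecting the rest: `char *end; long lvl = strtol(env_debug, &end, 10); debug = (end != env_debug && *end == '\0' && lvl >= 0) ? (int)lvl : 0;`. The `else debug = 0;` branch is redundant because the file-scope `int debug;` added above is zero-initialized, though it is harmless. The value is produced by build_envp with `%2d`, so single-digit levels arrive with a leading space; both atoi and strtol skip leading whitespace, so that is not a functional problem, only a formatting one on the sending side.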