[PATCH v3 0/4] Seccomp-assisted syscall filtering

Paul Chaignon paul.chaignon at gmail.com
Thu Aug 15 17:51:02 UTC 2019


This patchset introduces syscall filtering in the kernel using
seccomp-bpf.  The first patch introduces the new TRACE_SECCOMP_DEFAULT
syscall flag to prepare for seccomp-filter.  The second patch implements
the main logic to reduce the number of tracer stops.  The third lets
strace skip the seccomp-bpf setup when there aren't any syscalls to
filter.  The last patch adds tests.

Seccomp filtering is only enabled with the -n option.  The BPF program
implements a simple linear match of syscalls which can be improved in the
future without impacting user-observable behavior.

This patchset has a single BPF generation strategy.  Other strategies will
come in subsequent patchsets.  The generated BPF program also doesn't
support multiplexed syscalls (via ipc and socketcall), so these are always
traced in userspace.  Finally, seccomp-filter is disabled in case of
(unlikely) jump offset overflows in the BPF program.  Handling such
overflows is a bit tortuous and may come in a later patch.

I still need to add a test case or static check to compare
audit_arch_vec[p].flag to the number of syscalls, as per:
https://lists.strace.io/pipermail/strace-devel/2019-August/009038.html

Changelogs:
  Changes in v3:
    - Prevented overflows in conditional jump offsets.
    - Added debug messages in case seccomp-filter is disabled because of
      program size or jump offset overflow.
    - Defined new syscall flag for syscalls traced by default under
      seccomp-filter.
    - Added audit_arch_t flag for IA-64.
    - Added test to check seccomp-filter is enabled.
    - Commented in detail restart_op and PTRACE_{CONT,SYSCALL} behavior.
    - Commented overall BPF program structure and generated instructions.
    - Relicensed filter_seccomp.{c,h} under LGPL 2.1+.
    - Removed fallback for PERSONALITY{0,1,2}_AUDIT_ARCH macros.
    - Refactored check_seccomp_order_trace.
    - Use bitwise OR for opcodes instead of additions.
    - Renamed audit_arch_t.mask to audit_arch_t.flag.
    - Improvements to documentation and comment texts from Eugene.
    - Fixed typos and formatting issues.
  Changes in v2:
    - New tests with all syscalls but one and with several syscall
      classes.
    - -n now implies -f, with a warning if -f was explicitly specified.
    - seccomp-filter state is displayed in debug mode, warning emitted if
      seccomp-filter was requested but unavailable.
    - Removed arch-specific preprocessor directives from
      filter_seccomp.c.
    - Fixed support for x86's x32 personality in BPF program.
    - Reworked seccomp check on size of BPF program to avoid
      overestimating the required size.
    - Reworked rewriting of BPF jumps to use placeholders.
    - Added support for archs with several personalities (not tested yet).

Chen Jingpiao (2):
  Introduce seccomp-assisted syscall filtering
  tests: test cases for seccomp-assisted syscall filtering

Paul Chaignon (2):
  Add seccomp-filter syscall flag
  filter_seccomp: skip seccomp setup when there's nothing to filter

 Makefile.am                    |   2 +
 NEWS                           |   2 +
 filter_seccomp.c               | 492 +++++++++++++++++++++++++++++++++
 filter_seccomp.h               |  21 ++
 linux/32/syscallent.h          |   4 +-
 linux/64/syscallent.h          |   4 +-
 linux/aarch64/arch_defs_.h     |   2 +
 linux/alpha/syscallent.h       |   4 +-
 linux/arch_defs_.h             |   4 +
 linux/arm/syscallent.h         |   8 +-
 linux/avr32/syscallent.h       |   6 +-
 linux/bfin/syscallent.h        |   8 +-
 linux/hppa/syscallent.h        |   4 +-
 linux/i386/syscallent.h        |   8 +-
 linux/ia64/arch_defs_.h        |   1 +
 linux/ia64/syscallent.h        |   4 +-
 linux/m68k/syscallent.h        |   8 +-
 linux/microblaze/syscallent.h  |   8 +-
 linux/mips/syscallent-n32.h    |   4 +-
 linux/mips/syscallent-n64.h    |   4 +-
 linux/mips/syscallent-o32.h    |  10 +-
 linux/powerpc/syscallent.h     |   8 +-
 linux/powerpc64/arch_defs_.h   |   2 +
 linux/powerpc64/syscallent.h   |   8 +-
 linux/riscv/arch_defs_.h       |   2 +
 linux/s390/syscallent.h        |   8 +-
 linux/s390x/arch_defs_.h       |   2 +
 linux/s390x/syscallent.h       |   8 +-
 linux/sh/syscallent.h          |   8 +-
 linux/sh64/syscallent.h        |   8 +-
 linux/sparc/syscallent.h       |  10 +-
 linux/sparc64/arch_defs_.h     |   2 +
 linux/sparc64/syscallent.h     |  10 +-
 linux/tile/arch_defs_.h        |   2 +
 linux/x32/arch_defs_.h         |   2 +
 linux/x32/syscallent.h         |   4 +-
 linux/x86_64/arch_defs_.h      |   3 +
 linux/x86_64/syscallent.h      |   4 +-
 linux/xtensa/syscallent.h      |   4 +-
 number_set.c                   |  12 +
 number_set.h                   |   4 +
 strace.1.in                    |  17 +-
 strace.c                       |  76 ++++-
 sysent.h                       |   1 +
 sysent_shorthand_defs.h        |   2 +
 tests/.gitignore               |   2 +
 tests/Makefile.am              |   3 +
 tests/filter_seccomp-perf.c    |  33 +++
 tests/filter_seccomp-perf.test |  17 ++
 tests/filter_seccomp.in        |   4 +
 tests/gen_tests.in             |   2 +
 tests/init.sh                  |   5 +
 tests/pure_executables.list    |   1 +
 tests/status-none-f.c          |  19 ++
 trace_event.h                  |   5 +
 55 files changed, 819 insertions(+), 87 deletions(-)
 create mode 100644 filter_seccomp.c
 create mode 100644 filter_seccomp.h
 create mode 100644 tests/filter_seccomp-perf.c
 create mode 100755 tests/filter_seccomp-perf.test
 create mode 100644 tests/filter_seccomp.in
 create mode 100644 tests/status-none-f.c

-- 
2.17.1
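
The "jump offset overflows" mentioned in the cover letter come from classic BPF conditional jumps carrying 8-bit offsets. The following is an added example, not code from the patchset: a linear-match generator that refuses to emit a program whose jumps would not fit, plus a small evaluator to check the result. The function names, the instruction layout and the single-ABI simplification (no seccomp_data.arch check, no multiplexed syscalls) are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Layout: [0] load nr, [1..n] JEQ per traced syscall, [n+1] RET ALLOW,
 * [n+2] RET TRACE (shared jump target).  Returns length, or 0 on failure. */
static size_t build_linear_filter(const uint32_t *nrs, size_t n,
                                  struct sock_filter *prog, size_t cap)
{
    size_t len = n + 3, trace_pos = n + 2;
    if (len > cap || len > BPF_MAXINSNS) return 0;
    prog[0] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                           offsetof(struct seccomp_data, nr));
    for (size_t i = 0; i < n; i++) {
        size_t off = trace_pos - (i + 2); /* relative to the next insn */
        if (off > UINT8_MAX) return 0;    /* jt and jf are 8-bit fields */
        prog[i + 1] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                                   nrs[i], (uint8_t)off, 0);
    }
    prog[n + 1] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    prog[n + 2] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRACE);
    return len;
}

/* Minimal evaluator for the three opcodes emitted above. */
static uint32_t run_filter(const struct sock_filter *prog, size_t len, uint32_t nr)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        switch (prog[pc].code) {
        case BPF_LD | BPF_W | BPF_ABS: acc = nr; break; /* only .nr modelled */
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == prog[pc].k) ? prog[pc].jt : prog[pc].jf; break;
        case BPF_RET | BPF_K: return prog[pc].k;
        }
    }
    return SECCOMP_RET_KILL; /* fell off the end: treat as invalid */
}

int main(void)
{
    uint32_t traced[] = { 0, 1, 59 }; /* constructed sample syscall numbers */
    struct sock_filter prog[8];
    size_t len = build_linear_filter(traced, 3, prog, 8);
    printf("len=%zu nr59=%#x\n", len, (unsigned)run_filter(prog, len, 59));
    return 0;
}
```

With this layout the first comparison must jump over every later one, so the generator gives up once more than 255 syscalls are matched against a single shared target.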
