Paul Chaignon's GSoC status report - summary
Paul Chaignon
paul.chaignon at gmail.com
Mon Aug 26 11:37:38 UTC 2019
Hi all,
This email is a summary of the work done during GSoC 2019, with a few
ideas for improvement of seccomp-filter at the end.
- I reworked the z-option patchset [1] submitted by Burkhard Kohl to the
mailing list 2 years ago. The initial goal was to fix the -z option, to
print only successful syscalls, and introduce a new -Z option, to print
only failing syscalls. The -z option would sometimes print the entry of
failing syscalls. To fix this, we needed to stage the output of strace
until the syscall's return status is known.
This patchset then evolved to introduce a comprehensive status
qualifier, to match syscall return statuses other than failed and
successful (i.e., unfinished, detached, and unavailable).
The last patchset, which was merged into master, is available on the
mailing list [2], with a complete changelog.
- I reworked the seccomp-filter proof-of-concept [3] developed by Chen
Jingpiao during GSoC 2018. That patchset leverages seccomp-bpf to
filter syscalls in the kernel instead of in userspace, as currently
implemented by strace, when users only want to see a subset of all
syscalls. The patchset introduces a basic BPF program to match
syscalls. Its last version, with complete changelogs, is available on
the mailing list [4], but hasn't been merged yet.
- I worked on improvements to the BPF matching algorithm. Specifically, I
developed two new matching algorithms. The first is based on the basic,
linear algorithm, but attempts to match unwanted syscalls instead of
traced syscalls. The second uses bitwise operations to match syscalls
against the set of traced syscalls, encoded in bit arrays. strace then
chooses the best algorithm (i.e., the shortest program) at startup time.
I then evaluated these different algorithms to better understand in what
situation each algorithm is most appropriate and whether the code
complexity they introduce is worth it.
All BPF algorithms, as well as their evaluations, are available on the
mailing list as an RFC patchset [5].
Besides the last fixes to the seccomp-filter patchset and the new
algorithms (once we've chosen which to keep), there are several
opportunities for improvement:
- The current BPF programs don't handle multiplexing syscalls such as ipc
and socketcall. A special case is needed here to match the first
argument of these syscalls (generally called "call", used to determine
the actual function to call).
- seccomp-filter currently requires -f in strace as the seccomp-bpf
filters are inherited by children of the traced process, and syscalls
will fail if a seccomp-bpf program attempts to trace them (i.e., returns
SECCOMP_RET_TRACE) but there is no userspace tracer. We could remove
the need for -f if the kernel could take a new SECCOMP_SET_MODE_FILTER
flag to indicate seccomp-bpf filters shouldn't be inherited by child
processes.
- In debug mode, the selected BPF program is printed by
dump_seccomp_bpf(), which implements its own parsing logic. It should
be possible to reuse print_bpf_fprog() instead, at the cost of some
heavy refactoring.
Thank you Dmitry and Eugene for all your reviews!
Paul
1 - https://lists.strace.io/pipermail/strace-devel/2017-June/006510.html
2 - https://lists.strace.io/pipermail/strace-devel/2019-July/008945.html
3 - https://github.com/strace/strace/tree/ppiao/gsoc-2018-final
4 - https://lists.strace.io/pipermail/strace-devel/2019-August/009040.html
5 - https://lists.strace.io/pipermail/strace-devel/2019-August/009058.html
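The basic linear matcher and its complementary variant from the report, as an added example (not code from the strace seccomp-filter patchset): `build_filter` compiles a syscall list into one JEQ per entry, and the `run_filter`/`is_traced` helpers are assumptions for checking the program offline; the arch check a real filter performs first is left out.

```c
#include <stddef.h>
#include <stdint.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#define MAX_INSNS 64

/* Linear matcher: a hit returns SECCOMP_RET_TRACE so the tracer sees the
 * syscall, a miss returns SECCOMP_RET_ALLOW.  With match_unwanted = 1 the
 * list is the set of *untraced* syscalls and the two actions are swapped,
 * which yields the shorter program whenever that set is the smaller one.
 * A production filter must first load and check seccomp_data.arch; it is
 * omitted here so the toy evaluator below stays small. */
size_t build_filter(struct sock_filter *prog, const uint32_t *nrs, size_t n,
                    int match_unwanted)
{
    uint32_t on_hit  = match_unwanted ? SECCOMP_RET_ALLOW : SECCOMP_RET_TRACE;
    uint32_t on_miss = match_unwanted ? SECCOMP_RET_TRACE : SECCOMP_RET_ALLOW;
    size_t i = 0;

    prog[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                    offsetof(struct seccomp_data, nr));
    for (size_t k = 0; k < n; k++)
        /* true branch skips the remaining compares and the on_miss return */
        prog[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                        nrs[k], (uint8_t)(n - k), 0);
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, on_miss);
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, on_hit);
    return i;                      /* program length in instructions */
}

/* Minimal evaluator for the three opcodes used above, so the program can be
 * inspected without calling seccomp(2) (assumption, not strace code). */
uint32_t run_filter(const struct sock_filter *prog, size_t len, uint32_t nr)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *ins = &prog[pc];
        if (ins->code == (BPF_LD | BPF_W | BPF_ABS))
            acc = ins->k == offsetof(struct seccomp_data, nr) ? nr : 0;
        else if (ins->code == (BPF_JMP | BPF_JEQ | BPF_K))
            pc += acc == ins->k ? ins->jt : ins->jf;
        else if (ins->code == (BPF_RET | BPF_K))
            return ins->k;
        else
            return SECCOMP_RET_KILL;   /* opcode not modelled here */
    }
    return SECCOMP_RET_KILL;           /* fell off the end: invalid program */
}

/* Does a program built from `set` hand syscall `nr` to the tracer? */
int is_traced(const uint32_t *set, size_t n, int match_unwanted, uint32_t nr)
{
    struct sock_filter prog[MAX_INSNS];
    size_t len = build_filter(prog, set, n, match_unwanted);
    return run_filter(prog, len, nr) == SECCOMP_RET_TRACE;
}
```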