[PATCH v4 2/4] Introduce seccomp-assisted syscall filtering

Dmitry V. Levin ldv at altlinux.org
Sat Aug 31 23:14:42 UTC 2019


On Sat, Aug 31, 2019 at 09:56:55PM +0300, Dmitry V. Levin wrote:
> On Thu, Aug 29, 2019 at 04:00:24PM +0200, Paul Chaignon wrote:
> > From: Chen Jingpiao <chenjingpiao at gmail.com>
> > 
> > With this patch, strace can rely on seccomp to only be stopped at syscalls
> > of interest, instead of stopping at all syscalls.  The seccomp filtering
> > of syscalls is opt-in only; it must be enabled with the -n option.  Kernel
> > support is first checked with check_seccomp_filter(), which also ensures
> > the BPF program derived from the syscalls to filter is not larger than the
> > kernel's limit.
> > 
> > The -n option implies -f, but a warning is emitted if -f is not explicitly
> > specified.  Since a task's children inherit its seccomp filters, we want
> > to ensure all children are also traced to avoid their syscalls failing
> > with ENOSYS (cf. SECCOMP_RET_TRACE in seccomp man page).
> > 
> > The current BPF program implements a simple linear match of the syscall
> > numbers.  Contiguous sequences of syscall numbers are however matched as
> > an interval, with two instructions only.  The algorithm can be improved or
> > replaced in the future without impacting user-observed behavior.
> > 
> > The behavior of SECCOMP_RET_TRACE changed between Linux 4.7 and 4.8 (cf.
> > PTRACE_EVENT_SECCOMP in ptrace man page).  This patch supports both
> > behaviors by checking the kernel's actual behavior before installing the
> > seccomp filter.
> > 
> > * filter_seccomp.c: New file.
> > * filter_seccomp.h: New file.
> > * Makefile.am (strace_SOURCES): Add filter_seccomp.c and filter_seccomp.h.
> > * linux/aarch64/arch_defs_.h (PERSONALITY0_AUDIT_ARCH,
> > PERSONALITY1_AUDIT_ARCH): Define for aarch64.
> > * linux/powerpc64/arch_defs_.h (PERSONALITY0_AUDIT_ARCH,
> > PERSONALITY1_AUDIT_ARCH): Likewise for powerpc64.
> > * linux/riscv/arch_defs_.h (PERSONALITY0_AUDIT_ARCH,
> > PERSONALITY1_AUDIT_ARCH): Likewise for riscv.
> > * linux/s390x/arch_defs_.h (PERSONALITY0_AUDIT_ARCH,
> > PERSONALITY1_AUDIT_ARCH): Likewise for s390x.
> > * linux/sparc64/arch_defs_.h (PERSONALITY0_AUDIT_ARCH,
> > PERSONALITY1_AUDIT_ARCH): Likewise for sparc64.
> > * linux/tile/arch_defs_.h (PERSONALITY0_AUDIT_ARCH,
> > PERSONALITY1_AUDIT_ARCH): Likewise for tile.
> > * linux/x32/arch_defs_.h (PERSONALITY0_AUDIT_ARCH,
> > PERSONALITY1_AUDIT_ARCH): Likewise for x32.
> > * linux/x86_64/arch_defs_.h (PERSONALITY0_AUDIT_ARCH,
> > PERSONALITY1_AUDIT_ARCH, PERSONALITY2_AUDIT_ARCH): Likewise for x86_64.
> > * linux/ia64/arch_defs_.h (PERSONALITY0_AUDIT_ARCH): Likewise for IA64.
> > * strace.c (usage): Document -n option.
> > (exec_or_die): Initialize seccomp filtering if requested.
> > (init): Handle -n option and check that seccomp can be enabled.
> > (print_debug_info): Handle PTRACE_EVENT_SECCOMP.
> > (next_event): Capture PTRACE_EVENT_SECCOMP event.
> > (dispatch_event): Handle PTRACE_EVENT_SECCOMP event.
> > * trace_event.h (trace_event): New enumeration entity.
> > * strace.1.in: Document new -n option.
> > * NEWS: Mention this change.
> > 
> > Co-authored-by: Paul Chaignon <paul.chaignon at gmail.com>
> > ---
> >  Makefile.am                  |   2 +
> >  NEWS                         |   2 +
> >  filter_seccomp.c             | 488 +++++++++++++++++++++++++++++++++++

This fails to compile on old operating systems like RHEL6
with the following diagnostics:

filter_seccomp.c:16:27: error: linux/seccomp.h: No such file or directory
filter_seccomp.c:50: error: '__X32_SYSCALL_BIT' undeclared here (not in a function)
filter_seccomp.c: In function 'check_seccomp_order_do_child':
filter_seccomp.c:63: error: invalid use of undefined type 'struct seccomp_data'
filter_seccomp.c:66: error: 'SECCOMP_RET_TRACE' undeclared (first use in this function)
filter_seccomp.c:66: error: (Each undeclared identifier is reported only once
filter_seccomp.c:66: error: for each function it appears in.)
filter_seccomp.c:67: error: 'SECCOMP_RET_ALLOW' undeclared (first use in this function)
filter_seccomp.c:75: error: 'PR_SET_NO_NEW_PRIVS' undeclared (first use in this function)
filter_seccomp.c:75: warning: passing argument 1 of 'prctl' makes integer from pointer without a cast
/usr/include/sys/prctl.h:28: note: expected 'int' but argument is of type 'const struct sock_filter *'
filter_seccomp.c:77: error: 'SECCOMP_MODE_FILTER' undeclared (first use in this function)
filter_seccomp.c: In function 'check_seccomp_filter':
filter_seccomp.c:342: error: 'SECCOMP_MODE_FILTER' undeclared (first use in this function)
filter_seccomp.c: In function 'dump_seccomp_bpf':
filter_seccomp.c:364: error: invalid use of undefined type 'struct seccomp_data'
filter_seccomp.c:367: error: invalid use of undefined type 'struct seccomp_data'
filter_seccomp.c:377: error: 'SECCOMP_RET_TRACE' undeclared (first use in this function)
filter_seccomp.c:380: error: 'SECCOMP_RET_ALLOW' undeclared (first use in this function)
filter_seccomp.c: In function 'init_sock_filter':
filter_seccomp.c:465: error: invalid use of undefined type 'struct seccomp_data'
filter_seccomp.c:465: warning: initialization makes integer from pointer without a cast
filter_seccomp.c:487: error: invalid use of undefined type 'struct seccomp_data'
filter_seccomp.c:487: warning: initialization makes integer from pointer without a cast
filter_seccomp.c:495: error: invalid use of undefined type 'struct seccomp_data'
filter_seccomp.c:495: warning: initialization makes integer from pointer without a cast
filter_seccomp.c:526: error: 'SECCOMP_RET_ALLOW' undeclared (first use in this function)
filter_seccomp.c:526: warning: initialization makes integer from pointer without a cast
filter_seccomp.c:528: error: 'SECCOMP_RET_TRACE' undeclared (first use in this function)
filter_seccomp.c:528: warning: initialization makes integer from pointer without a cast
filter_seccomp.c:547: warning: initialization makes integer from pointer without a cast
filter_seccomp.c: In function 'init_seccomp_filter':
filter_seccomp.c:569: error: 'PR_SET_NO_NEW_PRIVS' undeclared (first use in this function)
filter_seccomp.c:569: warning: passing argument 1 of 'prctl' makes integer from pointer without a cast
/usr/include/sys/prctl.h:28: note: expected 'int' but argument is of type 'const struct sock_filter *'
filter_seccomp.c:574: error: 'SECCOMP_MODE_FILTER' undeclared (first use in this function)

(line numbers might differ slightly)


-- 
ldv
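The quoted description gives the shape of the BPF program (a linear match of syscall numbers, with each contiguous run folded into two instructions), and the diagnostics show what such a program needs from the kernel headers. What follows is an added example, not strace's filter_seccomp.c or any code from this thread: it builds a program of that shape for a sorted list of syscall numbers, enforces the two limits a builder has to respect (BPF_MAXINSNS and the 8-bit jump offsets of classic BPF), and carries a small interpreter for just the opcodes it emits so the result can be exercised without loading it. All names in it (build_trace_filter, run_trace_filter, trace_decision, emit_jump, run_end, LD_FIELD, RET_K) are this example's own. Two choices are also the example's, not the patch's: a call made under any ABI other than the one the numbers were built for is reported (SECCOMP_RET_TRACE) rather than let through, and the caller passes the list already sorted. It includes <linux/seccomp.h>, the header whose absence produced the first error above, so it compiles only where the kernel UAPI headers provide it.

```c
/* Added example, not strace's filter_seccomp.c: build a seccomp-BPF program that
 * returns SECCOMP_RET_TRACE for a chosen set of syscall numbers and SECCOMP_RET_ALLOW
 * for the rest (two instructions per contiguous run), plus a tiny interpreter. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>	/* absent from pre-seccomp-filter headers, e.g. RHEL6 */

#define LD_FIELD(f) BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, f))
#define RET_K(v)    BPF_STMT(BPF_RET | BPF_K, (v))

/* Last index of the contiguous run of numbers that starts at s[i]. */
static size_t run_end(const int *s, size_t m, size_t i)
{
	while (i + 1 < m && s[i + 1] == s[i] + 1)
		i++;
	return i;
}

/* Store a conditional jump at out[idx]; jt/jf count from idx + 1 and must fit
 * the 8-bit fields classic BPF gives them, else the program cannot be built. */
static int emit_jump(struct sock_filter *out, size_t idx, uint16_t op,
		     uint32_t k, size_t jt, size_t jf)
{
	if (jt > 255 || jf > 255) return 0;
	out[idx] = (struct sock_filter) BPF_JUMP(BPF_JMP | op | BPF_K, k, (uint8_t)jt, (uint8_t)jf);
	return 1;
}

/* Build the program for the strictly increasing list s[0..m) into out[], which
 * must hold BPF_MAXINSNS entries; out == NULL only sizes it. Returns the
 * instruction count, or 0 if the list is unsorted, the program is too long,
 * or a jump does not fit its 8-bit offset. */
size_t build_trace_filter(const int *s, size_t m, uint32_t audit_arch, struct sock_filter *out)
{
	size_t i, j, idx, checks = 0;

	for (i = 1; i < m; i++)
		if (s[i] <= s[i - 1]) return 0;
	for (i = 0; i < m; i = j + 1) {		/* 1 insn per lone nr, 2 per run */
		j = run_end(s, m, i);
		checks += (j == i) ? 1 : 2;
	}
	size_t allow_idx = 3 + checks, trace_idx = allow_idx + 1, total = trace_idx + 1;
	if (total > BPF_MAXINSNS) return 0;	/* ld arch, jeq arch, ld nr, checks, 2 rets */
	if (!out) return total;
	out[0] = (struct sock_filter) LD_FIELD(arch);
	/* Numbers are ABI-specific: a call from any other ABI is reported, not let through. */
	if (!emit_jump(out, 1, BPF_JEQ, audit_arch, 0, trace_idx - 2)) return 0;
	out[2] = (struct sock_filter) LD_FIELD(nr);
	for (i = 0, idx = 3; i < m; i = j + 1) {
		j = run_end(s, m, i);
		if (j == i) {	/* lone number: one JEQ straight to RET_TRACE */
			if (!emit_jump(out, idx, BPF_JEQ, (uint32_t)s[i], trace_idx - idx - 1, 0))
				return 0;
			idx += 1;
		} else {	/* run lo..hi: nr < lo skips the hi test, nr > hi falls through */
			if (!emit_jump(out, idx, BPF_JGE, (uint32_t)s[i], 0, 1) ||
			    !emit_jump(out, idx + 1, BPF_JGT, (uint32_t)s[j], 0, trace_idx - idx - 2))
				return 0;
			idx += 2;
		}
	}
	out[allow_idx] = (struct sock_filter) RET_K(SECCOMP_RET_ALLOW);
	out[trace_idx] = (struct sock_filter) RET_K(SECCOMP_RET_TRACE);
	return total;
}

/* Classic-BPF interpreter for only the opcodes emitted above, so a program can be
 * exercised on any host without prctl(PR_SET_SECCOMP). */
uint32_t run_trace_filter(const struct sock_filter *p, size_t len, const struct seccomp_data *d)
{
	uint32_t a = 0;
	for (size_t pc = 0; pc < len; pc++) {
		uint32_t k = p[pc].k;
		switch (p[pc].code) {
		case BPF_LD | BPF_W | BPF_ABS:
			if (k + sizeof a > sizeof *d) return 0;
			memcpy(&a, (const char *)d + k, sizeof a);
			break;
		case BPF_JMP | BPF_JEQ | BPF_K: pc += a == k ? p[pc].jt : p[pc].jf; break;
		case BPF_JMP | BPF_JGE | BPF_K: pc += a >= k ? p[pc].jt : p[pc].jf; break;
		case BPF_JMP | BPF_JGT | BPF_K: pc += a > k ? p[pc].jt : p[pc].jf; break;
		case BPF_RET | BPF_K: return k;
		default: return 0;	/* not in the subset this builder emits */
		}
	}
	return 0;	/* ran off the end; the kernel refuses such programs at load */
}

/* Build for nrs[0..n) and evaluate one syscall, nr made under call_arch. */
uint32_t trace_decision(const int *nrs, size_t n, uint32_t audit_arch, uint32_t call_arch, int nr)
{
	struct sock_filter prog[BPF_MAXINSNS];
	struct seccomp_data d = { .nr = nr, .arch = call_arch };
	size_t len = build_trace_filter(nrs, n, audit_arch, prog);
	return len ? run_trace_filter(prog, len, &d) : 0;
}
```

build_trace_filter(nrs, n, AUDIT_ARCH_X86_64, NULL) reports the size only; with a buffer of BPF_MAXINSNS entries it also emits the program, which trace_decision then evaluates for one (arch, nr) pair. Seven numbers forming two runs (0..3 and 59..61) cost 9 instructions, three isolated numbers cost 8, and an empty list still costs 5 (the arch check and the two returns). Installing the result is the prctl(PR_SET_NO_NEW_PRIVS) and SECCOMP_MODE_FILTER sequence the diagnostics above refer to, which this example deliberately leaves out.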