[PATCH RFC v2 0/3] Seccomp-assisted syscall filtering

Paul Chaignon paul.chaignon at gmail.com
Wed Jul 31 15:33:14 UTC 2019 

This patchset introduces syscall filtering in the kernel using
seccomp-bpf.  The first patch implements the main logic to reduce the
number of tracer stops.  The second let's strace skip the seccomp-bpf
setup when there aren't any syscalls to filter.  The last patch adds
tests.

Seccomp filtering is only enabled with the -n option.  The BPF program
implements a simple linear match of syscalls which can be improved in the
future without impacting user-observable behavior.

I am sending this v2 as an RFC to get quick feedback on the
PERSONALITYX_AUDIT_ARCH constructs used in filter_seccomp.c, in the first
patch.  I am planning to add one or two more tests for the non-RFC v3.

Changelogs:
  Changes in v2:
    - New tests with all syscalls but one and with several syscall
      classes.
    - -n now implies -f, with a warning if -f was explicitly specified.
    - seccomp-filter state is displayed in debug mode, warning emitted if
      seccomp-filter was requested but unavailable.
    - Removed arch-specific preprocessor directives from
      filter_seccomp.c.
    - Fixed support for x86's x32 personality in BPF program.
    - Reworked seccomp check on size of BPF program to avoid
      overestimating the required size.
    - Reworked rewriting of BPF jumps to use placeholders.
    - Added support for archs with several personalities (not tested yet).

Chen Jingpiao (2):
  Introduce seccomp-assisted syscall filtering
  tests: test cases for seccomp-assisted syscall filtering

Paul Chaignon (1):
  filter_seccomp: skip seccomp setup when there's nothing to filter

 Makefile.am                  |   2 +
 NEWS                         |   1 +
 defs.h                       |   9 +
 filter_seccomp.c             | 473 +++++++++++++++++++++++++++++++++++
 filter_seccomp.h             |  49 ++++
 linux/aarch64/arch_defs_.h   |   4 +
 linux/mips/arch_defs_.h      |   3 +
 linux/powerpc64/arch_defs_.h |   2 +
 linux/riscv/arch_defs_.h     |   6 +
 linux/s390x/arch_defs_.h     |   2 +
 linux/sparc/arch_defs_.h     |   1 +
 linux/sparc64/arch_defs_.h   |   3 +
 linux/tile/arch_defs_.h      |   2 +
 linux/x32/arch_defs_.h       |   2 +
 linux/x86_64/arch_defs_.h    |   3 +
 number_set.c                 |  13 +
 number_set.h                 |   4 +
 strace.1.in                  |  10 +
 strace.c                     |  41 ++-
 tests/.gitignore             |   1 +
 tests/Makefile.am            |   1 +
 tests/filter_seccomp.in      |   4 +
 tests/gen_tests.in           |   2 +
 tests/init.sh                |   5 +
 tests/pure_executables.list  |   1 +
 tests/status-none-f.c        |  20 ++
 trace_event.h                |   5 +
 27 files changed, 666 insertions(+), 3 deletions(-)
 create mode 100644 filter_seccomp.c
 create mode 100644 filter_seccomp.h
 create mode 100644 tests/filter_seccomp.in
 create mode 100644 tests/status-none-f.c

-- 
2.17.1

More information about the Strace-devel mailing list