[PATCH v6 0/3] Seccomp-assisted syscall filtering

Paul Chaignon paul.chaignon at gmail.com
Sun Sep 22 20:13:05 UTC 2019


This patchset introduces syscall filtering in the kernel using
seccomp-bpf.  The first patch implements the main logic to reduce the
number of tracer stops.  The second lets strace skip the seccomp-bpf
setup when there aren't any syscalls to filter.  The last patch adds
tests.

Seccomp filtering is only enabled with the -n option.  The BPF program
implements a simple linear match of syscalls which can be improved in the
future without impacting user-observable behavior.

This patchset has a single BPF generation strategy.  Other strategies will
come in subsequent patchsets.  The generated BPF program also doesn't
support multiplexed syscalls (via ipc and socketcall), so these are always
traced in userspace.  Finally, seccomp-filter is disabled in case of
jump offset overflows in the BPF program.  Handling such overflows is a
bit tortuous and unlikely to happen in practice.

Changelogs:
  Changes in v6:
    - Fix -n when -p option is given and update man page.  Seccomp
      filtering is ineffective on processes attached with -p.
    - Warn if seccomp filtering is disabled because there is nothing to
      filter.
    - Improve wording in comments.
  Changes in v4:
    - New test to check conflicts between seccomp-filter flags and syscall
      numbers.
    - Fix return code for filter_seccomp-perf test.
    - Skip filter_seccomp-perf test if seccomp-filter is unavailable.
    - Replace timeout(1) with alarm(2) in filter_seccomp-perf test.
    - Add reproducer script to first patch's description.
    - Add comment and improve error message for filter_seccomp-perf test.
    - Various fixes to code formatting, code comments, and patch
      descriptions.
  Changes in v3:
    - Prevented overflows in conditional jump offsets.
    - Added debug messages in case seccomp-filter is disabled because of
      program size or jump offset overflow.
    - Defined new syscall flag for syscalls traced by default under
      seccomp-filter.
    - Added audit_arch_t flag for IA-64.
    - Added test to check seccomp-filter is enabled.
    - Commented in detail restart_op and PTRACE_{CONT,SYSCALL} behavior.
    - Commented overall BPF program structure and generated instructions.
    - Relicensed filter_seccomp.{c,h} under LGPL 2.1+.
    - Removed fallback for PERSONALITY{0,1,2}_AUDIT_ARCH macros.
    - Refactored check_seccomp_order_trace.
    - Use bitwise OR for opcodes instead of additions.
    - Renamed audit_arch_t.mask to audit_arch_t.flag.
    - Improvements to documentation and comment texts from Eugene.
    - Fixed typos and formatting issues.
  Changes in v2:
    - New tests with all syscalls but one and with several syscall
      classes.
    - -n now implies -f, with a warning if -f was explicitly specified.
    - seccomp-filter state is displayed in debug mode, warning emitted if
      seccomp-filter was requested but unavailable.
    - Removed arch-specific preprocessor directives from
      filter_seccomp.c.
    - Fixed support for x86's x32 personality in BPF program.
    - Reworked seccomp check on size of BPF program to avoid
      overestimating the required size.
    - Reworked rewriting of BPF jumps to use placeholders.
    - Added support for archs with several personalities (not tested yet).

Chen Jingpiao (2):
  Introduce seccomp-assisted syscall filtering
  tests: check seccomp-assisted syscall filtering

Paul Chaignon (1):
  filter_seccomp: skip seccomp setup when there's nothing to filter

 Makefile.am                    |   2 +
 NEWS                           |   2 +
 defs.h                         |   5 +-
 filter_seccomp.c               | 626 +++++++++++++++++++++++++++++++++
 filter_seccomp.h               |  21 ++
 linux/aarch64/arch_defs_.h     |   2 +
 linux/ia64/arch_defs_.h        |   1 +
 linux/powerpc64/arch_defs_.h   |   2 +
 linux/riscv/arch_defs_.h       |   2 +
 linux/s390x/arch_defs_.h       |   2 +
 linux/sparc64/arch_defs_.h     |   2 +
 linux/tile/arch_defs_.h        |   2 +
 linux/x32/arch_defs_.h         |   2 +
 linux/x86_64/arch_defs_.h      |   3 +
 number_set.c                   |  12 +
 number_set.h                   |   4 +
 strace.1.in                    |  21 +-
 strace.c                       | 102 +++++-
 tests/.gitignore               |   3 +
 tests/Makefile.am              |   5 +
 tests/filter_seccomp-flag.c    |  83 +++++
 tests/filter_seccomp-perf.c    |  39 ++
 tests/filter_seccomp-perf.test |  26 ++
 tests/filter_seccomp.in        |   4 +
 tests/filter_seccomp.sh        |  14 +
 tests/gen_tests.in             |   2 +
 tests/init.sh                  |   5 +
 tests/pure_executables.list    |   1 +
 tests/status-none-f.c          |  19 +
 trace_event.h                  |   5 +
 30 files changed, 1013 insertions(+), 6 deletions(-)
 create mode 100644 filter_seccomp.c
 create mode 100644 filter_seccomp.h
 create mode 100644 tests/filter_seccomp-flag.c
 create mode 100644 tests/filter_seccomp-perf.c
 create mode 100755 tests/filter_seccomp-perf.test
 create mode 100644 tests/filter_seccomp.in
 create mode 100755 tests/filter_seccomp.sh
 create mode 100644 tests/status-none-f.c

-- 
2.17.1
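Worked example, added by the editor and not part of this patchset or of strace itself: a C sketch of the BPF shape the cover letter describes, that is, a linear match of syscall numbers that returns SECCOMP_RET_TRACE for the syscalls to be traced and SECCOMP_RET_ALLOW for everything else, with an architecture check in front.  Every comparison jumps to one shared RET TRACE, so the longest jump offset equals the number of filtered syscalls; jt/jf are 8-bit fields, and like the patchset the builder refuses to generate the program when that offset would overflow instead of rewriting jumps.  A tiny cBPF evaluator is included so the generated program can be exercised in-process, and the tracee-side install step (prctl) is shown but not executed.  The function names, the two-syscall demo set, the use of AUDIT_ARCH_X86_64 and the 300-entry overflow case are assumptions of this example.  Multiplexed syscalls such as socketcall or ipc would simply stay in the traced set on architectures that have them, which is the "always traced in userspace" behaviour mentioned above.

```c
/* Editor's added example, not strace code.  Assumes Linux UAPI headers;
 * function names and demo inputs are this example's own. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#ifndef SECCOMP_RET_KILL_PROCESS              /* pre-4.14 UAPI headers */
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif

/* TRACE for each nr in 'nrs', ALLOW otherwise, KILL on arch mismatch.
 * Layout (n entries, n + 6 instructions):
 *   0: LD arch      1: JEQ arch,1,0                 2: RET KILL
 *   3: LD nr        4+i: JEQ nrs[i], jt=n-i, jf=0   (i = 0..n-1)
 *   4+n: RET ALLOW  5+n: RET TRACE
 * Every JEQ targets the single RET TRACE, so the first entry needs the
 * longest jump, n.  jt is 8 bits: n > 255 is refused, not rewritten. */
static int build_trace_filter(struct sock_filter *out, size_t cap,
                              uint32_t arch, const int *nrs, size_t n)
{
    size_t i, len = n + 6;
    if (n > 255 || len > cap || len > BPF_MAXINSNS)
        return -E2BIG;                        /* jump offset overflow or too big */
    out[0] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                          offsetof(struct seccomp_data, arch));
    out[1] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, arch, 1, 0);
    out[2] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    out[3] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                          offsetof(struct seccomp_data, nr));
    for (i = 0; i < n; i++)
        out[4 + i] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                        (uint32_t)nrs[i], (uint8_t)(n - i), 0);
    out[4 + n] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    out[5 + n] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRACE);
    return (int)len;
}

/* Minimal cBPF evaluator for the three opcodes emitted above; returns the
 * SECCOMP_RET_* action the kernel would take for this seccomp_data. */
static uint32_t eval_filter(const struct sock_filter *p, size_t len,
                            const struct seccomp_data *sd)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        switch (p[pc].code) {
        case BPF_LD | BPF_W | BPF_ABS:        /* acc = 32-bit word at offset k */
            memcpy(&acc, (const char *)sd + p[pc].k, sizeof acc);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:       /* relative jump past next insn */
            pc += acc == p[pc].k ? p[pc].jt : p[pc].jf;
            break;
        case BPF_RET | BPF_K:
            return p[pc].k;
        default:
            return SECCOMP_RET_KILL_PROCESS;  /* opcode we never emit */
        }
    }
    return SECCOMP_RET_KILL_PROCESS;          /* ran off the end */
}

/* Tracee side, as the forked child would do before exec.  Not called by
 * the checks below; the tracer must set PTRACE_O_TRACESECCOMP to get
 * the seccomp stops instead of per-syscall stops. */
int install_trace_filter(struct sock_filter *prog, unsigned short len)
{
    struct sock_fprog fprog = { .len = len, .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
        prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog))
        return -errno;
    return 0;
}

/* Demo set: trace openat and execve only; returns the action for (arch, nr). */
uint32_t demo_decision(uint32_t arch, int nr)
{
    const int traced[] = { SYS_openat, SYS_execve };
    struct sock_filter prog[BPF_MAXINSNS];
    struct seccomp_data sd = { .nr = nr, .arch = arch };
    int len = build_trace_filter(prog, BPF_MAXINSNS, AUDIT_ARCH_X86_64, traced, 2);
    return len < 0 ? (uint32_t)-1 : eval_filter(prog, (size_t)len, &sd);
}

/* 300 entries: the first JEQ would need jt = 300, so the builder refuses. */
int demo_overflow(void)
{
    int nrs[300];
    struct sock_filter prog[BPF_MAXINSNS];
    for (int i = 0; i < 300; i++)
        nrs[i] = i;
    return build_trace_filter(prog, BPF_MAXINSNS, AUDIT_ARCH_X86_64, nrs, 300);
}
```

The arch check sits before the syscall match because syscall numbers are only meaningful per audit architecture; a process that switched to another ABI (x32 on x86_64, for instance) must not have its numbers matched against the wrong table.  The -E2BIG path is what the cover letter calls disabling seccomp-filter on jump offset overflow: the caller falls back to tracing every syscall in userspace.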


