[PATCH v6 1/3] Introduce seccomp-assisted syscall filtering

Dmitry V. Levin ldv at altlinux.org
Sun Sep 22 21:00:54 UTC 2019


On Sun, Sep 22, 2019 at 10:13:29PM +0200, Paul Chaignon wrote:
[...]
> diff --git a/defs.h b/defs.h
> index 337c9bd7..95c5fad2 100644
> --- a/defs.h
> +++ b/defs.h
> @@ -289,7 +289,6 @@ struct tcb {
>  	struct tcb_wait_data *delayed_wait_data;
>  	struct list_item wait_list;
>  
> -
>  # ifdef HAVE_LINUX_KVM_H
>  	struct vcpu_info *vcpu_info_list;
>  # endif
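Review bot: this hunk only drops a stray blank line inside struct tcb and has nothing to do with seccomp; leave it out of this patch (or put it in a separate whitespace cleanup) so the series stays reviewable as one logical change.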

I don't think this hunk is relevant.

> @@ -332,6 +331,9 @@ struct tcb {
>  # define TCB_DELAYED	0x2000	/* Current syscall has been delayed */
>  # define TCB_TAMPERED_NO_FAIL 0x4000	/* We tamper tcb with syscall
>  					   that should not fail. */
> +# define TCB_SECCOMP_FILTER	0x8000	/* This process has a seccomp filter
> +					 * attached
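Review bot: the continuation line of the new TCB_SECCOMP_FILTER comment uses a ` * ` prefix, whereas the neighbouring TCB_TAMPERED_NO_FAIL comment continues with whitespace-aligned text and no asterisk; match the existing style in this block, and since the text fits on one line, `/* This process has a seccomp filter attached. */` would avoid the continuation altogether.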

This needs a trailing dot.

[...]
> +void
> +init_seccomp_filter(void)
> +{
> +	struct sock_filter filter[BPF_MAXINSNS];
> +	unsigned short len;
> +
> +	len = init_sock_filter(filter);
> +
> +	struct sock_fprog prog = {
> +		.len = len,
> +		.filter = filter
> +	};
> +
> +	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0)
> +		perror_func_msg_and_die("prctl(PR_SET_NO_NEW_PRIVS)");
> +
> +	if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) < 0)
> +		perror_func_msg_and_die("prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER)");
> +}
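Review bot: both prctl() failures are fatal here, yet a kernel built without seccomp filter support (PR_SET_SECCOMP returning EINVAL) is a legitimate environment in which strace works fine without -n; consider returning an error so the caller can clear seccomp_filtering and fall back to plain ptrace instead of calling perror_func_msg_and_die. A second point worth a comment near the PR_SET_NO_NEW_PRIVS call: no_new_privs is irreversible and inherited across fork and execve, so every process started under this mode loses set-uid, set-gid and file-capability elevation on exec; that behavioural difference from the default tracing path should be spelled out in the -n documentation.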

I'm not sure we really want to terminate strace in this case.

[...]
> +	if (seccomp_filtering) {
> +		if ((opt_p && !argc) || debug_flag)
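Review bot: the `|| debug_flag` term means this branch is also taken when -p was never given, so a message that talks about processes attached with -p will be misleading in the debug-only case; give debug_flag its own condition and message, and rather than adding an opt_p flag that only records that -p appeared, test the count of attached processes, which expresses the intent directly.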

I think we can avoid introducing opt_p and check nprocs instead.

> +			error_msg("-n is ineffective on processes attached with -p");

It's not just ineffective, it's not enabled for these processes.

[...]
> +	case TE_SECCOMP:
> +		if (!has_seccomp_filter(current_tcp)) {
> +			/*
> +			 * We don't know if forks/clones have a seccomp
> +			 * filter when they are created, but we can detect
> +			 * it when we have a seccomp-stop.
> +			 * In such a case, if !seccomp_before_sysentry, we
> +			 * have already processed the syscall entry, so we
> +			 * break to avoid processing it a second time.
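Review bot: the comment states that the filter state of new forks/clones is unknown at creation, but seccomp filters are inherited across fork and clone, so the child's tcb could take TCB_SECCOMP_FILTER from its parent when the child is first seen and the "already processed the syscall entry" special case below would only be needed for tracees whose parent state is genuinely unavailable; if there is such a case (for example a child noticed before its parent's clone stop), say so in the comment so the reason for the late detection is clear.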

avoid processing it for the second time


-- 
ldv