Re: 9.3.0 and later not working on my powerpc32 system
Roy Marples
Thu Oct 15 12:57:41 2020
On 15/10/2020 11:47, Tom Armistead wrote:
It seems like it's probably a little closer but not there yet. No longer hangs
during net start but doesn't get the network up.
Attached is an strace dump of it with both patches applied.
It's fairly easy for me to switch back and forth between 9.2 and the test
versions of 9.3.1. So, no worries...
OK, so we didn't really get anywhere with the last patch.
I've attached a new patch (which replaces all others) which allows debugging of
seccomp.
You should see a message like:
ps_seccomp_violation: unexpected syscall 271 (arch=0xc000003e)
That *should* give me enough to then add to the filter to allow it to proceed.
This might take a few attempts though, depending on the number of syscalls that
need adding.
Roy
diff --git a/src/privsep-linux.c b/src/privsep-linux.c
index 5d35ae2c..0e2fdcc9 100644
--- a/src/privsep-linux.c
+++ b/src/privsep-linux.c
@@ -39,6 +39,7 @@
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
+#include <stdlib.h>
#include <string.h>
#include <unistd.h>
@@ -47,6 +48,9 @@
#include "logerr.h"
#include "privsep.h"
+/* Due to the complexity of SECCOMP, enable debugging by default. */
+#define SECCOMP_FILTER_DEBUG
+
static ssize_t
ps_root_dosendnetlink(int protocol, struct msghdr *msg)
{
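Review bot: The `#define SECCOMP_FILTER_DEBUG` added at the top of this hunk is unconditional, so every build of privsep-linux.c, not only the one sent out to diagnose the powerpc32 report, selects the `SECCOMP_RET_TRAP` fallback that the next hunk (`@@ -125,7 +129,11 @@`) substitutes for `SECCOMP_RET_KILL`. With TRAP the violating process is terminated only because the SIGSYS handler in the final hunk calls `_exit`, whereas KILL is enforced by the kernel and does not depend on signal state inside the sandboxed process, so the debug build is a weaker sandbox than the release one. Since the patch is meant as a temporary diagnostic, I would drop the in-source define and pass `-DSECCOMP_FILTER_DEBUG` from the build for the test run, so that the stronger default is what ships once the missing syscalls are known. If the define stays, its comment should record the trade-off, e.g. `/* XXX debugging only: SECCOMP_RET_TRAP relies on our SIGSYS handler; revert to SECCOMP_RET_KILL before release. */`.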
@@ -125,7 +129,11 @@ ps_root_sendnetlink(struct dhcpcd_ctx *ctx, int protocol, struct msghdr *msg)
BPF_STMT(BPF_LD + BPF_W + BPF_ABS, \
offsetof(struct seccomp_data, nr))
+#ifdef SECCOMP_FILTER_DEBUG
+#define SECCOMP_FILTER_FAIL SECCOMP_RET_TRAP
+#else
#define SECCOMP_FILTER_FAIL SECCOMP_RET_KILL
+#endif
/* I personally find this quite nutty.
* Why can a system header not define a default for this? */
@@ -247,6 +255,9 @@ static struct sock_filter ps_seccomp_filter[] = {
#ifdef __NR_munmap
SECCOMP_ALLOW(__NR_munmap),
#endif
+#ifdef __NR_nanosleep
+ SECCOMP_ALLOW(__NR_nanosleep), /* XXX should use ppoll instead */
+#endif
#ifdef __NR_ppoll
SECCOMP_ALLOW(__NR_ppoll),
#endif
@@ -259,6 +270,9 @@ static struct sock_filter ps_seccomp_filter[] = {
#ifdef __NR_readv
SECCOMP_ALLOW(__NR_readv),
#endif
+#ifdef __NR_recv
+ SECCOMP_ALLOW(__NR_recv),
+#endif
#ifdef __NR_recvfrom
SECCOMP_ALLOW(__NR_recvfrom),
#endif
@@ -280,6 +294,9 @@ static struct sock_filter ps_seccomp_filter[] = {
#ifdef __NR_wait4
SECCOMP_ALLOW(__NR_wait4),
#endif
+#ifdef __NR_waitpid
+ SECCOMP_ALLOW(__NR_waitpid),
+#endif
#ifdef __NR_write
SECCOMP_ALLOW(__NR_write),
#endif
@@ -299,10 +316,44 @@ static struct sock_fprog ps_seccomp_prog = {
.filter = ps_seccomp_filter,
};
+#ifdef SECCOMP_FILTER_DEBUG
+static void
+ps_seccomp_violation(__unused int signum, siginfo_t *si, __unused void *context)
+{
+
+ logerrx("%s: unexpected syscall %d (arch=0x%x)",
+ __func__, si->si_syscall, si->si_arch);
+ _exit(EXIT_FAILURE);
+}
+
+static int
+ps_seccomp_debug(void)
+{
+ struct sigaction sa = {
+ .sa_flags = SA_SIGINFO,
+ .sa_sigaction = &ps_seccomp_violation,
+ };
+ sigset_t mask;
+
+ /* Install a signal handler to catch any issues with our filter. */
+ sigemptyset(&mask);
+ sigaddset(&mask, SIGSYS);
+ if (sigaction(SIGSYS, &sa, NULL) == -1 ||
+ sigprocmask(SIG_UNBLOCK, &mask, NULL) == -1)
+ return -1;
+
+ return 0;
+}
+#endif
+
int
ps_seccomp_enter(void)
{
+#ifdef SECCOMP_FILTER_DEBUG
+ ps_seccomp_debug();
+#endif
+
if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1 ||
prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &ps_seccomp_prog) == -1)
{