Re: 9.3.0 and later not working on my powerpc32 system
Roy Marples
Thu Oct 15 16:01:00 2020
On 15/10/2020 15:47, Tom Armistead wrote:
I think I may have made a mistake regarding strace.dump3. I think when I added
the second patch, I mistakenly wound up not applying any patch at all. So, if
strace.dump3 doesn't make sense, that is probably due to an error on my part..
I have applied your debugging patch and ran it. The output when I start dhcpcd
is attached as dhcpcd.debug.log. It looks like it does have the syscall
message that you were hoping for.
In case you might need it, I also did an strace with your new debug patch
applied and that output is attached as strace.dump4.
And what is *really* helpful is that strace was intelligent enough to translate
the syscall number into __NR_time for me :)
Attached is a replacement patch which now allows this.
Lets see how far we get now!
Roy
diff --git a/src/privsep-linux.c b/src/privsep-linux.c
index 5d35ae2c..9b10d6f6 100644
--- a/src/privsep-linux.c
+++ b/src/privsep-linux.c
@@ -39,6 +39,7 @@
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
+#include <stdlib.h>
#include <string.h>
#include <unistd.h>
@@ -47,6 +48,9 @@
#include "logerr.h"
#include "privsep.h"
+/* Due to the complexity of SECCOMP, enable debugging by default. */
+#define SECCOMP_FILTER_DEBUG
+
static ssize_t
ps_root_dosendnetlink(int protocol, struct msghdr *msg)
{
@@ -125,7 +129,11 @@ ps_root_sendnetlink(struct dhcpcd_ctx *ctx, int protocol, struct msghdr *msg)
BPF_STMT(BPF_LD + BPF_W + BPF_ABS, \
offsetof(struct seccomp_data, nr))
+#ifdef SECCOMP_FILTER_DEBUG
+#define SECCOMP_FILTER_FAIL SECCOMP_RET_TRAP
+#else
#define SECCOMP_FILTER_FAIL SECCOMP_RET_KILL
+#endif
/* I personally find this quite nutty.
* Why can a system header not define a default for this? */
@@ -247,6 +255,9 @@ static struct sock_filter ps_seccomp_filter[] = {
#ifdef __NR_munmap
SECCOMP_ALLOW(__NR_munmap),
#endif
+#ifdef __NR_nanosleep
+ SECCOMP_ALLOW(__NR_nanosleep), /* XXX should use ppoll instead */
+#endif
#ifdef __NR_ppoll
SECCOMP_ALLOW(__NR_ppoll),
#endif
@@ -259,6 +270,9 @@ static struct sock_filter ps_seccomp_filter[] = {
#ifdef __NR_readv
SECCOMP_ALLOW(__NR_readv),
#endif
+#ifdef __NR_recv
+ SECCOMP_ALLOW(__NR_recv),
+#endif
#ifdef __NR_recvfrom
SECCOMP_ALLOW(__NR_recvfrom),
#endif
@@ -277,9 +291,15 @@ static struct sock_filter ps_seccomp_filter[] = {
#ifdef __NR_shutdown
SECCOMP_ALLOW(__NR_shutdown),
#endif
+#ifdef __NR_time
+ SECCOMP_ALLOW(__NR_time),
+#endif
#ifdef __NR_wait4
SECCOMP_ALLOW(__NR_wait4),
#endif
+#ifdef __NR_waitpid
+ SECCOMP_ALLOW(__NR_waitpid),
+#endif
#ifdef __NR_write
SECCOMP_ALLOW(__NR_write),
#endif
@@ -299,10 +319,44 @@ static struct sock_fprog ps_seccomp_prog = {
.filter = ps_seccomp_filter,
};
+#ifdef SECCOMP_FILTER_DEBUG
+static void
+ps_seccomp_violation(__unused int signum, siginfo_t *si, __unused void *context)
+{
+
+ logerrx("%s: unexpected syscall %d (arch=0x%x)",
+ __func__, si->si_syscall, si->si_arch);
+ _exit(EXIT_FAILURE);
+}
+
+static int
+ps_seccomp_debug(void)
+{
+ struct sigaction sa = {
+ .sa_flags = SA_SIGINFO,
+ .sa_sigaction = &ps_seccomp_violation,
+ };
+ sigset_t mask;
+
+ /* Install a signal handler to catch any issues with our filter. */
+ sigemptyset(&mask);
+ sigaddset(&mask, SIGSYS);
+ if (sigaction(SIGSYS, &sa, NULL) == -1 ||
+ sigprocmask(SIG_UNBLOCK, &mask, NULL) == -1)
+ return -1;
+
+ return 0;
+}
+#endif
+
int
ps_seccomp_enter(void)
{
+#ifdef SECCOMP_FILTER_DEBUG
+ ps_seccomp_debug();
+#endif
+
if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1 ||
prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &ps_seccomp_prog) == -1)
{
Archive administrator: postmaster@marples.name