RE: dhcpcd dumplease reports "dhcpcd not running"
Matthew Clarkson
Wed Nov 18 19:55:52 2020
Hi Roy,
After looking at strace and digging around a bit, it looks like the ioctl is coming from the printf call in the script_dump function in script.c
Adding TCGETS to the ioctl options allowed appears to work, a patch is attached. I'm not sure if that is something that should always be in the filter or ifdef'd to limit to specific platforms, but it works for ours.
Here is the strace:
root@RCFA-1048515:~# dhcpcd --broadcast --background --timeout 10 br0
dhcpcd-9.3.2 starting
DUID 00:01:00:01:27:12:ea:1e:00:02:d9:1f:ff:c3
forked to background, child pid 916
root@RCFA-1048515:~# strace dhcpcd -d -4 --dumplease br0
execve("/usr/sbin/dhcpcd", ["dhcpcd", "-d", "-4", "--dumplease", "br0"], 0x7e94ee00 /* 13 vars */) = 0
brk(NULL) = 0x54b29000
uname({sysname="Linux", nodename="RCFA-1048515", ...}) = 0
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=3119, ...}) = 0
mmap2(NULL, 3119, PROT_READ, MAP_PRIVATE, 3, 0) = 0x76f93000
close(3) = 0
openat(AT_FDCWD, "/lib/libdl.so.2", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0(\0\1\0\0\08\v\0\0004\0\0\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=9528, ...}) = 0
mmap2(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x76f91000
mmap2(NULL, 73780, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x76f59000
mprotect(0x76f5b000, 61440, PROT_NONE) = 0
mmap2(0x76f6a000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1000) = 0x76f6a000
close(3) = 0
openat(AT_FDCWD, "/lib/tls/v7l/vfp/libc.so.6", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat64("/lib/tls/v7l/vfp", 0x7ee7c1e0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/tls/v7l/libc.so.6", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat64("/lib/tls/v7l", 0x7ee7c1e0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/tls/vfp/libc.so.6", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat64("/lib/tls/vfp", 0x7ee7c1e0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/tls/libc.so.6", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat64("/lib/tls", 0x7ee7c1e0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/v7l/vfp/libc.so.6", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat64("/lib/v7l/vfp", 0x7ee7c1e0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/v7l/libc.so.6", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat64("/lib/v7l", 0x7ee7c1e0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/vfp/libc.so.6", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat64("/lib/vfp", 0x7ee7c1e0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/libc.so.6", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 3
read(3, "\177ELF\1\1\1\3\0\0\0\0\0\0\0\0\3\0(\0\1\0\0\0I\254\1\0004\0\0\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=927804, ...}) = 0
mmap2(NULL, 997184, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x76e65000
mprotect(0x76f43000, 65536, PROT_NONE) = 0
mmap2(0x76f53000, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xde000) = 0x76f53000
mmap2(0x76f57000, 5952, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x76f57000
close(3) = 0
set_tls(0x76f91fc0) = 0
mprotect(0x76f53000, 8192, PROT_READ) = 0
mprotect(0x76f6a000, 4096, PROT_READ) = 0
mprotect(0x54b24000, 4096, PROT_READ) = 0
mprotect(0x76f94000, 4096, PROT_READ) = 0
munmap(0x76f93000, 3119) = 0
brk(NULL) = 0x54b29000
brk(0x54b4a000) = 0x54b4a000
fcntl64(0, F_GETFD) = 0
fcntl64(1, F_GETFD) = 0
fcntl64(2, F_GETFD) = 0
openat(AT_FDCWD, "/etc/localtime", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
readlink("/proc/self/exe", "/usr/sbin/dhcpcd", 4097) = 16
socket(AF_INET, SOCK_DGRAM, IPPROTO_IP) = 3
close(3) = 0
socket(AF_INET6, SOCK_DGRAM, IPPROTO_IP) = -1 EAFNOSUPPORT (Address family not supported by protocol)
openat(AT_FDCWD, "/etc/dhcpcd.conf", O_RDONLY|O_LARGEFILE) = 3
read(3, "# A sample configuration for dhc"..., 65536) = 1429
close(3) = 0
stat64("/etc/dhcpcd.conf", {st_mode=S_IFREG|0644, st_size=1429, ...}) = 0
chdir("/") = 0
clock_gettime(CLOCK_MONOTONIC, {tv_sec=69, tv_nsec=273294400}) = 0
rt_sigaction(SIGPIPE, {sa_handler=SIG_IGN, sa_mask=[PIPE], sa_flags=SA_RESTORER|SA_RESTART, sa_restorer=0x76e8ef71}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [HUP INT USR1 USR2 ALRM TERM CHLD], [], 8) = 0
rt_sigaction(SIGTERM, {sa_handler=0x54ae7dbd, sa_mask=[], sa_flags=SA_RESTORER|SA_SIGINFO, sa_restorer=0x76e8ef81}, NULL, 8) = 0
rt_sigaction(SIGINT, {sa_handler=0x54ae7dbd, sa_mask=[], sa_flags=SA_RESTORER|SA_SIGINFO, sa_restorer=0x76e8ef81}, NULL, 8) = 0
rt_sigaction(SIGALRM, {sa_handler=0x54ae7dbd, sa_mask=[], sa_flags=SA_RESTORER|SA_SIGINFO, sa_restorer=0x76e8ef81}, NULL, 8) = 0
rt_sigaction(SIGHUP, {sa_handler=0x54ae7dbd, sa_mask=[], sa_flags=SA_RESTORER|SA_SIGINFO, sa_restorer=0x76e8ef81}, NULL, 8) = 0
rt_sigaction(SIGUSR1, {sa_handler=0x54ae7dbd, sa_mask=[], sa_flags=SA_RESTORER|SA_SIGINFO, sa_restorer=0x76e8ef81}, NULL, 8) = 0
rt_sigaction(SIGUSR2, {sa_handler=0x54ae7dbd, sa_mask=[], sa_flags=SA_RESTORER|SA_SIGINFO, sa_restorer=0x76e8ef81}, NULL, 8) = 0
rt_sigaction(SIGCHLD, {sa_handler=0x54ae7dbd, sa_mask=[], sa_flags=SA_RESTORER|SA_SIGINFO, sa_restorer=0x76e8ef81}, NULL, 8) = 0
socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3
connect(3, {sa_family=AF_UNIX, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
close(3) = 0
socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3
connect(3, {sa_family=AF_UNIX, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
close(3) = 0
openat(AT_FDCWD, "/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=465, ...}) = 0
read(3, "# /etc/nsswitch.conf\n#\n# Example"..., 1024) = 465
read(3, "", 1024) = 0
close(3) = 0
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=3119, ...}) = 0
mmap2(NULL, 3119, PROT_READ, MAP_PRIVATE, 3, 0) = 0x76f93000
close(3) = 0
openat(AT_FDCWD, "/lib/libnss_compat.so.2", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0(\0\1\0\0\0T\17\0\0004\0\0\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=22040, ...}) = 0
mmap2(NULL, 87488, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x76e4f000
mprotect(0x76e54000, 61440, PROT_NONE) = 0
mmap2(0x76e63000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x4000) = 0x76e63000
close(3) = 0
mprotect(0x76e63000, 4096, PROT_READ) = 0
munmap(0x76f93000, 3119) = 0
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=3119, ...}) = 0
mmap2(NULL, 3119, PROT_READ, MAP_PRIVATE, 3, 0) = 0x76f93000
close(3) = 0
openat(AT_FDCWD, "/lib/libnss_nis.so.2", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/tls/v7l/vfp/libnss_nis.so.2", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat64("/usr/lib/tls/v7l/vfp", 0x7ee7bec8) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/tls/v7l/libnss_nis.so.2", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat64("/usr/lib/tls/v7l", 0x7ee7bec8) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/tls/vfp/libnss_nis.so.2", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat64("/usr/lib/tls/vfp", 0x7ee7bec8) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/tls/libnss_nis.so.2", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat64("/usr/lib/tls", 0x7ee7bec8) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/v7l/vfp/libnss_nis.so.2", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat64("/usr/lib/v7l/vfp", 0x7ee7bec8) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/v7l/libnss_nis.so.2", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat64("/usr/lib/v7l", 0x7ee7bec8) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/vfp/libnss_nis.so.2", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat64("/usr/lib/vfp", 0x7ee7bec8) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/libnss_nis.so.2", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat64("/usr/lib", {st_mode=S_IFDIR|0755, st_size=1113, ...}) = 0
munmap(0x76f93000, 3119) = 0
openat(AT_FDCWD, "/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
_llseek(3, 0, [0], SEEK_CUR) = 0
fstat64(3, {st_mode=S_IFREG|0644, st_size=889, ...}) = 0
mmap2(NULL, 889, PROT_READ, MAP_SHARED, 3, 0) = 0x76f93000
_llseek(3, 889, [889], SEEK_SET) = 0
munmap(0x76f93000, 889) = 0
close(3) = 0
stat64("/var/lib/dhcpcd", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
ioctl(0, FIONREAD, [0]) = 0
socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3
connect(3, {sa_family=AF_UNIX, sun_path="/var/run/dhcpcd/br0-4.unpriv.sock"}, 35) = 0
chroot("/var/lib/dhcpcd") = 0
chdir("/") = 0
setgroups32(1, [52]) = 0
setgid32(52) = 0
setuid32(52) = 0
getpid() = 957
prlimit64(0, RLIMIT_NOFILE, {rlim_cur=1, rlim_max=1}, NULL) = 0
ioctl(2, TCGETS, {B115200 opost isig icanon echo ...}) = 0
prlimit64(0, RLIMIT_FSIZE, {rlim_cur=0, rlim_max=0}, NULL) = 0
prlimit64(0, RLIMIT_NPROC, {rlim_cur=0, rlim_max=0}, NULL) = 0
prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) = 0
prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, {len=100, filter=0x54b27020}) = 0
write(3, "dhcpcd\0-d\0-4\0--dumplease\0br0\0", 29) = 29
write(2, "send OK\n", 8send OK
) = 8
clock_gettime(CLOCK_MONOTONIC, {tv_sec=69, tv_nsec=657808160}) = 0
clock_gettime(CLOCK_MONOTONIC, {tv_sec=69, tv_nsec=658039680}) = 0
ppoll([{fd=3, events=POLLIN}], 1, {tv_sec=4, tv_nsec=999768480}, [], 8) = 1 ([{fd=3, revents=POLLIN}], left {tv_sec=4, tv_nsec=999751360})
read(3, "\1\0\0\0", 4) = 4
clock_gettime(CLOCK_MONOTONIC, {tv_sec=69, tv_nsec=658786400}) = 0
ppoll([{fd=3, events=POLLIN}], 1, {tv_sec=4, tv_nsec=999021760}, [], 8) = 1 ([{fd=3, revents=POLLIN}], left {tv_sec=4, tv_nsec=999008960})
read(3, "\220\1\0\0", 4) = 4
clock_gettime(CLOCK_MONOTONIC, {tv_sec=69, tv_nsec=659478720}) = 0
ppoll([{fd=3, events=POLLIN}], 1, {tv_sec=4, tv_nsec=998329440}, [], 8) = 1 ([{fd=3, revents=POLLIN}], left {tv_sec=4, tv_nsec=998319840})
read(3, "reason=BOUND\0interface=br0\0proto"..., 400) = 400
fstat64(1, {st_mode=S_IFCHR|0600, st_rdev=makedev(0x4, 0x44), ...}) = 0
ioctl(1, TCGETS <unfinished ...>) = ?
+++ killed by SIGSYS +++
Bad system call
-----Original Message-----
From: Roy Marples <roy@xxxxxxxxxxxx>
Sent: Friday, November 13, 2020 9:07 AM
To: Matthew Clarkson <mclarkson@xxxxxxxxxxxxxxxxxxxx>
Cc: dhcpcd-discuss@xxxxxxxxxxxx
Subject: Re: dhcpcd dumplease reports "dhcpcd not running"
On 13/11/2020 16:43, Matthew Clarkson wrote:
> Oh I may have spoken too soon. It looks like it is working when I have
> the master process running with the --nobackground option and use a
> second ssh connection to dump the lease. This is the output when
> repeatedly dumping the lease (all the control command messages are expected):
>
> But if I run the master process with --background and try in the same
> console there is another seccomp violation. This time it looks like
> ioctl, which appears to be more granular in the seccomp filter. Is
> there a way to determine which argument is being used that causes the violation?
>
> root@RCFA-1048515:~# dhcpcd -d --dumplease -4 br0
>
> send OK
>
> ps_seccomp_violation: unexpected syscall 54 (arch=0x40000028)
This looks like the foreground process violating the sandbox.
If it send OK, which it claims, there are zero ioctls dhcpcd makes itself.
If you disable SECCOMP_FILTER_DEBUG, systrace might be able to pinpoint the error better.
systrace dhcpcd -d --dumplease -4 br0
For reference, it works fine on amd64 :/
Roy
Attachment:
seccomp_printf_ioctl.patch
Description: seccomp_printf_ioctl.patch
Archive administrator: postmaster@marples.name