Report seccomp violations
This commit is contained in:
Jagger
parent
27f7bf9a8c
commit
de9ff2382e
36
subproc.c
36
subproc.c
@ -139,24 +139,44 @@ void subprocDisplay(struct nsjconf_t *nsjconf)
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static void subprocSeccompViolation(siginfo_t * si)
|
||||||
|
{
|
||||||
|
LOG_W("PID %d commited syscall/seccomp violation and exited with SIGSYS", si->si_pid);
|
||||||
|
}
|
||||||
|
|
||||||
int subprocReap(struct nsjconf_t *nsjconf)
|
int subprocReap(struct nsjconf_t *nsjconf)
|
||||||
{
|
{
|
||||||
int status;
|
int status;
|
||||||
int rv = 0;
|
int rv = 0;
|
||||||
pid_t pid;
|
siginfo_t si;
|
||||||
while ((pid = waitpid(-1, &status, WNOHANG)) > 0) {
|
|
||||||
|
for (;;) {
|
||||||
|
si.si_pid = 0;
|
||||||
|
if (waitid(P_ALL, 0, &si, WNOHANG | WNOWAIT | WEXITED) == -1) {
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
if (si.si_pid == 0) {
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
if (si.si_status == SIGSYS) {
|
||||||
|
subprocSeccompViolation(&si);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (waitpid(si.si_pid, &status, WNOHANG) == si.si_pid) {
|
||||||
if (WIFEXITED(status)) {
|
if (WIFEXITED(status)) {
|
||||||
subprocRemove(nsjconf, pid);
|
subprocRemove(nsjconf, si.si_pid);
|
||||||
LOG_I("PID: %d exited with status: %d, (PIDs left: %d)", pid,
|
LOG_I("PID: %d exited with status: %d, (PIDs left: %d)", si.si_pid,
|
||||||
WEXITSTATUS(status), subprocCount(nsjconf));
|
WEXITSTATUS(status), subprocCount(nsjconf));
|
||||||
if (rv == 0) {
|
if (rv == 0) {
|
||||||
rv = WEXITSTATUS(status);
|
rv = WEXITSTATUS(status);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if (WIFSIGNALED(status)) {
|
if (WIFSIGNALED(status)) {
|
||||||
subprocRemove(nsjconf, pid);
|
subprocRemove(nsjconf, si.si_pid);
|
||||||
LOG_I("PID: %d terminated with signal: %d, (PIDs left: %d)", pid,
|
LOG_I("PID: %d terminated with signal: %d, (PIDs left: %d)",
|
||||||
WTERMSIG(status), subprocCount(nsjconf));
|
si.si_pid, WTERMSIG(status), subprocCount(nsjconf));
|
||||||
|
rv = 100 + WTERMSIG(status);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -166,7 +186,7 @@ int subprocReap(struct nsjconf_t *nsjconf)
|
|||||||
if (nsjconf->tlimit == 0) {
|
if (nsjconf->tlimit == 0) {
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
pid = p->pid;
|
pid_t pid = p->pid;
|
||||||
time_t diff = now - p->start;
|
time_t diff = now - p->start;
|
||||||
if (diff >= nsjconf->tlimit) {
|
if (diff >= nsjconf->tlimit) {
|
||||||
LOG_I("PID: %d run time >= time limit (%ld >= %ld) (%s). Killing it", pid,
|
LOG_I("PID: %d run time >= time limit (%ld >= %ld) (%s). Killing it", pid,
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user