subproc: refer users to dmesg in case si_syscall==31 (SIGSYS)
This commit is contained in:
parent
88647a0819
commit
e1e80e8efa
4
caps.cc
4
caps.cc
@ -256,8 +256,8 @@ bool initNs(nsjconf_t* nsjconf) {
|
||||
if (getInheritable(cap_data, i.val)) {
|
||||
continue;
|
||||
}
|
||||
if (prctl(PR_CAPBSET_READ, (unsigned long)i.val, 0UL, 0UL, 0UL) ==
|
||||
-1 && errno == EINVAL) {
|
||||
if (prctl(PR_CAPBSET_READ, (unsigned long)i.val, 0UL, 0UL, 0UL) == -1 &&
|
||||
errno == EINVAL) {
|
||||
LOG_D("Skipping unsupported capability: %s", i.name);
|
||||
continue;
|
||||
}
|
||||
|
2
macros.h
2
macros.h
@ -58,7 +58,7 @@ static void __attribute__ ((unused)) __clang_cleanup_func(void (^*dfunc) (void))
|
||||
#define _DEFER(a, count) \
|
||||
auto void _STRMERGE(__defer_f_, count)(void* _defer_arg __attribute__((unused))); \
|
||||
int _STRMERGE(__defer_var_, count) __attribute__((cleanup(_STRMERGE(__defer_f_, count)))) \
|
||||
__attribute__((unused)); \
|
||||
__attribute__((unused)); \
|
||||
void _STRMERGE(__defer_f_, count)(void* _defer_arg __attribute__((unused)))
|
||||
#define defer _DEFER(a, __COUNTER__)
|
||||
#endif
|
||||
|
22
subproc.cc
22
subproc.cc
@ -194,7 +194,7 @@ static void subprocNewProc(
|
||||
#if defined(__NR_execveat)
|
||||
util::syscall(__NR_execveat, nsjconf->exec_fd, (uintptr_t) "",
|
||||
(uintptr_t)argv.data(), (uintptr_t)environ, AT_EMPTY_PATH);
|
||||
#else /* defined(__NR_execveat) */
|
||||
#else /* defined(__NR_execveat) */
|
||||
LOG_E("Your system doesn't support execveat() syscall");
|
||||
return;
|
||||
#endif /* defined(__NR_execveat) */
|
||||
@ -259,8 +259,11 @@ static void seccompViolation(nsjconf_t* nsjconf, siginfo_t* si) {
|
||||
|
||||
const auto& p = nsjconf->pids.find(si->si_pid);
|
||||
if (p == nsjconf->pids.end()) {
|
||||
LOG_W("pid=%d SiSyscall: %d, SiCode: %d, SiErrno: %d, SiSigno: %d", (int)si->si_pid,
|
||||
si->si_syscall, si->si_code, si->si_errno, si->si_signo);
|
||||
LOG_W(
|
||||
"pid=%d SiSyscall: %d, SiCode: %d, SiErrno: %d, SiSigno: %d. (If "
|
||||
"SiSyscall==31, then it's most likely the SIGSYS value. See 'dmesg' or "
|
||||
"'journalctl -ek' for possible auditd report with more data)",
|
||||
(int)si->si_pid, si->si_syscall, si->si_code, si->si_errno, si->si_signo);
|
||||
LOG_E("Couldn't find pid element in the subproc list for pid=%d", (int)si->si_pid);
|
||||
return;
|
||||
}
|
||||
@ -268,7 +271,10 @@ static void seccompViolation(nsjconf_t* nsjconf, siginfo_t* si) {
|
||||
char buf[4096];
|
||||
ssize_t rdsize = util::readFromFd(p->second.pid_syscall_fd, buf, sizeof(buf) - 1);
|
||||
if (rdsize < 1) {
|
||||
LOG_W("pid=%d, SiSyscall: %d, SiCode: %d, SiErrno: %d, SiSigno: %d",
|
||||
LOG_W(
|
||||
"pid=%d, SiSyscall: %d, SiCode: %d, SiErrno: %d, SiSigno: %d. (If "
|
||||
"SiSyscall==31, then it's most likely the SIGSYS value. See 'dmesg' or "
|
||||
"'journalctl -ek' for possible auditd report with more data)",
|
||||
(int)si->si_pid, si->si_syscall, si->si_code, si->si_errno, si->si_signo);
|
||||
return;
|
||||
}
|
||||
@ -287,11 +293,15 @@ static void seccompViolation(nsjconf_t* nsjconf, siginfo_t* si) {
|
||||
} else if (ret == 3) {
|
||||
LOG_W(
|
||||
"pid=%d, SiSyscall: %d, SiCode: %d, SiErrno: %d, SiSigno: %d, SP: %#tx, PC: "
|
||||
"%#tx",
|
||||
"%#tx (If SiSyscall==31, then it's most likely the SIGSYS value. See 'dmesg' "
|
||||
"or 'journalctl -ek' for possible auditd report with more data)",
|
||||
(int)si->si_pid, si->si_syscall, si->si_code, si->si_errno, si->si_signo, arg1,
|
||||
arg2);
|
||||
} else {
|
||||
LOG_W("pid=%d, SiSyscall: %d, SiCode: %d, SiErrno: %d, Syscall string '%s'",
|
||||
LOG_W(
|
||||
"pid=%d, SiSyscall: %d, SiCode: %d, SiErrno: %d, Syscall string '%s'. (If "
|
||||
"SiSyscall==31, then it's most likely the SIGSYS value. See 'dmesg' or "
|
||||
"'journalctl -ek' for possible auditd report with more data)",
|
||||
(int)si->si_pid, si->si_syscall, si->si_code, si->si_errno, buf);
|
||||
}
|
||||
}
|
||||
|
4
user.cc
4
user.cc
@ -68,7 +68,7 @@ static bool setResGid(gid_t gid) {
|
||||
PLOG_W("setresgid32(%d)", (int)gid);
|
||||
return false;
|
||||
}
|
||||
#else /* defined(__NR_setresgid32) */
|
||||
#else /* defined(__NR_setresgid32) */
|
||||
if (util::syscall(__NR_setresgid, (uintptr_t)gid, (uintptr_t)gid, (uintptr_t)gid) == -1) {
|
||||
PLOG_W("setresgid(%d)", gid);
|
||||
return false;
|
||||
@ -84,7 +84,7 @@ static bool setResUid(uid_t uid) {
|
||||
PLOG_W("setresuid32(%d)", (int)uid);
|
||||
return false;
|
||||
}
|
||||
#else /* defined(__NR_setresuid32) */
|
||||
#else /* defined(__NR_setresuid32) */
|
||||
if (util::syscall(__NR_setresuid, (uintptr_t)uid, (uintptr_t)uid, (uintptr_t)uid) == -1) {
|
||||
PLOG_W("setresuid(%d)", uid);
|
||||
return false;
|
||||
|
Loading…
Reference in New Issue
Block a user