subproc: refer users to dmesg in case si_syscall==31 (SIGSYS)

Robert Swiecki 2021-02-01 23:22:43 +01:00
parent 88647a0819
commit e1e80e8efa
4 changed files with 21 additions and 11 deletions


@ -256,8 +256,8 @@ bool initNs(nsjconf_t* nsjconf) {
if (getInheritable(cap_data, i.val)) { if (getInheritable(cap_data, i.val)) {
continue; continue;
} }
if (prctl(PR_CAPBSET_READ, (unsigned long)i.val, 0UL, 0UL, 0UL) == if (prctl(PR_CAPBSET_READ, (unsigned long)i.val, 0UL, 0UL, 0UL) == -1 &&
-1 && errno == EINVAL) { errno == EINVAL) {
LOG_D("Skipping unsupported capability: %s", i.name); LOG_D("Skipping unsupported capability: %s", i.name);
continue; continue;
} }


@ -58,7 +58,7 @@ static void __attribute__ ((unused)) __clang_cleanup_func(void (^*dfunc) (void))
#define _DEFER(a, count) \ #define _DEFER(a, count) \
auto void _STRMERGE(__defer_f_, count)(void* _defer_arg __attribute__((unused))); \ auto void _STRMERGE(__defer_f_, count)(void* _defer_arg __attribute__((unused))); \
int _STRMERGE(__defer_var_, count) __attribute__((cleanup(_STRMERGE(__defer_f_, count)))) \ int _STRMERGE(__defer_var_, count) __attribute__((cleanup(_STRMERGE(__defer_f_, count)))) \
__attribute__((unused)); \ __attribute__((unused)); \
void _STRMERGE(__defer_f_, count)(void* _defer_arg __attribute__((unused))) void _STRMERGE(__defer_f_, count)(void* _defer_arg __attribute__((unused)))
#define defer _DEFER(a, __COUNTER__) #define defer _DEFER(a, __COUNTER__)
#endif #endif


@ -194,7 +194,7 @@ static void subprocNewProc(
#if defined(__NR_execveat) #if defined(__NR_execveat)
util::syscall(__NR_execveat, nsjconf->exec_fd, (uintptr_t) "", util::syscall(__NR_execveat, nsjconf->exec_fd, (uintptr_t) "",
(uintptr_t)argv.data(), (uintptr_t)environ, AT_EMPTY_PATH); (uintptr_t)argv.data(), (uintptr_t)environ, AT_EMPTY_PATH);
#else /* defined(__NR_execveat) */ #else /* defined(__NR_execveat) */
LOG_E("Your system doesn't support execveat() syscall"); LOG_E("Your system doesn't support execveat() syscall");
return; return;
#endif /* defined(__NR_execveat) */ #endif /* defined(__NR_execveat) */
@ -259,8 +259,11 @@ static void seccompViolation(nsjconf_t* nsjconf, siginfo_t* si) {
const auto& p = nsjconf->pids.find(si->si_pid); const auto& p = nsjconf->pids.find(si->si_pid);
if (p == nsjconf->pids.end()) { if (p == nsjconf->pids.end()) {
LOG_W("pid=%d SiSyscall: %d, SiCode: %d, SiErrno: %d, SiSigno: %d", (int)si->si_pid, LOG_W(
si->si_syscall, si->si_code, si->si_errno, si->si_signo); "pid=%d SiSyscall: %d, SiCode: %d, SiErrno: %d, SiSigno: %d. (If "
"SiSyscall==31, then it's most likely the SIGSYS value. See 'dmesg' or "
"'journalctl -ek' for possible auditd report with more data)",
(int)si->si_pid, si->si_syscall, si->si_code, si->si_errno, si->si_signo);
LOG_E("Couldn't find pid element in the subproc list for pid=%d", (int)si->si_pid); LOG_E("Couldn't find pid element in the subproc list for pid=%d", (int)si->si_pid);
return; return;
} }
@ -268,7 +271,10 @@ static void seccompViolation(nsjconf_t* nsjconf, siginfo_t* si) {
char buf[4096]; char buf[4096];
ssize_t rdsize = util::readFromFd(p->second.pid_syscall_fd, buf, sizeof(buf) - 1); ssize_t rdsize = util::readFromFd(p->second.pid_syscall_fd, buf, sizeof(buf) - 1);
if (rdsize < 1) { if (rdsize < 1) {
LOG_W("pid=%d, SiSyscall: %d, SiCode: %d, SiErrno: %d, SiSigno: %d", LOG_W(
"pid=%d, SiSyscall: %d, SiCode: %d, SiErrno: %d, SiSigno: %d. (If "
"SiSyscall==31, then it's most likely the SIGSYS value. See 'dmesg' or "
"'journalctl -ek' for possible auditd report with more data)",
(int)si->si_pid, si->si_syscall, si->si_code, si->si_errno, si->si_signo); (int)si->si_pid, si->si_syscall, si->si_code, si->si_errno, si->si_signo);
return; return;
} }
@ -287,11 +293,15 @@ static void seccompViolation(nsjconf_t* nsjconf, siginfo_t* si) {
} else if (ret == 3) { } else if (ret == 3) {
LOG_W( LOG_W(
"pid=%d, SiSyscall: %d, SiCode: %d, SiErrno: %d, SiSigno: %d, SP: %#tx, PC: " "pid=%d, SiSyscall: %d, SiCode: %d, SiErrno: %d, SiSigno: %d, SP: %#tx, PC: "
"%#tx", "%#tx (If SiSyscall==31, then it's most likely the SIGSYS value. See 'dmesg' "
"or 'journalctl -ek' for possible auditd report with more data)",
(int)si->si_pid, si->si_syscall, si->si_code, si->si_errno, si->si_signo, arg1, (int)si->si_pid, si->si_syscall, si->si_code, si->si_errno, si->si_signo, arg1,
arg2); arg2);
} else { } else {
LOG_W("pid=%d, SiSyscall: %d, SiCode: %d, SiErrno: %d, Syscall string '%s'", LOG_W(
"pid=%d, SiSyscall: %d, SiCode: %d, SiErrno: %d, Syscall string '%s'. (If "
"SiSyscall==31, then it's most likely the SIGSYS value. See 'dmesg' or "
"'journalctl -ek' for possible auditd report with more data)",
(int)si->si_pid, si->si_syscall, si->si_code, si->si_errno, buf); (int)si->si_pid, si->si_syscall, si->si_code, si->si_errno, buf);
} }
} }
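Review bot: The SIGSYS hint is pasted as a literal into all four LOG_W calls in seccompViolation and hard-codes 31, so it is printed whatever SiSyscall holds, and 31 is the SIGSYS number only on some architectures (on MIPS, for example, it is 12). A single shared hint string, appended only when `si->si_syscall == SIGSYS` and formatted with `%d` from the `SIGSYS` macro, would keep the four messages in sync and correct across targets. The third call (`"%#tx (If SiSyscall==31, ..."`) also lacks the `. ` separator that the other three use before the parenthesis. Since the message sends operators to `dmesg` / `journalctl -ek`, it may be worth adding that reading the kernel log can need elevated privileges on hosts that restrict it. The function body starts and continues outside the visible hunks, so the guard placement should be checked against the full function.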


@ -68,7 +68,7 @@ static bool setResGid(gid_t gid) {
PLOG_W("setresgid32(%d)", (int)gid); PLOG_W("setresgid32(%d)", (int)gid);
return false; return false;
} }
#else /* defined(__NR_setresgid32) */ #else /* defined(__NR_setresgid32) */
if (util::syscall(__NR_setresgid, (uintptr_t)gid, (uintptr_t)gid, (uintptr_t)gid) == -1) { if (util::syscall(__NR_setresgid, (uintptr_t)gid, (uintptr_t)gid, (uintptr_t)gid) == -1) {
PLOG_W("setresgid(%d)", gid); PLOG_W("setresgid(%d)", gid);
return false; return false;
@ -84,7 +84,7 @@ static bool setResUid(uid_t uid) {
PLOG_W("setresuid32(%d)", (int)uid); PLOG_W("setresuid32(%d)", (int)uid);
return false; return false;
} }
#else /* defined(__NR_setresuid32) */ #else /* defined(__NR_setresuid32) */
if (util::syscall(__NR_setresuid, (uintptr_t)uid, (uintptr_t)uid, (uintptr_t)uid) == -1) { if (util::syscall(__NR_setresuid, (uintptr_t)uid, (uintptr_t)uid, (uintptr_t)uid) == -1) {
PLOG_W("setresuid(%d)", uid); PLOG_W("setresuid(%d)", uid);
return false; return false;