[LEDE-DEV] [PATCH procd 10/17] seccomp: Log seccomp violations with utrace
Michal Sojka
sojkam1 at fel.cvut.cz
Sun Sep 24 15:54:17 PDT 2017
On Tue, Sep 12 2017, Michal Sojka wrote:
> Older kernel versions shipped by LEDE/OpenWrt contained the patch
> target/linux/generic/patches-3.18/999-seccomp_log.patch that logged
> seccomp violations. For some reason, newer kernels do not have this
> patch. Without this kind of logging, it is very hard to set up a seccomp
> whitelist properly, so this commit modifies utrace to serve as a
> logger for seccomp violations.
>
> With this patch, when utrace is executed via seccomp-trace symlink, it
> does not trace normal syscalls but only seccomp violations and logs
> them to syslog. For example:
>
> seccomp-trace: uci[3955] tried to call non-whitelisted syscall: ftruncate64 (see /etc/seccomp/myservice.json)
It turns out that this patch has its problems too. It works properly
only on x86. On ARM, it reports the violations, but fails to block the
non-whitelisted syscalls. I don't have other hardware at hand so I
cannot test it on other archs.
The change needed for ARM is shown below and I'll send a v2 patch
with this change soon.
I'm testing this on ARM with a 4.1+ kernel and on x86 with 4.4.86. There
were some changes in seccomp/ptrace in Linux 4.8 - I believe this patch
will work the same even with newer Linux, but this has not been
tested (yet).
-Michal
diff --git a/trace/trace.c b/trace/trace.c
index 6fb9335..d022079 100644
--- a/trace/trace.c
+++ b/trace/trace.c
@@ -52,7 +52,11 @@
# endif
#define reg_syscall_nr (EF_REG2 / 4)
#elif defined(__arm__)
+#include <asm/ptrace.h> /* for PTRACE_SET_SYSCALL */
#define reg_syscall_nr _offsetof(struct user, regs.uregs[7])
+# if defined(__ARM_EABI__)
+# define reg_retval_nr _offsetof(struct user, regs.uregs[0])
+# endif
#else
#error tracing is not supported on this architecture
#endif
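Review bot: `reg_retval_nr` is only defined under the new `# if defined(__ARM_EABI__)`, but the tracer_cb hunk uses it under a plain `#if defined(__arm__)`, so an OABI build of trace.c fails with an undeclared identifier; r0 carries the syscall return value on both ARM ABIs, so define it unconditionally next to `reg_syscall_nr` (or mirror the `__ARM_EABI__` test at the use site). Also, `+#include <asm/ptrace.h>` brings the kernel uapi definition of PTRACE_SET_SYSCALL into a file that already gets its ptrace constants from libc; if that libc defines PTRACE_SET_SYSCALL itself the include is redundant and can trigger a redefinition warning, so wrapping it in `#ifndef PTRACE_SET_SYSCALL` is safer.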
@@ -216,7 +220,12 @@ static void tracer_cb(struct uloop_process *c, int ret)
/* Nothing special to do here */
} else if ((ret >> 8) == (SIGTRAP | (PTRACE_EVENT_SECCOMP << 8))) {
int syscall = ptrace(PTRACE_PEEKUSER, c->pid, reg_syscall_nr);
+#if defined(__arm__)
+ ptrace(PTRACE_SET_SYSCALL, c->pid, 0, -1);
+ ptrace(PTRACE_POKEUSER, c->pid, reg_retval_nr, -ENOSYS);
+#else
ptrace(PTRACE_POKEUSER, c->pid, reg_syscall_nr, -1);
+#endif
report_seccomp_vialation(c->pid, syscall);
} else {
inject_signal = WSTOPSIG(ret);
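Review bot: the return values of the two new ptrace() calls in the `#if defined(__arm__)` branch are discarded, so if PTRACE_SET_SYSCALL or the r0 poke fails the syscall runs unblocked while report_seccomp_vialation() still logs it, which is exactly the silent non-blocking this change sets out to remove; check both results (the pre-existing x86 PTRACE_POKEUSER has the same gap) and include strerror(errno) in the report when blocking failed. Two smaller points: PTRACE_PEEKUSER returns -1 both as a legitimate value and as an error, so `syscall` should be read with errno cleared first or the log line can name syscall -1, and the function name in the context line, report_seccomp_vialation, has a typo worth fixing while the call site is being touched.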
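The mechanism this thread relies on, end to end, as an added example (my code, not procd's utrace and not part of Michal's patch): a tracee installs a seccomp whitelist whose default action is SECCOMP_RET_TRACE, and the tracer, at each PTRACE_EVENT_SECCOMP stop, reads the pending syscall number, cancels the syscall and logs it. The per-architecture block_syscall() is the part the thread is about: on x86-64 it pokes orig_rax = -1 and, beyond what the patch does, also rax = -ENOSYS so the tracee's result is explicit rather than whatever the entry code left there; on ARM it uses PTRACE_SET_SYSCALL plus r0 as the hunk above does, and that branch follows the patch without having been run here. The names build_filter, block_syscall and trace_child, the demo whitelist of getpid/exit_group and the getppid probe are all constructed for this example, and architectures other than x86-64 and 32-bit ARM are stubbed out.

```c
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

#if defined(__x86_64__)
# define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__arm__)
# include <asm/ptrace.h>   /* PTRACE_SET_SYSCALL, as in the procd patch */
# define ARCH_NR AUDIT_ARCH_ARM
#else
# define ARCH_NR 0         /* other archs are stubbed out: the filter kills the tracee */
#endif

/* BPF whitelist: wrong arch -> KILL, listed nr -> ALLOW, anything else -> TRACE. Returns insn count, 0 if out is too small. */
size_t build_filter(const int *allowed, size_t n, struct sock_filter *out, size_t cap)
{
    size_t i = 0;
    if (cap < 5 + 2 * n)
        return 0;
    out[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    out[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t j = 0; j < n; j++) {
        out[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)allowed[j], 0, 1);
        out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    }
    out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRACE);   /* default: stop under the tracer */
    return i;
}

/* At a PTRACE_EVENT_SECCOMP stop: save the pending syscall number in *nr, make the kernel skip it and return -ENOSYS. */
static int block_syscall(pid_t pid, long *nr)
{
#if defined(__x86_64__)
    *nr = ptrace(PTRACE_PEEKUSER, pid, (void *)offsetof(struct user, regs.orig_rax), NULL);
    return (ptrace(PTRACE_POKEUSER, pid, (void *)offsetof(struct user, regs.orig_rax), (void *)-1L) < 0 ||
            ptrace(PTRACE_POKEUSER, pid, (void *)offsetof(struct user, regs.rax), (void *)(long)-ENOSYS) < 0) ? -1 : 0;
#elif defined(__arm__)
    *nr = ptrace(PTRACE_PEEKUSER, pid, (void *)offsetof(struct user, regs.uregs[7]), NULL);
    return (ptrace(PTRACE_SET_SYSCALL, pid, NULL, (void *)-1L) < 0 ||   /* poking r7 alone is ignored by the kernel */
            ptrace(PTRACE_POKEUSER, pid, (void *)offsetof(struct user, regs.uregs[0]), (void *)(long)-ENOSYS) < 0) ? -1 : 0;
#else
    *nr = -1; (void)pid;
    errno = ENOSYS; return -1;
#endif
}

/* Tracer loop: block and log each violation, deliver other signal stops unchanged. Violation count, or -1 on error. */
static int trace_child(pid_t pid, int *status)
{
    int violations = 0;
    long sig = 0, nr;
    if (waitpid(pid, status, 0) < 0 || !WIFSTOPPED(*status) ||
        ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)(long)PTRACE_O_TRACESECCOMP) < 0)
        return -1;
    for (;;) {
        if (ptrace(PTRACE_CONT, pid, NULL, (void *)sig) < 0 || waitpid(pid, status, 0) < 0) return -1;
        if (!WIFSTOPPED(*status)) return violations;                 /* tracee exited or was killed */
        sig = (*status >> 8) == (SIGTRAP | (PTRACE_EVENT_SECCOMP << 8)) ? 0 : WSTOPSIG(*status);
        if (sig)
            continue;                                               /* ordinary signal stop: pass it on */
        violations++;
        if (block_syscall(pid, &nr) == 0)
            fprintf(stderr, "seccomp-trace: [%d] tried to call non-whitelisted syscall: %ld (blocked)\n", (int)pid, nr);
        else
            fprintf(stderr, "seccomp-trace: [%d] syscall %ld NOT blocked: %m\n", (int)pid, nr);
    }
}

int main(void)
{
    const int allowed[] = { SYS_getpid, SYS_exit_group };           /* constructed whitelist for the demo */
    struct sock_filter insns[16];
    struct sock_fprog prog = { .len = (unsigned short)build_filter(allowed, 2, insns, 16), .filter = insns };
    int status = 0, n;
    pid_t pid = fork();
    if (pid == 0) {                                                 /* tracee: stop, confine itself, then probe */
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0 || raise(SIGSTOP) ||
            prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) || prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog))
            _exit(2);
        getpid();                                                   /* whitelisted: runs normally */
        long r = syscall(SYS_getppid);                              /* not whitelisted: must come back as -1/ENOSYS */
        _exit(r == -1 && errno == ENOSYS ? 0 : 1);
    }
    n = pid < 0 ? -1 : trace_child(pid, &status);
    return n == 1 && WIFEXITED(status) && WEXITSTATUS(status) == 0 ? 0 : 1;
}
```

Build with `cc -o seccomp-trace-demo seccomp-trace-demo.c` and run it unprivileged: the tracee needs no capabilities because PR_SET_NO_NEW_PRIVS is set before the filter is installed, and the parent may trace its own child under the default Yama policy. One violation line goes to stderr and the exit status is 0 only if the probe really came back as ENOSYS, so on a kernel or architecture where cancelling the syscall does not take effect (the ARM symptom from the mail) the program exits 1 even though the violation was logged.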