Add enable-seccomp-debug option to configure in order to aid debugging

mptre · mptre · commit 3262498a6cd6 · 2018-01-03T19:01:12.000+01:00
diff --git a/compat-sandbox.c b/compat-sandbox.c
@@ -34,7 +34,10 @@ sandbox(int stage)
 
 #include <err.h>
 #include <seccomp.h>
+#include <signal.h>
+#include <stdio.h>
 #include <stdlib.h>
+#include <string.h>
 
 #include "compat.h"
 
@@ -45,13 +48,45 @@ sandbox(int stage)
 	(seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(ioctl), x,	\
 	 SCMP_A1(SCMP_CMP_EQ, syscall, 0)) < 0)
 
+/*
+ * Print out the offending syscall and exit.
+ * Not thread-safe and shall only be used for debugging purposes.
+ */
+void
+handle_sigsys(int signum __attribute__((unused)), siginfo_t *info,
+    void *ctx __attribute__((unused)))
+{
+	errx(1, "disallowed syscall #%d", info->si_syscall);
+}
+
+void
+sandbox_sighandler(void)
+{
+	struct sigaction	act;
+	sigset_t		mask;
+
+	memset(&act, 0, sizeof(act));
+	sigemptyset(&mask);
+	sigaddset(&mask, SIGSYS);
+	act.sa_sigaction = &handle_sigsys;
+	act.sa_flags = SA_SIGINFO;
+	if (sigaction(SIGSYS, &act, NULL) == -1)
+		err(1, "sigaction");
+	if (sigprocmask(SIG_UNBLOCK, &mask, NULL) == -1)
+		err(1, "sigprocmask");
+}
+
 void
 sandbox(int stage)
 {
 	scmp_filter_ctx	ctx;
 
 	switch (stage) {
 	case SANDBOX_ENTER:
+#ifdef HAVE_SECCOMP_DEBUG
+		sandbox_sighandler();
+#endif
+
 		if ((ctx = seccomp_init(SCMP_ACT_TRAP)) == NULL)
 			err(1, "seccomp_init");
 
diff --git a/config.h.in b/config.h.in
@@ -12,6 +12,9 @@
 /* Define if seccomp is available */
 #undef HAVE_SECCOMP
 
+/* Define to debug seccomp */
+#undef HAVE_SECCOMP_DEBUG
+
 /* Define to 1 if you have the `strtonum' function. */
 #undef HAVE_STRTONUM
 
diff --git a/configure.ac b/configure.ac
@@ -4,6 +4,10 @@ AM_INIT_AUTOMAKE([subdir-objects])
 AC_CONFIG_HEADERS([config.h])
 AC_PROG_CC
 AM_PROG_CC_C_O
+AC_ARG_ENABLE([seccomp-debug],
+  [AS_HELP_STRING([--enable-seccomp-debug], [enable seccomp debugging])],
+  [AC_DEFINE([HAVE_SECCOMP_DEBUG], [1], [Define to debug seccomp])],
+  [])
 AC_CHECK_FUNCS([pledge reallocarray strtonum])
 AC_SEARCH_LIBS([seccomp_init], [seccomp],
   [AC_DEFINE([HAVE_SECCOMP], [1], [Define if seccomp is available])])
