Minijail: add logging for seccomp filter failures.
BUG=chromium-os:33361
TEST=unit tests
TEST=security_Minijail0, security_Minijail_seccomp, platform_CrosDisksArchive
Change-Id: I16cdb8fbcf1cb13f2dee5521f97fb8d0bdbdf93b
Reviewed-on: https://gerrit.chromium.org/gerrit/29053
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Commit-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
diff --git a/libminijail.c b/libminijail.c
index 2c3d5b3..4da1f66 100644
--- a/libminijail.c
+++ b/libminijail.c
@@ -35,6 +35,7 @@
#include "libminijail.h"
#include "libminijail-private.h"
+#include "signal.h"
#include "syscall_filter.h"
#include "util.h"
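Review bot: The added `#include "signal.h"` uses the quoted form with the name of a standard header, so which file is picked up depends on the include search order. If the system header is meant, write `#include <signal.h>` and place it with the other system includes. If it is a new project header declaring `install_sigsys_handler()` (the diff does not show that file), a distinct name would keep it from shadowing `<signal.h>` in any translation unit built with the project directory on the include path.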
@@ -71,6 +72,7 @@
int ptrace:1;
int no_new_privs:1;
int seccomp_filter:1;
+ int log_seccomp_filter:1;
int chroot:1;
} flags;
uid_t uid;
@@ -185,6 +187,11 @@
j->flags.seccomp_filter = 1;
}
+void API minijail_log_seccomp_filter_failures(struct minijail *j)
+{
+ j->flags.log_seccomp_filter = 1;
+}
+
void API minijail_use_caps(struct minijail *j, uint64_t capmask)
{
j->caps = capmask;
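Review bot: `minijail_log_seccomp_filter_failures()` is a new public entry point with no comment, and it has an ordering requirement that callers cannot see from the signature. The flag is read when the policy is compiled (`compile_filter(file, fprog, j->flags.log_seccomp_filter)` in the next hunk), so setting it after the policy file has been parsed would leave the compiled filter without logging while the SIGSYS handler is still installed later. It is also only acted on when `flags.seccomp_filter` is set. I would add a comment above the function such as `/* Must be called before the seccomp policy is parsed; has no effect unless the seccomp filter is enabled. Intended for policy debugging. */`, and mirror it on the declaration in `libminijail.h` if that header documents the API.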
@@ -278,8 +285,9 @@
}
struct sock_fprog *fprog = malloc(sizeof(struct sock_fprog));
- if (compile_filter(file, fprog)) {
- die("failed to compile seccomp filter BPF program in '%s'", path);
+ if (compile_filter(file, fprog, j->flags.log_seccomp_filter)) {
+ die("failed to compile seccomp filter BPF program in '%s'",
+ path);
}
j->filter_len = fprog->len;
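Review bot: `fprog` comes straight from `malloc()` and is handed to the modified `compile_filter()` call and then dereferenced at `fprog->len` without a NULL check. This predates the commit, but the call is being touched here, so a guard fits: `if (!fprog) die("failed to allocate seccomp filter program");` before the `compile_filter()` call. Writing the allocation as `malloc(sizeof(*fprog))` would also keep the size tied to the variable's type. The enclosing function starts and ends outside the hunk, so whether `fprog` is freed later cannot be checked from here.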
@@ -334,7 +342,8 @@
for (b = j->bindings_head; b; b = b->next) {
marshal_append(state, b->src, strlen(b->src) + 1);
marshal_append(state, b->dest, strlen(b->dest) + 1);
- marshal_append(state, (char *)&b->writeable, sizeof(b->writeable));
+ marshal_append(state, (char *)&b->writeable,
+ sizeof(b->writeable));
}
}
@@ -640,6 +649,16 @@
}
/*
+ * If we're logging seccomp filter failures,
+ * install the SIGSYS handler first.
+ */
+ if (j->flags.seccomp_filter && j->flags.log_seccomp_filter) {
+ if (install_sigsys_handler())
+ pdie("install SIGSYS handler");
+ warn("logging seccomp filter failures");
+ }
+
+ /*
* Install seccomp filter before dropping root and caps.
* WARNING: this means that filter policies *must* allow
* setgroups()/setresgid()/setresuid() for dropping root and
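Review bot: The new comment above `install_sigsys_handler()` says when the handler is installed but not how long it lasts, and for a sandbox that is what a reader needs to know. A handler installed with `sigaction()` is reset to the default disposition across `execve()`, so if this path runs before the target program is exec'd, a violation would terminate the process without producing the log line. The jailed program can also replace the SIGSYS disposition itself if the policy allows the signal syscalls. I would extend the comment to state that logging is best-effort and meant for policy development, and note that the policy must allow whatever syscalls the handler uses to emit its message (the handler body is not visible in this diff). The enclosing function begins and ends outside the hunk.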