Minijail: add logging for seccomp filter failures.
BUG=chromium-os:33361
TEST=unit tests
TEST=security_Minijail0, security_Minijail_seccomp, platform_CrosDisksArchive
Change-Id: I16cdb8fbcf1cb13f2dee5521f97fb8d0bdbdf93b
Reviewed-on: https://gerrit.chromium.org/gerrit/29053
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Commit-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
diff --git a/signal.c b/signal.c
new file mode 100644
index 0000000..85103c7
--- /dev/null
+++ b/signal.c
@@ -0,0 +1,70 @@
+/* Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ */
+
+#include <asm/siginfo.h>
+#define __have_siginfo_t 1
+#define __have_sigval_t 1
+#define __have_sigevent_t 1
+
+#include <signal.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include "signal.h"
+
+#include "util.h"
+
+struct local_sigsys {
+ void *ip;
+ int nr;
+ unsigned int arch;
+};
+
+void log_sigsys_handler(int nr, siginfo_t *info, void *void_context)
+{
+ struct local_sigsys sigsys;
+ const char *syscall_name;
+ memcpy(&sigsys, &info->_sifields, sizeof(sigsys));
+ syscall_name = lookup_syscall_name(sigsys.nr);
+
+ if (syscall_name)
+ warn("blocked syscall: %s", syscall_name);
+ else
+ warn("blocked syscall: %d", nr);
+
+ (void) void_context;
+
+ /*
+ * We trapped on a syscall that should have killed the process.
+ * This should never ever return, but we're paranoid.
+ */
+ for (;;)
+ _exit(1);
+}
+
+int install_sigsys_handler()
+{
+ int ret = 0;
+ struct sigaction act;
+ sigset_t mask;
+
+ memset(&act, 0, sizeof(act));
+ act.sa_sigaction = &log_sigsys_handler;
+ act.sa_flags = SA_SIGINFO;
+
+ sigemptyset(&mask);
+ sigaddset(&mask, SIGSYS);
+
+ ret = sigaction(SIGSYS, &act, NULL);
+ if (ret < 0)
+ return ret;
+
+ ret = sigprocmask(SIG_UNBLOCK, &mask, NULL);
+ if (ret < 0)
+ return ret;
+
+ return 0;
+}