seccomp: Log seccomp violations with utrace
author Michal Sojka <sojkam1@fel.cvut.cz>
Sun, 24 Sep 2017 22:56:33 +0000 (00:56 +0200)
committer John Crispin <john@phrozen.org>
Thu, 28 Sep 2017 06:26:56 +0000 (08:26 +0200)
commit 5e4ad0270bedf98da1d47e3e1306f7b66b6b29c7
tree ed7ec1fa5b636f0195fab2f6c677df431bd57ba0
parent 2661b2f7c1944c3fab1fba420e81fae1349644d3
seccomp: Log seccomp violations with utrace

Older kernel versions shipped by LEDE/OpenWrt contained the patch
target/linux/generic/patches-3.18/999-seccomp_log.patch, which logged
seccomp violations. For some reason, newer kernels do not have this
patch. Without this kind of logging, it is very hard to set up a seccomp
whitelist properly, so this commit modifies utrace to serve as a
logger for seccomp violations.

With this patch, when utrace is executed via seccomp-trace symlink, it
does not trace normal syscalls but only seccomp violations and logs
them to syslog. For example:

    seccomp-trace: uci[3955] tried to call non-whitelisted syscall: ftruncate64 (see /etc/seccomp/myservice.json)

Compared to the kernel-based logging, this approach gives users more
information: which json whitelist needs to be extended. This is
especially useful for services which fork many diverse children, such
as shell scripts.

Signed-off-by: Michal Sojka <sojkam1@fel.cvut.cz>
jail/seccomp-bpf.h
jail/seccomp.c
trace/trace.c
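The mechanism the commit message describes (a seccomp filter that returns SECCOMP_RET_TRACE for non-whitelisted syscalls, and a ptrace-based tracer that catches the resulting PTRACE_EVENT_SECCOMP stops and logs them instead of killing the process) is shown below as an added example. It is not procd's utrace or jail code; the whitelist contents, the policy path "/etc/seccomp/example.json", the tracee name "child" and the small syscall-name table are illustrative assumptions, and the register read is written for Linux x86_64 and aarch64 only.

```c
/* Added example (not procd/utrace code): a minimal seccomp-violation logger.
 * The child installs a BPF filter that allows a hypothetical whitelist and
 * returns SECCOMP_RET_TRACE for everything else; the tracer logs each
 * PTRACE_EVENT_SECCOMP stop in the format the commit message shows and then
 * lets the syscall proceed. Linux x86_64/aarch64 only. */
#define _GNU_SOURCE
#include <elf.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/uio.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

#if defined(__x86_64__)
#define EXAMPLE_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define EXAMPLE_ARCH AUDIT_ARCH_AARCH64
#else
#error "example supports x86_64 and aarch64 only"
#endif

/* Filter layout: [0-2] arch check (kill on mismatch), [3] load nr,
 * [4..4+n-1] one JEQ per whitelisted nr jumping to ALLOW, [4+n] TRACE, [5+n] ALLOW.
 * Returns the instruction count (n + 6), or 0 if cap is too small. */
size_t build_trace_filter(struct sock_filter *out, size_t cap, const int *allowed, size_t n)
{
    size_t i, len = n + 6;
    if (cap < len || n > 200)
        return 0;
    out[0] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    out[1] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, EXAMPLE_ARCH, 1, 0);
    out[2] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    out[3] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (i = 0; i < n; i++) /* jt = n - i skips the remaining checks and the TRACE */
        out[4 + i] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                                  (unsigned)allowed[i], (unsigned char)(n - i), 0);
    out[4 + n] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRACE);
    out[5 + n] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return len;
}

/* Illustrative subset of a syscall-name table (assumption: a real logger uses a full one). */
static const struct { long nr; const char *name; } example_names[] = {
    { SYS_read, "read" }, { SYS_write, "write" }, { SYS_openat, "openat" }, { SYS_close, "close" },
    { SYS_getpid, "getpid" }, { SYS_ftruncate, "ftruncate" }, { SYS_mkdirat, "mkdirat" },
    { SYS_exit_group, "exit_group" },
};

/* Map a syscall number to a name; unknown numbers are rendered as "#<nr>". */
const char *syscall_name(long nr, char *fallback, size_t cap)
{
    for (size_t i = 0; i < sizeof example_names / sizeof example_names[0]; i++)
        if (example_names[i].nr == nr)
            return example_names[i].name;
    snprintf(fallback, cap, "#%ld", nr);
    return fallback;
}

/* Render one log line in the format quoted in the commit message. */
int format_violation(char *buf, size_t cap, const char *comm, pid_t pid, long nr, const char *policy)
{
    char num[32];
    return snprintf(buf, cap, "seccomp-trace: %s[%d] tried to call non-whitelisted syscall: %s (see %s)",
                    comm, (int)pid, syscall_name(nr, num, sizeof num), policy);
}

/* Read the syscall number of a tracee stopped at PTRACE_EVENT_SECCOMP (arch-specific register). */
long stopped_syscall_nr(pid_t pid)
{
    struct user_regs_struct regs;
#if defined(__x86_64__)
    if (ptrace(PTRACE_GETREGS, pid, 0, &regs) < 0) return -1;
    return (long)regs.orig_rax;
#else
    struct iovec iov = { &regs, sizeof regs };
    if (ptrace(PTRACE_GETREGSET, pid, NT_PRSTATUS, &iov) < 0) return -1;
    return (long)regs.regs[8];
#endif
}

int main(void)
{
    static const int allowed[] = { SYS_write, SYS_exit_group, SYS_rt_sigreturn }; /* hypothetical whitelist */
    struct sock_filter filt[32];
    struct sock_fprog prog = { 0, filt };
    int status;
    prog.len = (unsigned short)build_trace_filter(filt, 32, allowed, sizeof allowed / sizeof allowed[0]);
    pid_t child = fork();
    if (child == 0) { /* tracee: attach, hand control to the tracer, install the filter, misbehave */
        ptrace(PTRACE_TRACEME, 0, 0, 0);
        raise(SIGSTOP);
        prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
        if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) { perror("seccomp"); _exit(1); }
        syscall(SYS_getpid); /* not whitelisted: logged by the tracer, but still allowed to run */
        _exit(0);
    }
    waitpid(child, &status, 0); /* tracer: enable seccomp stops, then log until the child exits */
    ptrace(PTRACE_SETOPTIONS, child, 0, PTRACE_O_TRACESECCOMP);
    ptrace(PTRACE_CONT, child, 0, 0);
    while (waitpid(child, &status, 0) == child && !WIFEXITED(status)) {
        if (status >> 8 == (SIGTRAP | (PTRACE_EVENT_SECCOMP << 8))) {
            char line[256];
            format_violation(line, sizeof line, "child", child, stopped_syscall_nr(child), "/etc/seccomp/example.json");
            puts(line); /* utrace in seccomp-trace mode sends this to syslog instead */
        }
        ptrace(PTRACE_CONT, child, 0, 0);
    }
    return 0;
}
```

Because the tracer continues the tracee without altering the syscall, the violation is only reported, which is what makes this mode usable for building a whitelist incrementally; without an attached tracer, SECCOMP_RET_TRACE makes the syscall fail with ENOSYS, so the filter must only be installed once the tracer has set PTRACE_O_TRACESECCOMP.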