On 02/05/2013 06:02 AM, Michal Privoznik wrote:
Currently, if we call a non-whitelisted system call, we get killed
immediately without reporting any error. It would be far more useful
if we could at least shout something on stderr just before dying, so
users know it is because of the sandbox, not just a random quit.

Signed-off-by: Michal Privoznik <mpriv...@redhat.com>
---
  os-posix.c     | 8 ++++++++
  qemu-seccomp.c | 4 +++-
  2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/os-posix.c b/os-posix.c
index 5c64518..1d52306 100644
--- a/os-posix.c
+++ b/os-posix.c
@@ -62,6 +62,12 @@ void os_setup_early_signal_handling(void)
      sigaction(SIGPIPE, &act, NULL);
  }

+static void syssig_handler(int signal, siginfo_t *info, void *c)
+{
+    fprintf(stderr, "Bad system call\n");
+    exit(1);
+}
+
  static void termsig_handler(int signal, siginfo_t *info, void *c)
  {
      qemu_system_killed(info->si_signo, info->si_pid);
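Review bot: syssig_handler calls fprintf() and exit(), neither of which is async-signal-safe; if SIGSYS arrives while QEMU is inside stdio or malloc this can deadlock, and exit() runs atexit handlers on whatever state the process is in. Prefer a fixed message written with `write(STDERR_FILENO, msg, sizeof(msg) - 1);` followed by `_exit(1);`. The `info` argument is also unused even though the handler is installed with SA_SIGINFO; the siginfo the kernel fills in for seccomp traps (si_syscall, si_arch) would let the message say which system call was blocked, which is the detail a user debugging a sandbox failure actually needs.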
@@ -77,6 +83,8 @@ void os_setup_signal_handling(void)
      sigaction(SIGINT,  &act, NULL);
      sigaction(SIGHUP,  &act, NULL);
      sigaction(SIGTERM, &act, NULL);
+    act.sa_sigaction = syssig_handler;
+    sigaction(SIGSYS,  &act, NULL);
  }

  /* Find a likely location for support files using the location of the binary.
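Review bot: the SIGSYS registration reuses `act` after the SIGINT/SIGHUP/SIGTERM calls, so it silently inherits the sa_flags and sa_mask that were set up for termsig_handler, and only works as long as SA_SIGINFO stays set there. Either re-initialise `act` (memset, set SA_SIGINFO, set sa_sigaction) for this handler or add a comment stating the dependency. The handler is also installed unconditionally, but it only ever fires when qemu-seccomp.c switches the filter action to trap; the commit message should say that the kill-to-trap change is what makes this message possible.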
diff --git a/qemu-seccomp.c b/qemu-seccomp.c
index 031da1d..897d9b3 100644
--- a/qemu-seccomp.c
+++ b/qemu-seccomp.c
@@ -2,9 +2,11 @@
   * QEMU seccomp mode 2 support with libseccomp
   *
   * Copyright IBM, Corp. 2012
+ * Copyright (C) 2013 Red Hat, Inc.
   *
   * Authors:
   *  Eduardo Otubo    <eot...@br.ibm.com>
+ *  Michal Privoznik <mpriv...@redhat.com>
   *
   * This work is licensed under the terms of the GNU GPL, version 2.  See
   * the COPYING file in the top-level directory.
@@ -238,7 +240,7 @@ int seccomp_start(void)
      unsigned int i = 0;
      scmp_filter_ctx ctx;

-    ctx = seccomp_init(SCMP_ACT_KILL);
+    ctx = seccomp_init(SCMP_ACT_TRAP);
      if (ctx == NULL) {
          goto seccomp_return;
      }
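Review bot: switching from SCMP_ACT_KILL to SCMP_ACT_TRAP weakens the sandbox. With KILL the kernel terminates the task before any user-space code runs; with TRAP it only delivers SIGSYS to the offending thread, so any code already executing inside the QEMU process can reset SIGSYS to SIG_IGN or install its own handler and keep going after a blocked call. If the goal is purely diagnostic, consider keeping SCMP_ACT_KILL as the default and using TRAP only behind an explicit debugging option, or leave the filter alone and let the supervising process report the kill from the SIGSYS exit status.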


Another thought: when seccomp kills a task, the exit status of the task will be SIGSYS. Here's the kernel documentation:

SECCOMP_RET_KILL:
        Results in the task exiting immediately without executing the
        system call.  The exit status of the task (status & 0x7f) will
        be SIGSYS, not SIGKILL.

Maybe the right solution is for libvirt to check qemu's exit status and issue a message based on it?

--
Regards,
Corey Bryant
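The supervisor-side check suggested above, as an added example that is not part of the patch, of QEMU or of libvirt: a parent forks a child, waits for it, and classifies the wait status, treating termination by SIGSYS as "blocked by the seccomp sandbox" exactly as the quoted kernel text describes ((status & 0x7f) == SIGSYS, spelled portably with WIFSIGNALED/WTERMSIG). No seccomp filter is loaded; the child dies via raise(SIGSYS) with the default disposition, which is a constructed stand-in for a SECCOMP_RET_KILL so the program runs anywhere. The function names are this example's own.

```c
/* Added example: decode a child's wait status the way a supervisor
 * such as libvirt could, to report a seccomp kill instead of a
 * "random quit". Not QEMU or libvirt code. */
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 1 if the child was terminated by SIGSYS, which is the
 * signature of SECCOMP_RET_KILL per the kernel documentation
 * ((status & 0x7f) == SIGSYS), 0 for any other outcome. */
int killed_by_seccomp(int status)
{
    return WIFSIGNALED(status) && WTERMSIG(status) == SIGSYS;
}

/* Fill buf with a human-readable description of a raw wait status. */
void describe_exit(int status, char *buf, size_t len)
{
    if (WIFEXITED(status)) {
        snprintf(buf, len, "exited with code %d", WEXITSTATUS(status));
    } else if (killed_by_seccomp(status)) {
        snprintf(buf, len, "%s",
                 "killed by SIGSYS: system call blocked by the seccomp sandbox");
    } else if (WIFSIGNALED(status)) {
        snprintf(buf, len, "killed by signal %d", WTERMSIG(status));
    } else {
        snprintf(buf, len, "unknown wait status 0x%x", status);
    }
}

/* Fork a child that dies the same way a SECCOMP_RET_KILL'd task does.
 * Constructed stand-in: raise(SIGSYS) with the default disposition
 * instead of loading a real filter. Returns the supervisor's verdict
 * (1 = sandbox kill, 0 = something else, -1 = fork/wait failure). */
int supervise_child(void)
{
    int status;
    char msg[128];
    pid_t pid = fork();

    if (pid < 0) {
        return -1;
    }
    if (pid == 0) {
        signal(SIGSYS, SIG_DFL);   /* make sure SIGSYS terminates us */
        raise(SIGSYS);
        _exit(99);                 /* not reached */
    }
    if (waitpid(pid, &status, 0) != pid) {
        return -1;
    }
    describe_exit(status, msg, sizeof msg);
    fprintf(stderr, "child %ld: %s\n", (long)pid, msg);
    return killed_by_seccomp(status);
}

int main(void)
{
    return supervise_child() == 1 ? 0 : 1;
}
```

The classification uses only the wait status, so it works whether the child installed a SIGSYS handler or not; a child that catches SIGSYS and calls exit(1) (as the patch's handler does) shows up as "exited with code 1" rather than as a sandbox kill, which is why a supervisor-side check and an in-process message are complementary rather than interchangeable.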

