authorJulian Andres Klode <jak@debian.org>2017-10-25 23:16:09 +0200
committerJulian Andres Klode <jak@debian.org>2017-10-26 00:02:33 +0200
commit39656a6f79e48f86d31c53a939481c07aceca352 (patch)
treeca6480572246c46d84857a108a4b294ac5825235
parent230b0570532bf2f419608b2043a9d6e02b9467e3 (diff)
Print syscall number and arch to stderr when trapped by seccomp
This should help debugging crashes. The signal handler is a C++11 lambda, yay! Special care has been taken to only use signal-handler-safe functions inside there.
-rw-r--r--doc/examples/configure-index1
-rw-r--r--methods/aptmethod.h33
2 files changed, 34 insertions, 0 deletions
diff --git a/doc/examples/configure-index b/doc/examples/configure-index
index f0d81bb7a..a765fbe42 100644
--- a/doc/examples/configure-index
+++ b/doc/examples/configure-index
@@ -640,6 +640,7 @@ apt::system "<STRING>";
apt::acquire::translation "<STRING>"; // deprecated in favor of Acquire::Languages
apt::sandbox::user "<STRING>";
apt::sandbox::seccomp "<BOOL>";
+apt::sandbox::seccomp::print "<BOOL>"; // print what syscall was trapped
apt::sandbox::seccomp::allow "<LIST>";
apt::sandbox::seccomp::trap "<LIST>";
apt::color::highlight "<STRING>";
diff --git a/methods/aptmethod.h b/methods/aptmethod.h
index 6bbf3eb48..f88512564 100644
--- a/methods/aptmethod.h
+++ b/methods/aptmethod.h
@@ -22,6 +22,8 @@
#include <apti18n.h>
#ifdef HAVE_SECCOMP
+#include <signal.h>
+
#include <seccomp.h>
#endif
@@ -268,6 +270,37 @@ protected:
Warning("aptMethod::Configuration: could not load seccomp policy: %s", strerror(-rc));
else if (rc != 0)
return _error->FatalE("aptMethod::Configuration", "could not load seccomp policy: %s", strerror(-rc));
+
+ if (_config->FindB("APT::Sandbox::Seccomp::Print", true))
+ {
+ struct sigaction action;
+ memset(&action, 0, sizeof(action));
+ sigemptyset(&action.sa_mask);
+ action.sa_sigaction = [](int, siginfo_t *info, void *) {
+ // Formats a number into a 10 digit ASCII string
+ char buffer[10];
+ int number = info->si_syscall;
+
+ for (int i = sizeof(buffer) - 1; i >= 0; i--)
+ {
+ buffer[i] = (number % 10) + '0';
+ number /= 10;
+ }
+
+ constexpr const char *str1 = "\n **** Seccomp prevented execution of syscall ";
+ constexpr const char *str2 = " on architecture ";
+ constexpr const char *str3 = " ****\n";
+ write(2, str1, strlen(str1));
+ write(2, buffer, sizeof(buffer));
+ write(2, str2, strlen(str2));
+ write(2, COMMON_ARCH, strlen(COMMON_ARCH));
+ write(2, str3, strlen(str3));
+ _exit(31);
+ };
+ action.sa_flags = SA_SIGINFO;
+
+ sigaction(SIGSYS, &action, nullptr);
+ }
#endif
return true;
}
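Review bot: The SIGSYS handler added under `APT::Sandbox::Seccomp::Print` formats `info->si_syscall` through a signed `int`, so a negative syscall number makes `(number % 10) + '0'` produce bytes below `'0'` and the diagnostic on stderr becomes garbage; `unsigned int number = info->si_syscall;` keeps every digit in range and still fits the 10-byte buffer. The architecture written is the `COMMON_ARCH` macro, presumably the build architecture, rather than `info->si_arch`, so a call trapped from another ABI may be reported against the wrong syscall table; a comment such as `// COMMON_ARCH is the build arch, not the ABI of the trapped call (see info->si_arch)` would make that limit explicit. The handler also reads `si_syscall` without checking `info->si_code`, so a SIGSYS that did not come from seccomp would still print a syscall number. The result of `sigaction(SIGSYS, &action, nullptr)` is ignored, which leaves a failed install silent. The enclosing function begins above this hunk.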