From 39656a6f79e48f86d31c53a939481c07aceca352 Mon Sep 17 00:00:00 2001
From: Julian Andres Klode
Date: Wed, 25 Oct 2017 23:16:09 +0200
Subject: Print syscall number and arch to stderr when trapped by seccomp
This should help debugging crashes. The signal handler is a C++11 lambda, yay! Special care has been taken to only use signal handler -safe functions inside there.
---
methods/aptmethod.h | 33 +++++++++++++++++++++++++++++++++
1 file changed, 33 insertions(+)
(limited to 'methods')
diff --git a/methods/aptmethod.h b/methods/aptmethod.h
index 6bbf3eb48..f88512564 100644
--- a/methods/aptmethod.h
+++ b/methods/aptmethod.h
@@ -22,6 +22,8 @@
 #include
 #ifdef HAVE_SECCOMP
+#include
+
 #include
 #endif
@@ -268,6 +270,37 @@ protected:
 Warning("aptMethod::Configuration: could not load seccomp policy: %s", strerror(-rc));
 else if (rc != 0)
 return _error->FatalE("aptMethod::Configuration", "could not load seccomp policy: %s", strerror(-rc));
+
+ if (_config->FindB("APT::Sandbox::Seccomp::Print", true))
+ {
+ struct sigaction action;
+ memset(&action, 0, sizeof(action));
+ sigemptyset(&action.sa_mask);
+ action.sa_sigaction = [](int, siginfo_t *info, void *) {
+ // Formats a number into a 10 digit ASCII string
+ char buffer[10];
+ int number = info->si_syscall;
+
+ for (int i = sizeof(buffer) - 1; i >= 0; i--)
+ {
+ buffer[i] = (number % 10) + '0';
+ number /= 10;
+ }
+
+ constexpr const char *str1 = "\n **** Seccomp prevented execution of syscall ";
+ constexpr const char *str2 = " on architecture ";
+ constexpr const char *str3 = " ****\n";
+ write(2, str1, strlen(str1));
+ write(2, buffer, sizeof(buffer));
+ write(2, str2, strlen(str2));
+ write(2, COMMON_ARCH, strlen(COMMON_ARCH));
+ write(2, str3, strlen(str3));
+ _exit(31);
+ };
+ action.sa_flags = SA_SIGINFO;
+
+ sigaction(SIGSYS, &action, nullptr);
+ }
 #endif
 return true;
 }
--
cgit v1.2.3
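Review bot: The handler ends with `_exit(31)`, so a seccomp trap now reaches the parent as an ordinary exit status 31 rather than a SIGSYS termination, and no core dump is produced; a supervising process cannot distinguish it from any other failure, and the syscall/arch detail survives only in the stderr text. After the writes, restoring the default disposition and re-raising keeps both the diagnostic and the signal death: `signal(SIGSYS, SIG_DFL); raise(SIGSYS);` (both async-signal-safe, and since `sa_flags` lacks SA_NODEFER the signal is blocked inside the handler and fires on return). The message labels the number with the compile-time `COMMON_ARCH`, whereas the number is only meaningful for the ABI the kernel reports in `info->si_arch` (glibc exposes it alongside `si_syscall`, if the target headers provide it), which differs from the build arch for compat or x32 syscalls, so printing that value instead of, or next to, `COMMON_ARCH` would match what the subject promises. Two smaller items: `strlen` is on the async-signal-safe list only since POSIX.1-2008 TC2, which `sizeof`-sized `constexpr char[]` literals would sidestep, and a negative `si_syscall` would make `number % 10` emit non-digit bytes. The enclosing function starts outside the hunk, and the header names on the `#include` lines of the first hunk are missing from this rendering, so they cannot be reviewed here.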