diff options
author | Julian Andres Klode <jak@debian.org> | 2017-10-25 23:16:09 +0200 |
---|---|---|
committer | Julian Andres Klode <jak@debian.org> | 2017-10-26 00:02:33 +0200 |
commit | 39656a6f79e48f86d31c53a939481c07aceca352 (patch) | |
tree | ca6480572246c46d84857a108a4b294ac5825235 | |
parent | 230b0570532bf2f419608b2043a9d6e02b9467e3 (diff) |
Print syscall number and arch to stderr when trapped by seccomp
This should help debugging crashes. The signal handler is a C++11
lambda, yay! Special care has been taken to only use signal handler
-safe functions inside there.
-rw-r--r-- | doc/examples/configure-index | 1 | ||||
-rw-r--r-- | methods/aptmethod.h | 33 |
2 files changed, 34 insertions, 0 deletions
diff --git a/doc/examples/configure-index b/doc/examples/configure-index index f0d81bb7a..a765fbe42 100644 --- a/doc/examples/configure-index +++ b/doc/examples/configure-index @@ -640,6 +640,7 @@ apt::system "<STRING>"; apt::acquire::translation "<STRING>"; // deprecated in favor of Acquire::Languages apt::sandbox::user "<STRING>"; apt::sandbox::seccomp "<BOOL>"; +apt::sandbox::seccomp::print "<BOOL>"; // print what syscall was trapped apt::sandbox::seccomp::allow "<LIST>"; apt::sandbox::seccomp::trap "<LIST>"; apt::color::highlight "<STRING>"; diff --git a/methods/aptmethod.h b/methods/aptmethod.h index 6bbf3eb48..f88512564 100644 --- a/methods/aptmethod.h +++ b/methods/aptmethod.h @@ -22,6 +22,8 @@ #include <apti18n.h> #ifdef HAVE_SECCOMP +#include <signal.h> + #include <seccomp.h> #endif @@ -268,6 +270,37 @@ protected: Warning("aptMethod::Configuration: could not load seccomp policy: %s", strerror(-rc)); else if (rc != 0) return _error->FatalE("aptMethod::Configuration", "could not load seccomp policy: %s", strerror(-rc)); + + if (_config->FindB("APT::Sandbox::Seccomp::Print", true)) + { + struct sigaction action; + memset(&action, 0, sizeof(action)); + sigemptyset(&action.sa_mask); + action.sa_sigaction = [](int, siginfo_t *info, void *) { + // Formats a number into a 10 digit ASCII string + char buffer[10]; + int number = info->si_syscall; + + for (int i = sizeof(buffer) - 1; i >= 0; i--) + { + buffer[i] = (number % 10) + '0'; + number /= 10; + } + + constexpr const char *str1 = "\n **** Seccomp prevented execution of syscall "; + constexpr const char *str2 = " on architecture "; + constexpr const char *str3 = " ****\n"; + write(2, str1, strlen(str1)); + write(2, buffer, sizeof(buffer)); + write(2, str2, strlen(str2)); + write(2, COMMON_ARCH, strlen(COMMON_ARCH)); + write(2, str3, strlen(str3)); + _exit(31); + }; + action.sa_flags = SA_SIGINFO; + + sigaction(SIGSYS, &action, nullptr); + } #endif return true; } |