jail: improve seccomp log output
authorDaniel Golle <daniel@makrotopia.org>
Tue, 1 Dec 2020 22:45:15 +0000 (22:45 +0000)
committerDaniel Golle <daniel@makrotopia.org>
Tue, 1 Dec 2020 23:57:31 +0000 (23:57 +0000)
Pass loglevel to preloaded seccomp handler, output generated program
along with unresolved syscalls if debugging output is requested.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
jail/jail.c
jail/preload.c
jail/seccomp-oci.c
jail/seccomp.c
jail/seccomp.h

index 529ac6b9ff53abe0fde209bd1a2151a34b396d98..385dbe7b0336346360ee93e408c6795874e0a14d 100644 (file)
@@ -896,12 +896,13 @@ static int apply_rlimits(void)
        return 0;
 }
 
-#define MAX_ENVP       8
+#define MAX_ENVP       16
 static char** build_envp(const char *seccomp, char **ocienvp)
 {
        static char *envp[MAX_ENVP];
        static char preload_var[PATH_MAX];
        static char seccomp_var[PATH_MAX];
+       static char seccomp_debug_var[20];
        static char debug_var[] = "LD_DEBUG=all";
        static char container_var[] = "container=ujail";
        const char *preload_lib = find_lib("libpreload-seccomp.so");
@@ -916,6 +917,8 @@ static char** build_envp(const char *seccomp, char **ocienvp)
        if (seccomp) {
                snprintf(seccomp_var, sizeof(seccomp_var), "SECCOMP_FILE=%s", seccomp);
                envp[count++] = seccomp_var;
+               snprintf(seccomp_debug_var, sizeof(seccomp_debug_var), "SECCOMP_DEBUG=%2d", debug);
+               envp[count++] = seccomp_debug_var;
                snprintf(preload_var, sizeof(preload_var), "LD_PRELOAD=%s", preload_lib);
                envp[count++] = preload_var;
        }
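Review bot: The format `"SECCOMP_DEBUG=%2d"` on the new snprintf line pads single-digit levels to `SECCOMP_DEBUG= 1`, a leading space that the reader in preload.c only tolerates because atoi() skips whitespace; plain `%d` is what anyone inspecting the environment would expect, `snprintf(seccomp_debug_var, sizeof(seccomp_debug_var), "SECCOMP_DEBUG=%d", debug);`. The 20-byte `seccomp_debug_var` leaves five characters for the number after the 14-character prefix, so a large or negative level would be silently truncated; checking the snprintf return value, or deriving the array size from the prefix length, would make that bound explicit. Raising MAX_ENVP to 16 in the first hunk is presumably what keeps `count` in range for the extra entry, but no bounds check on `count` is visible in either hunk; build_envp continues outside the hunk.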
index 24358c6bc30482a97a26c6b4999004ca3d2d822c..9678ab6e9c24c83f0384035db8e726b27f6018b5 100644 (file)
 #include <string.h>
 #include <dlfcn.h>
 
+#include "log.h"
 #include "seccomp.h"
 #include "../preload.h"
 
 static main_t __main__;
+int debug;
 
 static int __preload_main__(int argc, char **argv, char **envp)
 {
        char *env_file = getenv("SECCOMP_FILE");
+       char *env_debug = getenv("SECCOMP_DEBUG");
 
        if (!env_file || !env_file[0]) {
                ERROR("SECCOMP_FILE not specified\n");
                return -1;
        }
 
+       if (env_debug)
+               debug = atoi(env_debug);
+       else
+               debug = 0;
+
        if (install_syscall_filter(*argv, env_file))
                return -1;
 
        unsetenv("LD_PRELOAD");
+       unsetenv("SECCOMP_DEBUG");
        unsetenv("SECCOMP_FILE");
 
        return (*__main__)(argc, argv, envp);
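Review bot: The level is parsed with `atoi(env_debug)`, which returns 0 for non-numeric text, accepts trailing garbage and has undefined behaviour when the value is out of range; since the value comes in through the environment of the preloaded handler, parsing it with strtol and accepting only a non-negative integer is cheap: `char *end; long lvl = env_debug ? strtol(env_debug, &end, 10) : 0;` followed by `debug = (env_debug && *end == '\0' && lvl >= 0 && lvl <= INT_MAX) ? (int)lvl : 0;` (INT_MAX from <limits.h>). Separately, `int debug;` is now a non-static global exported from libpreload-seccomp.so; unless the library is linked with -Bsymbolic or a version script, a same-named symbol in the jailed executable would interpose it, so marking the definition `__attribute__((visibility("hidden")))` is worth considering. The end of __preload_main__ lies outside the hunk.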
index c82aebfa1eedaef81789a186d9483180bf882d2d..e85191e9c03e906bc09c8887de7e11aa4d6d4aca 100644 (file)
@@ -406,6 +406,16 @@ struct sock_fprog *parseOCIlinuxseccomp(struct blob_attr *msg)
        prog->len = (unsigned short) idx;
        prog->filter = filter;
 
+       DEBUG("generated seccomp-bpf program:\n");
+       fprintf(stderr, " [idx]\tcode\t jt\t jf\tk\n");
+       if (debug)
+               for (idx=0; idx<sz; idx++)
+                       fprintf(stderr, " [%03d]\t%04hx\t%3hhu\t%3hhu\t%08x\n", idx,
+                               filter[idx].code,
+                               filter[idx].jt,
+                               filter[idx].jf,
+                               filter[idx].k);
+
        return prog;
 
 errout1:
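Review bot: The column header `fprintf(stderr, " [idx]\tcode\t jt\t jf\tk\n");` is emitted unconditionally while the rows below it are guarded by `if (debug)`, so every non-debug run now prints a stray header line to stderr; move it inside the guard and brace the branch together with the loop. The loop also runs to `sz`, whereas the program length stored two lines above is `idx`; if `sz` is a capacity rather than the number of emitted instructions, the dump reads entries past the generated program, and iterating to `prog->len` would be the safer bound. `%03d` for `idx` is only correct if idx is an int; the cast to unsigned short when storing prog->len suggests it may be a wider type, worth confirming. parseOCIlinuxseccomp continues outside the hunk on both sides.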
index c1b48e02342cf9b2f2519ac2d397052a9518267d..3eeb61605af1e15853e7cade8771d4cd07ea73c3 100644 (file)
 #include <libubox/blobmsg.h>
 #include <libubox/blobmsg_json.h>
 
+#include "log.h"
 #include "seccomp.h"
 #include "seccomp-oci.h"
 
-int debug = 0;
-
 int install_syscall_filter(const char *argv, const char *file)
 {
        struct blob_buf b = { 0 };
        struct sock_fprog *prog = NULL;
 
-       INFO("%s: setting up syscall filter\n", argv);
+       DEBUG("%s: setting up syscall filter\n", argv);
 
        blob_buf_init(&b, 0);
        if (!blobmsg_add_json_from_file(&b, file)) {
index 24c1dd7d3363cc475a21815c0324bedcaf547c7a..b0c8d305694294f2468ebcb30542c7cb8eb94744 100644 (file)
 #include <stdio.h>
 #include <syslog.h>
 
-#define INFO(fmt, ...) do { \
-       syslog(LOG_INFO,"preload-seccomp: "fmt, ## __VA_ARGS__); \
-       fprintf(stderr,"preload-seccomp: "fmt, ## __VA_ARGS__); \
-       } while (0)
-#define ERROR(fmt, ...) do { \
-       syslog(LOG_ERR,"preload-seccomp: "fmt, ## __VA_ARGS__); \
-       fprintf(stderr,"preload-seccomp: "fmt, ## __VA_ARGS__); \
-       } while (0)
-
 int install_syscall_filter(const char *argv, const char *file);
 
 #endif