return 0;
}
-#define MAX_ENVP 8
+#define MAX_ENVP 16
static char** build_envp(const char *seccomp, char **ocienvp)
{
static char *envp[MAX_ENVP];
static char preload_var[PATH_MAX];
static char seccomp_var[PATH_MAX];
+ static char seccomp_debug_var[20];
static char debug_var[] = "LD_DEBUG=all";
static char container_var[] = "container=ujail";
const char *preload_lib = find_lib("libpreload-seccomp.so");
if (seccomp) {
snprintf(seccomp_var, sizeof(seccomp_var), "SECCOMP_FILE=%s", seccomp);
envp[count++] = seccomp_var;
+ snprintf(seccomp_debug_var, sizeof(seccomp_debug_var), "SECCOMP_DEBUG=%2d", debug);
+ envp[count++] = seccomp_debug_var;
snprintf(preload_var, sizeof(preload_var), "LD_PRELOAD=%s", preload_lib);
envp[count++] = preload_var;
}
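Review bot: The format `"SECCOMP_DEBUG=%2d"` at the added snprintf space-pads single-digit levels, so the child sees `SECCOMP_DEBUG= 0`, and the 20-byte `seccomp_debug_var` leaves room for only five characters after the 14-character prefix, so any larger or negative value is silently truncated by snprintf before it reaches the preload library. I would use `"SECCOMP_DEBUG=%d"`, size the buffer as `sizeof("SECCOMP_DEBUG=") + 11` (enough for any int), and check the snprintf return value against the buffer size as the other `*_var` strings here do not. Since the variable is exported even when the level is 0, consider emitting it only when `debug` is non-zero so the jailed process's environment carries nothing it does not need. Neither `count` nor `debug` is declared within this hunk, and `envp[count++]` has no visible bound check against `MAX_ENVP`; the bump to 16 presumably makes room for the new entry, but an explicit check would make that robust to future additions.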
#include <string.h>
#include <dlfcn.h>
+#include "log.h"
#include "seccomp.h"
#include "../preload.h"
static main_t __main__;
+int debug;
static int __preload_main__(int argc, char **argv, char **envp)
{
char *env_file = getenv("SECCOMP_FILE");
+ char *env_debug = getenv("SECCOMP_DEBUG");
if (!env_file || !env_file[0]) {
ERROR("SECCOMP_FILE not specified\n");
return -1;
}
+ if (env_debug)
+ debug = atoi(env_debug);
+ else
+ debug = 0;
+
if (install_syscall_filter(*argv, env_file))
return -1;
unsetenv("LD_PRELOAD");
+ unsetenv("SECCOMP_DEBUG");
unsetenv("SECCOMP_FILE");
return (*__main__)(argc, argv, envp);
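Review bot: `debug = atoi(env_debug);` accepts any string and silently yields 0 for non-numeric input, and atoi's behaviour on out-of-range values is undefined; since the value arrives through the environment of the process being confined, parse it with strtol and reject trailing garbage, e.g. `char *end; long v = strtol(env_debug, &end, 10); debug = (end != env_debug && !*end) ? (int)v : 0;`. The `int debug;` added at file scope is a tentative definition exported by the preloaded shared object; if it is meant only for the DEBUG macro in log.h, a short comment saying it is read by that macro would help, and if nothing outside this object needs it, `static` would keep it out of the dynamic symbol table. `__preload_main__` ends outside this hunk.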
prog->len = (unsigned short) idx;
prog->filter = filter;
+ DEBUG("generated seccomp-bpf program:\n");
+ fprintf(stderr, " [idx]\tcode\t jt\t jf\tk\n");
+ if (debug)
+ for (idx=0; idx<sz; idx++)
+ fprintf(stderr, " [%03d]\t%04hx\t%3hhu\t%3hhu\t%08x\n", idx,
+ filter[idx].code,
+ filter[idx].jt,
+ filter[idx].jf,
+ filter[idx].k);
+
return prog;
errout1:
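Review bot: The column header `fprintf(stderr, " [idx]\tcode\t jt\t jf\tk\n");` is written to stderr unconditionally, while the program dump below it is gated by `if (debug)`, so every non-debug run still prints a stray header line after the filter is generated. Move it under the guard and brace the body, `if (debug) { fprintf(stderr, " [idx]\tcode\t jt\t jf\tk\n"); for (idx = 0; idx < sz; idx++) fprintf(...); }`, since the multi-line for body under an unbraced if is easy to misread. The DEBUG() line above presumably gates on `debug` via log.h, which is not visible here, so the header is the only line that leaks at level 0. The enclosing function starts outside this hunk, so whether `idx` is safe to reuse after this point cannot be confirmed from the hunk alone.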
#include <libubox/blobmsg.h>
#include <libubox/blobmsg_json.h>
+#include "log.h"
#include "seccomp.h"
#include "seccomp-oci.h"
-int debug = 0;
-
int install_syscall_filter(const char *argv, const char *file)
{
struct blob_buf b = { 0 };
struct sock_fprog *prog = NULL;
- INFO("%s: setting up syscall filter\n", argv);
+ DEBUG("%s: setting up syscall filter\n", argv);
blob_buf_init(&b, 0);
if (!blobmsg_add_json_from_file(&b, file)) {
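Review bot: Downgrading `"%s: setting up syscall filter\n"` from INFO to DEBUG removes the only record at default verbosity that a filter was installed for a given program; with the previous INFO macro that line went to syslog at LOG_INFO, and after this change it is presumably emitted only when SECCOMP_DEBUG is set, so an operator auditing which jailed processes were confined loses that trace. I would keep the filter-installed message at INFO (or log it once at INFO after a successful install) and reserve DEBUG for the per-instruction dump. Removing `int debug = 0;` from this file also means seccomp.c now depends on the definition in preload-seccomp.c; if seccomp.c is linked into any other binary that does not include that file, the DEBUG macro's reference to `debug` will fail to link, which is worth confirming against the build. install_syscall_filter continues outside this hunk.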
#include <stdio.h>
#include <syslog.h>
-#define INFO(fmt, ...) do { \
- syslog(LOG_INFO,"preload-seccomp: "fmt, ## __VA_ARGS__); \
- fprintf(stderr,"preload-seccomp: "fmt, ## __VA_ARGS__); \
- } while (0)
-#define ERROR(fmt, ...) do { \
- syslog(LOG_ERR,"preload-seccomp: "fmt, ## __VA_ARGS__); \
- fprintf(stderr,"preload-seccomp: "fmt, ## __VA_ARGS__); \
- } while (0)
-
int install_syscall_filter(const char *argv, const char *file);
#endif