authorDaniel Golle2020-12-01 22:45:15 +0000
committerDaniel Golle2020-12-01 23:57:31 +0000
commit09478ba23019ec5cbfc1068a7a632215c946b679 (patch)
treede8cced6fec6f92d203bc217261274adae44324d
parent4625350465744c2446ac0b0dc821699fa1695c81 (diff)
jail: improve seccomp log output
Pass the log level to the preloaded seccomp handler, and output the generated program along with unresolved syscalls if debugging output is requested. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
-rw-r--r--jail/jail.c5
-rw-r--r--jail/preload.c9
-rw-r--r--jail/seccomp-oci.c10
-rw-r--r--jail/seccomp.c5
-rw-r--r--jail/seccomp.h9
5 files changed, 25 insertions, 13 deletions
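--- a/jail/jail.c
+++ b/jail/jail.c
@@ -896,12 +896,13 @@ static int apply_rlimits(void)
 return 0;
 }
-#define MAX_ENVP 8
+#define MAX_ENVP 16
 static char** build_envp(const char *seccomp, char **ocienvp)
 {
 static char *envp[MAX_ENVP];
 static char preload_var[PATH_MAX];
 static char seccomp_var[PATH_MAX];
+ static char seccomp_debug_var[20];
 static char debug_var[] = "LD_DEBUG=all";
 static char container_var[] = "container=ujail";
 const char *preload_lib = find_lib("libpreload-seccomp.so");
@@ -916,6 +917,8 @@ static char** build_envp(const char *seccomp, char **ocienvp)
 if (seccomp) {
 snprintf(seccomp_var, sizeof(seccomp_var), "SECCOMP_FILE=%s", seccomp);
 envp[count++] = seccomp_var;
+ snprintf(seccomp_debug_var, sizeof(seccomp_debug_var), "SECCOMP_DEBUG=%2d", debug);
+ envp[count++] = seccomp_debug_var;
 snprintf(preload_var, sizeof(preload_var), "LD_PRELOAD=%s", preload_lib);
 envp[count++] = preload_var;
 }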
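Review bot: The `%2d` width in the SECCOMP_DEBUG format on the new snprintf line pads single-digit levels with a leading space (`SECCOMP_DEBUG= 1`); the preload side parses the value with atoi, which skips the space, but the padding serves no purpose and `%d` is what is meant. The 20-byte buffer holds the 14-character prefix, five digits and a NUL, and snprintf silently truncates anything larger, so either derive the size from the prefix, `static char seccomp_debug_var[sizeof("SECCOMP_DEBUG=") + 11];`, or add a comment stating that debug is a small log level. build_envp continues past the hunk, so whether count is checked against MAX_ENVP after the bump from 8 to 16 is not visible here.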
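--- a/jail/preload.c
+++ b/jail/preload.c
@@ -18,24 +18,33 @@
 #include <string.h>
 #include <dlfcn.h>
+#include "log.h"
 #include "seccomp.h"
 #include "../preload.h"
 static main_t __main__;
+int debug;
 static int __preload_main__(int argc, char **argv, char **envp)
 {
 char *env_file = getenv("SECCOMP_FILE");
+ char *env_debug = getenv("SECCOMP_DEBUG");
 if (!env_file || !env_file[0]) {
 ERROR("SECCOMP_FILE not specified\n");
 return -1;
 }
+ if (env_debug)
+ debug = atoi(env_debug);
+ else
+ debug = 0;
+
 if (install_syscall_filter(*argv, env_file))
 return -1;
 unsetenv("LD_PRELOAD");
+ unsetenv("SECCOMP_DEBUG");
 unsetenv("SECCOMP_FILE");
 return (*__main__)(argc, argv, envp);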
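Review bot: `debug = atoi(env_debug)` accepts any string, silently maps garbage to 0 and lets a negative value through, and the four-line if/else around it can be one expression. Since the value arrives through the environment of the process being launched, parse it with strtol and accept only a complete non-negative number: `char *end = env_debug; long lvl = env_debug ? strtol(env_debug, &end, 10) : 0;` followed by `debug = (env_debug && *end == '\0' && lvl >= 0 && lvl <= INT_MAX) ? (int)lvl : 0;` (INT_MAX needs <limits.h>). The non-static `int debug;` added here is presumably the definition that the DEBUG() calls in seccomp.c and seccomp-oci.c now resolve to, since seccomp.c no longer defines it; a comment such as `/* log level from SECCOMP_DEBUG; shared with seccomp.c and seccomp-oci.c */` would make that ownership explicit. __preload_main__ ends past the hunk.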
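--- a/jail/seccomp-oci.c
+++ b/jail/seccomp-oci.c
@@ -406,6 +406,16 @@ struct sock_fprog *parseOCIlinuxseccomp(struct blob_attr *msg)
 prog->len = (unsigned short) idx;
 prog->filter = filter;
+ DEBUG("generated seccomp-bpf program:\n");
+ fprintf(stderr, " [idx]\tcode\t jt\t jf\tk\n");
+ if (debug)
+ for (idx=0; idx<sz; idx++)
+ fprintf(stderr, " [%03d]\t%04hx\t%3hhu\t%3hhu\t%08x\n", idx,
+ filter[idx].code,
+ filter[idx].jt,
+ filter[idx].jf,
+ filter[idx].k);
+
 return prog;
 errout1: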
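Review bot: The column-header fprintf on the line after the DEBUG() call is unconditional, so every filter build writes ` [idx]\tcode\t jt\t jf\tk` to stderr even when debugging is off; only the loop sits behind `if (debug)`. The loop also runs to `sz` although the instruction count was just stored in `prog->len` from idx — if sz is the allocated capacity rather than the emitted count (not visible in this hunk), the dump shows stale slots past the end of the program. Gate the whole dump on debug, bound it by prog->len and brace the if around the for; whether DEBUG() itself is gated on debug depends on log.h, which is not shown. parseOCIlinuxseccomp continues outside the hunk.
```c
	prog->filter = filter;

	if (debug) {
		DEBUG("generated seccomp-bpf program:\n");
		fprintf(stderr, " [idx]\tcode\t jt\t jf\tk\n");
		for (idx = 0; idx < prog->len; idx++)
			fprintf(stderr, " [%03d]\t%04hx\t%3hhu\t%3hhu\t%08x\n", idx,
				filter[idx].code, filter[idx].jt, filter[idx].jf, filter[idx].k);
	}

	return prog;
```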
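--- a/jail/seccomp.c
+++ b/jail/seccomp.c
@@ -18,17 +18,16 @@
 #include <libubox/blobmsg.h>
 #include <libubox/blobmsg_json.h>
+#include "log.h"
 #include "seccomp.h"
 #include "seccomp-oci.h"
-int debug = 0;
-
 int install_syscall_filter(const char *argv, const char *file)
 {
 struct blob_buf b = { 0 };
 struct sock_fprog *prog = NULL;
- INFO("%s: setting up syscall filter\n", argv);
+ DEBUG("%s: setting up syscall filter\n", argv);
 blob_buf_init(&b, 0);
 if (!blobmsg_add_json_from_file(&b, file)) {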
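Review bot: Downgrading the "setting up syscall filter" message from INFO to DEBUG, together with dropping the seccomp.h macros that wrote to syslog as well as stderr, means that installing a syscall filter is no longer recorded at normal verbosity; if the DEBUG()/ERROR() now taken from log.h do not reach syslog, the record of which jails received a filter moves to stderr only. That may be intended, but the failure paths of install_syscall_filter (outside the hunk) should still log at error level with the process name so a missing or unparsable SECCOMP_FILE stays visible. Removing `int debug = 0;` here is fine as long as seccomp.c is linked only into the preload library, where preload.c now defines it; if it is also built into another binary, that binary needs its own definition.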
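--- a/jail/seccomp.h
+++ b/jail/seccomp.h
@@ -16,15 +16,6 @@
 #include <stdio.h>
 #include <syslog.h>
-#define INFO(fmt, ...) do { \
- syslog(LOG_INFO,"preload-seccomp: "fmt, ## __VA_ARGS__); \
- fprintf(stderr,"preload-seccomp: "fmt, ## __VA_ARGS__); \
- } while (0)
-#define ERROR(fmt, ...) do { \
- syslog(LOG_ERR,"preload-seccomp: "fmt, ## __VA_ARGS__); \
- fprintf(stderr,"preload-seccomp: "fmt, ## __VA_ARGS__); \
- } while (0)
-
 int install_syscall_filter(const char *argv, const char *file);
 #endif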