{ { "proc_rw", no_argument, NULL, 0x0606 }, "Is procfs mounted as R/W (default: R/O)" },
{ { "seccomp_policy", required_argument, NULL, 'P' }, "Path to file containing seccomp-bpf policy (see kafel/)" },
{ { "seccomp_string", required_argument, NULL, 0x0901 }, "String with kafel seccomp-bpf policy (see kafel/)" },
+ { { "seccomp_log", no_argument, NULL, 0x0902 }, "Use SECCOMP_FILTER_FLAG_LOG. Log all actions except SECCOMP_RET_ALLOW)" },
{ { "cgroup_mem_max", required_argument, NULL, 0x0801 }, "Maximum number of bytes to use in the group (default: '0' - disabled)" },
{ { "cgroup_mem_mount", required_argument, NULL, 0x0802 }, "Location of memory cgroup FS (default: '/sys/fs/cgroup/memory')" },
{ { "cgroup_mem_parent", required_argument, NULL, 0x0803 }, "Which pre-existing memory cgroup to use as a parent (default: 'NSJAIL')" },
nsjconf->num_cpus = sysconf(_SC_NPROCESSORS_ONLN);
nsjconf->seccomp_fprog.filter = NULL;
nsjconf->seccomp_fprog.len = 0;
+ nsjconf->seccomp_log = false;
nsjconf->openfds.push_back(STDIN_FILENO);
nsjconf->openfds.push_back(STDOUT_FILENO);
case 0x901:
nsjconf->kafel_string = optarg;
break;
+ case 0x902:
+ nsjconf->seccomp_log = true;
+ break;
default:
cmdlineUsage(argv[0]);
return nullptr;
std::string kafel_file_path;
std::string kafel_string;
struct sock_fprog seccomp_fprog;
+ bool seccomp_log;
long num_cpus;
uid_t orig_uid;
std::vector<mount_t> mountpts;
#include <stddef.h>
#include <stdlib.h>
#include <sys/prctl.h>
+#include <sys/syscall.h>
+#include <unistd.h>
extern "C" {
#include "kafel.h"
#define PR_SET_NO_NEW_PRIVS 38
#endif /* PR_SET_NO_NEW_PRIVS */
+#ifndef SECCOMP_FILTER_FLAG_TSYNC
+#define SECCOMP_FILTER_FLAG_TSYNC (1UL << 0)
+#endif /* SECCOMP_FILTER_FLAG_TSYNC */
+
+#ifndef SECCOMP_FILTER_FLAG_LOG
+#define SECCOMP_FILTER_FLAG_LOG (1UL << 1)
+#endif /* SECCOMP_FILTER_FLAG_LOG */
+
static bool prepareAndCommit(nsjconf_t* nsjconf) {
if (nsjconf->kafel_file_path.empty() && nsjconf->kafel_string.empty()) {
return true;
PLOG_W("prctl(PR_SET_NO_NEW_PRIVS, 1) failed");
return false;
}
- if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &nsjconf->seccomp_fprog, 0, 0)) {
+ if (nsjconf->seccomp_log) {
+#ifndef __NR_seccomp
+ LOG_E(
+ "The __NR_seccomp is not defined with this kernel header files (kernel headers "
+ "too old?)");
+ return false;
+#else
+ if (syscall(__NR_seccomp, SECCOMP_SET_MODE_FILTER,
+ SECCOMP_FILTER_FLAG_TSYNC | SECCOMP_FILTER_FLAG_LOG,
+ &nsjconf->seccomp_fprog) == -1) {
+ PLOG_E(
+ "seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC | "
+ "SECCOMP_FILTER_FLAG_LOG) failed");
+ return false;
+ }
+ return true;
+#endif /* __NR_seccomp */
+ }
+
+ if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &nsjconf->seccomp_fprog, 0UL, 0UL)) {
PLOG_W("prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER) failed");
return false;
}
projects / platform / upstream / nsjail.git / commitdiff