subproc: refer users to dmesg in case si_syscall==31 (SIGSYS)

diff --git a/caps.cc b/caps.cc
index 9c4a93763b78be6c1abb8b0786a51ebd58e38471..ca5745beef1441c3de7bc98fbd0c9d65ee60cb39 100644 (file)
--- a/caps.cc
+++ b/caps.cc
@@ -256,8 +256,8 @@ bool initNs(nsjconf_t* nsjconf) {
                        if (getInheritable(cap_data, i.val)) {
                                continue;
                        }
-                       if (prctl(PR_CAPBSET_READ, (unsigned long)i.val, 0UL, 0UL, 0UL) ==
-                               -1 && errno == EINVAL) {
+                       if (prctl(PR_CAPBSET_READ, (unsigned long)i.val, 0UL, 0UL, 0UL) == -1 &&
+                           errno == EINVAL) {
                                LOG_D("Skipping unsupported capability: %s", i.name);
                                continue;
                        }

diff --git a/macros.h b/macros.h
index c86735c008f09729495b0051e30e451f010dcc7f..80e4b618ef9b1c15651a5d42c7c78a6d035b2095 100644 (file)
--- a/macros.h
+++ b/macros.h
@@ -58,7 +58,7 @@ static void __attribute__ ((unused)) __clang_cleanup_func(void (^*dfunc) (void))
 #define _DEFER(a, count)                                                                          \
        auto void _STRMERGE(__defer_f_, count)(void* _defer_arg __attribute__((unused)));         \
        int _STRMERGE(__defer_var_, count) __attribute__((cleanup(_STRMERGE(__defer_f_, count)))) \
-           __attribute__((unused));                                                              \
+       __attribute__((unused));                                                                  \
        void _STRMERGE(__defer_f_, count)(void* _defer_arg __attribute__((unused)))
 #define defer _DEFER(a, __COUNTER__)
 #endif

diff --git a/subproc.cc b/subproc.cc
index 6da7a515eb13c19c3e25115e1cc482502336f877..dd39fa114f751443e27fa7ea6432b0b2c1d99c71 100644 (file)
--- a/subproc.cc
+++ b/subproc.cc
@@ -194,7 +194,7 @@ static void subprocNewProc(
 #if defined(__NR_execveat)
                util::syscall(__NR_execveat, nsjconf->exec_fd, (uintptr_t) "",
                    (uintptr_t)argv.data(), (uintptr_t)environ, AT_EMPTY_PATH);
-#else /* defined(__NR_execveat) */
+#else  /* defined(__NR_execveat) */
                LOG_E("Your system doesn't support execveat() syscall");
                return;
 #endif /* defined(__NR_execveat) */
@@ -259,8 +259,11 @@ static void seccompViolation(nsjconf_t* nsjconf, siginfo_t* si) {
 
        const auto& p = nsjconf->pids.find(si->si_pid);
        if (p == nsjconf->pids.end()) {
-               LOG_W("pid=%d SiSyscall: %d, SiCode: %d, SiErrno: %d, SiSigno: %d", (int)si->si_pid,
-                   si->si_syscall, si->si_code, si->si_errno, si->si_signo);
+               LOG_W(
+                   "pid=%d SiSyscall: %d, SiCode: %d, SiErrno: %d, SiSigno: %d. (If "
+                   "SiSyscall==31, then it's most likely the SIGSYS value. See 'dmesg' or "
+                   "'journalctl -ek' for possible auditd report with more data)",
+                   (int)si->si_pid, si->si_syscall, si->si_code, si->si_errno, si->si_signo);
                LOG_E("Couldn't find pid element in the subproc list for pid=%d", (int)si->si_pid);
                return;
        }
@@ -268,7 +271,10 @@ static void seccompViolation(nsjconf_t* nsjconf, siginfo_t* si) {
        char buf[4096];
        ssize_t rdsize = util::readFromFd(p->second.pid_syscall_fd, buf, sizeof(buf) - 1);
        if (rdsize < 1) {
-               LOG_W("pid=%d, SiSyscall: %d, SiCode: %d, SiErrno: %d, SiSigno: %d",
+               LOG_W(
+                   "pid=%d, SiSyscall: %d, SiCode: %d, SiErrno: %d, SiSigno: %d. (If "
+                   "SiSyscall==31, then it's most likely the SIGSYS value. See 'dmesg' or "
+                   "'journalctl -ek' for possible auditd report with more data)",
                    (int)si->si_pid, si->si_syscall, si->si_code, si->si_errno, si->si_signo);
                return;
        }
@@ -287,11 +293,15 @@ static void seccompViolation(nsjconf_t* nsjconf, siginfo_t* si) {
        } else if (ret == 3) {
                LOG_W(
                    "pid=%d, SiSyscall: %d, SiCode: %d, SiErrno: %d, SiSigno: %d, SP: %#tx, PC: "
-                   "%#tx",
+                   "%#tx (If SiSyscall==31, then it's most likely the SIGSYS value. See 'dmesg' "
+                   "or 'journalctl -ek' for possible auditd report with more data)",
                    (int)si->si_pid, si->si_syscall, si->si_code, si->si_errno, si->si_signo, arg1,
                    arg2);
        } else {
-               LOG_W("pid=%d, SiSyscall: %d, SiCode: %d, SiErrno: %d, Syscall string '%s'",
+               LOG_W(
+                   "pid=%d, SiSyscall: %d, SiCode: %d, SiErrno: %d, Syscall string '%s'. (If "
+                   "SiSyscall==31, then it's most likely the SIGSYS value. See 'dmesg' or "
+                   "'journalctl -ek' for possible auditd report with more data)",
                    (int)si->si_pid, si->si_syscall, si->si_code, si->si_errno, buf);
        }
 }

diff --git a/user.cc b/user.cc
index d6264dd8d37915672e739a62a9b22821dcc012e5..a335e2d20017c9d8ac3bc25ea3161bb946c0279d 100644 (file)
--- a/user.cc
+++ b/user.cc
@@ -68,7 +68,7 @@ static bool setResGid(gid_t gid) {
                PLOG_W("setresgid32(%d)", (int)gid);
                return false;
        }
-#else /* defined(__NR_setresgid32) */
+#else  /* defined(__NR_setresgid32) */
        if (util::syscall(__NR_setresgid, (uintptr_t)gid, (uintptr_t)gid, (uintptr_t)gid) == -1) {
                PLOG_W("setresgid(%d)", gid);
                return false;
@@ -84,7 +84,7 @@ static bool setResUid(uid_t uid) {
                PLOG_W("setresuid32(%d)", (int)uid);
                return false;
        }
-#else /* defined(__NR_setresuid32) */
+#else  /* defined(__NR_setresuid32) */
        if (util::syscall(__NR_setresuid, (uintptr_t)uid, (uintptr_t)uid, (uintptr_t)uid) == -1) {
                PLOG_W("setresuid(%d)", uid);
                return false;