From e9cb6ff5e2ed187c77259c86a8094e00d1eddc2d Mon Sep 17 00:00:00 2001
From: "Dmitry V. Levin"
Date: Fri, 4 Oct 2019 21:58:20 +0000
Subject: [PATCH] Fix -b execve when --seccomp-bpf option is specified

As --seccomp-bpf does not support detaching, explicitly turn off this option when -b execve is specified.
* strace.c (init): Turn off --seccomp-bpf when -b execve is specified.
* NEWS: Mention this fix.
* tests/bexecve.test: Check it.
Fixes: v5.3~7 "Introduce seccomp-assisted syscall filtering"
---
 NEWS | 1 +
 strace.c | 6 ++++++
 tests/bexecve.test | 14 ++++++++++++++
 3 files changed, 21 insertions(+)
diff --git a/NEWS b/NEWS
index 7c687710..e0dc7939 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,7 @@ Noteworthy changes in release ?.? (????-??-??)
 ==============================================
 * Bug fixes
+ * Fixed -b execve when --seccomp-bpf option is specified.
 * Fixed build on no-MMU architectures.
 Noteworthy changes in release 5.3 (2019-09-25)
diff --git a/strace.c b/strace.c
index b52a3db3..a4de6ae3 100644
--- a/strace.c
+++ b/strace.c
@@ -1786,6 +1786,12 @@ init(int argc, char *argv[])
 error_msg_and_help("PROG [ARGS] must be specified with -D");
 }
+ if (seccomp_filtering && detach_on_execve) {
+ error_msg("--seccomp-bpf is not enabled because"
+ " it is not compatible with -b");
+ seccomp_filtering = false;
+ }
+
 if (seccomp_filtering) {
 if (nprocs && (!argc || debug_flag))
 error_msg("--seccomp-bpf is not enabled for processes"
diff --git a/tests/bexecve.test b/tests/bexecve.test
index 7a135871..f74a9f9f 100755
--- a/tests/bexecve.test
+++ b/tests/bexecve.test
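Review bot: The new `if (seccomp_filtering && detach_on_execve)` block in strace.c carries no comment, so the reason the two options conflict is recorded only in the commit message. I would put `/* --seccomp-bpf does not support detaching, which is what -b execve does. */` directly above it. The block sits ahead of the existing `if (seccomp_filtering) {` block, so clearing the flag here also keeps that block from being entered, which looks intended. init() starts and ends outside the hunk.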
@@ -36,4 +36,18 @@ if LC_ALL=C grep -E -v -x "($pattern_detached|$pattern_personality)" "$LOG" > /d
 dump_log_and_fail_with "$STRACE $args: unexpected output"
 fi
+run_strace_redir --seccomp-bpf -bexecve -enone ../set_ptracer_any false ||
+ dump_log_and_fail_with "$STRACE $args: unexpected exit status"
+
+pattern_seccomp='[^:]*strace: --seccomp-bpf is not enabled because it is not compatible with -b'
+
+LC_ALL=C grep -x "$pattern_detached" "$LOG" > /dev/null &&
+LC_ALL=C grep -x "$pattern_seccomp" "$LOG" > /dev/null ||
+ dump_log_and_fail_with "$STRACE $args: output mismatch"
+
+pattern_all="$pattern_detached|$pattern_seccomp|$pattern_personality"
+if LC_ALL=C grep -E -v -x "$pattern_all" "$LOG" > /dev/null; then
+ dump_log_and_fail_with "$STRACE $args: unexpected output"
+fi
+
 exit 0
--
2.40.0
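Review bot: The added run in tests/bexecve.test has no comment stating what it checks, so a reader has to work it out from `pattern_seccomp`. A line such as `# Check that --seccomp-bpf is turned off with a diagnostic when -b execve is given.` above `run_strace_redir` would cover it. The expected message is repeated here as a literal, so it has to change together with the `error_msg` text in strace.c. `pattern_detached` and `pattern_personality` are defined earlier in the script, outside this hunk.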