With this patch, strace can rely on seccomp to only be stopped at syscalls
of interest, instead of stopping at all syscalls. The seccomp filtering
of syscalls is opt-in only; it must be enabled with the --seccomp-bpf
option. Kernel support is first checked with check_seccomp_filter(),
which also ensures the BPF program derived from the syscalls to filter
is not larger than the kernel's limit.
The --seccomp-bpf option implies -f, but a warning is emitted if -f is not
explicitly specified. Since a task's children inherit its seccomp
filters, we want to ensure all children are also traced to avoid their
syscalls failing with ENOSYS (cf. SECCOMP_RET_TRACE in seccomp man page).
Fork/vfork/clone children of traced processes are marked as not having a
seccomp filter until we receive a first seccomp-stop. They are therefore
stopped at every syscall entries and exits until that first seccomp-stop.
The current BPF program implements a simple linear match of the syscall
numbers. Contiguous sequences of syscall numbers are however matched as
an interval, with two instructions only. The algorithm can be improved
or replaced in the future without impacting user-observed behavior.
The behavior of SECCOMP_RET_TRACE changed between Linux 4.7 and 4.8
(cf. PTRACE_EVENT_SECCOMP in ptrace man page). This patch supports both
behaviors by checking the kernel's actual behavior before installing the
seccomp filter.
* filter_seccomp.c: New file.
* filter_seccomp.h: New file.
* Makefile.am (strace_SOURCES): Add filter_seccomp.c and
filter_seccomp.h.
* linux/aarch64/arch_defs_.h (PERSONALITY0_AUDIT_ARCH,
PERSONALITY1_AUDIT_ARCH): Define for aarch64.
* linux/powerpc64/arch_defs_.h (PERSONALITY0_AUDIT_ARCH,
PERSONALITY1_AUDIT_ARCH): Likewise for powerpc64.
* linux/s390x/arch_defs_.h (PERSONALITY0_AUDIT_ARCH,
* linux/sparc64/arch_defs_.h (PERSONALITY0_AUDIT_ARCH,
PERSONALITY1_AUDIT_ARCH): Likewise for sparc64.
PERSONALITY1_AUDIT_ARCH): Likewise for s390x.
* linux/tile/arch_defs_.h (PERSONALITY0_AUDIT_ARCH,
PERSONALITY1_AUDIT_ARCH): Likewise for tile.
* linux/x32/arch_defs_.h (PERSONALITY0_AUDIT_ARCH,
PERSONALITY1_AUDIT_ARCH): Likewise for x32.
* linux/x86_64/arch_defs_.h (PERSONALITY0_AUDIT_ARCH,
PERSONALITY1_AUDIT_ARCH, PERSONALITY2_AUDIT_ARCH): Likewise for x86_64.
* linux/ia64/arch_defs_.h (PERSONALITY0_AUDIT_ARCH): Likewise for IA64.
* strace.c (usage): Document --seccomp-bpf option.
(startup_child): Mark process has having seccomp filter.
(exec_or_die): Initialize seccomp filtering if requested.
(init): Handle --seccomp-bpf option and check that seccomp can be
enabled.
(print_debug_info): Handle PTRACE_EVENT_SECCOMP.
(next_event): Capture PTRACE_EVENT_SECCOMP event.
(dispatch_event): Handle PTRACE_EVENT_SECCOMP event.
* trace_event.h (trace_event): New enumeration entity.
* strace.1.in: Document new --seccomp-bpf option.
* NEWS: Mention this change.
Co-authored-by: Paul Chaignon <paul.chaignon@gmail.com> Co-Authored-by: Dmitry V. Levin <ldv@altlinux.org>
projects / strace / commit