[Git][NTPsec/ntpsec][master] seccomp: print failed syscall number.

Gary E. Miller gitlab at mg.gitlab.com
Wed May 31 22:59:59 UTC 2017


Gary E. Miller pushed to branch master at NTPsec / ntpsec


Commits:
99df9ac9 by Gary E. Miller at 2017-05-31T15:58:59-07:00
seccomp: print failed syscall number.

I'm guessing this will fail to compile on many OS...

- - - - -


3 changed files:

- include/ntp_stdlib.h
- libntp/syssignal.c
- ntpd/ntp_sandbox.c


Changes:

=====================================
include/ntp_stdlib.h
=====================================
--- a/include/ntp_stdlib.h
+++ b/include/ntp_stdlib.h
@@ -7,6 +7,7 @@
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <string.h>
+#include <signal.h>
 #include <errno.h>
 #include <stdarg.h>
 
@@ -129,6 +130,7 @@ extern	const char *refid_str	(uint32_t, int);
 extern	int	decodenetnum	(const char *, sockaddr_u *);
 
 extern	void	signal_no_reset (int, void (*func)(int));
+extern void signal_no_reset1(int, void (*func)(int, siginfo_t *, void *));
 
 extern	void	getauthkeys 	(const char *);
 


=====================================
libntp/syssignal.c
=====================================
--- a/libntp/syssignal.c
+++ b/libntp/syssignal.c
@@ -13,6 +13,7 @@
 #  define Z_SA_RESTART		0
 # endif
 
+/* set an sa_handler */
 void
 signal_no_reset(
 	int sig,
@@ -21,7 +22,6 @@ signal_no_reset(
 {
 	int n;
 	struct sigaction vec;
-	struct sigaction ovec;
 
 	ZERO(vec);
 	sigemptyset(&vec.sa_mask);
@@ -38,10 +38,32 @@ signal_no_reset(
 # endif
 
 	do
-		n = sigaction(sig, &vec, &ovec);
+		n = sigaction(sig, &vec, NULL);
 	while (-1 == n && EINTR == errno);
 	if (-1 == n) {
-		perror("sigaction");
+		perror("ERROR: signal_no_reset() sigaction");
+		exit(1);
+	}
+}
+
+/* set an sa_sigaction */
+void
+signal_no_reset1(
+	int sig,
+	void (*func)(int, siginfo_t *, void *)
+	)
+{
+	int n;
+	struct sigaction vec;
+
+	ZERO(vec);
+	sigemptyset(&vec.sa_mask);
+	vec.sa_sigaction = func;
+	vec.sa_flags = SA_SIGINFO;
+
+	n = sigaction(sig, &vec, NULL);
+	if (-1 == n) {
+		perror("ERROR: signal_no_reset1() sigaction");
 		exit(1);
 	}
 }
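Review bot: The new signal_no_reset1() differs from signal_no_reset() in more than the handler type, and neither its name nor its one-line comment says so. It sets `vec.sa_flags = SA_SIGINFO` only and calls sigaction() once, while the sibling wraps the call in a `do … while (-1 == n && EINTR == errno)` retry loop. The sibling's own flag setup lies outside this hunk, so whether it also sets a restart flag cannot be confirmed from here. I would expand the comment to something like `/* install an SA_SIGINFO (sa_sigaction) handler; no restart flag, no EINTR retry, exits on failure */`. Either mirror the retry loop or state that it is omitted on purpose, so the two helpers do not drift silently.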


=====================================
ntpd/ntp_sandbox.c
=====================================
--- a/ntpd/ntp_sandbox.c
+++ b/ntpd/ntp_sandbox.c
@@ -49,7 +49,7 @@ static struct passwd *pw;
 #include "ntp_stdlib.h"
 
 #ifdef HAVE_SECCOMP_H
-static void catchTrap(int sig);
+static void catchTrap(int sig, siginfo_t *, void *);
 #endif
 
 bool sandbox(const bool droproot,
@@ -275,7 +275,7 @@ getgroup:
 #endif
 	scmp_filter_ctx ctx = seccomp_init(MY_SCMP_ACT);
 
-        signal_no_reset(SIGSYS, catchTrap);
+        signal_no_reset1(SIGSYS, catchTrap);
 
 
 	if (NULL == ctx) {
@@ -441,10 +441,12 @@ int scmp_sc[] = {
  *  when it crashes, the last syscall will be at the end of the log file
  *
  */
-static void catchTrap(int sig)
+static void catchTrap(int sig, siginfo_t *si, void *u)
 {
 	UNUSED_ARG(sig);	/* signal number */
-	msyslog(LOG_ERR, "SIGSYS: got a trap. Probably seccomp omission. Bailing.");
+	UNUSED_ARG(u);	        /* unused ucontext_t */
+	msyslog(LOG_ERR, "ERROR: SIGSYS: got a trap.\n");
+	msyslog(LOG_ERR, "ERROR: Bad syscall %d\n", si->si_syscall);
 	exit(1);
 }
 #endif /* HAVE_SECCOMP_H */
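Review bot: In catchTrap, `si->si_syscall` is logged without first checking that the SIGSYS came from the seccomp filter. A SIGSYS delivered by kill() or raise() does not populate the SIGSYS-specific siginfo fields, so the logged number would be misleading. Guard the new line, e.g. `if (SYS_SECCOMP == si->si_code) msyslog(LOG_ERR, "ERROR: Bad syscall %d\n", si->si_syscall);`, and consider logging `si->si_arch` as well, since a syscall number only identifies a call for a given ABI. Separately, msyslog() and exit() run in signal context here, as they did before this commit. If msyslog is not async-signal-safe, a trap raised while a libc lock is held could hang instead of producing the log line, so `_exit(1)` after logging is worth considering.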



View it on GitLab: https://gitlab.com/NTPsec/ntpsec/commit/99df9ac91a01a254ca19bbf72d1c2f0fe297d522
