Hi Yifei, On Sun, Oct 11, 2020 at 8:08 PM YiFei Zhu <zhuyifei1999@xxxxxxxxx> wrote: > From: YiFei Zhu <yifeifz2@xxxxxxxxxxxx> > > Currently the kernel does not provide an infrastructure to translate > architecture numbers to a human-readable name. Translating syscall > numbers to syscall names is possible through FTRACE_SYSCALL > infrastructure but it does not provide support for compat syscalls. > > This will create a file for each PID as /proc/pid/seccomp_cache. > The file will be empty when no seccomp filters are loaded, or be > in the format of: > <arch name> <decimal syscall number> <ALLOW | FILTER> > where ALLOW means the cache is guaranteed to allow the syscall, > and filter means the cache will pass the syscall to the BPF filter. > > For the docker default profile on x86_64 it looks like: > x86_64 0 ALLOW > x86_64 1 ALLOW > x86_64 2 ALLOW > x86_64 3 ALLOW > [...] > x86_64 132 ALLOW > x86_64 133 ALLOW > x86_64 134 FILTER > x86_64 135 FILTER > x86_64 136 FILTER > x86_64 137 ALLOW > x86_64 138 ALLOW > x86_64 139 FILTER > x86_64 140 ALLOW > x86_64 141 ALLOW > [...] > > This file is guarded by CONFIG_SECCOMP_CACHE_DEBUG with a default > of N because I think certain users of seccomp might not want the > application to know which syscalls are definitely usable. For > the same reason, it is also guarded by CAP_SYS_ADMIN. > > Suggested-by: Jann Horn <jannh@xxxxxxxxxx> > Link: https://lore.kernel.org/lkml/CAG48ez3Ofqp4crXGksLmZY6=fGrF_tWyUCg7PBkAetvbbOPeOA@xxxxxxxxxxxxxx/ > Signed-off-by: YiFei Zhu <yifeifz2@xxxxxxxxxxxx> > @@ -2311,3 +2314,59 @@ static int __init seccomp_sysctl_init(void) > device_initcall(seccomp_sysctl_init) > > #endif /* CONFIG_SYSCTL */ > + > +#ifdef CONFIG_SECCOMP_CACHE_DEBUG > +/* Currently CONFIG_SECCOMP_CACHE_DEBUG implies SECCOMP_ARCH_NATIVE */ Should there be a dependency on SECCOMP_ARCH_NATIVE? Should all architectures that implement seccomp have this? E.g. mips does select HAVE_ARCH_SECCOMP_FILTER, but doesn't have SECCOMP_ARCH_NATIVE? (noticed with preliminary out-of-tree seccomp implementation for m68k, which doesn't have SECCOMP_ARCH_NATIVE > +static void proc_pid_seccomp_cache_arch(struct seq_file *m, const char *name, > + const void *bitmap, size_t bitmap_size) > +{ > + int nr; > + > + for (nr = 0; nr < bitmap_size; nr++) { > + bool cached = test_bit(nr, bitmap); > + char *status = cached ? "ALLOW" : "FILTER"; > + > + seq_printf(m, "%s %d %s\n", name, nr, status); > + } > +} > + > +int proc_pid_seccomp_cache(struct seq_file *m, struct pid_namespace *ns, > + struct pid *pid, struct task_struct *task) > +{ > + struct seccomp_filter *f; > + unsigned long flags; > + > + /* > + * We don't want some sandboxed process to know what their seccomp > + * filters consist of. > + */ > + if (!file_ns_capable(m->file, &init_user_ns, CAP_SYS_ADMIN)) > + return -EACCES; > + > + if (!lock_task_sighand(task, &flags)) > + return -ESRCH; > + > + f = READ_ONCE(task->seccomp.filter); > + if (!f) { > + unlock_task_sighand(task, &flags); > + return 0; > + } > + > + /* prevent filter from being freed while we are printing it */ > + __get_seccomp_filter(f); > + unlock_task_sighand(task, &flags); > + > + proc_pid_seccomp_cache_arch(m, SECCOMP_ARCH_NATIVE_NAME, > + f->cache.allow_native, error: ‘struct action_cache’ has no member named ‘allow_native’ struct action_cache is empty if SECCOMP_ARCH_NATIVE is not defined (so there are checks for it). > + SECCOMP_ARCH_NATIVE_NR); > + > +#ifdef SECCOMP_ARCH_COMPAT > + proc_pid_seccomp_cache_arch(m, SECCOMP_ARCH_COMPAT_NAME, > + f->cache.allow_compat, > + SECCOMP_ARCH_COMPAT_NR); > +#endif /* SECCOMP_ARCH_COMPAT */ > + > + __put_seccomp_filter(f); > + return 0; > +} > +#endif /* CONFIG_SECCOMP_CACHE_DEBUG */ > -- > 2.28.0 > -- Gr{oetje,eeting}s, Geert -- Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@xxxxxxxxxxxxxx In personal conversations with technical people, I call myself a hacker. But when I'm talking to journalists I just say "programmer" or something like that. -- Linus Torvalds _______________________________________________ Containers mailing list Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linuxfoundation.org/mailman/listinfo/containers
