Fwd: PSA: Expanded seccomp filter debugging options

Skip to first unread message

Jorge Lucangeli Obes

Jul 10, 2019, 2:08:00 PM7/10/19
to Chromium OS dev
(Cross-posting to chromium.org.)

(If you don't normally need to debug seccomp filter failures, you can stop reading now.)

Hi folks,

With https://chromium-review.googlesource.com/c/chromiumos/overlays/chromiumos-overlay/+/1672750, Minijail now supports the SECCOMP_RET_LOG return action. This is currently available on 4.14+ kernels, but is being backported to 4.4 kernels.

SECCOMP_RET_LOG allows us to log all failing syscalls without interrupting the execution of the program. Compared to the previous logging mechanism, which would log only the first failing syscall, this is a notable improvement.

Because SECCOMP_RET_LOG disables the syscall blocking properties of the policy, this functionality is only available on dev images (i.e. cros_debug == 1). This was already the behaviour for the -L Minijail option so no changes there.

If you want to test this right away, you'll need this CL patched in to actually see the logs.

Example (on grunt):
# touch empty.policy
# minijail0 -S empty.policy -L -- /bin/true
# echo $?
# journalctl -g SECCOMP
... comm="true" exe="/usr/bin/coreutils" ... syscall=172
... comm="true" exe="/usr/bin/coreutils" ... syscall=172
... comm="true" exe="/usr/bin/coreutils" ... syscall=248

Which, for the record, happen to be prctl(2) and exit_group(2). Makes sense for something that only needs to exit(0).

Happy hacking!
Jorge, on behalf of the Chrome OS security team
Reply all
Reply to author
0 new messages