I wrote and tested this on a bleeding-edge Ubuntu box. I have yet to
try this on other Linux flavors.
I also have a patch that can incrementally tighten the syscall filter
to calls listed in a text file. I will work on that one a bit more
first, however. The code for both is also at
https://gitlab.com/na280/ntpsec/-/commits/23B27-seccomp
From 8b99fd609647ff0567c83d0d05991c874ce8278e Mon Sep 17 00:00:00 2001
From: James Browning <jamesb.f...@gmail.com>
Date: Mon, 27 Feb 2023 16:30:51 -0800
Subject: [PATCH 1/2] Attempt to make seccomp errors useful not Lassie
---
ntpd/ntp_sandbox.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/ntpd/ntp_sandbox.c b/ntpd/ntp_sandbox.c
index 369602357..8d82c8edd 100644
--- a/ntpd/ntp_sandbox.c
+++ b/ntpd/ntp_sandbox.c
@@ -568,8 +568,11 @@ static void catchTrap(int sig, siginfo_t *si, void *u)
UNUSED_ARG(u); /* unused ucontext_t */
msyslog(LOG_ERR, "ERR: SIGSYS: got a trap.\n");
if ( si->si_syscall ) {
- msyslog(LOG_ERR, "ERR: SIGSYS/seccomp bad syscall %d/%#x\n",
- si->si_syscall, si->si_arch);
+ char *call = seccomp_syscall_resolve_num_arch(
+ si->si_arch, si->si_syscall);
+ msyslog(LOG_ERR, "ERR: SIGSYS/seccomp bad syscall %d(%s)/%#x\n",
+ si->si_syscall, call, si->si_arch);
+ free(call);
}
#ifndef BACKTRACE_DISABLED
backtrace_log();
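Review bot: the new msyslog call in catchTrap passes `call` straight to `%s`, but seccomp_syscall_resolve_num_arch() returns NULL when the number is not known for the given architecture, so the log line should guard it, e.g. `call ? call : "unknown"` (free(NULL) is fine as is). Worth a comment too: the resolver returns a malloc'd string and the handler free()s it, and inside a SIGSYS handler those allocator calls can themselves issue brk/mmap syscalls that the filter may not allow, re-trapping before the message is written; if that is a concern, resolve into a static buffer or accept the risk explicitly in a comment.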
--
2.38.1
_______________________________________________
devel mailing list
devel@ntpsec.org
https://lists.ntpsec.org/mailman/listinfo/devel