Hi all, this patch series enhances seccomp sandboxing of procd services. It introduces two main features:
1. Support for multi-threaded and multi-process services (previously, utrace which creates seccomp whitelists was usable only for single-threaded processes) and 2. logging of seccomp violations via a user-space tracer rather than via kernel patch. In addition to that, there are many bug fixes and smaller enhancements such as support for tracing non-contiguous syscalls on ARM. libubox patches (2): uloop: Fix race condition in SIGCHLD handling uloop: Enable utracing of multi-threaded programs procd patches (17): utrace: Fix environment initialization utrace: Fix off-by-one errors Do not disable seccomp when configuration is not found Update trace attribute utrace: Sort syscalls by number of invocations utrace: Trace processes across forks utrace: Support tracing multi-threaded processes and vfork utrace: Deliver signals to traced processes utrace: Use PTHREAD_SEIZE instead of PTHREAD_TRACEME seccomp: Log seccomp violations with utrace Start seccomp-enabled services via seccomp-trace preload-seccomp: Use proper log level for error messages seccomp: Improve error message utrace: Report ptrace errors utrace: Forward SIGTERM to the traced process utrace: Support non-contiguous syscall numbers utrace: Switch all logging to ulog source patches (1): procd: Install seccomp-trace symlink procd diffstat: jail/preload.c | 5 + jail/seccomp-bpf.h | 1 + jail/seccomp.c | 24 ++--- jail/seccomp.h | 4 + make_syscall_h.sh | 48 ++++++++- service/instance.c | 21 ++-- trace/preload.c | 1 - trace/trace.c | 279 +++++++++++++++++++++++++++++++++++++++++------------ 8 files changed, 291 insertions(+), 92 deletions(-) -- 2.14.1 _______________________________________________ Lede-dev mailing list Lede-dev@lists.infradead.org http://lists.infradead.org/mailman/listinfo/lede-dev
