-
Notifications
You must be signed in to change notification settings - Fork 160
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Fix killing of tracees that haven't issued any syscall yet, previously we've used last_restart_how which was 0, which happened to be PTRACE_TRACEME which caused hang Suppress seccomp SIGSYS also when it happens on ptraced process and don't deliver SIGSYS to ptracer Improve logging, show detected syscall order when we detect seccomp
- Loading branch information
1 parent
47138da
commit 88b915e
Showing
3 changed files
with
30 additions
and
7 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
88b915e
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Michal,
I am a trying to understand something with regards to the Oreo 8.0+ issue. I understand most of what you have done, but I am curious what is the correct way to fully emulate a system call that has caused a SIGSYS because of the blocking of certain system calls. Specifically, I am working on one example... PR_symlink, but you can pick any one... like PR_chmod. I will later make it do the right thing, but for right now, I want to have restart the system call (done), do something in an extension at SYSENTER_END to emulate the behavior (done) and then I want and then change the sysnum to PR_void (done). All is behaving as I would expect, but PR_void is blocked when it is run and things are terminated. I want PR_void to be allowed to progress, like what you are doing for the use of PR_void when originally it was PR_ptrace. Can you describe the general approach to handling this for some other case than PR_ptrace?
Thanks,
Corbin
P.S. I sent an email to you about PRoot development. Tell me if you didn't get it. I just pulled your email from some info off github and I am not sure it is correct.
88b915e
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
PR_ptrace
is in normal case (translate_syscall_enter/_exit
).SIGSYS
is unlike normal syscalls handled by proot,SIGSYS
happens after syscall was cancelled by system, so you don't need PR_void.See tracee/seccomp.c pull request where I've got support for
accept
->accept4
translation. This translation happens after syscall was blocked by system so nothing has to be cancelled (PR_void), Originally this mechanism was made to just replaceSIGSYS
signal withENOSYS
errno, above accept translation isn't completely transparent, doesn't restore regs, but libc generally isn't bothered by that. Note that in current implementationaccept4
syscall inserted by SIGSYS handler will be intercepted byproot
(so it can translate paths then, so this should be used to just switch syscall and path translation will happen later)Regarding your offer, thanks, but I'm happy with my current job. PRoot stays as my side project (which means not very much time I can spend on development, but I'm happy to answer questions/review not working patches/accept pull requests to this fork)
88b915e
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I copied the example for accept->accept4 but did symlink->symlinkat and the kernel gave another sigsys. I have a pixel running 8.1.0
88b915e
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah, but I mucked with some of the sysargs in the same place to mat symlinkat
88b915e
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Here is specifically what I did.
case PR_symlink:
VERBOSE(tracee, 1, "In handle seccomp symlink");
But oddly, at sysenter start the syscall is still PR_symlink and then PRoot turns it into PR_void even though nothing has told it to do so. Then it runs PR_void and that cause things to terminate. See any obvious idiocy?
What I am doing now instead, is I am notifying extensions on a SIGSYS event. Then I am emulating the behavior withing an extension. I see the notify_extension(SIGSYS_OCC...) working and getting to the extension, now I need to do something with it. Does this sound reasonable to you?
88b915e
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
specifically, fake_id0 is where a lot of the code will be for handling all the chown, chmod, etc etc
88b915e
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
About working together professionally... that is cool. If there is any way we can help you keep proot moving along, just tell me.
88b915e
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've tried your snippet and with minor customization got it working:
CURRENT
instead ofORIGINAL
, this handler currently doesn't fillORIGINAL
PR_symlink
and if it is called there it'll be seen asPR_void
, did you really seePR_symlink
atsysenter start
? And if yes then another reason forPR_void
is proot deciding syscall has failed and proot substituted error value and cancelled syscall (but in that case it shouldn't reachhandle_seccomp_event
88b915e
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes. Even when fixing the CURRENT vs ORIGINAL issue, I still see PR_symlink at sysenter start, even though it should be PR_symlinkat now. Then at sysenter end I see PR_void.
My technique of fully emulating what I want inside an extension seems to be working though. Though I am not sure why the other method does not work for me.
88b915e
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am using proot built for arm, not arm64 in this case.