| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fixes following memory leak:
14 bytes in 1 blocks are definitely lost in loss record 1 of 5
at 0x4079514: malloc (vg_replace_malloc.c:309)
by 0x4049A04: vasprintf (vasprintf.c:13)
by 0x4046354: asprintf (asprintf.c:10)
by 0x80491A9: main (in /root/utrace)
134 bytes in 1 blocks are definitely lost in loss record 3 of 5
at 0x4079514: malloc (vg_replace_malloc.c:309)
by 0x4049A04: vasprintf (vasprintf.c:13)
by 0x4046354: asprintf (asprintf.c:10)
by 0x8049208: main (in /root/utrace)
Signed-off-by: Junnan Xu <junnanx.xu@gmail.com>
Reviewed-by: Rui Salvaterra <rsalvaterra@gmail.com>
|
|
|
|
|
| |
Coverity CID: 1491022 Resource leak
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
|
|
|
|
|
|
|
|
| |
Fix potential NULL-pointer derefence in trace/preload.c similar to how
it was fixed in jail/preload.c by commit b824a89
("jail: preload: avoid NULL-dereference in case things go wrong").
Coverity CID: 1446096 Dereference after null check
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
|
|
|
|
|
|
|
| |
char* tmp is used in the fprintf function altough it is already freed.
Fixes: e5b38fd1 ("trace: free memory allocated by blobmsg_format_json_indent()")
Signed-off-by: Nick Hainke <vincent@systemli.org>
|
|
|
|
|
|
|
|
|
| |
Only one out of two occurances have been addressed previously.
Close the other one now.
Coverity CID: 1446205
Fixes: 51f1cd23 ("trace: free string returned by blobmsg_format_json_indent()")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
|
|
|
|
|
| |
Coverity CID: 1446154 Argument cannot be negative
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
|
|
|
|
|
| |
Coverity CID: 1446205 Resource leak
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
|
|
|
| |
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
|
|
|
|
|
|
|
|
|
| |
Add support for Aarch64 in utrace and ujail.
Sort and unify architecture-specific definitions in headers.
Use new PTRACE_GET_SYSCALL_INFO call (available since Linux 5.3), for
now only for aarch64, but this may potentially unify things and get
rid of some #ifdef'ery for other platforms as well.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
|
|
|
|
|
|
|
| |
Generate JSON as specified on OCI runtime spec for seccomp syscall
filter instead of our previous OpenWrt-specific format.
[1]: https://github.com/opencontainers/runtime-spec/blob/master/config-linux.md#seccomp
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
|
|
|
|
|
|
|
|
|
| |
_GNU_SOURCE was missing.
Also defined two macros unavailable with uClibc-ng.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
[resolved conflict in jail.c]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
|
|
|
|
|
|
|
|
| |
According to manpage the syscall nr is stored in r0
and return value in r3 for powerpc. Define it so we
can use seccomp and utrace on powerpc.
Signed-off-by: Wojciech Dubowik <Wojciech.Dubowik@neratec.com>
|
|
|
|
|
|
|
| |
Without this, on 64-bit systems, ptrace call corrupts memory because
it stores 64bit value to 32bit pid_t variable.
Signed-off-by: Michal Sojka <michal.sojka@cvut.cz>
|
|
|
|
|
|
|
|
|
| |
Check asprintf() return value; fixes ignoring return value warnings:
warning: ignoring return value of 'asprintf', declared with attribute
warn_unused_result [-Wunused-result]
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
|
|
|
|
|
|
|
| |
Fixes compile issue when using glibc as INT_MAX is reported as
undeclared.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
|
|
|
|
|
|
| |
Saves 1496 bytes from compiled size under glibc. No functional difference.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
|
|
|
|
|
|
|
| |
Without this, early ptrace stops can be missed because they can happen
before the call to uloop_init().
Signed-off-by: Michal Sojka <sojkam1@fel.cvut.cz>
|
|
|
|
|
|
|
| |
This unifies all logs messages produced by utrace and removes
duplicated functionality.
Signed-off-by: Michal Sojka <sojkam1@fel.cvut.cz>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
ARM architecture does not have its system call numbers contiguous. So
far, utrace ignored the non-contiguous system calls, but it makes it
difficult to setup seccomp whitelists. This patch adds support for
these extra out-of-range syscalls.
It extends the generated file syscall_names.h to include a few
functions. Now, for ARM this file looks like:
#include <asm/unistd.h>
static const char *__syscall_names[] = {
[280] = "waitid",
[148] = "fdatasync",
...
[252] = "epoll_wait",
[74] = "sethostname",
};
static inline const char *syscall_name(unsigned i) {
if (i < ARRAY_SIZE(__syscall_names))
return __syscall_names[i];
switch (i) {
case 0x0f0001: return "breakpoint";
case 0x0f0003: return "usr26";
case 0x0f0004: return "usr32";
case 0x0f0005: return "set_tls";
case 0x0f0002: return "cacheflush";
default: return (void*)0;
}
}
static inline int syscall_index(unsigned i) {
if (i < ARRAY_SIZE(__syscall_names))
return i;
switch (i) {
case 0x0f0001: return ARRAY_SIZE(__syscall_names) + 0;
case 0x0f0003: return ARRAY_SIZE(__syscall_names) + 1;
case 0x0f0004: return ARRAY_SIZE(__syscall_names) + 2;
case 0x0f0005: return ARRAY_SIZE(__syscall_names) + 3;
case 0x0f0002: return ARRAY_SIZE(__syscall_names) + 4;
default: return -1;
}
}
static inline int syscall_index_to_number(unsigned i) {
if (i < ARRAY_SIZE(__syscall_names))
return i;
switch (i) {
case ARRAY_SIZE(__syscall_names) + 0: return 0x0f0001;
case ARRAY_SIZE(__syscall_names) + 1: return 0x0f0003;
case ARRAY_SIZE(__syscall_names) + 2: return 0x0f0004;
case ARRAY_SIZE(__syscall_names) + 3: return 0x0f0005;
case ARRAY_SIZE(__syscall_names) + 4: return 0x0f0002;
default: return -1;
}
}
#define SYSCALL_COUNT (ARRAY_SIZE(__syscall_names) + 5)
For x86, which does not have extra syscalls, the file looks this way:
#include <asm/unistd.h>
static const char *__syscall_names[] = {
[247] = "waitid",
[75] = "fdatasync",
...
[232] = "epoll_wait",
[170] = "sethostname",
};
static inline const char *syscall_name(unsigned i) {
if (i < ARRAY_SIZE(__syscall_names))
return __syscall_names[i];
switch (i) {
default: return (void*)0;
}
}
static inline int syscall_index(unsigned i) {
if (i < ARRAY_SIZE(__syscall_names))
return i;
switch (i) {
default: return -1;
}
}
static inline int syscall_index_to_number(unsigned i) {
if (i < ARRAY_SIZE(__syscall_names))
return i;
switch (i) {
default: return -1;
}
}
#define SYSCALL_COUNT (ARRAY_SIZE(__syscall_names) + 0)
Signed-off-by: Michal Sojka <sojkam1@fel.cvut.cz>
|
|
|
|
|
|
|
|
|
|
| |
When a service is started with "/etc/init.d/<service> trace" or when
it has seccomp enabled (i.e. runs under seccomp-trace), stopping the
service with "/etc/init.d/<service> stop" stops only the tracer. The
service itself continue executing. This patch ensures that the service
is terminated as well.
Signed-off-by: Michal Sojka <sojkam1@fel.cvut.cz>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Older kernel version shipped by LEDE/OpenWrt contained patch
target/linux/generic/patches-3.18/999-seccomp_log.patch that logged
seccomp violations. For some reason, newer kernels do not have this
patch. Without this kind of logging, it is very hard to setup seccomp
whitelist properly, so this commit modifies utrace to serve as a
logger for seccomp violations.
With this patch, when utrace is executed via seccomp-trace symlink, it
does not trace normal syscalls but only seccomp violations and logs
them to syslog. For example:
seccomp-trace: uci[3955] tried to call non-whitelisted syscall: ftruncate64 (see /etc/seccomp/myservice.json)
Compared to the kernel-based logging, this approach gives users more
information - which json whitelist needs to be extended. This is
especially useful for services, which fork many diverse children such
as shell scripts.
Signed-off-by: Michal Sojka <sojkam1@fel.cvut.cz>
|
|
|
|
|
|
|
|
|
| |
This makes it easier to handle initial ptrace-stops (after
fork/clone/...), because we don't need to distinguish whether SIGSTOP
is from user or from ptrace. Also execve() does not deliver an extra
SIGTRAP, which we would have to handle.
Signed-off-by: Michal Sojka <sojkam1@fel.cvut.cz>
|
|
|
|
|
|
|
| |
Without this change, traced processes do not receive any signal,
because all the signals are "eaten" by the tracer.
Signed-off-by: Michal Sojka <sojkam1@fel.cvut.cz>
|
|
|
|
| |
Signed-off-by: Michal Sojka <sojkam1@fel.cvut.cz>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Without this change, utrace can trace only a single process. When the
process forks, syscalls of its children do not appear in utrace
output. This is a problem, because seccomp filters are inherited by
children and therefore filters generated by utrace may lack legitimate
syscalls.
This commit enables utrace to trace processes across forks. The
functionality can be demonstrated by the following examples:
utrace /bin/touch /tmp/xxx
produces:
{
"whitelist": [
"rt_sigaction",
"rt_sigreturn",
"exit",
"getuid",
"exit_group",
"utimensat"
],
"policy": 1
}
The command:
utrace /bin/sh -c 'touch /tmp/xxx'
without this commit produces:
{
"whitelist": [
"stat",
"rt_sigaction",
"rt_sigprocmask",
"rt_sigreturn",
"getpid",
"fork",
"exit",
"wait4",
"uname",
"getcwd",
"getuid",
"getppid",
"exit_group"
],
"policy": 1
}
but with this commit, the output is the following:
{
"whitelist": [
"read",
"open",
"close",
"stat",
"fstat",
"mmap",
"mprotect",
"rt_sigaction",
"rt_sigprocmask",
"rt_sigreturn",
"getpid",
"fork",
"execve",
"exit",
"wait4",
"uname",
"fcntl",
"getcwd",
"getuid",
"getppid",
"arch_prctl",
"gettid",
"set_tid_address",
"exit_group",
"utimensat"
],
"policy": 1
}
Note that in addition to utimensat syscall from touch, this output
contains more syscalls than what is in the union of single-process sh
and touch traces. The reason is that single-process traces do not
include syscalls from dynamic linker (due to preload trick), but the
trace of forked processes includes the dynamic linker syscalls. This
is unavoidable, because dynamic linker of the forked processes will be
subject to seccomp filters of the parent process.
Signed-off-by: Michal Sojka <sojkam1@fel.cvut.cz>
|
|
|
|
|
|
|
|
|
|
| |
seccomp and service jailing announce email [1] mentioned that "utrace
tool will sort the syscalls by the number of invocations". The code
did not do that until this commit.
[1] https://lists.openwrt.org/pipermail/openwrt-devel/2015-March/032197.html
Signed-off-by: Michal Sojka <sojkam1@fel.cvut.cz>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This fixes two errors:
1) memcpy() copies envc elements starting from index 1, so the number
of elements in target array should be envc + 1. But only envc was
allocated.
2) If original environment envp is empty, i.e. it contains only a NULL
element, the while loop misses it.
Signed-off-by: Michal Sojka <sojkam1@fel.cvut.cz>
|
|
|
|
|
|
|
| |
We want to copy the existing environment instead of the new one to
itself. Other bugs in this code are fixed in the next commit.
Signed-off-by: Michal Sojka <sojkam1@fel.cvut.cz>
|
|
|
|
|
|
|
| |
Fixes an issue where it would overwrite the first environment variable
with the preload one
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
|
|
|
| |
Signed-off by: Rosen Penev <rosenp@gmail.com>
|
|
|
|
|
|
| |
otherwise LOG_USER/LOG_EMERG is used
Signed-off-by: Ulrich Weber <uw@ocedo.com>
|
|
|
|
| |
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
|
|
|
|
|
| |
this broke x86_64 builds on uclibc
Signed-off-by: John Crispin <blogic@openwrt.org>
|
|
|
|
| |
Signed-off-by: John Crispin <blogic@openwrt.org>
|
|
Signed-off-by: John Crispin <blogic@openwrt.org>
|