From 19dbf7abebe58af6b61e5b63f6e30aa2de595fe7 Mon Sep 17 00:00:00 2001
From: cpunch
Date: Tue, 1 Oct 2024 21:47:59 -0500
Subject: [PATCH 1/2] seccomp: report unhandled syscalls
---
 src/sandbox/seccomp.cpp | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)
diff --git a/src/sandbox/seccomp.cpp b/src/sandbox/seccomp.cpp
index 6d930fd..9f145d8 100644
--- a/src/sandbox/seccomp.cpp
+++ b/src/sandbox/seccomp.cpp
@@ -54,7 +54,7 @@ BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO|(_errno))
 #define KILL_PROCESS \
- BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL_PROCESS)
+ BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_TRAP)
 /* * Macros adapted from openssh's sandbox-seccomp-filter.c
@@ -302,6 +302,18 @@ int seccomp(unsigned int operation, unsigned int flags, void *args) {
 return syscall(__NR_seccomp, operation, flags, args);
 }
+void sig_sys_handler(int signo, siginfo_t *info, void *context)
+{
+ // report the unhandled syscall
+ std::cout << "[FATAL] Unhandled syscall: " << info->si_syscall << std::endl;
+
+ std::cout << "If you're unsure why this is happening, please read https://github.com/OpenFusionProject/OpenFusion/wiki/The-Sandbox" << std::endl
+ << "for more information and possibly open an issue at https://github.com/OpenFusionProject/OpenFusion/issues to report"
+ << " needed changes in our seccomp filter." << std::endl;
+
+ exit(1);
+}
+
 void sandbox_start() {
 if (!settings::SANDBOX) {
 std::cout << "[WARN] Running without a sandbox" << std::endl;
@@ -310,6 +322,15 @@ void sandbox_start() {
 std::cout << "[INFO] Starting seccomp-bpf sandbox..." << std::endl;
+ // we listen to SIGSYS to report unhandled syscalls
+ struct sigaction sa = {};
+ sa.sa_flags = SA_SIGINFO;
+ sa.sa_sigaction = sig_sys_handler;
+ if (sigaction(SIGSYS, &sa, NULL) < 0) {
+ perror("sigaction");
+ exit(1);
+ }
+
 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {
 perror("prctl");
 exit(1);
From 37386b857aea6affa883940bed6b241bfcc039aa Mon Sep 17 00:00:00 2001
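Review bot: With `KILL_PROCESS` now expanding to `SECCOMP_RET_TRAP`, a filtered syscall no longer ends the process in the kernel; the process ends only if the SIGSYS handler registered in the `sandbox_start()` hunk is still installed and reaches its exit call, so the fail-closed guarantee now rests on userspace state. If the allow list permits `rt_sigaction` (the list is not visible in this patch, so this needs confirming), code running inside the sandbox could swap in a handler that simply returns, and a violation would then be a denied syscall rather than a dead process. I would keep `SECCOMP_RET_KILL_PROCESS` as the default action and select the trap action only through a diagnostic build or setting, which is how the openssh filter this file credits treats its trap mode. If the trap stays, the macro name no longer describes what it does; rename it or add a comment such as `// traps to sig_sys_handler, which reports the syscall and exits`.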
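Review bot: `sig_sys_handler` uses `std::cout` and `exit()` from signal context, and neither is async-signal-safe: the trapped thread may already hold the stream or allocator lock, and `exit()` runs atexit handlers and static destructors that can block or issue further filtered syscalls, so a process that should terminate may hang instead. The report should be emitted with `write()` on fixed buffers and the process ended with `_exit(1)`. `signo` and `context` are unused and could be left unnamed. The sketch below keeps the message text and the stdout destination, and assumes `<unistd.h>` is already included for the existing `syscall()` call.

```cpp
void sig_sys_handler(int signo, siginfo_t *info, void *context)
{
    // Signal context: async-signal-safe calls only (write, _exit).
    static const char head[] = "[FATAL] Unhandled syscall: ";
    static const char help[] =
        "\nIf you're unsure why this is happening, please read https://github.com/OpenFusionProject/OpenFusion/wiki/The-Sandbox\n"
        "for more information and possibly open an issue at https://github.com/OpenFusionProject/OpenFusion/issues to report"
        " needed changes in our seccomp filter.\n";

    // Decimal formatting by hand; the printf family is not async-signal-safe.
    char digits[12];
    size_t pos = sizeof(digits);
    unsigned int nr = static_cast<unsigned int>(info->si_syscall);
    do {
        digits[--pos] = static_cast<char>('0' + nr % 10);
        nr /= 10;
    } while (nr != 0);

    // Best effort: nothing useful can be done here if a write fails.
    (void)write(STDOUT_FILENO, head, sizeof(head) - 1);
    (void)write(STDOUT_FILENO, digits + pos, sizeof(digits) - pos);
    (void)write(STDOUT_FILENO, help, sizeof(help) - 1);

    _exit(1);
}
```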
From: cpunch
Date: Wed, 2 Oct 2024 18:27:41 -0500
Subject: [PATCH 2/2] change wiki sandbox link to openfusion.dev mirror
---
 src/sandbox/seccomp.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/sandbox/seccomp.cpp b/src/sandbox/seccomp.cpp
index 9f145d8..0680d6a 100644
--- a/src/sandbox/seccomp.cpp
+++ b/src/sandbox/seccomp.cpp
@@ -307,7 +307,7 @@ void sig_sys_handler(int signo, siginfo_t *info, void *context)
 // report the unhandled syscall
 std::cout << "[FATAL] Unhandled syscall: " << info->si_syscall << std::endl;
- std::cout << "If you're unsure why this is happening, please read https://github.com/OpenFusionProject/OpenFusion/wiki/The-Sandbox" << std::endl
+ std::cout << "If you're unsure why this is happening, please read https://openfusion.dev/docs/development/the-sandbox/" << std::endl
 << "for more information and possibly open an issue at https://github.com/OpenFusionProject/OpenFusion/issues to report"
 << " needed changes in our seccomp filter." << std::endl;