From 6a0d8ca4364db84ba337cccb58f878035634f3e0 Mon Sep 17 00:00:00 2001
From: dongresource <dongresource@protonmail.com>
Date: Sun, 13 Oct 2024 00:54:21 +0200
Subject: [PATCH] [sandbox] Print error message on seccomp sandbox violation

Co-authored-by: cpunch <sethtstubbs@gmail.com>
---
 src/sandbox/seccomp.cpp | 25 ++++++++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)

diff --git a/src/sandbox/seccomp.cpp b/src/sandbox/seccomp.cpp
index 3b75dc6..61578b8 100644
--- a/src/sandbox/seccomp.cpp
+++ b/src/sandbox/seccomp.cpp
@@ -61,7 +61,7 @@
     BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO|(_errno))
 
 #define KILL_PROCESS \
-    BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL_PROCESS)
+    BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_TRAP)
 
 /*
  * Macros adapted from openssh's sandbox-seccomp-filter.c
@@ -435,12 +435,35 @@ static void landlock_init() {
 
 #endif // !CONFIG_NOLANDLOCK
 
+static void sigsys_handler(int signo, siginfo_t *info, void *context) {
+    // report the unhandled syscall
+    std::cout << "[FATAL] Unhandled syscall " << info->si_syscall
+       << " at " << std::hex << info->si_call_addr << " on arch " << info->si_arch << std::endl;
+
+    std::cout << "If you're unsure why this is happening, please read https://openfusion.dev/docs/development/the-sandbox/" << std::endl
+              << "for more information and possibly open an issue at https://github.com/OpenFusionProject/OpenFusion/issues to report"
+              << " needed changes in our seccomp filter." << std::endl;
+
+    exit(1);
+}
+
 void sandbox_init() {
     if (!settings::SANDBOX) {
         std::cout << "[WARN] Running without a sandbox" << std::endl;
         return;
     }
 
+    // listen to SIGSYS to report unhandled syscalls
+    struct sigaction sa = {};
+
+    sa.sa_flags = SA_SIGINFO;
+    sa.sa_sigaction = sigsys_handler;
+
+    if (sigaction(SIGSYS, &sa, NULL) < 0) {
+        perror("sigaction");
+        exit(1);
+    }
+
 #ifndef CONFIG_NOLANDLOCK
     landlock_init();
 #else