Merge 37386b857a into cada1bcfd8

2024-11-21 21:20:04 +00:00 · 2024-10-14 22:59:28 -07:00 · 2024-10-14 22:59:28 -07:00 · 8b693e564e
commit 8b693e564e
parent cada1bcfd8 37386b857a
1 changed files with 22 additions and 1 deletions
--- a/src/sandbox/seccomp.cpp
+++ b/src/sandbox/seccomp.cpp
@ -54,7 +54,7 @@
    BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO|(_errno))

 #define KILL_PROCESS \
-    BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL_PROCESS)
+    BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_TRAP)

 /*
 * Macros adapted from openssh's sandbox-seccomp-filter.c
@ -302,6 +302,18 @@ int seccomp(unsigned int operation, unsigned int flags, void *args) {
    return syscall(__NR_seccomp, operation, flags, args);
 }

+void sig_sys_handler(int signo, siginfo_t *info, void *context)
+{
+    // report the unhandled syscall
+    std::cout << "[FATAL] Unhandled syscall: " << info->si_syscall << std::endl;
+
+    std::cout << "If you're unsure why this is happening, please read https://openfusion.dev/docs/development/the-sandbox/" << std::endl 
+              << "for more information and possibly open an issue at https://github.com/OpenFusionProject/OpenFusion/issues to report"
+              << " needed changes in our seccomp filter." << std::endl;
+
+    exit(1);
+}
+
 void sandbox_start() {
    if (!settings::SANDBOX) {
        std::cout << "[WARN] Running without a sandbox" << std::endl;
@ -310,6 +322,15 @@ void sandbox_start() {

    std::cout << "[INFO] Starting seccomp-bpf sandbox..." << std::endl;

+    // we listen to SIGSYS to report unhandled syscalls
+    struct sigaction sa = {};
+    sa.sa_flags = SA_SIGINFO;
+    sa.sa_sigaction = sig_sys_handler;
+    if (sigaction(SIGSYS, &sa, NULL) < 0) {
+        perror("sigaction");
+        exit(1);
+    }
+
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {
        perror("prctl");
        exit(1);