minijail: improve debug and help text output When reporting blocked syscalls, include the list of implicitly allowed syscalls in the syslog report. This also improves the help text to clarify where things are logged, and when -n is needed. BUG=None TEST=`minijail0 -L -S /dev/null /bin/ls` reports expected syscalls to syslog Change-Id: I9c1104f34f55d807339106470f0b1611988ea0a5 Signed-off-by: Kees Cook <keescook@chromium.org> Reviewed-on: https://chromium-review.googlesource.com/236741 Reviewed-by: Peter Qiu <zqiu@chromium.org>

commit: 03b2af22a2170e9130c8df9e5e92a4d79e91ac0e [log] [tgz]
author: Kees Cook <keescook@chromium.org> Thu Dec 18 17:11:13 2014 -0800
committer: ChromeOS Commit Bot <chromeos-commit-bot@chromium.org> Tue Jan 06 03:40:35 2015 +0000
tree: 85f20aee5255525bbcea4d054d7b2beb032ed023
parent: 8b488a5b1f0b5eab62516b50e638c1484409bb87 [diff] [blame]
diff --git a/syscall_filter.c b/syscall_filter.c
index 70fff07..9ea5dca 100644
--- a/syscall_filter.c
+++ b/syscall_filter.c

@@ -125,8 +125,10 @@
 void allow_log_syscalls(struct filter_block *head)
 {
 	unsigned int i;
-	for (i = 0; i < log_syscalls_len; i++)
+	for (i = 0; i < log_syscalls_len; i++) {
+		warn("allowing syscall: %s", log_syscalls[i]);
 		append_allow_syscall(head, lookup_syscall(log_syscalls[i]));
+	}
 }
 
 unsigned int get_label_id(struct bpf_labels *labels, const char *label_str)
commit	03b2af22a2170e9130c8df9e5e92a4d79e91ac0e	[log] [tgz]
author	Kees Cook <keescook@chromium.org>	Thu Dec 18 17:11:13 2014 -0800
committer	ChromeOS Commit Bot <chromeos-commit-bot@chromium.org>	Tue Jan 06 03:40:35 2015 +0000
tree	85f20aee5255525bbcea4d054d7b2beb032ed023
parent	8b488a5b1f0b5eab62516b50e638c1484409bb87 [diff] [blame]