Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / minijail / 0956086b299a7f206854bbaff0ec58810c60d055^! / . / util.c
commit0956086b299a7f206854bbaff0ec58810c60d055[log] [tgz]
authorMike Frysinger <vapier@google.com>Wed Sep 27 01:13:15 2017 -0400
committerMike Frysinger <vapier@google.com>Wed Sep 27 01:13:15 2017 -0400
treef093a596115e7b3dd925fb730b1f3ea7a15250ab
parentac981fc673a09c541f0f9f6c3d8f51a1b6432368 [diff] [blame]
whitelist socket for logging purposes

Since minijail runs inprocess, it needs to whitelist syslog related
syscalls when using the -L option.  Thus far we've only whitelisted
calls needed to log messages while assuming the syslog connection
stays open/active.  There are scenarios though where syslog needs to
be re-opened (the program called closelog, or there was a temporary
failure in writing, etc...) in which case the C lib will use socket
to reconnect.  If we don't whitelist, we end up crashing when we try
to log the program's crash.

Simple reproduction:
$ cat seccomp
prctl: 1
close: 1
$ cat test.c
main() { closelog(); unlink(); }
$ gcc test.c
$ sudo minijail -L -S ./seccomp ./a.out
<syslog doesn't say anything about unlink, just a crash>

Now after enabling socket(), we get a message about the unlink syscall
violating the filter.

BUG=chromium:769047
TEST=ran a test program with closelog() and checked minijail could still log

Change-Id: Ic7a2aa4ea4b841315e5a44b8293654efca2e11fb

diff --git a/util.c b/util.c
index f228ff7..14c028a 100644
--- a/util.c
+++ b/util.c

@@ -34,7 +34,7 @@
 #if defined(__ANDROID__)
 const char *log_syscalls[] = {"socket", "connect", "fcntl", "writev"};
 #else
-const char *log_syscalls[] = {"connect", "sendto"};
+const char *log_syscalls[] = {"socket", "connect", "sendto"};
 #endif
 #elif defined(__i386__)
 #if defined(__ANDROID__)
@@ -48,17 +48,17 @@
 const char *log_syscalls[] = {"clock_gettime", "connect", "fcntl64", "socket",
 			      "writev"};
 #else
-const char *log_syscalls[] = {"connect", "gettimeofday", "send"};
+const char *log_syscalls[] = {"socket", "connect", "gettimeofday", "send"};
 #endif
 #elif defined(__aarch64__)
 #if defined(__ANDROID__)
 const char *log_syscalls[] = {"connect", "fcntl", "sendto", "socket", "writev"};
 #else
-const char *log_syscalls[] = {"connect", "send"};
+const char *log_syscalls[] = {"socket", "connect", "send"};
 #endif
 #elif defined(__powerpc__) || defined(__ia64__) || defined(__hppa__) ||        \
       defined(__sparc__) || defined(__mips__)
-const char *log_syscalls[] = {"connect", "send"};
+const char *log_syscalls[] = {"socket", "connect", "send"};
 #else
 #error "Unsupported platform"
 #endif