whitelist socket for logging purposes

Since minijail runs in-process, it needs to whitelist syslog-related
syscalls when using the -L option. Thus far we've only whitelisted
calls needed to log messages while assuming the syslog connection
stays open/active. There are scenarios though where syslog needs to
be re-opened (the program called closelog, or there was a temporary
failure in writing, etc.) in which case the C lib will use socket
to reconnect. If we don't whitelist it, we end up crashing when we try
to log the program's crash.

Simple reproduction:

$ cat seccomp
prctl: 1
close: 1
$ cat test.c
#include <syslog.h>
#include <unistd.h>

int main(void) {
    closelog();              /* libc closes its syslog socket */
    unlink("/nonexistent");  /* path is arbitrary; unlink is not in the filter, so this traps */
    return 0;
}
$ gcc test.c
$ sudo minijail -L -S ./seccomp ./a.out
<syslog doesn't say anything about unlink, just a crash>

Now after enabling socket(), we get a message about the unlink syscall
violating the filter.

BUG=chromium:769047
TEST=ran a test program with closelog() and checked minijail could still log
Change-Id: Ic7a2aa4ea4b841315e5a44b8293654efca2e11fb
diff --git a/util.c b/util.c
index f228ff7..14c028a 100644
--- a/util.c
+++ b/util.c
@@ -34,7 +34,7 @@
#if defined(__ANDROID__)
const char *log_syscalls[] = {"socket", "connect", "fcntl", "writev"};
#else
-const char *log_syscalls[] = {"connect", "sendto"};
+const char *log_syscalls[] = {"socket", "connect", "sendto"};
#endif
#elif defined(__i386__)
#if defined(__ANDROID__)
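Review bot: the x86_64 non-Android list now carries socket, connect and sendto, but the Android list directly above it also carries fcntl and writev; if the non-Android libc's reconnect path sets FD_CLOEXEC with fcntl before connecting, the first violation logged after closelog() will still trap on fcntl instead of socket, and the original symptom (a silent crash while logging the crash) comes back. Please confirm with strace on the repro from the commit message that the reconnect is exactly socket + connect + sendto on this libc, and consider turning the closelog() repro into a regression test rather than relying on the manual TEST= run.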
@@ -48,17 +48,17 @@
const char *log_syscalls[] = {"clock_gettime", "connect", "fcntl64", "socket",
"writev"};
#else
-const char *log_syscalls[] = {"connect", "gettimeofday", "send"};
+const char *log_syscalls[] = {"socket", "connect", "gettimeofday", "send"};
#endif
#elif defined(__aarch64__)
#if defined(__ANDROID__)
const char *log_syscalls[] = {"connect", "fcntl", "sendto", "socket", "writev"};
#else
-const char *log_syscalls[] = {"connect", "send"};
+const char *log_syscalls[] = {"socket", "connect", "send"};
#endif
#elif defined(__powerpc__) || defined(__ia64__) || defined(__hppa__) || \
defined(__sparc__) || defined(__mips__)
-const char *log_syscalls[] = {"connect", "send"};
+const char *log_syscalls[] = {"socket", "connect", "send"};
#else
#error "Unsupported platform"
#endif
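Review bot: on i386 the non-Android list gains a direct socket entry next to send and gettimeofday; if the libc on that target still creates the socket through socketcall, this entry will not cover the reconnect, so the i386 (and the shared powerpc/ia64/hppa/sparc/mips) change should be verified under -L the same way as x86_64. The Android i386 list above already lists direct socket, so this may well have been checked; a sentence in the commit message saying so would settle it. Minor: the Android lists are alphabetical while the new entries put socket first; keeping the order consistent ("connect", "send", "socket") makes the per-arch lists easier to compare.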