minijail: improve debug and help text output

When reporting blocked syscalls, include the list of implicitly allowed
syscalls in the syslog report. This also improves the help text to
clarify where things are logged, and when -n is needed.

BUG=None
TEST=`minijail0 -L -S /dev/null /bin/ls` reports expected syscalls to syslog

Change-Id: I9c1104f34f55d807339106470f0b1611988ea0a5
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/236741
Reviewed-by: Peter Qiu <zqiu@chromium.org>
diff --git a/minijail0.c b/minijail0.c
index db413d8..3a60740 100644
--- a/minijail0.c
+++ b/minijail0.c
@@ -90,9 +90,9 @@
 	       "  -H:         seccomp filter help message\n"
 	       "  -i:         exit immediately after fork (do not act as init)\n"
 	       "              Not compatible with -p\n"
-	       "  -L:         log blocked syscalls when using seccomp filter. "
-	       "Forces the following syscalls to be allowed:\n"
-	       "              ", progn);
+	       "  -L:         report blocked syscalls to syslog when using seccomp filter.\n"
+	       "              Forces the following syscalls to be allowed:\n"
+	       "                  ", progn);
 	for (i = 0; i < log_syscalls_len; i++)
 		printf("%s ", log_syscalls[i]);
 
@@ -103,6 +103,7 @@
 	       "  -s:         use seccomp\n"
 	       "  -S <file>:  set seccomp filter using <file>\n"
 	       "              E.g., -S /usr/share/filters/<prog>.$(uname -m)\n"
+	       "              Requires -n when not running as root\n"
 	       "  -t:         mount tmpfs at /tmp inside chroot\n"
 	       "  -u <user>:  change uid to <user>\n"
 	       "  -v:         enter new mount namespace\n"
diff --git a/syscall_filter.c b/syscall_filter.c
index 70fff07..9ea5dca 100644
--- a/syscall_filter.c
+++ b/syscall_filter.c
@@ -125,8 +125,10 @@
 void allow_log_syscalls(struct filter_block *head)
 {
 	unsigned int i;
-	for (i = 0; i < log_syscalls_len; i++)
+	for (i = 0; i < log_syscalls_len; i++) {
+		warn("allowing syscall: %s", log_syscalls[i]);
 		append_allow_syscall(head, lookup_syscall(log_syscalls[i]));
+	}
 }
 
 unsigned int get_label_id(struct bpf_labels *labels, const char *label_str)
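Review bot: In `allow_log_syscalls` the new `warn("allowing syscall: %s", ...)` runs before the result of `lookup_syscall()` is known, and that result is still passed unchecked to `append_allow_syscall()`, so syslog can report a syscall as allowed when the name did not resolve on this architecture. `lookup_syscall` is not visible here, so a negative failure value is assumed; if that holds, resolve first and log only on success: `int nr = lookup_syscall(log_syscalls[i]);` followed by `if (nr < 0) { warn("unknown syscall: %s", log_syscalls[i]); continue; }`. Because these entries widen the policy beyond what the filter file says, the log line is what an auditor will rely on, and it should match what was actually appended to the filter. A short comment above the loop would record that intent, for example `/* -L forces these syscalls to be allowed so blocked calls can be reported; log each one so the effective policy is visible. */`. This is expected behaviour under -L rather than a fault, so an informational log level may fit better than a warning if the project has one.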