Bad system call #7
Comments
|
Hey @gu3sst ! Thanks for letting me know! If you can strace the process, it should show the system call that is failing: diff --git a/examples/bot.sh b/examples/bot.sh
index 1ebb101..b132c51 100755
--- a/examples/bot.sh
+++ b/examples/bot.sh
@@ -77,4 +77,4 @@ bot() {
}
bot >"$in" &
-xmppipe "$@" <"$in" >"$out"
+strace -f -o xmppipe.trace xmppipe "$@" <"$in" >"$out"The last 2 lines in the trace file should show the bad system call. Something like (commenting out Let me know the results and I can update the filter. If you would like to test out whether allowing the system call now works (adding more than one system call may be necessary), you can add the system call. For example, if diff --git a/src/restrict_process_seccomp.c b/src/restrict_process_seccomp.c
index 7f74e99..49bd071 100644
--- a/src/restrict_process_seccomp.c
+++ b/src/restrict_process_seccomp.c
@@ -164,6 +164,9 @@ int restrict_process_init(xmppipe_state_t *state) {
#ifdef __NR_newfstatat
SC_ALLOW(newfstatat),
#endif
+#ifdef __NR_fstatat64
+ SC_ALLOW(fstatat64),
+#endif
/* uuid */
#ifdef __NR_gettimeofday
Note: there are 2 filters. The system call may need to be added to both. If you just want to try xmppipe, you can disable the seccomp process restrictions: |
|
@gu3sst remembered I had a raspberry pi running bullseye. Should be fixed on master, let me know if it is still broken for you. |
|
Hi @msantos thanks for your support, here are the last lines with strace: rt_sigprocmask(SIG_BLOCK, [HUP USR1 USR2 PIPE ALRM CHLD TSTP URG VTALRM PROF WINCH IO], <unfinished ...>) = ? If I compile with rlimit or null, all tests work fine. Let me know what else I can do to help. Greetings |
|
@gu3sst thanks for the trace! That's a really interesting result. xmppipe doesn't do any signal handling related calls. Something else is inserting the system calls. It could be one of the linked libraries but haven't seen it so far on the debian systems I've tested on. Are you running debian in a virtualized environment or using any LD_PRELOAD libraries? I'd suggest disabling the seccomp process restrictions. However if you want to enable them, this patch might work: diff --git a/src/restrict_process_seccomp.c b/src/restrict_process_seccomp.c
index 5462a6c..ed21238 100644
--- a/src/restrict_process_seccomp.c
+++ b/src/restrict_process_seccomp.c
@@ -310,6 +310,22 @@ int restrict_process_init(xmppipe_state_t *state) {
SC_ALLOW(sysinfo),
#endif
+#ifdef __NR_rt_sigaction
+ SC_ALLOW(rt_sigaction),
+#endif
+#ifdef __NR_rt_sigprocmask
+ SC_ALLOW(rt_sigprocmask),
+#endif
+#ifdef __NR_sigprocmask
+ SC_ALLOW(sigprocmask),
+#endif
+#ifdef __NR_rt_sigreturn
+ SC_ALLOW(rt_sigreturn),
+#endif
+#ifdef __NR_sigreturn
+ SC_ALLOW(sigreturn),
+#endif
+
#ifdef __NR_restart_syscall
SC_ALLOW(restart_syscall),
#endif
@@ -438,6 +454,23 @@ int restrict_process_stdin(xmppipe_state_t *state) {
#ifdef __NR_writev
SC_ALLOW(writev),
#endif
+
+#ifdef __NR_rt_sigaction
+ SC_ALLOW(rt_sigaction),
+#endif
+#ifdef __NR_rt_sigprocmask
+ SC_ALLOW(rt_sigprocmask),
+#endif
+#ifdef __NR_sigprocmask
+ SC_ALLOW(sigprocmask),
+#endif
+#ifdef __NR_rt_sigreturn
+ SC_ALLOW(rt_sigreturn),
+#endif
+#ifdef __NR_sigreturn
+ SC_ALLOW(sigreturn),
+#endif
+
#ifdef __NR_restart_syscall
SC_ALLOW(restart_syscall),
#endif
|
|
Hi, I'm running a Debian installation and no LD_PRELOAD libraries, thanks for the patch! By the way thanks for the app, its very useful and complete. |
Hi, when I execute the bot example I get
./bot.sh: line 127: 17047 Bad system call xmppipe "$@" < "$in" > "$out"
I'm running it in Debian Bullseye,
Thanks
The text was updated successfully, but these errors were encountered: