Re: [libseccomp-discuss] allowing select() fails in i686
High level interface to the Linux Kernel's seccomp filter
Brought to you by:
pcmoore
Menu
▾
▴
Re: [libseccomp-discuss] allowing select() fails in i686
|
From: Paul M. <pa...@pa...> - 2015-01-30 15:45:10
|
On Thu, Jan 29, 2015 at 6:40 PM, Nikos Mavrogiannopoulos <nm...@re...> wrote: > ----- Original Message ----- >> After doing some additional testing using a default SCMP_ACT_KILL >> filter action on 32-bit x86 and looking at the syslog/audit log for >> seccomp kill notifications, I see the following record: >> >> Jan 29 16:09:48 [kernel] audit: type=1326 audit(1422565788.766:3): >> auid=1000 uid=1000 gid=100 ses=1 pid=314 comm="00-test" >> exe="/home/pmoore/sources/seccomp/libseccomp-upstream/tests/00-test" >> sig=31 syscall=142 compat=1 ip=0xf7705d10 code=0x0 >> >> ... if we lookup syscall #142 we see that it is for _newselect() and >> not select(): >> ... it would appear that the 32-bit x86 glibc uses _newselect() >> internally for the select() function. I suggest updating your filter >> accordingly by allowing both select() and _newselect(). > > Thank you... That is pretty interesting as strace shows select being called. Yes, it is. I suspect the strace authors chose to display select() instead of _newselect() to hide some glibc implementation details and make life easier for the majority of admins/devs; unfortunately this makes it a bit more difficult for those of us trying to craft syscall filters. Someday I hope to have some better tools for analyzing binaries, but that is still a ways off. -- paul moore www.paul-moore.com |
