main: Give a friendly message when we get a seccomp violation

If we receive SIGSYS and identify it as a seccomp violation then give friendly instructions on how to debug further. We are unable to decode the siginfo_t struct ourselves due to https://github.com/rust-lang/libc/issues/716 Fixes: #2139 Signed-off-by: Rob Bradford <robert.bradford@intel.com>
2025-03-20 07:58:55 +00:00 · 2021-01-11 18:32:35 +00:00 · 2021-01-11 18:32:35 +00:00 · 39d080e0c1
commit 39d080e0c1
parent d83c9a74f4
3 changed files with 34 additions and 1 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@ -226,6 +226,7 @@ dependencies = [
 "option_parser",
 "seccomp",
 "serde_json",
+ "signal-hook",
 "ssh2",
 "tempdir",
 "tempfile",
--- a/Cargo.toml
+++ b/Cargo.toml
@ -23,11 +23,12 @@ log = { version = "0.4.13", features = ["std"] }
 option_parser = { path = "option_parser" }
 seccomp = { git = "https://github.com/firecracker-microvm/firecracker", tag = "v0.22.0" }
 serde_json = "1.0.61"
+signal-hook = "0.3.3"
 thiserror = "1.0"
 vmm = { path = "vmm" }
 vmm-sys-util = "0.7.0"
-wait-timeout = "0.2.0"
 vm-memory = "0.4.0"
+wait-timeout = "0.2.0"

 [build-dependencies]
 clap = { version = "2.33.3", features = ["wrap_help"] }
--- a/src/main.rs
+++ b/src/main.rs
@ -4,6 +4,7 @@
 //

 extern crate anyhow;
+extern crate signal_hook;
 extern crate vmm;
 extern crate vmm_sys_util;

@ -14,9 +15,14 @@ use clap::{App, Arg, ArgGroup, ArgMatches};
 use libc::EFD_NONBLOCK;
 use log::LevelFilter;
 use seccomp::SeccompAction;
+use signal_hook::{
+    consts::SIGSYS,
+    iterator::{exfiltrator::WithRawSiginfo, SignalsInfo},
+};
 use std::env;
 use std::sync::mpsc::channel;
 use std::sync::{Arc, Mutex};
+use std::thread;
 use thiserror::Error;
 use vmm::config;
 use vmm_sys_util::eventfd::EventFd;
@ -355,6 +361,31 @@ fn start_vmm(cmd_arguments: ArgMatches, api_socket_path: &str) -> Result<(), Err
    } else {
        SeccompAction::Trap
    };
+
+    // See https://github.com/rust-lang/libc/issues/716 why we can't get the details from siginfo_t
+    if seccomp_action == SeccompAction::Trap {
+        thread::Builder::new()
+            .name("seccomp_signal_handler".to_string())
+            .spawn(move || {
+                for si in SignalsInfo::<WithRawSiginfo>::new(&[SIGSYS])
+                    .unwrap()
+                    .forever()
+                {
+                    /* SYS_SECCOMP */
+                    if si.si_code == 1 {
+                        eprint!(
+                            "\n==== seccomp violation ====\n\
+                            Try running with `strace -ff` to identify the cause and open an issue: \
+                            https://github.com/cloud-hypervisor/cloud-hypervisor/issues/new\n"
+                        );
+
+                        signal_hook::low_level::emulate_default_handler(SIGSYS).unwrap();
+                    }
+                }
+            })
+            .unwrap();
+    }
+
    let hypervisor = hypervisor::new().map_err(Error::CreateHypervisor)?;
    let vmm_thread = vmm::start_vmm_thread(
        env!("CARGO_PKG_VERSION").to_string(),