main: Give a friendly message when we get a seccomp violation
If we receive SIGSYS and identify it as a seccomp violation, then give friendly instructions on how to debug further.

We are unable to decode the siginfo_t struct ourselves due to https://github.com/rust-lang/libc/issues/716

Fixes: #2139
Signed-off-by: Rob Bradford <robert.bradford@intel.com>
parent
d83c9a74f4
commit
39d080e0c1
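--- a/Cargo.lock
+++ b/Cargo.lock
@@ -226,6 +226,7 @@ dependencies = [
 "option_parser",
 "seccomp",
 "serde_json",
+"signal-hook",
 "ssh2",
 "tempdir",
 "tempfile",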
@ -23,11 +23,12 @@ log = { version = "0.4.13", features = ["std"] }
|
|||||||
option_parser = { path = "option_parser" }
|
option_parser = { path = "option_parser" }
|
||||||
seccomp = { git = "https://github.com/firecracker-microvm/firecracker", tag = "v0.22.0" }
|
seccomp = { git = "https://github.com/firecracker-microvm/firecracker", tag = "v0.22.0" }
|
||||||
serde_json = "1.0.61"
|
serde_json = "1.0.61"
|
||||||
|
signal-hook = "0.3.3"
|
||||||
thiserror = "1.0"
|
thiserror = "1.0"
|
||||||
vmm = { path = "vmm" }
|
vmm = { path = "vmm" }
|
||||||
vmm-sys-util = "0.7.0"
|
vmm-sys-util = "0.7.0"
|
||||||
wait-timeout = "0.2.0"
|
|
||||||
vm-memory = "0.4.0"
|
vm-memory = "0.4.0"
|
||||||
|
wait-timeout = "0.2.0"
|
||||||
|
|
||||||
[build-dependencies]
|
[build-dependencies]
|
||||||
clap = { version = "2.33.3", features = ["wrap_help"] }
|
clap = { version = "2.33.3", features = ["wrap_help"] }
|
||||||
|
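--- a/src/main.rs
+++ b/src/main.rs
@@ -4,6 +4,7 @@
 //
 
 extern crate anyhow;
+extern crate signal_hook;
 extern crate vmm;
 extern crate vmm_sys_util;
 
@@ -14,9 +15,14 @@ use clap::{App, Arg, ArgGroup, ArgMatches};
 use libc::EFD_NONBLOCK;
 use log::LevelFilter;
 use seccomp::SeccompAction;
+use signal_hook::{
+consts::SIGSYS,
+iterator::{exfiltrator::WithRawSiginfo, SignalsInfo},
+};
 use std::env;
 use std::sync::mpsc::channel;
 use std::sync::{Arc, Mutex};
+use std::thread;
 use thiserror::Error;
 use vmm::config;
 use vmm_sys_util::eventfd::EventFd;
@@ -355,6 +361,31 @@ fn start_vmm(cmd_arguments: ArgMatches, api_socket_path: &str) -> Result<(), Err
 } else {
 SeccompAction::Trap
 };
+
+// See https://github.com/rust-lang/libc/issues/716 why we can't get the details from siginfo_t
+if seccomp_action == SeccompAction::Trap {
+thread::Builder::new()
+.name("seccomp_signal_handler".to_string())
+.spawn(move || {
+for si in SignalsInfo::<WithRawSiginfo>::new(&[SIGSYS])
+.unwrap()
+.forever()
+{
+/* SYS_SECCOMP */
+if si.si_code == 1 {
+eprint!(
+"\n==== seccomp violation ====\n\
+Try running with `strace -ff` to identify the cause and open an issue: \
+https://github.com/cloud-hypervisor/cloud-hypervisor/issues/new\n"
+);
+
+signal_hook::low_level::emulate_default_handler(SIGSYS).unwrap();
+}
+}
+})
+.unwrap();
+}
+
 let hypervisor = hypervisor::new().map_err(Error::CreateHypervisor)?;
 let vmm_thread = vmm::start_vmm_thread(
 env!("CARGO_PKG_VERSION").to_string(),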
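Review bot: A SIGSYS whose `si_code` is not 1 is now consumed and dropped, because `emulate_default_handler(SIGSYS)` sits inside the `if si.si_code == 1` branch of the handler loop in the last hunk; once the signal is registered through `SignalsInfo`, the default terminate action no longer applies on its own. Moving `signal_hook::low_level::emulate_default_handler(SIGSYS).unwrap();` below the `if` keeps the message seccomp-only while every SIGSYS still ends the process. Termination also appears to become asynchronous: the trapped thread presumably resumes after the skipped syscall until `seccomp_signal_handler` gets to run, and if that thread panics on one of its `unwrap()` calls the violation goes unenforced, so it is worth confirming that this window is acceptable for `SeccompAction::Trap`. The bare `1` would read better as a named constant, e.g. `const SYS_SECCOMP: i32 = 1;`, and the `unwrap()` on `spawn` could map into `Error` since `start_vmm` already returns `Result`; the body of `start_vmm` starts and ends outside the hunk.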