Use Linux 5.4's seccomp-bpf userspace notifications

This change finally gets rid of all the weird SIGSYS detectors in favor
of seccomp-bpf userspace notifications. Now all the forbidden syscalls
are being tracked, regardless of which process triggered it, since
before only the first process in the tree would get the correct SIGSYS
notification to the pid1 process.

This also now works with a debugger and `strace(1)`, since `ptrace(2)`
is now officially supported!

Author: lhchavez

.gitignore

@@ -4,7 +4,6 @@
 *.stamp
 java-compile
 omegajail
-sigsys-tracer
 stdio-mux
 .mypy_cache/
 

.gitmodules

@@ -1,7 +1,7 @@
 [submodule "minijail"]
 	path = minijail
 	url = https://android.googlesource.com/platform/external/minijail
-	branch = master
+	branch = refs/changes/98/1538098/17
 [submodule "cxxopts"]
 	path = cxxopts
 	url = https://github.com/jarro2783/cxxopts.git

Makefile

@@ -1,4 +1,4 @@
-BINARIES := omegajail sigsys-tracer stdio-mux java-compile
+BINARIES := omegajail stdio-mux java-compile
 POLICIES := policies/gcc.bpf policies/cpp.bpf policies/ghc.bpf policies/hs.bpf \
             policies/javac.bpf policies/java.bpf policies/fpc.bpf policies/pas.bpf \
             policies/pyc.bpf policies/py.bpf policies/ruby.bpf policies/lua.bpf \
@@ -19,11 +19,11 @@ ARCH ?= $(shell uname -m)
 CXX ?= g++
 CFLAGS += -Wall -Werror -O2
 CXXFLAGS += -std=c++2a
-LDFLAGS += -lcap -fPIE -fstack-protector
+LDFLAGS += -lcap -pthread -fPIE -fstack-protector
 
 TEST_CFLAGS += $(CFLAGS)
 TEST_CXXFLAGS += $(CXXFLAGS) -isystem googletest/googletest/include
-TEST_LDFLAGS += $(LDFLAGS) -pthread
+TEST_LDFLAGS += $(LDFLAGS)
 
 .PHONY: all
 all: ${BINARIES} ${POLICIES}
@@ -51,19 +51,18 @@ args.o: args.cpp args.h logging.h version.h
 omegajail: main.cpp ${MINIJAIL_CORE_OBJECT_FILES} args.o util.o logging.o version.o
 	$(CXX) $(CFLAGS) $(CXXFLAGS) -fno-exceptions $^ $(LDFLAGS) -o $@
 
-sigsys-tracer: sigsys_tracer.cpp ${MINIJAIL_CORE_OBJECT_FILES} util.o logging.o
-	$(CXX) $(CFLAGS) $(CXXFLAGS) -fno-exceptions $^ $(LDFLAGS) -o $@
-
 stdio-mux: stdio_mux.cpp util.o logging.o
 	$(CXX) $(CFLAGS) $(CXXFLAGS) -fno-exceptions $^ $(LDFLAGS) -o $@
 
 java-compile: java_compile.cpp util.o logging.o
 	$(CXX) $(CFLAGS) $(CXXFLAGS) -Os -fno-exceptions $^ $(LDFLAGS) -static -o $@
 
-policies/%.bpf: policies/%.policy | minijail/constants.json
+policies/%.bpf: policies/%.policy policies/omegajail.policy | minijail/constants.json
 	./minijail/tools/compile_seccomp_policy.py \
-		--use-kill-process --arch-json=minijail/constants.json \
-		$^ $@
+		--use-kill-process \
+		--default-action=user-notify \
+		--arch-json=minijail/constants.json \
+		$< $@
 
 .PHONY: install
 install: ${BINARIES} tools/omegajail-setup ${POLICIES}

args.cpp

@@ -104,8 +104,6 @@ ParseArgs(int argc, char* argv[], const std::string_view cwd) throw() {
      cxxopts::value<int64_t>()->default_value("-1"), "bytes")
     ("cgroup-memory-limit", "sets the memory limit with cgroups",
      cxxopts::value<ssize_t>(), "bytes")
-    ("sigsys-detector", "one of 'sigsys_tracer' (default), 'ptrace', 'none'.",
-     cxxopts::value<std::string>())
     ("disable-sandboxing",
      "completely disable containerization. This is very insecure and should "
      "only be used when omegajail is already being run in a container",
@@ -210,20 +208,6 @@ bool Args::Parse(int argc, char* argv[], struct minijail* j) throw() {
     stderr_redirect = MakeAbsolute(options["stderr"].as<std::string>(), cwd);
   if (options.count("meta"))
     meta = options["meta"].as<std::string>();
-  if (options.count("sigsys-detector")) {
-    std::string detector = options["sigsys-detector"].as<std::string>();
-    if (detector == "sigsys_tracer") {
-      sigsys_detector = SigsysDetector::SIGSYS_TRACER;
-    } else if (detector == "ptrace") {
-      sigsys_detector = SigsysDetector::PTRACE;
-    } else if (detector == "none") {
-      sigsys_detector = SigsysDetector::NONE;
-    } else {
-      std::cerr << "invalid value for --sigsys-detector: \"" << detector
-                << "\"";
-      return false;
-    }
-  }
 
   if (options.count("time-limit")) {
     uint64_t raw_limit_msec = options["time-limit"].as<uint64_t>();
@@ -630,7 +614,8 @@ std::string Args::UseSeccompProgram(const std::string_view seccomp_program_path,
 
   if (!disable_sandboxing) {
     minijail_use_seccomp_filter(j);
-    minijail_set_seccomp_filter_tsync(j);
+    minijail_use_seccomp_filter_tsync(j);
+    minijail_set_seccomp_filter_install_user_notification(j);
     minijail_set_seccomp_filters(j, &seccomp_program);
   }
   return std::string(seccomp_program_path.substr(

args.h

@@ -11,12 +11,6 @@
 
 struct minijail;
 
-enum class SigsysDetector {
-  SIGSYS_TRACER,
-  PTRACE,
-  NONE,
-};
-
 struct ResourceLimit {
   __rlimit_resource resource;
   struct rlimit rlim;
@@ -37,7 +31,6 @@ struct Args {
   ssize_t memory_limit_in_bytes = -1;
   size_t vm_memory_size_in_bytes = 0;
   uint64_t wall_time_limit_msec = kMaxWallTimeLimitMsec;
-  SigsysDetector sigsys_detector = SigsysDetector::PTRACE;
   bool disable_sandboxing = false;
   std::vector<ResourceLimit> rlimits{
       ResourceLimit{RLIMIT_STACK, {RLIM_INFINITY, RLIM_INFINITY}}};