@@ -15,21 +15,27 @@ a log message like the following:
This number (`232` in the example) is specific to your system and you need to
run a command to convert it to a syscall name.
 
- echo '#include <sys/syscall.h>' | cpp -dM | grep '#define __NR_.* 232'
+```bash
+echo '#include <sys/syscall.h>' | cpp -dM | grep '#define __NR_.* 232'
+```
 
Obviously you'll be replacing `232` with the actual syscall number which your system
printed. The Result might look something like the following:
 
- #define __NR_epoll_wait 232
+```c
+#define __NR_epoll_wait 232
+```
 
Which would tell you (for example) that the `epoll_wait` syscall was disallowed on
your system. In this case you'd need to go to `util/Seccomp.c` and inside of the
`mkfilter()` function where the actual SECCOMP rules are set up, you'll see a set
of entries such as the following.
 
- #ifdef __NR_mmap2
- IFEQ(__NR_mmap2, success),
- #endif
+```c
+#ifdef __NR_mmap2
+ IFEQ(__NR_mmap2, success),
+#endif
+```
 
Add a similar entry for the syscall (make sure you put it with the others and not)
below the `RET(SECCOMP_RET_TRAP),` line which triggers the failure). When you have
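Review bot: the `grep '#define __NR_.* 232'` pattern in the new bash block is unanchored, so on a system whose syscall table also contains a number that merely starts with the same digits (a constructed example would be a line ending in ` 2320`) the reader gets two hits and may add a rule for the wrong syscall; since the line is being re-fenced anyway, consider anchoring it as `grep '#define __NR_.* 232$'`. While in this paragraph, the context line `(make sure you put it with the others and not)` closes its parenthesis too early; the `)` belongs after `failure` on the following line, where a second `)` currently sits.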