Seccomp.md 1.6 KB
Seccomp
SECCOMP (secure computing) is a way for programs to declare to the Linux kernel that they will never make certain system calls, thus any attempt to make one of these calls is interpreted as a security penetration and the kernel can forcibly kill off the program, preventing harm to the computer.
Seccomp failures in cjdns
If you are reading this because cjdns is halting on you, you are probably getting a log message like the following:
Attempted banned syscall number [232] see docs/Seccomp.md for more information
This number (232 in the example) is specific to your system and you need to
run a command to convert it to a syscall name.
echo '#include <sys/syscall.h>' | cpp -dM | grep '#define __NR_.* 232'
Obviously you'll be replacing 232 with the actual syscall number which your system
printed. The Result might look something like the following:
#define __NR_epoll_wait 232
Which would tell you (for example) that the epoll_wait syscall was disallowed on
your system. In this case you'd need to go to util/Seccomp.c and inside of the
mkfilter() function where the actual SECCOMP rules are set up, you'll see a set
of entries such as the following.
#ifdef __NR_mmap2
IFEQ(__NR_mmap2, success),
#endif
Add a similar entry for the syscall (make sure you put it with the others and not)
below the RET(SECCOMP_RET_TRAP), line which triggers the failure). When you have
finished adding your system call rebuild and re-test cjdns. If it works well then
please make a Pull Request :-) If not then open a bug report and explain the problem.