Hi Feng Li, On Fri, 29 Oct 2021 13:27:44 +0800 Li Feng wrote: > Hi Stefano, > > I got the coredump file, it reports the `fork` syscall is bad: > > Program terminated with signal SIGSYS, Bad system call. > #0 __GI__Fork () at ../sysdeps/nptl/_Fork.c:50 > 50 return pid; > (gdb) bt > #0 __GI__Fork () at ../sysdeps/nptl/_Fork.c:50 > #1 0x00007f8c04fdc02a in __libc_fork () at fork.c:73 > #2 0x00007f8c05009f8b in daemon (nochdir=0, noclose=0) at daemon.c:48 > #3 0x000000000040c1e9 in main (argc=1, argv=0x7ffd10b5cd78) at passt.c:368 > quit) That's not necessarily because of fork() -- fork() is already in the list of allowed syscalls. The signal is asynchronous, it might be received a bit before or after passt is executing what you see in gdb. This is probably another syscall triggered by daemon() in the specific glibc version (2.34-7.fc35) on your system -- I haven't tested Fedora 35 yet. An easy way to find out which one is the syscall causing this is using strace. For example, suppose I forgot to add listen() to the list of allowed syscalls: diff --git a/passt.c b/passt.c index 6436a45..43249cf 100644 --- a/passt.c +++ b/passt.c @@ -277,3 +277,3 @@ static void pid_file(struct ctx *c) { * #syscalls read write open close fork dup2 exit chdir ioctl writev syslog - * #syscalls prlimit64 epoll_ctl epoll_create1 epoll_wait accept4 accept listen + * #syscalls prlimit64 epoll_ctl epoll_create1 epoll_wait accept4 accept * #syscalls socket bind connect getsockopt setsockopt recvfrom sendto shutdown Then: $ strace ./passt [...] setsockopt(6, SOL_SOCKET, SO_SNDBUF, [1073741823], 4) = 0 getsockopt(6, SOL_SOCKET, SO_SNDBUF, [268435456], [4]) = 0 setsockopt(6, SOL_SOCKET, SO_RCVBUF, [1073741823], 4) = 0 getsockopt(6, SOL_SOCKET, SO_RCVBUF, [268435456], [4]) = 0 close(6) = 0 socket(AF_UNIX, SOCK_STREAM, 0) = 6 socket(AF_UNIX, SOCK_STREAM|SOCK_NONBLOCK, 0) = 7 connect(7, {sa_family=AF_UNIX, sun_path="/tmp/passt_1.socket"}, 110) = -1 ENOENT (No such file or directory) close(7) = 0 unlink("/tmp/passt_1.socket") = -1 ENOENT (No such file or directory) bind(6, {sa_family=AF_UNIX, sun_path="/tmp/passt_1.socket"}, 110) = 0 write(2, "UNIX domain socket bound at /tmp"..., 48UNIX domain socket bound at /tmp/passt_1.socket ) = 48 write(2, "\n", 1 ) = 1 listen(6, 0) = ? +++ killed by SIGSYS +++ Bad system call you would see that listen() is the first syscall not returning here (strace can't see a return from there). It's around daemon(), and the process might have forked already, so you should run strace with the -f option, which also traces child processes: strace -f ./passt the missing syscall should now be obvious from the output. > Looks like the seccomp is still badly configured. > I have little knowledge about the seccomp. Short summary: this is seccomp in filter mode (seccomp-bpf), it's a mechanism to block the system call (terminating the process, here) in case it's a syscall we didn't expect to be executed. It's a security feature: that's to avoid that an attacker, who already gained some control on the process execution, is able to potentially exploit a further vulnerability (e.g. in the kernel) by executing a particular syscall. This is a relatively famous example of it: https://reverse.put.as/2017/11/07/exploiting-cve-2017-5123/ passt implements this as a list of syscalls in code comments, those are translated by seccomp.sh into a BPF program, which is then loaded by seccomp() in passt.c. If a syscall not included in the resulting list is triggered, the kernel will terminate the process with a SYGSYS signal. However, different C libraries (on different architectures) might issue different syscalls to implement the same function (daemon(), here), and the list I made was just tested on the systems I use and the reports of a few other users, so some are surely missing right now. While adding tests for OpenSUSE and Debian, I already found a few alternative syscalls for some functions (I'll prepare a patch soon) -- I haven't started with Fedora 35 tests yet. -- Stefano