From mboxrd@z Thu Jan 1 00:00:00 1970 From: Stefano Brivio To: passt-user@passt.top Subject: Re: qemu couldn't connect the unix domain socket Date: Fri, 29 Oct 2021 09:44:24 +0200 Message-ID: <20211029094424.7da1a817@elisabeth> In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============0912649896196794263==" --===============0912649896196794263== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Hi Feng Li, On Fri, 29 Oct 2021 13:27:44 +0800 Li Feng wrote: > Hi Stefano, >=20 > I got the coredump file, it reports the `fork` syscall is bad: >=20 > Program terminated with signal SIGSYS, Bad system call. > #0 __GI__Fork () at ../sysdeps/nptl/_Fork.c:50 > 50 return pid; > (gdb) bt > #0 __GI__Fork () at ../sysdeps/nptl/_Fork.c:50 > #1 0x00007f8c04fdc02a in __libc_fork () at fork.c:73 > #2 0x00007f8c05009f8b in daemon (nochdir=3D0, noclose=3D0) at daemon.c:48 > #3 0x000000000040c1e9 in main (argc=3D1, argv=3D0x7ffd10b5cd78) at passt.c= :368 > quit) That's not necessarily because of fork() -- fork() is already in the list of allowed syscalls. The signal is asynchronous, it might be received a bit before or after passt is executing what you see in gdb. This is probably another syscall triggered by daemon() in the specific glibc version (2.34-7.fc35) on your system -- I haven't tested Fedora 35 yet. An easy way to find out which one is the syscall causing this is using strace. For example, suppose I forgot to add listen() to the list of allowed syscalls: diff --git a/passt.c b/passt.c index 6436a45..43249cf 100644 --- a/passt.c +++ b/passt.c @@ -277,3 +277,3 @@ static void pid_file(struct ctx *c) { * #syscalls read write open close fork dup2 exit chdir ioctl writev syslog - * #syscalls prlimit64 epoll_ctl epoll_create1 epoll_wait accept4 accept lis= ten + * #syscalls prlimit64 epoll_ctl epoll_create1 epoll_wait accept4 accept * #syscalls socket bind connect getsockopt setsockopt recvfrom sendto shutd= own Then: $ strace ./passt [...] setsockopt(6, SOL_SOCKET, SO_SNDBUF, [1073741823], 4) =3D 0 getsockopt(6, SOL_SOCKET, SO_SNDBUF, [268435456], [4]) =3D 0 setsockopt(6, SOL_SOCKET, SO_RCVBUF, [1073741823], 4) =3D 0 getsockopt(6, SOL_SOCKET, SO_RCVBUF, [268435456], [4]) =3D 0 close(6) =3D 0 socket(AF_UNIX, SOCK_STREAM, 0) =3D 6 socket(AF_UNIX, SOCK_STREAM|SOCK_NONBLOCK, 0) =3D 7 connect(7, {sa_family=3DAF_UNIX, sun_path=3D"/tmp/passt_1.socket"}, 110) =3D = -1 ENOENT (No such file or directory) close(7) =3D 0 unlink("/tmp/passt_1.socket") =3D -1 ENOENT (No such file or direct= ory) bind(6, {sa_family=3DAF_UNIX, sun_path=3D"/tmp/passt_1.socket"}, 110) =3D 0 write(2, "UNIX domain socket bound at /tmp"..., 48UNIX domain socket bound at= /tmp/passt_1.socket ) =3D 48 write(2, "\n", 1 ) =3D 1 listen(6, 0) =3D ? +++ killed by SIGSYS +++ Bad system call you would see that listen() is the first syscall not returning here (strace can't see a return from there). It's around daemon(), and the process might have forked already, so you should run strace with the -f option, which also traces child processes: strace -f ./passt the missing syscall should now be obvious from the output. > Looks like the seccomp is still badly configured. > I have little knowledge about the seccomp. Short summary: this is seccomp in filter mode (seccomp-bpf), it's a mechanism to block the system call (terminating the process, here) in case it's a syscall we didn't expect to be executed. It's a security feature: that's to avoid that an attacker, who already gained some control on the process execution, is able to potentially exploit a further vulnerability (e.g. in the kernel) by executing a particular syscall. This is a relatively famous example of it: https://reverse.put.as/2017/11/07/exploiting-cve-2017-5123/ passt implements this as a list of syscalls in code comments, those are translated by seccomp.sh into a BPF program, which is then loaded by seccomp() in passt.c. If a syscall not included in the resulting list is triggered, the kernel will terminate the process with a SYGSYS signal. However, different C libraries (on different architectures) might issue different syscalls to implement the same function (daemon(), here), and the list I made was just tested on the systems I use and the reports of a few other users, so some are surely missing right now. While adding tests for OpenSUSE and Debian, I already found a few alternative syscalls for some functions (I'll prepare a patch soon) -- I haven't started with Fedora 35 tests yet. --=20 Stefano --===============0912649896196794263==--