[pulseaudio-discuss] [PATCH 2/2] thread-mainloop: unblock SIGSYS on sandbox

Arun Raghavan arun at accosted.net
Sun Oct 18 20:35:17 PDT 2015


On Sat, 2015-10-10 at 20:11 +0100, Julien Isorce wrote:
> Seccomp-BPF actually uses SIGSYS to trigger
> the trap handler attached to sys_open.
> If the signal is blocked then the kernel kills
> the process whenever pulse audio calls 'open'.
> The result backtrace is terminating in sys_open.
> 
> This is required to have pulse audio working
> in a sandbox.
> ---
>  src/pulse/thread-mainloop.c | 10 ++++++++++
>  1 file changed, 10 insertions(+)
> 
> diff --git a/src/pulse/thread-mainloop.c b/src/pulse/thread
> -mainloop.c
> index afd0581..93582d2 100644
> --- a/src/pulse/thread-mainloop.c
> +++ b/src/pulse/thread-mainloop.c
> @@ -28,6 +28,8 @@
>  
>  #include <signal.h>
>  #include <stdio.h>
> +#include <sys/prctl.h>

This needs to be in a #ifdef HAVE_SYS_PRCTL_H (which is already
defined).

> +#include <linux/seccomp.h>

You need to add a configure-time header check for this one and then
make the include conditional, as we need to make sure we build on
machines without seccomp (which includes non-Linux systems too).

>  
>  #include <pulse/xmalloc.h>
>  #include <pulse/mainloop.h>
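
Review bot: the two new includes, `<sys/prctl.h>` and `<linux/seccomp.h>`, are added at file scope with no guard, while the only code that uses them lands inside a preprocessor block that closes at the `#endif` after the new `if`. Put each include under its own header-availability macro and wrap the new block in the same macros, so the file still compiles where either header is absent.
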
> @@ -81,6 +83,14 @@ static void thread(void *userdata) {
>      /* Make sure that signals are delivered to the main thread */
>      sigfillset(&mask);
>      pthread_sigmask(SIG_BLOCK, &mask, NULL);
> +
> +    /* If seccomp is in use, only filter mode has a chance to work.
> +     * Because pa requires sys_open. */
> +    if (prctl(PR_GET_SECCOMP, SECCOMP_MODE_FILTER, NULL) == 2) {

Is the second argument of PR_GET_SECCOMP ever used? The man page
suggests that it takes no arguments.

Also, I see that if prctl() is not allowed, the process will be killed.
Is there any condition where prctl() might not be allowed by seccomp,
but we might still be able to function correctly?

> +        /* TODO: unblock SIGSYS only if a trap is attached to
> sys_open. */

Could you clarify what needs to be done for this TODO to go away?

> +        int r = sigemptyset(&mask) || sigaddset(&mask, SIGSYS) ||
> pthread_sigmask(SIG_UNBLOCK, &mask, NULL);
> +        pa_assert(!r);
> +    }

This entire condition would then be within a conditional for the
presence of prctl.h and seccomp.h.

>  #endif
>  
>      pa_mutex_lock(m->mutex);
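
Review bot: in `prctl(PR_GET_SECCOMP, SECCOMP_MODE_FILTER, NULL) == 2` the mode constant is passed as an argument while the result is compared with a bare 2; PR_GET_SECCOMP reports the mode in its return value, so drop the extra arguments and compare the result against SECCOMP_MODE_FILTER. The chained `sigemptyset(&mask) || sigaddset(&mask, SIGSYS) || pthread_sigmask(...)` also folds three different error conventions into one `r`, so `pa_assert(!r)` cannot say which call failed; check the calls separately, and use a second `sigset_t` so `mask` still holds the full set built by `sigfillset(&mask)` if later code reads it.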

-- Arun

