On Thu, Jan 29, 2015 at 6:40 PM, Nikos Mavrogiannopoulos <n...@redhat.com> wrote: > ----- Original Message ----- >> After doing some additional testing using a default SCMP_ACT_KILL >> filter action on 32-bit x86 and looking at the syslog/audit log for >> seccomp kill notifications, I see the following record: >> >> Jan 29 16:09:48 [kernel] audit: type=1326 audit(1422565788.766:3): >> auid=1000 uid=1000 gid=100 ses=1 pid=314 comm="00-test" >> exe="/home/pmoore/sources/seccomp/libseccomp-upstream/tests/00-test" >> sig=31 syscall=142 compat=1 ip=0xf7705d10 code=0x0 >> >> ... if we lookup syscall #142 we see that it is for _newselect() and >> not select(): >> ... it would appear that the 32-bit x86 glibc uses _newselect() >> internally for the select() function. I suggest updating your filter >> accordingly by allowing both select() and _newselect(). > > Thank you... That is pretty interesting as strace shows select being called.
Yes, it is. I suspect the strace authors chose to display select() instead of _newselect() to hide some glibc implementation details and make life easier for the majority of admins/devs; unfortunately this makes it a bit more difficult for those of us trying to craft syscall filters. Someday I hope to have some better tools for analyzing binaries, but that is still a ways off. -- paul moore www.paul-moore.com ------------------------------------------------------------------------------ Dive into the World of Parallel Programming. The Go Parallel Website, sponsored by Intel and developed in partnership with Slashdot Media, is your hub for all things parallel software development, from weekly thought leadership blogs to news, videos, case studies, tutorials and more. Take a look and join the conversation now. http://goparallel.sourceforge.net/ _______________________________________________ libseccomp-discuss mailing list libseccomp-discuss@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/libseccomp-discuss
