authorAvatar Ali Polatel <alip@exherbo.org> 2013-09-21 09:45:04 +0300
committerAvatar Ali Polatel <alip@exherbo.org> 2013-09-21 09:45:04 +0300
commitcb9bcdbf92d36c7078dd7267faa2fcc21a9d789b (patch)
tree0ee9c17a86b996c688da5c8a74d6efa88104f0f5
parenta1fc5bafdae976f4a8ed7a9bef7876be6eceb65d (diff)
downloadsydbox-1-cb9bcdbf92d36c7078dd7267faa2fcc21a9d789b.tar.gz
sydbox-1-cb9bcdbf92d36c7078dd7267faa2fcc21a9d789b.tar.xz
New magic command core/trace/exit_kill
This magic command makes the kernel's ptrace() layer kill all tracees when Sydbox exits, via PTRACE_O_EXITKILL. (Supported on Linux 3.8 or newer; otherwise the setting has no effect.)
-rw-r--r--man/sydbox.xml16
-rw-r--r--src/config.c1
-rw-r--r--src/magic-trace.c15
-rw-r--r--src/magic.c8
-rw-r--r--src/sydbox.c4
-rw-r--r--src/sydbox.h4
6 files changed, 48 insertions, 0 deletions
diff --git a/man/sydbox.xml b/man/sydbox.xml
index 0294039..0b3becf 100644
--- a/man/sydbox.xml
+++ b/man/sydbox.xml
@@ -598,6 +598,22 @@
</varlistentry>
<varlistentry>
+ <term><option id="core-trace-exit_kill">core/trace/exit_kill</option></term>
+ <listitem>
+ <para>type: <type>boolean</type></para>
+ <para>default: <varname>false</varname></para>
+ <para>
+ A boolean specifying whether traced processes should be killed when Sydbox exits.
+ </para>
+ <note>
+ <para>
+ This is supported on Linux-3.8 or newer via <constant>PTRACE_O_EXITKILL</constant>.
+ </para>
+ </note>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><option id="core-trace-exit_wait_all">core/trace/exit_wait_all</option></term>
<listitem>
<para>type: <type>boolean</type></para>
diff --git a/src/config.c b/src/config.c
index 5d7f4f1..143c35b 100644
--- a/src/config.c
+++ b/src/config.c
@@ -39,6 +39,7 @@ void config_init(void)
/* set sane defaults for configuration */
sydbox->config.follow_fork = true;
+ sydbox->config.exit_kill = false;
sydbox->config.exit_wait_all = true;
sydbox->config.trace_interrupt = TRACE_INTR_WHILE_WAIT;
sydbox->config.use_seccomp = false;
diff --git a/src/magic-trace.c b/src/magic-trace.c
index a840f96..2af6d93 100644
--- a/src/magic-trace.c
+++ b/src/magic-trace.c
@@ -25,6 +25,21 @@ int magic_query_trace_follow_fork(syd_proc_t *current)
return MAGIC_BOOL(sydbox->config.follow_fork);
}
+int magic_set_trace_exit_kill(const void *val, syd_proc_t *current)
+{
+#if PINK_HAVE_OPTION_EXITKILL
+ sydbox->config.exit_kill = PTR_TO_BOOL(val);
+#else
+ log_magic("PTRACE_O_EXITKILL not supported, ignoring magic");
+#endif
+ return MAGIC_RET_OK;
+}
+
+int magic_query_trace_exit_kill(syd_proc_t *current)
+{
+ return MAGIC_BOOL(sydbox->config.exit_kill);
+}
+
int magic_set_trace_exit_wait_all(const void *val, syd_proc_t *current)
{
#if SYDBOX_HAVE_SECCOMP
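Review bot: In magic_set_trace_exit_kill the `#else` branch only logs and still returns MAGIC_RET_OK, so a caller that sets exit_kill=true on a build without PINK_HAVE_OPTION_EXITKILL gets a success status while sydbox->config.exit_kill stays false and magic_query_trace_exit_kill keeps answering false. For a safety setting whose whole purpose is that tracees die with the sandbox, that silent downgrade deserves a warning-level log rather than a `log_magic`, and ideally a non-OK return if the magic layer has an "unsupported" status (I cannot see the MAGIC_RET_* set from this hunk). Note also that this `#if` is a compile-time check of libpinktrace's headers, not a check of the running kernel, so the man page's "Linux 3.8 or newer" promise is not enforced here; a comment such as `/* build-time support only; the running kernel may still reject PTRACE_O_EXITKILL */` would make that explicit. magic_set_trace_exit_wait_all begins at the bottom of this hunk and continues outside it.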
diff --git a/src/magic.c b/src/magic.c
index 80830a9..fdc3699 100644
--- a/src/magic.c
+++ b/src/magic.c
@@ -304,6 +304,14 @@ static const struct key key_table[] = {
.set = magic_set_trace_follow_fork,
.query = magic_query_trace_follow_fork
},
+ [MAGIC_KEY_CORE_TRACE_EXIT_KILL] = {
+ .name = "exit_kill",
+ .lname = "core.trace.exit_kill",
+ .parent = MAGIC_KEY_CORE_TRACE,
+ .type = MAGIC_TYPE_BOOLEAN,
+ .set = magic_set_trace_exit_kill,
+ .query = magic_query_trace_exit_kill,
+ },
[MAGIC_KEY_CORE_TRACE_EXIT_WAIT_ALL] = {
.name = "exit_wait_all",
.lname = "core.trace.exit_wait_all",
diff --git a/src/sydbox.c b/src/sydbox.c
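Review bot: The new key_table entry ends with a trailing comma after `.query = magic_query_trace_exit_kill,`, while the neighbouring follow_fork entry ends `.query = magic_query_trace_follow_fork` without one; either style works in C99, but the table should pick one. Dropping the comma to match the existing entries, `.query = magic_query_trace_exit_kill`, is the smaller change. The key_table array starts and ends outside this hunk.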
index a0aeefe..e764824 100644
--- a/src/sydbox.c
+++ b/src/sydbox.c
@@ -1323,6 +1323,10 @@ int main(int argc, char **argv)
ptrace_options |= (PINK_TRACE_OPTION_FORK |
PINK_TRACE_OPTION_VFORK |
PINK_TRACE_OPTION_CLONE);
+#if PINK_HAVE_OPTION_EXITKILL
+ if (sydbox->config.exit_kill)
+ ptrace_options |= PINK_TRACE_OPTION_EXITKILL;
+#endif
if (sydbox->config.use_seccomp) {
#if SYDBOX_HAVE_SECCOMP
if (os_release >= KERNEL_VERSION(3,5,0)) {
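Review bot: The EXITKILL bit is ORed into ptrace_options behind a compile-time `#if PINK_HAVE_OPTION_EXITKILL` only, whereas the seccomp path right below it additionally gates on the running kernel with `os_release >= KERNEL_VERSION(3,5,0)`. PTRACE_O_EXITKILL exists only from Linux 3.8, and the kernel rejects an unknown option bit in PTRACE_SETOPTIONS with EINVAL, so on a 3.5–3.7 kernel this would presumably make the whole option set fail wherever ptrace_options is applied (outside this hunk), not merely drop exit_kill. The condition should mirror the seccomp check: `if (sydbox->config.exit_kill && os_release >= KERNEL_VERSION(3,8,0))`, with a log line in the else case so the user learns that exit_kill was requested but is unavailable. main() continues outside the hunk.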
diff --git a/src/sydbox.h b/src/sydbox.h
index 225aca0..b2469d7 100644
--- a/src/sydbox.h
+++ b/src/sydbox.h
@@ -220,6 +220,7 @@ enum magic_key {
MAGIC_KEY_CORE_TRACE,
MAGIC_KEY_CORE_TRACE_FOLLOW_FORK,
+ MAGIC_KEY_CORE_TRACE_EXIT_KILL,
MAGIC_KEY_CORE_TRACE_EXIT_WAIT_ALL,
MAGIC_KEY_CORE_TRACE_MAGIC_LOCK,
MAGIC_KEY_CORE_TRACE_INTERRUPT,
@@ -413,6 +414,7 @@ typedef struct {
bool violation_raise_safe;
bool follow_fork;
+ bool exit_kill;
bool exit_wait_all;
enum trace_interrupt trace_interrupt;
bool use_seccomp;
@@ -619,6 +621,8 @@ int magic_set_violation_raise_safe(const void *val, syd_proc_t *current);
int magic_query_violation_raise_safe(syd_proc_t *current);
int magic_set_trace_follow_fork(const void *val, syd_proc_t *current);
int magic_query_trace_follow_fork(syd_proc_t *current);
+int magic_set_trace_exit_kill(const void *val, syd_proc_t *current);
+int magic_query_trace_exit_kill(syd_proc_t *current);
int magic_set_trace_exit_wait_all(const void *val, syd_proc_t *current);
int magic_query_trace_exit_wait_all(syd_proc_t *current);
int magic_set_trace_interrupt(const void *val, syd_proc_t *current);