main: Give a friendly message when we get a seccomp violation

If we receive SIGSYS and identify it as a seccomp violation then give friendly instructions on how to debug further. We are unable to decode the siginfo_t struct ourselves due to rust-lang/libc#716 Fixes: cloud-hypervisor#2139 Signed-off-by: Rob Bradford <robert.bradford@intel.com>
rbradford · Jan 11, 2021 · b55f227 · b55f227
1 parent ba7864e
commit b55f227
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 1 deletion.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -23,11 +23,12 @@ log = { version = "0.4.13", features = ["std"] }
 option_parser = { path = "option_parser" }
 seccomp = { git = "https://github.com/firecracker-microvm/firecracker", tag = "v0.22.0" }
 serde_json = "1.0.61"
+signal-hook = "0.3.3"
 thiserror = "1.0"
 vmm = { path = "vmm" }
 vmm-sys-util = "0.7.0"
-wait-timeout = "0.2.0"
 vm-memory = "0.4.0"
+wait-timeout = "0.2.0"
 
 [build-dependencies]
 clap = { version = "2.33.3", features = ["wrap_help"] }

diff --git a/src/main.rs b/src/main.rs
@@ -4,6 +4,7 @@
 //
 
 extern crate anyhow;
+extern crate signal_hook;
 extern crate vmm;
 extern crate vmm_sys_util;
 
@@ -14,9 +15,14 @@ use clap::{App, Arg, ArgGroup, ArgMatches};
 use libc::EFD_NONBLOCK;
 use log::LevelFilter;
 use seccomp::SeccompAction;
+use signal_hook::{
+    consts::SIGSYS,
+    iterator::{exfiltrator::WithRawSiginfo, SignalsInfo},
+};
 use std::env;
 use std::sync::mpsc::channel;
 use std::sync::{Arc, Mutex};
+use std::thread;
 use thiserror::Error;
 use vmm::config;
 use vmm_sys_util::eventfd::EventFd;
@@ -355,6 +361,31 @@ fn start_vmm(cmd_arguments: ArgMatches, api_socket_path: &str) -> Result<(), Err
     } else {
         SeccompAction::Trap
     };
+
+    // See https://github.com/rust-lang/libc/issues/716 why we can't get the details from siginfo_t
+    if seccomp_action == SeccompAction::Trap {
+        thread::Builder::new()
+            .name("seccomp_signal_handler".to_string())
+            .spawn(move || {
+                for si in SignalsInfo::<WithRawSiginfo>::new(&[SIGSYS])
+                    .unwrap()
+                    .forever()
+                {
+                    /* SYS_SECCOMP */
+                    if si.si_code == 1 {
+                        eprint!(
+                            "\n==== seccomp violation ====\n\
+                            Try running with `strace -ff` to identify the cause and open an issue: \
+                            https://github.com/cloud-hypervisor/cloud-hypervisor/issues/new\n"
+                        );
+
+                        signal_hook::low_level::emulate_default_handler(SIGSYS).unwrap();
+                    }
+                }
+            })
+            .unwrap();
+    }
+
     let hypervisor = hypervisor::new().map_err(Error::CreateHypervisor)?;
     let vmm_thread = vmm::start_vmm_thread(
         env!("CARGO_PKG_VERSION").to_string(),