agent: Log unknown seccomp system calls

Kata agent logs unknown system calls given by seccomp profiles in advance before the log file descriptor closes. Fixes: #2957 Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
2025-06-26 23:38:31 +00:00 · 2021-11-05 21:00:03 +09:00 · 2021-11-05 21:00:03 +09:00 · 7b35615191
commit 7b35615191
parent c66b56683b
2 changed files with 101 additions and 65 deletions
--- a/src/agent/rustjail/src/container.rs
+++ b/src/agent/rustjail/src/container.rs
@ -600,6 +600,14 @@ fn do_init_child(cwfd: RawFd) -> Result<()> {
        capctl::prctl::set_no_new_privs().map_err(|_| anyhow!("cannot set no new privileges"))?;
    }

+    // Log unknown seccomp system calls in advance before the log file descriptor closes.
+    #[cfg(feature = "seccomp")]
+    if let Some(ref scmp) = linux.seccomp {
+        if let Some(syscalls) = seccomp::get_unknown_syscalls(scmp) {
+            log_child!(cfd_log, "unknown seccomp system calls: {:?}", syscalls);
+        }
+    }
+
    // Without NoNewPrivileges, we need to set seccomp
    // before dropping capabilities because the calling thread
    // must have the CAP_SYS_ADMIN.
--- a/src/agent/rustjail/src/seccomp.rs
+++ b/src/agent/rustjail/src/seccomp.rs
@ -39,6 +39,24 @@ fn get_rule_conditions(args: &[LinuxSeccompArg]) -> Result<Vec<ScmpArgCompare>>
    Ok(conditions)
 }

+pub fn get_unknown_syscalls(scmp: &LinuxSeccomp) -> Option<Vec<String>> {
+    let mut unknown_syscalls: Vec<String> = Vec::new();
+
+    for syscall in &scmp.syscalls {
+        for name in &syscall.names {
+            if get_syscall_from_name(name, None).is_err() {
+                unknown_syscalls.push(name.to_string());
+            }
+        }
+    }
+
+    if unknown_syscalls.is_empty() {
+        None
+    } else {
+        Some(unknown_syscalls)
+    }
+}
+
 // init_seccomp creates a seccomp filter and loads it for the current process
 // including all the child processes.
 pub fn init_seccomp(scmp: &LinuxSeccomp) -> Result<()> {
@ -116,23 +134,7 @@ mod tests {
        };
    }

-    #[test]
-    fn test_get_filter_attr_from_flag() {
-        skip_if_not_root!();
-
-        assert_eq!(
-            get_filter_attr_from_flag("SECCOMP_FILTER_FLAG_TSYNC").unwrap(),
-            ScmpFilterAttr::CtlTsync
-        );
-
-        assert_eq!(get_filter_attr_from_flag("ERROR").is_err(), true);
-    }
-
-    #[test]
-    fn test_init_seccomp() {
-        skip_if_not_root!();
-
-        let data = r#"{
+    const TEST_DATA: &str = r#"{
          "defaultAction": "SCMP_ACT_ALLOW",
          "architectures": [
          ],
@ -142,7 +144,9 @@ mod tests {
          "syscalls": [
              {
                 "names": [
-                        "dup3"
+                      "dup3",
+                      "invalid_syscall1",
+                      "invalid_syscall2"
                  ],
                  "action": "SCMP_ACT_ERRNO"
              },
@ -196,7 +200,31 @@ mod tests {
          ]
      }"#;

-        let mut scmp: oci::LinuxSeccomp = serde_json::from_str(data).unwrap();
+    #[test]
+    fn test_get_filter_attr_from_flag() {
+        skip_if_not_root!();
+
+        assert_eq!(
+            get_filter_attr_from_flag("SECCOMP_FILTER_FLAG_TSYNC").unwrap(),
+            ScmpFilterAttr::CtlTsync
+        );
+
+        assert_eq!(get_filter_attr_from_flag("ERROR").is_err(), true);
+    }
+
+    #[test]
+    fn test_get_unknown_syscalls() {
+        let scmp: oci::LinuxSeccomp = serde_json::from_str(TEST_DATA).unwrap();
+        let syscalls = get_unknown_syscalls(&scmp).unwrap();
+
+        assert_eq!(syscalls, vec!["invalid_syscall1", "invalid_syscall2"]);
+    }
+
+    #[test]
+    fn test_init_seccomp() {
+        skip_if_not_root!();
+
+        let mut scmp: oci::LinuxSeccomp = serde_json::from_str(TEST_DATA).unwrap();
        let mut arch: Vec<oci::Arch>;

        if cfg!(target_endian = "little") {