Using seccomp and ujail

Hi everyone!

I was looking for some documentation on using seccomp and procd jails. Some time ago I found this link, but it appears to be offline (moved out of the email archive?) now.

I can't find any reference as to how to implement this. Do you guys know of anything?

Thanks in advance!

I assume you mean when building an image with make menuconfig:

Global Build Setting->Kernel Build Options
[*]Enable kernel namespaces
[*]Enable seccomp support

should yield two new selections under

Base System

Basic gist of getting things into one's build.

Well, thanks for the reply. But I meant using those features. How to jail processes, using utrace, etc. Sorry for not expressing it correctly.

Here, I found this reference, dating back to 2015.

It does, however, seem to be quite outdated. I have already flashed firmware with these options, just don't know how to use them.


Sorry for bringing this old post up, but I found it while trying to enable seccomp in my custom kernel. I did what @anomeome suggested in my menuconfig, but that led to some odd build errors. My platform is imx6.

In file included from /home/worker/building/build_dir/target-arm_cortex-a9+neon_glibc_eabi/procd-2020-03-07-09b9bd82/trace/trace.c:41:
/home/worker/building/build_dir/target-arm_cortex-a9+neon_glibc_eabi/procd-2020-03-07-09b9bd82/trace/../syscall-names.h:3:4: error: '__NR_' undeclared here (not in a function); did you mean '__id_t'?
  [(__NR_] = "waitid",
/home/worker/building/build_dir/target-arm_cortex-a9+neon_glibc_eabi/procd-2020-03-07-09b9bd82/trace/../syscall-names.h:3:9: error: expected ')' before ']' token
  [(__NR_] = "waitid",
   ~     ^
/home/worker/building/build_dir/target-arm_cortex-a9+neon_glibc_eabi/procd-2020-03-07-09b9bd82/trace/../syscall-names.h:3:3: error: array index in initializer not of integer type
  [(__NR_] = "waitid",
/home/worker/building/build_dir/target-arm_cortex-a9+neon_glibc_eabi/procd-2020-03-07-09b9bd82/trace/../syscall-names.h:3:3: note: (near initialization for '__syscall_names')
/home/worker/building/build_dir/target-arm_cortex-a9+neon_glibc_eabi/procd-2020-03-07-09b9bd82/trace/../syscall-names.h:4:9: error: expected ')' before ']' token
  [(__NR_] = "fdatasync",
   ~     ^
/home/worker/building/build_dir/target-arm_cortex-a9+neon_glibc_eabi/procd-2020-03-07-09b9bd82/trace/../syscall-names.h:4:3: error: array index in initializer not of integer type
  [(__NR_] = "fdatasync",
/home/worker/building/build_dir/target-arm_cortex-a9+neon_glibc_eabi/procd-2020-03-07-09b9bd82/trace/../syscall-names.h:4:3: note: (near initialization for '__syscall_names')
/home/worker/building/build_dir/target-arm_cortex-a9+neon_glibc_eabi/procd-2020-03-07-09b9bd82/trace/../syscall-names.h:5:9: error: expected ')' before ']' token
  [(__NR_] = "mq_getsetattr",
   ~     ^

and so on and so forth for about another 300 lines, going through every syscall defined in that file. Does anybody have any idea for what might be going on?

If you made that change on a preexisting build, and have not cleaned up, you might try cleaning up to see if things get fixed up:

rm -rf bin tmp build_dir
make defconfig

Some of this has been defaulted since this thread was created.


Thanks for the reply. I nuked my build dir and am trying again fresh. In the meantime, I don't suppose there's much of an answer to the original question of how to use seccomp and ujail. I'm RTFM'ing at the moment, but I could just be on a wild goose chase.

Just failed building. Same issue. Any other ideas?

I believe I'm based off of 19.07, and we have a custom .config file. Pardon my ignorance, but what precisely does make defconfig do?

Just my work habit (in context, just for rebuilding directories), see explanation. What do you mean by custom kernel above?

Just in case anyone stumbles upon this topic:

As of OpenWrt 21.02, setup of seccomp and ujail has become much simpler. You don't need to do a custom build anymore. You can simply install the packages procd-ujail and procd-seccomp and you're good to go.

The only requirement is that you have a device with sufficient flash space (8MB or more). On devices with less flash space, these features are still disabled by default and would require a custom build.

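To show what "using those features" looks like once procd-ujail and procd-seccomp are installed, here is an added example of a procd init script (written for this thread, not OpenWrt project code) that runs a hypothetical daemon `exampled` inside a ujail and under a seccomp allow-list. It assumes the OCI-style profile format (`defaultAction` plus a `syscalls` list) that current procd-seccomp reads, that the allow-list was gathered by running the daemon under utrace as mentioned earlier in the thread, and that the paths `/usr/sbin/exampled`, `/etc/exampled.conf` and `/etc/seccomp/exampled.json` are placeholders. On the device the file lives in `/etc/init.d/` and starts with the line `#!/bin/sh /etc/rc.common`, which is omitted here so the helper functions can be exercised on any POSIX shell.

```shell
# procd init script (added example, not OpenWrt project code).
# On the router this file begins with: #!/bin/sh /etc/rc.common
USE_PROCD=1
START=95

PROG=/usr/sbin/exampled              # hypothetical daemon binary
PROFILE=/etc/seccomp/exampled.json   # hypothetical profile path

# Write an allow-list seccomp profile in the OCI-style layout that
# procd-seccomp consumes (assumption): every syscall that is not listed
# kills the process instead of silently failing.
#   $1 = output path, remaining arguments = syscall names to allow
write_seccomp_profile() {
	out="$1"; shift
	names=""
	for s in "$@"; do
		names="${names:+$names, }\"$s\""
	done
	mkdir -p "$(dirname "$out")"
	cat > "$out" <<EOF
{
	"defaultAction": "SCMP_ACT_KILL_PROCESS",
	"syscalls": [
		{ "names": [ $names ], "action": "SCMP_ACT_ALLOW" }
	]
}
EOF
}

# Quick sanity check for a profile: returns 0 if the named syscall is
# allowed, 1 otherwise. Exact-quoted match so "read" does not match "readv".
profile_allows() {
	grep -q "\"$2\"" "$1"
}

start_service() {
	# Baseline list a small daemon needs; extend it from a utrace run of
	# the real binary rather than guessing (the list below is constructed).
	[ -f "$PROFILE" ] || write_seccomp_profile "$PROFILE" \
		read write openat close fstat mmap munmap brk \
		rt_sigaction rt_sigreturn exit_group

	procd_open_instance
	procd_set_param command "$PROG" -f
	# Apply the seccomp filter to the instance.
	procd_set_param seccomp "$PROFILE"
	# Run in a ujail: log/ubus access kept, root filesystem read-only,
	# and only the config file bind-mounted into the jail.
	procd_add_jail exampled log ubus ronly
	procd_add_jail_mount /etc/exampled.conf
	procd_set_param respawn
	procd_close_instance
}
```

After installing the script, `/etc/init.d/exampled start` hands the instance to procd, which sets up the jail and loads the filter before exec'ing the daemon; a syscall outside the list shows up as the process being killed, so check `logread` when a jailed service dies unexpectedly and add the missing syscall to the profile rather than loosening `defaultAction`.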

Wow thanks!
