I was looking for some documentation on using seccomp and procd jails. Some time ago I found this link, but it appears to be offline (moved out of the email archive?) now.
I can't find any reference as to how to implement this. Do you guys know of anything?
Hello,
Sorry for bringing this old post up, but I found it while trying to enable seccomp in my custom kernel. I did what @anomeome suggested in my menuconfig, but that led to some odd build errors. My platform is imx6.
In file included from /home/worker/building/build_dir/target-arm_cortex-a9+neon_glibc_eabi/procd-2020-03-07-09b9bd82/trace/trace.c:41:
/home/worker/building/build_dir/target-arm_cortex-a9+neon_glibc_eabi/procd-2020-03-07-09b9bd82/trace/../syscall-names.h:3:4: error: '__NR_' undeclared here (not in a function); did you mean '__id_t'?
[(__NR_] = "waitid",
^~~~~
__id_t
/home/worker/building/build_dir/target-arm_cortex-a9+neon_glibc_eabi/procd-2020-03-07-09b9bd82/trace/../syscall-names.h:3:9: error: expected ')' before ']' token
[(__NR_] = "waitid",
~ ^
)
/home/worker/building/build_dir/target-arm_cortex-a9+neon_glibc_eabi/procd-2020-03-07-09b9bd82/trace/../syscall-names.h:3:3: error: array index in initializer not of integer type
[(__NR_] = "waitid",
^
/home/worker/building/build_dir/target-arm_cortex-a9+neon_glibc_eabi/procd-2020-03-07-09b9bd82/trace/../syscall-names.h:3:3: note: (near initialization for '__syscall_names')
/home/worker/building/build_dir/target-arm_cortex-a9+neon_glibc_eabi/procd-2020-03-07-09b9bd82/trace/../syscall-names.h:4:9: error: expected ')' before ']' token
[(__NR_] = "fdatasync",
~ ^
)
/home/worker/building/build_dir/target-arm_cortex-a9+neon_glibc_eabi/procd-2020-03-07-09b9bd82/trace/../syscall-names.h:4:3: error: array index in initializer not of integer type
[(__NR_] = "fdatasync",
^
/home/worker/building/build_dir/target-arm_cortex-a9+neon_glibc_eabi/procd-2020-03-07-09b9bd82/trace/../syscall-names.h:4:3: note: (near initialization for '__syscall_names')
/home/worker/building/build_dir/target-arm_cortex-a9+neon_glibc_eabi/procd-2020-03-07-09b9bd82/trace/../syscall-names.h:5:9: error: expected ')' before ']' token
[(__NR_] = "mq_getsetattr",
~ ^
)
and so on and so forth for about another 300 lines, going through every syscall defined in that file. Does anybody have any idea for what might be going on?
Thanks for the reply. I nuked my build dir and am trying again fresh. In the meantime, I don't suppose there's much of an answer to the original question of how to use seccomp and ujail. I'm RTFM'ing at the moment, but I could just be on a wild goose chase.
As of OpenWrt 21.02, setup of seccomp and ujail has become much simpler. You don't need to do a custom build anymore. You can simply install the packages procd-ujail and procd-seccomp and you're good to go.
The only requirement is that you have a device with sufficient flash space (8MB or more). On devices with less flash space, these features are still disabled by default and would require a custom build.
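As an added illustration of what "using seccomp and ujail" looks like once procd-ujail and procd-seccomp are installed (this is example code, not from the thread or from the procd project): a procd init script for a hypothetical daemon `mydaemon` that runs it jailed, unprivileged and under a seccomp syscall whitelist. The binary, config path and policy path are assumed; the policy file is assumed to be in the whitelist JSON format that procd's `utrace` tool produces.

```shell
#!/bin/sh /etc/rc.common
# Added example (not from the thread): procd init script that starts a
# hypothetical daemon inside a ujail with a seccomp filter applied.
# Needs the procd-ujail and procd-seccomp packages (OpenWrt 21.02+).

START=95
USE_PROCD=1

PROG=/usr/bin/mydaemon                     # hypothetical daemon binary
CONF=/etc/mydaemon.conf                    # hypothetical config file
SECCOMP_POLICY=/etc/seccomp/mydaemon.json  # hypothetical whitelist policy

start_service() {
	# Refuse to start unfiltered: a missing policy is a deployment error,
	# not a reason to silently run the daemon with full syscall access.
	[ -r "$SECCOMP_POLICY" ] || {
		logger -t mydaemon "seccomp policy $SECCOMP_POLICY missing, not starting"
		return 1
	}

	procd_open_instance
	procd_set_param command "$PROG" --foreground

	# Jail named "mydaemon": allow logging and ubus, nothing more.
	# Only the explicitly mounted paths are visible inside the jail.
	procd_add_jail mydaemon log ubus
	procd_add_jail_mount "$CONF"
	procd_add_jail_mount_rw /var/run/mydaemon

	# Drop to an unprivileged user and forbid regaining privileges.
	procd_set_param user nobody
	procd_set_param no_new_privs 1

	# Syscall whitelist enforced by procd-seccomp.
	procd_set_param seccomp "$SECCOMP_POLICY"

	procd_set_param respawn
	procd_set_param stdout 1
	procd_set_param stderr 1
	procd_close_instance
}
```

Generate the initial whitelist by running the daemon once under `utrace` on a test device and then review the resulting file before shipping it; any syscall the daemon legitimately needs but that is absent from the list will kill the process.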