From e0ab3591757e7f50c0d3522ed9f2d1068244aaed Mon Sep 17 00:00:00 2001 From: qua3k Date: Fri, 17 Jun 2022 13:18:02 -0400 Subject: [PATCH] Print error message on empty BPF This is useful when we're not sure if a filter is installed or not --- lib/seccomp-tools/dumper.rb | 6 +++++- spec/cli/dump_spec.rb | 13 ++++++++++++- 2 files changed, 17 insertions(+), 2 deletions(-) diff --git a/lib/seccomp-tools/dumper.rb b/lib/seccomp-tools/dumper.rb index 821bf796..fd711a9f 100644 --- a/lib/seccomp-tools/dumper.rb +++ b/lib/seccomp-tools/dumper.rb @@ -181,7 +181,11 @@ def dump_by_pid(pid, limit, &block) while limit.negative? || i < limit begin bpf = Ptrace.seccomp_get_filter(pid, i) - rescue Errno::ENOENT, Errno::EINVAL + rescue Errno::EINVAL + Logger.error('No seccomp filters installed') + break + rescue Errno::ENOENT + Logger.error('No filter exists at this index') break end collect << (block.nil? ? bpf : yield(bpf, nil)) diff --git a/spec/cli/dump_spec.rb b/spec/cli/dump_spec.rb index d55327e0..5ad9989d 100644 --- a/spec/cli/dump_spec.rb +++ b/spec/cli/dump_spec.rb @@ -34,11 +34,22 @@ break if line.start_with?('Welcome') end expect { described_class.new(['-f', 'inspect', '-p', pid.to_s]).handle }.to output(@bpf_inspect).to_stdout - expect { described_class.new(['-l', '2', '-p', pid.to_s]).handle }.to output(@bpf_disasm).to_stdout + expect { described_class.new(['-l', '2', '-p', pid.to_s]).handle }.to output(@bpf_disasm+"[ERROR] No filter exists at this index\n").to_stdout i.write("0\n") end end + it 'by pid without filter' do + pid = Process.spawn('sleep 60') + begin + error = /No seccomp filters installed/ + expect { described_class.new(['-p', pid.to_s]).handle }.to output(error).to_stdout + ensure + Process.kill('TERM', pid) + Process.wait(pid) + end + end + it 'by pid without root' do pid = Process.spawn('sleep 60') begin