What's the best way to enumerate all available Linux syscalls?
To clarify, I'm asking how to discover which syscalls are being filtered by seccomp while running in a containerized environment.
I have found two possible methods to enumerate Linux syscalls. One involves a bash one-liner, but is dependent on your distro shipping all of the relevant manpages. The other is strace, a tool that can be used to discover and track any and all possible syscalls.
strace can be found on GitHub and GitLab. I cannot vouch for your environment, and if you wish to check for syscalls inside a container this solution would not be ideal; however, it works better than the bash one-liner, as manpages may not be installed.
Filter by type of syscall:
strace -e trace=
    %desc      Trace all file descriptor related system calls.
    %file      Trace all system calls which take a file name as an argument.
    %fstat     Trace fstat and fstatat syscall variants.
    %fstatfs   Trace fstatfs, fstatfs64, fstatvfs, osf_fstatfs, and osf_fstatfs64 system calls.
    %ipc       Trace all IPC related system calls.
    %lstat     Trace lstat syscall variants.
    %memory    Trace all memory mapping related system calls.
    %network   Trace all the network related system calls.
    %process   Trace all system calls which involve process management.
    %pure      Trace syscalls that always succeed and have no arguments.
    %signal    Trace all signal related system calls.
    %stat      Trace stat syscall variants.
    %statfs    Trace statfs, statfs64, statvfs, osf_statfs, and osf_statfs64 system calls.
    %%stat     Trace syscalls used for requesting file status.
    %%statfs   Trace syscalls related to file system statistics.
However, if you have a list of specific syscalls you wish to look for, you can use the following command:
strace -e [syscall1],[syscall2],[syscall3],...,[syscalln]
I am also including this blog for more information on strace.
I will be referencing the syscalls manpage, Link 1 Link 2, as well as this webpage with advice on how to complete the task of enumerating all available syscalls for a given Linux system.
The individual on the webpage suggests you can reference your manpages for a full list of syscalls. This example gives output in an annotated list.
ls /usr/share/man/man2 | sed -e 's/\.2\.gz$//' | xargs man -s 2 -k | sort | grep -v 'unimplemented system calls'
Again, I would note that if your distribution fails to ship all of your packages with all of their relevant manpages then the bash one-liner would fall short. If the annotated list output is not needed and this solution does not fit with your desired output, please update your post to better define what your goal is.
I will also include a link to a Python tool used to look up syscalls. This could potentially be a good reference to compare what syscalls you discover with what is available.
Please comment if you have any questions or issues with this answer. I highly suggest you read through each link I have provided thoroughly before attempting the commands. I appreciate feedback to correct any misconceptions and to improve my posts. I can update my answer as needed.
Best of Luck!
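An added example, not part of the original answer: one way to turn strace output into a list of syscalls a seccomp filter may be denying, alongside the seccomp mode reported in /proc/<pid>/status. It assumes the filter denies with an errno (EPERM or ENOSYS) rather than killing the process; the function names and the sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Seccomp field of /proc/<pid>/status: 0 = disabled, 1 = strict, 2 = filter.
SECCOMP_MODES = {0: "disabled", 1: "strict", 2: "filter"}

# Failed call: "name(args) = -1 ERRNO (...)", optionally prefixed by the pid
# markers strace -f adds, or the "<... name resumed>" form of a split call.
LINE_RE = re.compile(
    r"^(?:\[pid\s+\d+\]\s+|\d+\s+)?"
    r"(?:<\.\.\.\s+(?P<resumed>\w+)\s+resumed>|(?P<name>\w+)\()"
    r".*\)\s+=\s+-1\s+(?P<errno>E[A-Z0-9]+)\b"
)

def seccomp_mode(status_text):
    """Return the seccomp mode name from the text of /proc/<pid>/status."""
    for line in status_text.splitlines():
        if line.startswith("Seccomp:"):
            return SECCOMP_MODES.get(int(line.split()[1]), "unknown")
    return "unknown"

def denied_candidates(strace_lines, errnos=("EPERM", "ENOSYS")):
    """Count syscalls that failed with one of `errnos`.

    These are candidates only: EPERM is also returned by ordinary
    capability and permission checks, so confirm against the profile.
    """
    hits = Counter()
    for line in strace_lines:
        m = LINE_RE.match(line.strip())
        if m and m.group("errno") in errnos:
            hits[m.group("name") or m.group("resumed")] += 1
    return dict(hits)

# Constructed sample input (not captured from a real system).
SAMPLE_STATUS = "Name:\tbash\nSeccomp:\t2\nSeccomp_filters:\t1\n"
SAMPLE_TRACE = [
    'openat(AT_FDCWD, "/etc/hostname", O_RDONLY) = 3',
    'mount("none", "/mnt", "tmpfs", 0, NULL) = -1 EPERM (Operation not permitted)',
    '[pid  4242] keyctl(KEYCTL_GET_KEYRING_ID, KEY_SPEC_SESSION_KEYRING, 0) = -1 EPERM (Operation not permitted)',
    'stat("/nonexistent", 0x7ffd0) = -1 ENOENT (No such file or directory)',
    '<... unshare resumed>) = -1 EPERM (Operation not permitted)',
    'mount("proc", "/proc", "proc", 0, NULL) = -1 EPERM (Operation not permitted)',
    '4242 userfaultfd(O_CLOEXEC) = -1 ENOSYS (Function not implemented)',
    '+++ exited with 0 +++',
]

if __name__ == "__main__":
    print("seccomp mode:", seccomp_mode(SAMPLE_STATUS))
    for name, count in sorted(denied_candidates(SAMPLE_TRACE).items()):
        print(f"{name}: {count} denied call(s)")
```

strace only shows syscalls the traced program actually attempted, so the result covers that workload rather than the whole filter.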