Building minimal binaries

July 10, 2017

As part of my snapd work I was writing test code to ensure the seccomp confinement we build is working correctly. One of the challenges is that even the simplest program (like /bin/true) uses a lot of syscalls (check with strace!), so targeted testing is a bit difficult. So I decided to build a really minimal binary that avoids as many syscalls as possible.

After some experimentation the following code is ideal for our testing of the seccomp confinement:

// build with:  gcc -Wall -Werror syscall_runner.c -o syscall_runner -static -static-libgcc -nostartfiles -nostdlib -lc
#define _GNU_SOURCE
#include <unistd.h>
#include <sys/syscall.h>

// glibc's syscall() branches here when the kernel returns an error, to set
// errno; stubbing it out keeps the binary free of libc's errno/TLS machinery.
void __syscall_error() {}

// With -nostartfiles this is the real entry point: no libc initialisation and
// no main(), so nothing runs except the syscalls written out below.
void _start() {
  // syscall under test with argument filtering, in this example "setpriority"
  syscall(SYS_setpriority, 1, 1, 0, 0, 0, 0);
  // _start has no caller to return to, so leave via an explicit exit
  syscall(SYS_exit, 0, 0, 0, 0, 0, 0);
}

The above code uses only two extra syscalls (execve and exit) in addition to the one we want to test:

$ strace ./syscall_runner 
execve("./syscall_runner", ["./syscall_runner"], [/* 67 vars */]) = 0
setpriority(PRIO_PGRP, 1, 0)            = -1 EPERM (Operation not permitted)
exit(0)                                 = ?

Fun!
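As an added example that is not from the original post, the following harness installs a seccomp-bpf filter that answers setpriority with EPERM and then issues the same syscall under test, so a test can assert on the exact errno the confinement produces instead of reading strace by eye. It assumes a Linux kernel with seccomp filter support and runs unprivileged (hence PR_SET_NO_NEW_PRIVS); the filter and the nice-value probe are my own construction, not snapd's.

```c
// Added example (not from the post): deny one syscall with seccomp-bpf and
// check the errno the syscall under test gets back. Assumes Linux with
// seccomp filter support; no privileges needed thanks to no_new_privs.
#define _GNU_SOURCE
#include <errno.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <sys/syscall.h>
#include <unistd.h>

// Filter: if nr == setpriority return EPERM to the caller, else allow.
// A real filter would also compare seccomp_data.arch; this one is built
// and run on a single ABI, so the syscall number alone is enough here.
static int deny_setpriority(void) {
    struct sock_filter code[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_setpriority, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof code / sizeof code[0], .filter = code };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;                        // required for unprivileged filters
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

// The syscall under test, issued raw like syscall_runner does. Re-setting our
// own current nice value is always permitted, so any error comes from the
// filter. Returns 0 on success or the errno the kernel handed back.
static int setpriority_errno(void) {
    int nice_now = getpriority(PRIO_PROCESS, 0);
    errno = 0;
    long ret = syscall(SYS_setpriority, PRIO_PROCESS, 0, nice_now);
    return ret == -1 ? errno : 0;
}

int main(void) {
    printf("before filter: errno=%d\n", setpriority_errno());
    if (deny_setpriority() != 0) {
        perror("installing seccomp filter");
        return 1;
    }
    printf("after filter:  errno=%d (EPERM is %d)\n", setpriority_errno(), EPERM);
    return 0;
}
```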