Building minimal binaries

As part of my snapd work I was writing test code to ensure the seccomp confinement we build is working correctly. One of the challenges is that even the simplest program (like /bin/true) uses a lot of syscalls (check with strace!), so targeted testing is a bit difficult. So I decided to build a really minimal binary that avoids as many syscalls as possible.

After some experimentation the following code is ideal for our testing of the seccomp confinement:

// build with:  gcc -Wall -Werror syscall_runner.c -o syscall_runner -static -static-libgcc -nostartfiles -nostdlib -lc
#define _GNU_SOURCE
#include <unistd.h>
#include <sys/syscall.h>

// glibc's syscall() wrapper jumps to __syscall_error to set errno on failure;
// with -nostdlib there is no errno/TLS setup, so provide an empty stub.
void __syscall_error(void) {}

// -nostartfiles: no crt1.o, so _start is our own entry point (no main, no libc init)
void _start(void) {
  // syscall under test with argument filtering, in this example "setpriority"
  syscall(SYS_setpriority, 1, 1, 0, 0, 0, 0);
  // exit directly; _start has no caller to return to
  syscall(SYS_exit, 0, 0, 0, 0, 0, 0);
}

The above code uses just two extra syscalls (execve and exit) in addition to the one we want to test for:

$ strace ./syscall_runner 
execve("./syscall_runner", ["./syscall_runner"], [/* 67 vars */]) = 0
setpriority(PRIO_PGRP, 1, 0)            = -1 EPERM (Operation not permitted)
exit(0)                                 = ?
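The other half of such a test is the seccomp filter itself. The following is an added example, not code from the post or from snapd: a seccomp-BPF filter that returns EPERM for setpriority() only when its first argument is PRIO_PGRP (the argument filtering the runner above is meant to exercise) and lets every other syscall through, plus a probe showing the allowed and denied cases. It assumes a Linux x86-64 or AArch64 host (little-endian, so the low 32 bits of args[0] sit at offsetof(args[0])) with seccomp filter mode available; the names install_setpriority_filter and probe_setpriority are this example's own.

```c
// Added example, not part of the original post: a seccomp-BPF filter that
// denies setpriority() with EPERM only when its first argument is PRIO_PGRP,
// plus a probe that shows the argument filtering in action.  Assumes a Linux
// x86-64 or AArch64 host (little-endian, seccomp filter mode available).
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <sys/syscall.h>
#include <unistd.h>

#if defined(__x86_64__)
#define FILTER_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define FILTER_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif

/* Install the filter in the calling process.  Returns 0 on success, -1 with
 * errno set if either prctl() fails.  Filters are inherited by children, so
 * a test harness would install this and then execve() the minimal runner. */
int install_setpriority_filter(void)
{
    struct sock_filter filter[] = {
        /* 0-2: kill on a foreign ABI; a filter keyed on syscall numbers
         *      alone can be sidestepped through another ABI otherwise */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, FILTER_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        /* 3-4: load the syscall number; anything but setpriority is allowed */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_setpriority, 0, 3),
        /* 5-7: low 32 bits of args[0] ("which"); deny only PRIO_PGRP */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[0])),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, PRIO_PGRP, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        /* 8: default: let the syscall through */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = sizeof(filter) / sizeof(filter[0]),
        .filter = filter,
    };

    /* no_new_privs is required to load a filter without CAP_SYS_ADMIN */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Call setpriority(which, 0, <our current nice>) and return 0 on success or
 * the errno it failed with.  Re-applying its own nice value to the calling
 * process (PRIO_PROCESS) is always permitted by the kernel, so that probe
 * must succeed; the PRIO_PGRP probe is the one the filter rejects before the
 * kernel ever sees it. */
int probe_setpriority(int which)
{
    errno = 0;
    int cur = getpriority(PRIO_PROCESS, 0);
    if (cur == -1 && errno != 0)
        return errno;
    if (setpriority(which, 0, cur) != 0)
        return errno;
    return 0;
}

int main(void)
{
    if (install_setpriority_filter() != 0) {
        perror("seccomp filter");
        return 1;
    }
    printf("setpriority(PRIO_PROCESS, self): errno %d (expect 0)\n",
           probe_setpriority(PRIO_PROCESS));
    printf("setpriority(PRIO_PGRP, self):    errno %d (expect %d)\n",
           probe_setpriority(PRIO_PGRP), EPERM);
    return 0;
}
```

Note that the kernel itself also answers setpriority(PRIO_PGRP, 1, 0) with EPERM for an unprivileged caller, as the strace output above shows, so a test that only looks for EPERM cannot tell the filter from the kernel's own check; probing with a call the kernel would allow (here, the caller's own nice value) is what demonstrates that the filter fired.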

Fun!
