Building minimal binaries

As part of my snapd work I was writing test code to ensure the seccomp confinement we build is working correctly. One of the challenges is that even the simplest program (like /bin/true) uses a lot of syscalls (check with strace!), so targeted testing is a bit difficult. So I decided to build a really minimal binary that avoids as many syscalls as possible.

After some experimentation the following code is ideal for our testing of the seccomp confinement:

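// build with:  gcc -Wall -Werror syscall_runner.c -o syscall_runner -static -static-libgcc -nostartfiles -nostdlib -lc
#define _GNU_SOURCE
#include <sys/syscall.h>  // SYS_* syscall numbers
#include <unistd.h>       // syscall()
// local stub for the error helper that libc's syscall() may reference
void __syscall_error() {};
// entry point: with -nostartfiles there is no C runtime startup and no main()
void _start() {
  // syscall under test with argument filtering, in this example "setpriority"
  syscall(SYS_setpriority, 1, 1, 0, 0, 0, 0);
  // exit directly; returning from _start is not possible
  syscall(SYS_exit, 0, 0, 0, 0, 0, 0);
}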

The above code uses only two extra syscalls in addition to the one we want to test:

$ strace ./syscall_runner 
execve("./syscall_runner", ["./syscall_runner"], [/* 67 vars */]) = 0
setpriority(PRIO_PGRP, 1, 0)            = -1 EPERM (Operation not permitted)
exit(0)                                 = ?
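
To show the filter side that a runner like this exercises, here is an added example (not from the original post and not snapd's code): a child process installs a small seccomp-BPF filter with an argument rule on setpriority, issues the call, and reports the errno it saw to the parent. The policy (allow only PRIO_PROCESS, deny anything else with EPERM) and the names `install_filter` and `probe_setpriority` are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumed policy (constructed): setpriority is allowed only when its first
 * argument is PRIO_PROCESS; any other value is denied with EPERM. A real
 * filter would also check seccomp_data.arch before trusting the number. */
static int install_filter(void) {
  struct sock_filter prog[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_setpriority, 0, 2),
    /* low 32 bits of args[0]; little-endian layout assumed */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[0])),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, PRIO_PROCESS, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
  };
  struct sock_fprog fprog = { sizeof(prog) / sizeof(prog[0]), prog };
  if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
  return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* Run setpriority(which, 0, 19) under the filter in a child process and return
 * the errno it observed (0 on success), or -1 if the harness itself failed. */
int probe_setpriority(int which) {
  pid_t pid = fork();
  if (pid < 0) return -1;
  if (pid == 0) {
    if (install_filter() != 0) _exit(255);
    long rc = syscall(SYS_setpriority, which, 0, 19);
    _exit(rc == 0 ? 0 : errno);
  }
  int status;
  if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status)) return -1;
  return WEXITSTATUS(status) == 255 ? -1 : WEXITSTATUS(status);
}

int main(void) { return probe_setpriority(PRIO_PGRP) == EPERM ? 0 : 1; }
```

The probe targets the calling process or its own group with nice value 19, a request the kernel accepts without privileges, so an EPERM result here comes from the filter and not from an ordinary permission check.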


