[lxc-devel] [lxc/master] seccomp: notifier fixes

brauner on Github lxc-bot at linuxcontainers.org
Tue Apr 30 22:37:31 UTC 2019


From 2ac0f627f5e010eadd24665d10d206f03b0a2a14 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Wed, 1 May 2019 00:36:41 +0200
Subject: [PATCH] seccomp: notifier fixes

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
 src/lxc/af_unix.c    | 15 ++++++++++-----
 src/lxc/attach.c     | 14 ++++++++------
 src/lxc/lxcseccomp.h | 12 ++++++------
 src/lxc/seccomp.c    | 37 ++++++++++++++++++++-----------------
 src/lxc/start.c      |  6 ++++--
 5 files changed, 48 insertions(+), 36 deletions(-)

diff --git a/src/lxc/af_unix.c b/src/lxc/af_unix.c
index 275430a52a..7f0711ed22 100644
--- a/src/lxc/af_unix.c
+++ b/src/lxc/af_unix.c
@@ -365,18 +365,23 @@ int lxc_unix_connect(struct sockaddr_un *addr)
 	int ret;
 	ssize_t len;
 
-	fd = socket(PF_UNIX, SOCK_STREAM, SOCK_CLOEXEC);
-	if (fd < 0)
+	fd = socket(AF_UNIX, SOCK_STREAM, 0);
+	if (fd < 0) {
+		SYSERROR("Failed to open new AF_UNIX socket");
 		return -1;
+	}
 
 	if (addr->sun_path[0] == '\0')
 		len = strlen(&addr->sun_path[1]);
 	else
 		len = strlen(&addr->sun_path[0]);
-	ret = connect(fd, (struct sockaddr *)&addr,
-		      offsetof(struct sockaddr_un, sun_path) + len + 1);
-	if (ret < 0)
+
+	ret = connect(fd, (struct sockaddr *)addr,
+		      offsetof(struct sockaddr_un, sun_path) + len);
+	if (ret < 0) {
+		SYSERROR("Failed to bind new AF_UNIX socket");
 		return -1;
+	}
 
 	return move_fd(fd);
 }
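Review bot: The abstract-socket branch now passes an address length that is one byte short: when `sun_path[0] == '\0'` the name is measured from `sun_path[1]`, but the leading NUL that marks the address as abstract is no longer counted once the `+ 1` is dropped from the `connect()` length, so an abstract proxy address would be truncated by one character; `len = strlen(&addr->sun_path[1]) + 1;` in that branch fixes it while leaving the filesystem-path branch as is (no trailing NUL is required there). The new `socket()` call also drops `SOCK_CLOEXEC` altogether — the old code passed it in the protocol slot, which was wrong, but the fix is `fd = socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0);`, otherwise the proxy connection can leak into any process the monitor later exec()s unless `move_fd()` sets the flag. On `connect()` failure `fd` is still open when the function returns `-1`; `close(fd);` (or `close_prot_errno_disarm(fd);`, which seccomp.c in this patch already uses) belongs before that return. The message `"Failed to bind new AF_UNIX socket"` describes a connect, not a bind. `lxc_unix_connect` starts before this hunk.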
diff --git a/src/lxc/attach.c b/src/lxc/attach.c
index 331434b268..9d37793e5c 100644
--- a/src/lxc/attach.c
+++ b/src/lxc/attach.c
@@ -1317,13 +1317,15 @@ int lxc_attach(const char *name, const char *lxcpath,
 			TRACE("Sent LSM label file descriptor %d to child", labelfd);
 		}
 
-		ret = lxc_seccomp_recv_notifier_fd(&conf->seccomp, ipc_sockets[0]);
-		if (ret < 0)
-			goto close_mainloop;
+		if (conf && conf->seccomp.seccomp) {
+			ret = lxc_seccomp_recv_notifier_fd(&conf->seccomp, ipc_sockets[0]);
+			if (ret < 0)
+				goto close_mainloop;
 
-		ret = lxc_seccomp_add_notifier(name, lxcpath, &conf->seccomp);
-		if (ret < 0)
-			goto close_mainloop;
+			ret = lxc_seccomp_add_notifier(name, lxcpath, &conf->seccomp);
+			if (ret < 0)
+				goto close_mainloop;
+		}
 
 		/* We're done, the child process should now execute whatever it
 		 * is that the user requested. The parent can now track it with
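Review bot: The new guard keys on `conf->seccomp.seccomp` while the helpers it wraps key on `seccomp->notifier.wants_supervision` (visible in the `lxc_seccomp_add_notifier` change in seccomp.c), so when a policy is loaded without a proxy `lxc_seccomp_recv_notifier_fd` is still entered and presumably relies on the child sending over `ipc_sockets[0]`; both ends of that exchange must use the same condition, which is worth confirming against the child's send side, not part of this patch. The `conf &&` test is also new here; if `conf` is dereferenced unconditionally earlier in `lxc_attach` it is dead and reads as though NULL were reachable at this point. A one-line comment such as `/* Receive the notify fd only when the child loaded a seccomp policy; must mirror the child's send condition. */` would make the pairing explicit. `lxc_attach` starts and ends outside this hunk.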
diff --git a/src/lxc/lxcseccomp.h b/src/lxc/lxcseccomp.h
index aafe09f127..afb3e73527 100644
--- a/src/lxc/lxcseccomp.h
+++ b/src/lxc/lxcseccomp.h
@@ -79,9 +79,9 @@ extern void lxc_seccomp_free(struct lxc_seccomp *seccomp);
 extern int seccomp_notify_handler(int fd, uint32_t events, void *data,
 				  struct lxc_epoll_descr *descr);
 extern void seccomp_conf_init(struct lxc_conf *conf);
-extern int lxc_seccomp_setup_notifier(struct lxc_seccomp *seccomp,
-				      struct lxc_epoll_descr *descr,
-				      struct lxc_handler *handler);
+extern int lxc_seccomp_setup_proxy(struct lxc_seccomp *seccomp,
+				   struct lxc_epoll_descr *descr,
+				   struct lxc_handler *handler);
 extern int lxc_seccomp_send_notifier_fd(struct lxc_seccomp *seccomp,
 					int socket_fd);
 extern int lxc_seccomp_recv_notifier_fd(struct lxc_seccomp *seccomp,
@@ -129,9 +129,9 @@ static inline void seccomp_conf_init(struct lxc_conf *conf)
 {
 }
 
-static inline int lxc_seccomp_setup_notifier(struct lxc_seccomp *seccomp,
-					     struct lxc_epoll_descr *descr,
-					     struct lxc_handler *handler)
+static inline int lxc_seccomp_setup_proxy(struct lxc_seccomp *seccomp,
+					  struct lxc_epoll_descr *descr,
+					  struct lxc_handler *handler)
 {
 	return 0;
 }
diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index a63b6d69fb..34abda16a9 100644
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -1410,9 +1410,9 @@ void seccomp_conf_init(struct lxc_conf *conf)
 #endif
 }
 
-int lxc_seccomp_setup_notifier(struct lxc_seccomp *seccomp,
-			       struct lxc_epoll_descr *descr,
-			       struct lxc_handler *handler)
+int lxc_seccomp_setup_proxy(struct lxc_seccomp *seccomp,
+			    struct lxc_epoll_descr *descr,
+			    struct lxc_handler *handler)
 {
 #if HAVE_DECL_SECCOMP_NOTIF_GET_FD
 	if (seccomp->notifier.wants_supervision &&
@@ -1421,20 +1421,32 @@ int lxc_seccomp_setup_notifier(struct lxc_seccomp *seccomp,
 		int ret;
 
 		notify_fd = lxc_unix_connect(&seccomp->notifier.proxy_addr);
-		if (notify_fd < 0)
+		if (notify_fd < 0) {
+			SYSERROR("Failed to connect to seccomp proxy");
 			return -1;
+		}
 
 		/* 30 second timeout */
 		ret = lxc_socket_set_timeout(notify_fd, 30, 30);
-		if (ret)
+		if (ret) {
+			SYSERROR("Failed to set timeouts for seccomp proxy");
 			return -1;
+		}
+
+		ret = seccomp_notif_alloc(&seccomp->notifier.req_buf,
+					  &seccomp->notifier.rsp_buf);
+		if (ret) {
+			ERROR("Failed to allocate seccomp notify request and response buffers");
+			errno = ret;
+			return -1;
+		}
 
 		ret = lxc_mainloop_add_handler(descr,
 					       seccomp->notifier.notify_fd,
 					       seccomp_notify_handler, handler);
 		if (ret < 0) {
 			ERROR("Failed to add seccomp notify handler for %d to mainloop",
-			      seccomp->notifier.notify_fd);
+			      notify_fd);
 			return -1;
 		}
 
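Review bot: The mainloop registration error message now prints `notify_fd`, the local holding the proxy connection returned by `lxc_unix_connect()`, while the handler is registered on `seccomp->notifier.notify_fd`; these are different descriptors, so the log names the wrong fd — either revert that argument to `seccomp->notifier.notify_fd` or rename the local to `proxy_fd` so the two cannot be confused. Once the connect succeeds, the three failure returns that follow (timeout, `seccomp_notif_alloc`, mainloop add) all leave that connection open; `close_prot_errno_disarm(notify_fd);` before each `return -1;`, or one cleanup label, avoids leaking a socket to the proxy on every start that fails there. The `errno = ret` after `seccomp_notif_alloc` assumes a positive errno-style return; a comment `/* seccomp_notif_alloc() returns a positive errno value on failure */` would record that contract, if it holds. The function continues past this hunk, so the leak applies to the paths shown here.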
@@ -1469,15 +1481,6 @@ int lxc_seccomp_recv_notifier_fd(struct lxc_seccomp *seccomp, int socket_fd)
 						 1, NULL, 0);
 		if (ret < 0)
 			return -1;
-
-		if (seccomp->notifier.proxy_fd >= 0) {
-			ret = seccomp_notif_alloc(&seccomp->notifier.req_buf,
-						  &seccomp->notifier.rsp_buf);
-			if (ret) {
-				errno = ret;
-				return -1;
-			}
-		}
 	}
 #endif
 	return 0;
@@ -1488,11 +1491,11 @@ int lxc_seccomp_add_notifier(const char *name, const char *lxcpath,
 {
 
 #if HAVE_DECL_SECCOMP_NOTIF_GET_FD
-	if (seccomp->notifier.proxy_fd >= 0) {
+	if (seccomp->notifier.wants_supervision) {
 		int ret;
 
 		ret = lxc_cmd_seccomp_notify_add_listener(name, lxcpath,
-		          				  seccomp->notifier.notify_fd,
+							  seccomp->notifier.notify_fd,
 							  -1, 0);
 		close_prot_errno_disarm(seccomp->notifier.notify_fd);
 		if (ret < 0)
diff --git a/src/lxc/start.c b/src/lxc/start.c
index a72970fdf1..5209af3586 100644
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -591,9 +591,11 @@ int lxc_poll(const char *name, struct lxc_handler *handler)
 		goto out_mainloop_console;
 	}
 
-	ret = lxc_seccomp_setup_notifier(&handler->conf->seccomp, &descr, handler);
-	if (ret < 0)
+	ret = lxc_seccomp_setup_proxy(&handler->conf->seccomp, &descr, handler);
+	if (ret < 0) {
+		ERROR("Failed to setup seccomp proxy");
 		goto out_mainloop_console;
+	}
 
 	if (has_console) {
 		struct lxc_terminal *console = &handler->conf->console;
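Review bot: The added `ERROR("Failed to setup seccomp proxy")` duplicates the messages `lxc_seccomp_setup_proxy()` already emits on each of its failure paths (see the seccomp.c hunk), so one failure is logged twice with no extra context. If the caller-side line is kept it should add what the caller does, for instance `ERROR("Failed to setup seccomp proxy, aborting container start");`, or it can be dropped. `lxc_poll` starts and ends outside this hunk.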

