[lxc-devel] [lxc/master] seccomp: notifier fixes
brauner on Github
lxc-bot at linuxcontainers.org
Tue Apr 30 22:37:31 UTC 2019
From 2ac0f627f5e010eadd24665d10d206f03b0a2a14 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Wed, 1 May 2019 00:36:41 +0200
Subject: [PATCH] seccomp: notifier fixes
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
src/lxc/af_unix.c | 15 ++++++++++-----
src/lxc/attach.c | 14 ++++++++------
src/lxc/lxcseccomp.h | 12 ++++++------
src/lxc/seccomp.c | 37 ++++++++++++++++++++-----------------
src/lxc/start.c | 6 ++++--
5 files changed, 48 insertions(+), 36 deletions(-)
diff --git a/src/lxc/af_unix.c b/src/lxc/af_unix.c
index 275430a52a..7f0711ed22 100644
--- a/src/lxc/af_unix.c
+++ b/src/lxc/af_unix.c
@@ -365,18 +365,23 @@ int lxc_unix_connect(struct sockaddr_un *addr)
int ret;
ssize_t len;
- fd = socket(PF_UNIX, SOCK_STREAM, SOCK_CLOEXEC);
- if (fd < 0)
+ fd = socket(AF_UNIX, SOCK_STREAM, 0);
+ if (fd < 0) {
+ SYSERROR("Failed to open new AF_UNIX socket");
return -1;
+ }
if (addr->sun_path[0] == '\0')
len = strlen(&addr->sun_path[1]);
else
len = strlen(&addr->sun_path[0]);
- ret = connect(fd, (struct sockaddr *)&addr,
- offsetof(struct sockaddr_un, sun_path) + len + 1);
- if (ret < 0)
+
+ ret = connect(fd, (struct sockaddr *)addr,
+ offsetof(struct sockaddr_un, sun_path) + len);
+ if (ret < 0) {
+ SYSERROR("Failed to bind new AF_UNIX socket");
return -1;
+ }
return move_fd(fd);
}
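Review bot: The new `fd = socket(AF_UNIX, SOCK_STREAM, 0);` drops close-on-exec entirely, so the descriptor that ends up connected to the seccomp proxy stays open across any later exec in this process; the removed call had SOCK_CLOEXEC in the wrong (protocol) argument, and the correct form is `fd = socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0);`. The connect() failure branch returns without closing fd and its message says "bind" for a connect; `close(fd);` before that `return -1;` and "Failed to connect new AF_UNIX socket" would fix both. For an abstract address the length passed to connect() is offsetof plus strlen(&sun_path[1]), which does not count the leading NUL byte, so the last byte of the abstract name appears to be cut off — presumably that branch needs a `+ 1`; worth checking against the other abstract-socket connect helper in this file. lxc_unix_connect's opening lines are outside the hunk.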
diff --git a/src/lxc/attach.c b/src/lxc/attach.c
index 331434b268..9d37793e5c 100644
--- a/src/lxc/attach.c
+++ b/src/lxc/attach.c
@@ -1317,13 +1317,15 @@ int lxc_attach(const char *name, const char *lxcpath,
TRACE("Sent LSM label file descriptor %d to child", labelfd);
}
- ret = lxc_seccomp_recv_notifier_fd(&conf->seccomp, ipc_sockets[0]);
- if (ret < 0)
- goto close_mainloop;
+ if (conf && conf->seccomp.seccomp) {
+ ret = lxc_seccomp_recv_notifier_fd(&conf->seccomp, ipc_sockets[0]);
+ if (ret < 0)
+ goto close_mainloop;
- ret = lxc_seccomp_add_notifier(name, lxcpath, &conf->seccomp);
- if (ret < 0)
- goto close_mainloop;
+ ret = lxc_seccomp_add_notifier(name, lxcpath, &conf->seccomp);
+ if (ret < 0)
+ goto close_mainloop;
+ }
/* We're done, the child process should now execute whatever it
* is that the user requested. The parent can now track it with
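Review bot: The new guard `if (conf && conf->seccomp.seccomp)` decides on the parent side whether an fd will be read from ipc_sockets[0], but the child-side lxc_seccomp_send_notifier_fd is not in this diff; unless it is gated on exactly the same predicate the two ends of the socket protocol fall out of step (the parent blocks on a receive that never comes, or an unread fd is left in the socket), so the sender's condition should be confirmed or both ends keyed on one shared check. The `conf &&` part is either redundant or newly covers a case the removed code would have dereferenced; the rest of lxc_attach, which starts and ends outside the hunk, determines which, and a one-line comment saying why conf may be NULL here would help the next reader.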
diff --git a/src/lxc/lxcseccomp.h b/src/lxc/lxcseccomp.h
index aafe09f127..afb3e73527 100644
--- a/src/lxc/lxcseccomp.h
+++ b/src/lxc/lxcseccomp.h
@@ -79,9 +79,9 @@ extern void lxc_seccomp_free(struct lxc_seccomp *seccomp);
extern int seccomp_notify_handler(int fd, uint32_t events, void *data,
struct lxc_epoll_descr *descr);
extern void seccomp_conf_init(struct lxc_conf *conf);
-extern int lxc_seccomp_setup_notifier(struct lxc_seccomp *seccomp,
- struct lxc_epoll_descr *descr,
- struct lxc_handler *handler);
+extern int lxc_seccomp_setup_proxy(struct lxc_seccomp *seccomp,
+ struct lxc_epoll_descr *descr,
+ struct lxc_handler *handler);
extern int lxc_seccomp_send_notifier_fd(struct lxc_seccomp *seccomp,
int socket_fd);
extern int lxc_seccomp_recv_notifier_fd(struct lxc_seccomp *seccomp,
@@ -129,9 +129,9 @@ static inline void seccomp_conf_init(struct lxc_conf *conf)
{
}
-static inline int lxc_seccomp_setup_notifier(struct lxc_seccomp *seccomp,
- struct lxc_epoll_descr *descr,
- struct lxc_handler *handler)
+static inline int lxc_seccomp_setup_proxy(struct lxc_seccomp *seccomp,
+ struct lxc_epoll_descr *descr,
+ struct lxc_handler *handler)
{
return 0;
}
diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index a63b6d69fb..34abda16a9 100644
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -1410,9 +1410,9 @@ void seccomp_conf_init(struct lxc_conf *conf)
#endif
}
-int lxc_seccomp_setup_notifier(struct lxc_seccomp *seccomp,
- struct lxc_epoll_descr *descr,
- struct lxc_handler *handler)
+int lxc_seccomp_setup_proxy(struct lxc_seccomp *seccomp,
+ struct lxc_epoll_descr *descr,
+ struct lxc_handler *handler)
{
#if HAVE_DECL_SECCOMP_NOTIF_GET_FD
if (seccomp->notifier.wants_supervision &&
@@ -1421,20 +1421,32 @@ int lxc_seccomp_setup_notifier(struct lxc_seccomp *seccomp,
int ret;
notify_fd = lxc_unix_connect(&seccomp->notifier.proxy_addr);
- if (notify_fd < 0)
+ if (notify_fd < 0) {
+ SYSERROR("Failed to connect to seccomp proxy");
return -1;
+ }
/* 30 second timeout */
ret = lxc_socket_set_timeout(notify_fd, 30, 30);
- if (ret)
+ if (ret) {
+ SYSERROR("Failed to set timeouts for seccomp proxy");
return -1;
+ }
+
+ ret = seccomp_notif_alloc(&seccomp->notifier.req_buf,
+ &seccomp->notifier.rsp_buf);
+ if (ret) {
+ ERROR("Failed to allocate seccomp notify request and response buffers");
+ errno = ret;
+ return -1;
+ }
ret = lxc_mainloop_add_handler(descr,
seccomp->notifier.notify_fd,
seccomp_notify_handler, handler);
if (ret < 0) {
ERROR("Failed to add seccomp notify handler for %d to mainloop",
- seccomp->notifier.notify_fd);
+ notify_fd);
return -1;
}
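Review bot: The changed ERROR on the lxc_mainloop_add_handler failure path now prints the local `notify_fd`, which is the socket just connected to the proxy, while the handler was registered for `seccomp->notifier.notify_fd`; the log should name the fd it describes, so keep `seccomp->notifier.notify_fd` in the message or print both. The three early returns after lxc_unix_connect() succeeds (timeout, seccomp_notif_alloc, add_handler) return without closing notify_fd; unless its declaration, which is above the hunk, carries a cleanup attribute, each leaks the connected proxy socket, and the add_handler failure additionally leaves req_buf/rsp_buf allocated unless lxc_seccomp_free releases them. libseccomp's seccomp_notif_alloc() reports failure as a negative errno value, so `errno = ret;` in the new block stores a negative number; `errno = -ret;` is what the SYSERROR-style callers expect.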
@@ -1469,15 +1481,6 @@ int lxc_seccomp_recv_notifier_fd(struct lxc_seccomp *seccomp, int socket_fd)
1, NULL, 0);
if (ret < 0)
return -1;
-
- if (seccomp->notifier.proxy_fd >= 0) {
- ret = seccomp_notif_alloc(&seccomp->notifier.req_buf,
- &seccomp->notifier.rsp_buf);
- if (ret) {
- errno = ret;
- return -1;
- }
- }
}
#endif
return 0;
@@ -1488,11 +1491,11 @@ int lxc_seccomp_add_notifier(const char *name, const char *lxcpath,
{
#if HAVE_DECL_SECCOMP_NOTIF_GET_FD
- if (seccomp->notifier.proxy_fd >= 0) {
+ if (seccomp->notifier.wants_supervision) {
int ret;
ret = lxc_cmd_seccomp_notify_add_listener(name, lxcpath,
- seccomp->notifier.notify_fd,
+ seccomp->notifier.notify_fd,
-1, 0);
close_prot_errno_disarm(seccomp->notifier.notify_fd);
if (ret < 0)
diff --git a/src/lxc/start.c b/src/lxc/start.c
index a72970fdf1..5209af3586 100644
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -591,9 +591,11 @@ int lxc_poll(const char *name, struct lxc_handler *handler)
goto out_mainloop_console;
}
- ret = lxc_seccomp_setup_notifier(&handler->conf->seccomp, &descr, handler);
- if (ret < 0)
+ ret = lxc_seccomp_setup_proxy(&handler->conf->seccomp, &descr, handler);
+ if (ret < 0) {
+ ERROR("Failed to setup seccomp proxy");
goto out_mainloop_console;
+ }
if (has_console) {
struct lxc_terminal *console = &handler->conf->console;
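Review bot: The added `ERROR("Failed to setup seccomp proxy");` double-reports: every failure path inside lxc_seccomp_setup_proxy already logs a SYSERROR/ERROR with the specific cause (connect, timeout, buffer allocation, mainloop registration), so each failure now produces two lines, the second less informative than the first. Either drop the caller-side message or make it carry context the callee lacks, e.g. `ERROR("Failed to setup seccomp proxy for container \"%s\"", name);`, so the duplicate at least adds something. lxc_poll continues outside the hunk.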