[lxc-devel] [lxd/master] seccomp: handle mknodat

brauner on Github lxc-bot at linuxcontainers.org
Wed Jun 12 14:56:56 UTC 2019 

A non-text attachment was scrubbed...
Name: not available
Type: text/x-mailbox
Size: 364 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20190612/304a5a29/attachment.bin>
-------------- next part --------------
From e33518d65d226e5b0b567d00e2636e67cfa44ca5 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Wed, 12 Jun 2019 16:56:10 +0200
Subject: [PATCH] seccomp: handle mknodat

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
 lxd/seccomp.go | 49 ++++++++++++++++++++++++++++++++++---------------
 1 file changed, 34 insertions(+), 15 deletions(-)

diff --git a/lxd/seccomp.go b/lxd/seccomp.go
index b984f65ac9..6678738399 100644
--- a/lxd/seccomp.go
+++ b/lxd/seccomp.go
@@ -123,23 +123,41 @@ static int seccomp_notify_mknod_set_response(int fd_mem, struct seccomp_notify_p
 	resp->flags = req->flags;
 	resp->val = 0;
 
-	if (req->data.nr != __NR_mknod) {
-		resp->error = -ENOSYS;
+	switch (req->data.nr) {
+	case __NR_mknod:
+		resp->error = device_allowed(req->data.args[2], req->data.args[1]);
+		if (resp->error)
+			return -1;
+
+		bytes = pread(fd_mem, buf, size, req->data.args[0]);
+		if (bytes < 0)
+			return -1;
+
+		*mode = req->data.args[1];
+		*dev = req->data.args[2];
+		*pid = req->pid;
+
+		break;
+	case __NR_mknodat:
+		if (req->data.args[0] != AT_FDCWD)
+			return -EINVAL;
+		resp->error = device_allowed(req->data.args[3], req->data.args[2]);
+		if (resp->error)
+			return -1;
+
+		bytes = pread(fd_mem, buf, size, req->data.args[1]);
+		if (bytes < 0)
+			return -1;
+
+		*mode = req->data.args[2];
+		*dev = req->data.args[3];
+		*pid = req->pid;
+
+		break;
+	default:
 		return -1;
 	}
 
-	resp->error = device_allowed(req->data.args[2], req->data.args[1]);
-	if (resp->error)
-		return -1;
-
-	bytes = pread(fd_mem, buf, size, req->data.args[0]);
-	if (bytes < 0)
-		return -1;
-
-	*mode = req->data.args[1];
-	*dev = req->data.args[2];
-	*pid = req->pid;
-
 	return 0;
 }
 
@@ -178,7 +196,8 @@ init_module errno 38
 finit_module errno 38
 delete_module errno 38
 `
-const SECCOMP_NOTIFY_POLICY = `mknod notify`
+const SECCOMP_NOTIFY_POLICY = `mknod notify
+mknodat notify`
 
 const COMPAT_BLOCKING_POLICY = `[%s]
 compat_sys_rt_sigaction errno 38

More information about the lxc-devel mailing list