[lxc-devel] [lxc/master] seccomp: add seccomp_notify_fd_active api extension

brauner on Github lxc-bot at linuxcontainers.org
Thu Aug 6 12:43:19 UTC 2020


From 2140576960c1cfc95db5724553b360f0b4daa247 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Thu, 6 Aug 2020 14:38:07 +0200
Subject: [PATCH] seccomp: add seccomp_notify_fd_active api extension

which allows retrieving an active seccomp notifier fd from a running
container.

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
 doc/api-extensions.md    |  4 ++++
 src/lxc/api_extensions.h |  1 +
 src/lxc/commands.c       | 52 ++++++++++++++++++++++++++++++++++++++++
 src/lxc/commands.h       |  2 ++
 src/lxc/lxccontainer.c   | 11 +++++++++
 src/lxc/lxccontainer.h   |  9 +++++++
 6 files changed, 79 insertions(+)

diff --git a/doc/api-extensions.md b/doc/api-extensions.md
index 21cb55d111..9a716e48ac 100644
--- a/doc/api-extensions.md
+++ b/doc/api-extensions.md
@@ -136,3 +136,7 @@ This adds the ability to use "denylist" and "allowlist" in seccomp v2 policies.
 
 This adds the ability to allocate a file descriptor for the devpts instance of
 the container.
+
+## seccomp\_notify\_fd\_active
+
+Retrieve the seccomp notifier fd from a running container.
diff --git a/src/lxc/api_extensions.h b/src/lxc/api_extensions.h
index 4d97504887..1b40e5d452 100644
--- a/src/lxc/api_extensions.h
+++ b/src/lxc/api_extensions.h
@@ -44,6 +44,7 @@ static char *api_extensions[] = {
 	"time_namespace",
 	"seccomp_allow_deny_syntax",
 	"devpts_fd",
+	"seccomp_notify_fd_active",
 };
 
 static size_t nr_api_extensions = sizeof(api_extensions) / sizeof(*api_extensions);
diff --git a/src/lxc/commands.c b/src/lxc/commands.c
index 22fbb04bb4..4ed84c3a02 100644
--- a/src/lxc/commands.c
+++ b/src/lxc/commands.c
@@ -87,6 +87,7 @@ static const char *lxc_cmd_str(lxc_cmd_t cmd)
 		[LXC_CMD_GET_LIMITING_CGROUP]		= "get_limiting_cgroup",
 		[LXC_CMD_GET_LIMITING_CGROUP2_FD]	= "get_limiting_cgroup2_fd",
 		[LXC_CMD_GET_DEVPTS_FD]			= "get_devpts_fd",
+		[LXC_CMD_GET_SECCOMP_NOTIFY_FD]		= "get_seccomp_notify_fd",
 	};
 
 	if (cmd >= LXC_CMD_MAX)
@@ -162,6 +163,11 @@ static int lxc_cmd_rsp_recv(int sock, struct lxc_cmd_rr *cmd)
 		rsp->data = INT_TO_PTR(devpts_fd);
 	}
 
+	if (cmd->req.cmd == LXC_CMD_GET_SECCOMP_NOTIFY_FD) {
+		int seccomp_notify_fd = move_fd(fd_rsp);
+		rsp->data = INT_TO_PTR(seccomp_notify_fd);
+	}
+
 	if (rsp->datalen == 0)
 		return log_debug(ret,
 				 "Response data length for command \"%s\" is 0",
@@ -490,6 +496,51 @@ static int lxc_cmd_get_devpts_fd_callback(int fd, struct lxc_cmd_req *req,
 	return 0;
 }
 
+int lxc_cmd_get_seccomp_notify_fd(const char *name, const char *lxcpath)
+{
+#if HAVE_DECL_SECCOMP_NOTIFY_FD
+	int ret, stopped;
+	struct lxc_cmd_rr cmd = {
+		.req = {
+			.cmd = LXC_CMD_GET_SECCOMP_NOTIFY_FD,
+		},
+	};
+
+	ret = lxc_cmd(name, &cmd, &stopped, lxcpath, NULL);
+	if (ret < 0)
+		return log_debug_errno(-1, errno, "Failed to process seccomp notify fd command");
+
+	if (cmd.rsp.ret < 0)
+		return log_debug_errno(-EBADF, errno, "Failed to receive seccomp notify fd");
+
+	return PTR_TO_INT(cmd.rsp.data);
+#else
+	return ret_errno(EOPNOTSUPP);
+#endif
+}
+
+static int lxc_cmd_get_seccomp_notify_fd_callback(int fd, struct lxc_cmd_req *req,
+						  struct lxc_handler *handler,
+						  struct lxc_epoll_descr *descr)
+{
+#if HAVE_DECL_SECCOMP_NOTIFY_FD
+	struct lxc_cmd_rsp rsp = {
+		.ret = 0,
+	};
+	int ret;
+
+	if (!handler->conf || handler->conf->seccomp.notifier.notify_fd < 0)
+		rsp.ret = -EBADF;
+	ret = lxc_abstract_unix_send_fds(fd, &handler->conf->seccomp.notifier.notify_fd, 1, &rsp, sizeof(rsp));
+	if (ret < 0)
+		return log_error(LXC_CMD_REAP_CLIENT_FD, "Failed to send seccomp notify fd");
+
+	return 0;
+#else
+	return ret_errno(EOPNOTSUPP);
+#endif
+}
+
 /*
  * lxc_cmd_get_clone_flags: Get clone flags container was spawned with
  *
@@ -1549,6 +1600,7 @@ static int lxc_cmd_process(int fd, struct lxc_cmd_req *req,
 		[LXC_CMD_GET_LIMITING_CGROUP]           = lxc_cmd_get_limiting_cgroup_callback,
 		[LXC_CMD_GET_LIMITING_CGROUP2_FD]       = lxc_cmd_get_limiting_cgroup2_fd_callback,
 		[LXC_CMD_GET_DEVPTS_FD]			= lxc_cmd_get_devpts_fd_callback,
+		[LXC_CMD_GET_SECCOMP_NOTIFY_FD]		= lxc_cmd_get_seccomp_notify_fd_callback,
 	};
 
 	if (req->cmd >= LXC_CMD_MAX)
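Review bot: In lxc_cmd_get_seccomp_notify_fd_callback the send call dereferences `handler->conf->seccomp.notifier.notify_fd` unconditionally, right after the guard that sets `rsp.ret = -EBADF` for the case where `handler->conf` is NULL, so that branch is a NULL-pointer dereference; and when conf exists but the notifier fd is negative, the -EBADF response is attached to an invalid descriptor, which should make the fd-passing send fail and the client then never receives the intended error. The error path should send the response alone and only the success path should attach the descriptor; the plain-response helper used by the other command callbacks in this file is the natural fit (confirm its exact name, the rewrite below assumes `lxc_cmd_rsp_send`). Separately, the two failure returns in lxc_cmd_get_seccomp_notify_fd disagree (`-1` after the lxc_cmd call, `-EBADF` after the rsp.ret check) even though the lxccontainer.c wrapper forwards the value straight to public API callers; pick one convention. The lxc_cmd_process table this hunk also touches continues outside the hunk.
```c
static int lxc_cmd_get_seccomp_notify_fd_callback(int fd, struct lxc_cmd_req *req,
						  struct lxc_handler *handler,
						  struct lxc_epoll_descr *descr)
{
#if HAVE_DECL_SECCOMP_NOTIFY_FD
	struct lxc_cmd_rsp rsp = {
		.ret = 0,
	};
	int ret;

	/* Only touch handler->conf on the success path; never attach an invalid fd. */
	if (!handler->conf || handler->conf->seccomp.notifier.notify_fd < 0) {
		rsp.ret = -EBADF;
		ret = lxc_cmd_rsp_send(fd, &rsp);
	} else {
		ret = lxc_abstract_unix_send_fds(fd, &handler->conf->seccomp.notifier.notify_fd, 1, &rsp, sizeof(rsp));
	}
	if (ret < 0)
		return log_error(LXC_CMD_REAP_CLIENT_FD, "Failed to send seccomp notify fd");

	return 0;
	/* … unchanged: #else / EOPNOTSUPP fallback … */
```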
diff --git a/src/lxc/commands.h b/src/lxc/commands.h
index ef545e23ae..c87dad4e90 100644
--- a/src/lxc/commands.h
+++ b/src/lxc/commands.h
@@ -42,6 +42,7 @@ typedef enum {
 	LXC_CMD_GET_LIMITING_CGROUP,
 	LXC_CMD_GET_LIMITING_CGROUP2_FD,
 	LXC_CMD_GET_DEVPTS_FD,
+	LXC_CMD_GET_SECCOMP_NOTIFY_FD,
 	LXC_CMD_MAX,
 } lxc_cmd_t;
 
@@ -120,6 +121,7 @@ __hidden extern int lxc_cmd_mainloop_add(const char *name, struct lxc_epoll_desc
 __hidden extern int lxc_try_cmd(const char *name, const char *lxcpath);
 __hidden extern int lxc_cmd_console_log(const char *name, const char *lxcpath,
 					struct lxc_console_log *log);
+__hidden extern int lxc_cmd_get_seccomp_notify_fd(const char *name, const char *lxcpath);
 __hidden extern int lxc_cmd_seccomp_notify_add_listener(const char *name, const char *lxcpath, int fd,
 							/* unused */ unsigned int command,
 							/* unused */ unsigned int flags);
diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c
index 8d854aaf13..673cf2483d 100644
--- a/src/lxc/lxccontainer.c
+++ b/src/lxc/lxccontainer.c
@@ -5240,6 +5240,16 @@ static int do_lxcapi_seccomp_notify_fd(struct lxc_container *c)
 
 WRAP_API(int, lxcapi_seccomp_notify_fd)
 
+static int do_lxcapi_seccomp_notify_fd_active(struct lxc_container *c)
+{
+	if (!c || !c->lxc_conf)
+		return ret_set_errno(-1, -EINVAL);
+
+	return lxc_cmd_get_seccomp_notify_fd(c->name, c->config_path);
+}
+
+WRAP_API(int, lxcapi_seccomp_notify_fd_active)
+
 struct lxc_container *lxc_container_new(const char *name, const char *configpath)
 {
 	struct lxc_container *c;
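Review bot: `ret_set_errno(-1, -EINVAL)` in do_lxcapi_seccomp_notify_fd_active stores a negated value in errno, so a caller that checks errno on the -1 return sees -EINVAL instead of EINVAL; it should read `return ret_set_errno(-1, EINVAL);`. The function also passes through whatever negative value lxc_cmd_get_seccomp_notify_fd returns, which per the commands.c hunk can be -1, -EBADF or the ret_errno(EOPNOTSUPP) result, so the public API has no single failure value; consider normalising to -1 with errno set before returning. The lxc_container_new body at the end of this hunk continues outside it.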
@@ -5382,6 +5392,7 @@ struct lxc_container *lxc_container_new(const char *name, const char *configpath
 	c->mount = lxcapi_mount;
 	c->umount = lxcapi_umount;
 	c->seccomp_notify_fd = lxcapi_seccomp_notify_fd;
+	c->seccomp_notify_fd_active = lxcapi_seccomp_notify_fd_active;
 
 	return c;
 
diff --git a/src/lxc/lxccontainer.h b/src/lxc/lxccontainer.h
index 3437550d7e..1229a1f349 100644
--- a/src/lxc/lxccontainer.h
+++ b/src/lxc/lxccontainer.h
@@ -857,6 +857,15 @@ struct lxc_container {
 	 */
 	int (*seccomp_notify_fd)(struct lxc_container *c);
 
+	/*!
+	 * \brief Retrieve a file descriptor for the running container's seccomp filter.
+	 *
+	 * \param c Container
+	 *
+	 * \return file descriptor for the running container's seccomp filter
+	 */
+	int (*seccomp_notify_fd_active)(struct lxc_container *c);
+
 	/*!
 	 * \brief Retrieve a pidfd for the container's init process.
 	 *
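Review bot: The doxygen comment on seccomp_notify_fd_active states no failure value and no ownership for the returned descriptor, which is exactly what a user of the public header needs to know. Suggested text: `\return file descriptor for the running container's seccomp notifier on success, negative on failure (errno set); the descriptor is received into the caller's process, so the caller is responsible for closing it` (the ownership part follows from the move_fd receive path in lxc_cmd_rsp_recv, worth confirming). The `\brief` also says "seccomp filter" where the rest of the patch consistently says "seccomp notifier fd". The struct lxc_container definition continues outside the hunk.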

