[lxc-devel] [lxc/master] seccomp: bugfixes
brauner on Github
lxc-bot at linuxcontainers.org
Thu Oct 15 08:58:59 UTC 2020
From a76fe490dc301fe1dca160dac34967566c4e1a02 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Thu, 15 Oct 2020 09:19:23 +0200
Subject: [PATCH 1/2] seccomp: log invalid seccomp notify ids
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
src/lxc/seccomp.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index 61b9954a86..b19b46f53e 100644
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -1377,7 +1377,7 @@ int seccomp_notify_handler(int fd, uint32_t events, void *data,
int listener_proxy_fd = conf->seccomp.notifier.proxy_fd;
struct seccomp_notify_proxy_msg msg = {0};
char *cookie = conf->seccomp.notifier.cookie;
- uint64_t req_id;
+ __u64 req_id;
if (events & EPOLLHUP) {
lxc_mainloop_del_handler(descr, fd);
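Review bot: The change of `req_id` from `uint64_t` to `__u64` is not explained in the hunk, and it is the kind of change a later cleanup is likely to revert. It appears to be there so that `req_id` has the same type as `req->id`/`resp->id` and can be printed with the `%llu` used by the later TRACE/ERROR calls in this patch, whereas `uint64_t` is `unsigned long` on LP64 targets and would be a format mismatch. A one-line comment would pin that down: `__u64 req_id; /* same type as req->id; printed with %llu below */`. seccomp_notify_handler continues outside this hunk.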
@@ -1409,6 +1409,7 @@ int seccomp_notify_handler(int fd, uint32_t events, void *data,
/* remember the ID in case we receive garbage from the proxy */
resp->id = req_id = req->id;
+ TRACE("Received seccomp notification with id(%llu)", req_id);
snprintf(mem_path, sizeof(mem_path), "/proc/%d", req->pid);
fd_pid = open(mem_path, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
@@ -1433,7 +1434,7 @@ int seccomp_notify_handler(int fd, uint32_t events, void *data,
ret = seccomp_notify_id_valid(fd, req->id);
if (ret < 0) {
seccomp_notify_default_answer(fd, req, resp, hdlr);
- SYSERROR("Invalid seccomp notify request id");
+ SYSERROR("Invalid seccomp notify request id(%llu)", req->id);
goto out;
}
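Review bot: The new `SYSERROR("Invalid seccomp notify request id(%llu)", req->id);` still runs after `seccomp_notify_default_answer(fd, req, resp, hdlr);`, which itself performs a respond ioctl that can overwrite errno, so if SYSERROR appends strerror(errno) as its name suggests, the logged reason may describe the respond failure rather than the failed id check. The fourth hunk of this patch already moves the ERROR ahead of the id repair; doing the same here keeps the two paths consistent: put `SYSERROR("Invalid seccomp notify request id(%llu)", req->id);` before the `seccomp_notify_default_answer(...)` call, or save errno before calling it. seccomp_notify_handler continues outside this hunk.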
@@ -1492,8 +1493,8 @@ int seccomp_notify_handler(int fd, uint32_t events, void *data,
}
if (resp->id != req_id) {
+ ERROR("Proxy returned response with illegal id(%llu) != id(%llu)", resp->id, req_id);
resp->id = req_id;
- ERROR("Proxy returned response with illegal id");
seccomp_notify_default_answer(fd, req, resp, hdlr);
goto out;
}
@@ -1505,9 +1506,16 @@ int seccomp_notify_handler(int fd, uint32_t events, void *data,
goto out;
}
+ if (resp->id != req_id) {
+ ERROR("Proxy returned response with illegal id(%llu) != id(%llu)", resp->id, req_id);
+ resp->id = req_id;
+ }
+
ret = seccomp_notify_respond(fd, resp);
if (ret)
SYSERROR("Failed to send seccomp notification");
+ else
+ TRACE("Sent response for seccomp notification with id(%llu)", resp->id);
out:
#endif
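Review bot: The new `if (resp->id != req_id)` block added before `seccomp_notify_respond()` handles an id mismatch differently from the earlier check in this patch: the earlier one logs, restores the id, sends the default answer and jumps to `out`, while this one logs, silently patches `resp->id` and then forwards the proxy's `error`/`val`/`flags` to the kernel as if they were valid. If a wrong id is evidence that the proxy's reply cannot be trusted, this path should also take the default answer, e.g. replace `resp->id = req_id;` with `resp->id = req_id; seccomp_notify_default_answer(fd, req, resp, hdlr); goto out;`. If the repair is intentional for this point in the flow, a comment saying why the reply is still accepted here would stop the next reader from "fixing" it. The function ends outside this hunk, and the `goto out;` at its top belongs to an error path that starts before it.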
From dc70d7e4fbb731201c3170e3b23079a74ceed6c1 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Thu, 15 Oct 2020 10:00:44 +0200
Subject: [PATCH 2/2] seccomp: improve default notification sending
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
src/lxc/seccomp.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index b19b46f53e..8ee68df52e 100644
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -1347,9 +1347,14 @@ static void seccomp_notify_default_answer(int fd, struct seccomp_notif *req,
{
resp->id = req->id;
resp->error = -ENOSYS;
+ resp->val = 0;
+ resp->flags = 0;
if (seccomp_notify_respond(fd, resp))
- SYSERROR("Failed to send default message to seccomp");
+ SYSERROR("Failed to send default message to seccomp notification with id(%llu)", resp->id);
+ else
+ TRACE("Sent default response for seccomp notification with id(%llu)", resp->id);
+ memset(resp, 0, handler->conf->seccomp.notifier.sizes.seccomp_notif_resp);
}
#endif
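Review bot: The new `memset(resp, 0, handler->conf->seccomp.notifier.sizes.seccomp_notif_resp);` (and the matching `memset(req, 0, conf->seccomp.notifier.sizes.seccomp_notif);` in the next hunk at -1385) use the kernel-reported sizes instead of `sizeof(*resp)`/`sizeof(*req)` without saying why, and a reader will be tempted to "simplify" them back. Presumably the buffers are allocated to the sizes returned by SECCOMP_GET_NOTIF_SIZES, which on a newer kernel can exceed the struct definitions this file was built against, so `sizeof` would leave a tail uncleared; a comment on the first of the two memsets would make the invariant explicit, e.g. `/* clear the full kernel-sized buffer, not sizeof(*resp): it may be larger than our struct */`. Zeroing `resp->val` and `resp->flags` explicitly before the respond is good, since the function's signature is outside the hunk and the `handler` argument used by the memset is inferred from it rather than visible here.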
@@ -1385,7 +1390,7 @@ int seccomp_notify_handler(int fd, uint32_t events, void *data,
return log_trace(0, "Removing seccomp notifier fd %d", fd);
}
- memset(req, 0, sizeof(*req));
+ memset(req, 0, conf->seccomp.notifier.sizes.seccomp_notif);
ret = seccomp_notify_receive(fd, req);
if (ret) {
SYSERROR("Failed to read seccomp notification");
@@ -1516,6 +1521,7 @@ int seccomp_notify_handler(int fd, uint32_t events, void *data,
SYSERROR("Failed to send seccomp notification");
else
TRACE("Sent response for seccomp notification with id(%llu)", resp->id);
+ memset(resp, 0, conf->seccomp.notifier.sizes.seccomp_notif_resp);
out:
#endif
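Review bot: The added `memset(resp, 0, conf->seccomp.notifier.sizes.seccomp_notif_resp);` sits just before the `out:` label, so every `goto out` path that does not pass through `seccomp_notify_default_answer()` (which now clears `resp` itself) leaves a partially filled `resp` behind; the request buffer, by contrast, is cleared unconditionally at the top of the handler in the -1385 hunk. If the intent is that `resp` never carries proxy-supplied data from one notification into the next, moving the memset below `out:` (or clearing it at the top next to the `req` memset) covers those paths too; if stale data there is harmless because every field is rewritten before the next respond, a short comment saying so would help. Whether any `goto out` path skips the default answer cannot be confirmed from this hunk, and the function body continues on both sides of it.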