[lxc-devel] [lxc/master] seccomp: bugfixes

brauner on Github lxc-bot at linuxcontainers.org
Thu Oct 15 08:58:59 UTC 2020


From a76fe490dc301fe1dca160dac34967566c4e1a02 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Thu, 15 Oct 2020 09:19:23 +0200
Subject: [PATCH 1/2] seccomp: log invalid seccomp notify ids

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
 src/lxc/seccomp.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index 61b9954a86..b19b46f53e 100644
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -1377,7 +1377,7 @@ int seccomp_notify_handler(int fd, uint32_t events, void *data,
 	int listener_proxy_fd = conf->seccomp.notifier.proxy_fd;
 	struct seccomp_notify_proxy_msg msg = {0};
 	char *cookie = conf->seccomp.notifier.cookie;
-	uint64_t req_id;
+	__u64 req_id;
 
 	if (events & EPOLLHUP) {
 		lxc_mainloop_del_handler(descr, fd);
@@ -1409,6 +1409,7 @@ int seccomp_notify_handler(int fd, uint32_t events, void *data,
 
 	/* remember the ID in case we receive garbage from the proxy */
 	resp->id = req_id = req->id;
+	TRACE("Received seccomp notification with id(%llu)", req_id);
 
 	snprintf(mem_path, sizeof(mem_path), "/proc/%d", req->pid);
 	fd_pid = open(mem_path, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
@@ -1433,7 +1434,7 @@ int seccomp_notify_handler(int fd, uint32_t events, void *data,
 	ret = seccomp_notify_id_valid(fd, req->id);
 	if (ret < 0) {
 		seccomp_notify_default_answer(fd, req, resp, hdlr);
-		SYSERROR("Invalid seccomp notify request id");
+		SYSERROR("Invalid seccomp notify request id(%llu)", req->id);
 		goto out;
 	}
 
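Review bot: The changed SYSERROR still runs after `seccomp_notify_default_answer()`, so the strerror text it appends reflects whatever errno that send left behind rather than the errno presumably set by `seccomp_notify_id_valid()`, which is the failure actually being reported. The next hunk already moves its ERROR ahead of the default answer for the proxy case; the same ordering here would be `SYSERROR("Invalid seccomp notify request id(%llu)", req->id);` followed by `seccomp_notify_default_answer(fd, req, resp, hdlr);`. The enclosing seccomp_notify_handler() starts and ends outside this hunk.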
@@ -1492,8 +1493,8 @@ int seccomp_notify_handler(int fd, uint32_t events, void *data,
 	}
 
 	if (resp->id != req_id) {
+		ERROR("Proxy returned response with illegal id(%llu) != id(%llu)", resp->id, req_id);
 		resp->id = req_id;
-		ERROR("Proxy returned response with illegal id");
 		seccomp_notify_default_answer(fd, req, resp, hdlr);
 		goto out;
 	}
@@ -1505,9 +1506,16 @@ int seccomp_notify_handler(int fd, uint32_t events, void *data,
 		goto out;
 	}
 
+	if (resp->id != req_id) {
+		ERROR("Proxy returned response with illegal id(%llu) != id(%llu)", resp->id, req_id);
+		resp->id = req_id;
+	}
+
 	ret = seccomp_notify_respond(fd, resp);
 	if (ret)
 		SYSERROR("Failed to send seccomp notification");
+	else
+		TRACE("Sent response for seccomp notification with id(%llu)", resp->id);
 
 out:
 #endif
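Review bot: The id check added at the top of this hunk treats a mismatch differently from the one in the previous hunk: there a wrong id discards the proxy's response and sends the default answer, here it only rewrites `resp->id` and still passes the proxy-supplied error/val/flags on to `seccomp_notify_respond()`. If a mismatched id means the proxy message cannot be trusted, the second site should take the same path, adding `seccomp_notify_default_answer(fd, req, resp, hdlr);` and `goto out;` after the id reset; if it instead guards a path that assembles resp locally, a comment stating why forwarding is safe there would keep the two checks from drifting further apart. The body of seccomp_notify_handler() continues on both sides of this hunk.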

From dc70d7e4fbb731201c3170e3b23079a74ceed6c1 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Thu, 15 Oct 2020 10:00:44 +0200
Subject: [PATCH 2/2] seccomp: improve default notification sending

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
 src/lxc/seccomp.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index b19b46f53e..8ee68df52e 100644
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -1347,9 +1347,14 @@ static void seccomp_notify_default_answer(int fd, struct seccomp_notif *req,
 {
 	resp->id = req->id;
 	resp->error = -ENOSYS;
+	resp->val = 0;
+	resp->flags = 0;
 
 	if (seccomp_notify_respond(fd, resp))
-		SYSERROR("Failed to send default message to seccomp");
+		SYSERROR("Failed to send default message to seccomp notification with id(%llu)", resp->id);
+	else
+		TRACE("Sent default response for seccomp notification with id(%llu)", resp->id);
+	memset(resp, 0, handler->conf->seccomp.notifier.sizes.seccomp_notif_resp);
 }
 #endif
 
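Review bot: The new `memset(resp, 0, handler->conf->seccomp.notifier.sizes.seccomp_notif_resp)` clears the kernel-reported size only after the answer has gone out, while the fields cleared before the send are just id, error, val and flags; if that reported size is larger than the fields named here, whatever an earlier fill of resp (possibly a proxy read) left in the trailing bytes goes out as part of the default answer. Clearing the whole buffer first is simpler: place the memset line before `resp->id = req->id;` and drop the `resp->val = 0;` / `resp->flags = 0;` assignments. The function's signature is cut by the hunk header, so this assumes `handler` is the parameter the callers pass as `hdlr`.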
@@ -1385,7 +1390,7 @@ int seccomp_notify_handler(int fd, uint32_t events, void *data,
 		return log_trace(0, "Removing seccomp notifier fd %d", fd);
 	}
 
-	memset(req, 0, sizeof(*req));
+	memset(req, 0, conf->seccomp.notifier.sizes.seccomp_notif);
 	ret = seccomp_notify_receive(fd, req);
 	if (ret) {
 		SYSERROR("Failed to read seccomp notification");
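Review bot: `resp` is now zeroed only after a send has been attempted (the next hunk of this patch, and inside seccomp_notify_default_answer()), so an iteration that leaves through `goto out` between `resp->id = req_id = req->id` and the send would start the next notification with stale contents. Clearing it here, next to the `req` memset, with `memset(resp, 0, conf->seccomp.notifier.sizes.seccomp_notif_resp);` makes the invariant hold on every exit path, and the trailing memset in the next hunk becomes redundant. Whether such an early exit exists depends on code outside this hunk.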
@@ -1516,6 +1521,7 @@ int seccomp_notify_handler(int fd, uint32_t events, void *data,
 		SYSERROR("Failed to send seccomp notification");
 	else
 		TRACE("Sent response for seccomp notification with id(%llu)", resp->id);
+	memset(resp, 0, conf->seccomp.notifier.sizes.seccomp_notif_resp);
 
 out:
 #endif

