seccomp: notifier fixes 2965/head
authorChristian Brauner <christian.brauner@ubuntu.com>
Tue, 30 Apr 2019 22:36:41 +0000 (00:36 +0200)
committerChristian Brauner <christian.brauner@ubuntu.com>
Tue, 30 Apr 2019 22:36:41 +0000 (00:36 +0200)
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
src/lxc/af_unix.c
src/lxc/attach.c
src/lxc/lxcseccomp.h
src/lxc/seccomp.c
src/lxc/start.c

index 275430a52a2a0e5347a895784dc31517927bdb07..7f0711ed224d990033ec50531917bb55f7a937f1 100644 (file)
@@ -365,18 +365,23 @@ int lxc_unix_connect(struct sockaddr_un *addr)
        int ret;
        ssize_t len;
 
-       fd = socket(PF_UNIX, SOCK_STREAM, SOCK_CLOEXEC);
-       if (fd < 0)
+       fd = socket(AF_UNIX, SOCK_STREAM, 0);
+       if (fd < 0) {
+               SYSERROR("Failed to open new AF_UNIX socket");
                return -1;
+       }
 
        if (addr->sun_path[0] == '\0')
                len = strlen(&addr->sun_path[1]);
        else
                len = strlen(&addr->sun_path[0]);
-       ret = connect(fd, (struct sockaddr *)&addr,
-                     offsetof(struct sockaddr_un, sun_path) + len + 1);
-       if (ret < 0)
+
+       ret = connect(fd, (struct sockaddr *)addr,
+                     offsetof(struct sockaddr_un, sun_path) + len);
+       if (ret < 0) {
+               SYSERROR("Failed to bind new AF_UNIX socket");
                return -1;
+       }
 
        return move_fd(fd);
 }
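Review bot: The replacement `fd = socket(AF_UNIX, SOCK_STREAM, 0);` drops close-on-exec altogether: the old call put `SOCK_CLOEXEC` in the protocol argument where it had no effect, but the fix should move it into the type, `fd = socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0);`, so the proxy connection cannot be inherited by anything the monitor later forks and execs (hooks, for instance). The address length also looks one byte short for abstract sockets: when `sun_path[0] == '\0'` the name occupies the leading NUL plus `strlen(&sun_path[1])` bytes, yet `offsetof(struct sockaddr_un, sun_path) + len` omits that leading NUL, so the kernel sees the abstract name truncated by its last character; `len = 1 + strlen(&addr->sun_path[1]);` in the first branch would fix it, while the pathname branch is fine as written. The message on the connect failure path reads `"Failed to bind new AF_UNIX socket"` but this is a connect, so `"Failed to connect to AF_UNIX socket"` is what a reader of the log needs. The declaration of `fd` is above the hunk, so whether the descriptor is released on the `return -1` paths cannot be seen here.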
index 331434b26836bef1ad125bc51cd266f282c1f850..9d37793e5cfdea0112568bc561265215b34137a9 100644 (file)
@@ -1317,13 +1317,15 @@ int lxc_attach(const char *name, const char *lxcpath,
                        TRACE("Sent LSM label file descriptor %d to child", labelfd);
                }
 
-               ret = lxc_seccomp_recv_notifier_fd(&conf->seccomp, ipc_sockets[0]);
-               if (ret < 0)
-                       goto close_mainloop;
+               if (conf && conf->seccomp.seccomp) {
+                       ret = lxc_seccomp_recv_notifier_fd(&conf->seccomp, ipc_sockets[0]);
+                       if (ret < 0)
+                               goto close_mainloop;
 
-               ret = lxc_seccomp_add_notifier(name, lxcpath, &conf->seccomp);
-               if (ret < 0)
-                       goto close_mainloop;
+                       ret = lxc_seccomp_add_notifier(name, lxcpath, &conf->seccomp);
+                       if (ret < 0)
+                               goto close_mainloop;
+               }
 
                /* We're done, the child process should now execute whatever it
                 * is that the user requested. The parent can now track it with
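Review bot: The guard added at `if (conf && conf->seccomp.seccomp)` keys the notifier exchange on whether any seccomp profile is loaded, while lxc_seccomp_add_notifier in this same commit keys on `seccomp->notifier.wants_supervision`; at least that callee is self-gated (see its hunk below), so this outer test only avoids the calls, but spelling the predicate differently in each place invites the attach side and the start side drifting apart. A single inline helper in lxcseccomp.h, e.g. `static inline bool lxc_seccomp_notify_enabled(const struct lxc_seccomp *s)`, used here and in seccomp.c would keep them in step. The `conf &&` NULL test is new; if `conf` is already dereferenced earlier in lxc_attach without such a test (not visible in the hunk) the check is dead code, otherwise the case it covers deserves a short comment. lxc_attach continues on both sides of the hunk.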
index aafe09f127320d5670f16e4fcfcbc21538a69347..afb3e73527d8a9de317ee679a217ab3ad07d0814 100644 (file)
@@ -79,9 +79,9 @@ extern void lxc_seccomp_free(struct lxc_seccomp *seccomp);
 extern int seccomp_notify_handler(int fd, uint32_t events, void *data,
                                  struct lxc_epoll_descr *descr);
 extern void seccomp_conf_init(struct lxc_conf *conf);
-extern int lxc_seccomp_setup_notifier(struct lxc_seccomp *seccomp,
-                                     struct lxc_epoll_descr *descr,
-                                     struct lxc_handler *handler);
+extern int lxc_seccomp_setup_proxy(struct lxc_seccomp *seccomp,
+                                  struct lxc_epoll_descr *descr,
+                                  struct lxc_handler *handler);
 extern int lxc_seccomp_send_notifier_fd(struct lxc_seccomp *seccomp,
                                        int socket_fd);
 extern int lxc_seccomp_recv_notifier_fd(struct lxc_seccomp *seccomp,
@@ -129,9 +129,9 @@ static inline void seccomp_conf_init(struct lxc_conf *conf)
 {
 }
 
-static inline int lxc_seccomp_setup_notifier(struct lxc_seccomp *seccomp,
-                                            struct lxc_epoll_descr *descr,
-                                            struct lxc_handler *handler)
+static inline int lxc_seccomp_setup_proxy(struct lxc_seccomp *seccomp,
+                                         struct lxc_epoll_descr *descr,
+                                         struct lxc_handler *handler)
 {
        return 0;
 }
index a63b6d69fb9b0d979b9c12c78519a22365dbce82..34abda16a9fa8a7215fc45b2a04aaa6d599bf3f8 100644 (file)
@@ -1410,9 +1410,9 @@ void seccomp_conf_init(struct lxc_conf *conf)
 #endif
 }
 
-int lxc_seccomp_setup_notifier(struct lxc_seccomp *seccomp,
-                              struct lxc_epoll_descr *descr,
-                              struct lxc_handler *handler)
+int lxc_seccomp_setup_proxy(struct lxc_seccomp *seccomp,
+                           struct lxc_epoll_descr *descr,
+                           struct lxc_handler *handler)
 {
 #if HAVE_DECL_SECCOMP_NOTIF_GET_FD
        if (seccomp->notifier.wants_supervision &&
@@ -1421,20 +1421,32 @@ int lxc_seccomp_setup_notifier(struct lxc_seccomp *seccomp,
                int ret;
 
                notify_fd = lxc_unix_connect(&seccomp->notifier.proxy_addr);
-               if (notify_fd < 0)
+               if (notify_fd < 0) {
+                       SYSERROR("Failed to connect to seccomp proxy");
                        return -1;
+               }
 
                /* 30 second timeout */
                ret = lxc_socket_set_timeout(notify_fd, 30, 30);
-               if (ret)
+               if (ret) {
+                       SYSERROR("Failed to set timeouts for seccomp proxy");
                        return -1;
+               }
+
+               ret = seccomp_notif_alloc(&seccomp->notifier.req_buf,
+                                         &seccomp->notifier.rsp_buf);
+               if (ret) {
+                       ERROR("Failed to allocate seccomp notify request and response buffers");
+                       errno = ret;
+                       return -1;
+               }
 
                ret = lxc_mainloop_add_handler(descr,
                                               seccomp->notifier.notify_fd,
                                               seccomp_notify_handler, handler);
                if (ret < 0) {
                        ERROR("Failed to add seccomp notify handler for %d to mainloop",
-                             seccomp->notifier.notify_fd);
+                             notify_fd);
                        return -1;
                }
 
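Review bot: The failure message at `ERROR("Failed to add seccomp notify handler for %d to mainloop", notify_fd);` now prints the local `notify_fd`, which is the proxy connection just opened by lxc_unix_connect, while the descriptor actually passed to lxc_mainloop_add_handler two lines earlier is `seccomp->notifier.notify_fd`; the log should name the fd that failed, so the previous argument was the right one. The `errno = ret;` after seccomp_notif_alloc is also suspect: if seccomp_notif_alloc follows libseccomp's negative-errno return convention this stores a negative value in errno, and `errno = -ret;` would match the SYSERROR/`return -1` convention the rest of the function uses (this is moved code, but worth fixing in passing). The request/response buffers allocated here are not released on the later add-handler failure path within this function; presumably lxc_seccomp_free reclaims them, which deserves a one-line comment such as `/* req_buf/rsp_buf are owned by the notifier and freed in lxc_seccomp_free() */`. The declarations of `notify_fd` and the enclosing condition are above the hunk, and whatever stores the proxy connection into the notifier is below it.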
@@ -1469,15 +1481,6 @@ int lxc_seccomp_recv_notifier_fd(struct lxc_seccomp *seccomp, int socket_fd)
                                                 1, NULL, 0);
                if (ret < 0)
                        return -1;
-
-               if (seccomp->notifier.proxy_fd >= 0) {
-                       ret = seccomp_notif_alloc(&seccomp->notifier.req_buf,
-                                                 &seccomp->notifier.rsp_buf);
-                       if (ret) {
-                               errno = ret;
-                               return -1;
-                       }
-               }
        }
 #endif
        return 0;
@@ -1488,11 +1491,11 @@ int lxc_seccomp_add_notifier(const char *name, const char *lxcpath,
 {
 
 #if HAVE_DECL_SECCOMP_NOTIF_GET_FD
-       if (seccomp->notifier.proxy_fd >= 0) {
+       if (seccomp->notifier.wants_supervision) {
                int ret;
 
                ret = lxc_cmd_seccomp_notify_add_listener(name, lxcpath,
-                                                         seccomp->notifier.notify_fd,
+                                                         seccomp->notifier.notify_fd,
                                                          -1, 0);
                close_prot_errno_disarm(seccomp->notifier.notify_fd);
                if (ret < 0)
index a72970fdf19c662cdba94073feb39875b69ac2ef..5209af35864f28eab057b2cf63b16bf873b03738 100644 (file)
@@ -591,9 +591,11 @@ int lxc_poll(const char *name, struct lxc_handler *handler)
                goto out_mainloop_console;
        }
 
-       ret = lxc_seccomp_setup_notifier(&handler->conf->seccomp, &descr, handler);
-       if (ret < 0)
+       ret = lxc_seccomp_setup_proxy(&handler->conf->seccomp, &descr, handler);
+       if (ret < 0) {
+               ERROR("Failed to setup seccomp proxy");
                goto out_mainloop_console;
+       }
 
        if (has_console) {
                struct lxc_terminal *console = &handler->conf->console;
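Review bot: The new `ERROR("Failed to setup seccomp proxy");` repeats a message lxc_seccomp_setup_proxy already emits on each of its failure paths (SYSERROR on connect and timeout, ERROR on alloc and handler registration), so one failure is logged twice with no added context; either drop it or have it carry what the callee cannot know, e.g. the container name. It is also worth recording that the abort is deliberate: setup_proxy only connects when `wants_supervision` is set (visible in its hunk), so a configured but unreachable proxy must keep the container from starting unsupervised, and a comment such as `/* An unreachable seccomp proxy is fatal by design: never start the container unsupervised. */` above the call would stop a later change from downgrading this path to a warning. lxc_poll continues on both sides of the hunk.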