From: Christian Brauner
Date: Tue, 30 Apr 2019 22:36:41 +0000 (+0200)
Subject: seccomp: notifier fixes
X-Git-Tag: lxc-3.2.0~83^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2ac0f627f5e010eadd24665d10d206f03b0a2a14;p=thirdparty%2Flxc.git
seccomp: notifier fixes
Signed-off-by: Christian Brauner
---
diff --git a/src/lxc/af_unix.c b/src/lxc/af_unix.c
index 275430a52..7f0711ed2 100644
--- a/src/lxc/af_unix.c
+++ b/src/lxc/af_unix.c
@@ -365,18 +365,23 @@ int lxc_unix_connect(struct sockaddr_un *addr)
 int ret;
 ssize_t len;
- fd = socket(PF_UNIX, SOCK_STREAM, SOCK_CLOEXEC);
- if (fd < 0)
+ fd = socket(AF_UNIX, SOCK_STREAM, 0);
+ if (fd < 0) {
+ SYSERROR("Failed to open new AF_UNIX socket");
 return -1;
+ }
 if (addr->sun_path[0] == '\0')
 len = strlen(&addr->sun_path[1]);
 else
 len = strlen(&addr->sun_path[0]);
- ret = connect(fd, (struct sockaddr *)&addr,
- offsetof(struct sockaddr_un, sun_path) + len + 1);
- if (ret < 0)
+
+ ret = connect(fd, (struct sockaddr *)addr,
+ offsetof(struct sockaddr_un, sun_path) + len);
+ if (ret < 0) {
+ SYSERROR("Failed to bind new AF_UNIX socket");
 return -1;
+ }
 return move_fd(fd);
 }
diff --git a/src/lxc/attach.c b/src/lxc/attach.c
index 331434b26..9d37793e5 100644
--- a/src/lxc/attach.c
+++ b/src/lxc/attach.c
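Review bot: The replacement `fd = socket(AF_UNIX, SOCK_STREAM, 0);` drops close-on-exec entirely instead of moving the flag to the argument where it belongs, so the proxy connection stays inheritable across exec unless move_fd() (defined outside the hunk) re-creates it with F_DUPFD_CLOEXEC; the intended line is `fd = socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0);`. The new connect() length `offsetof(struct sockaddr_un, sun_path) + len` is one byte short for abstract addresses, because `len` is taken from `&addr->sun_path[1]` and so excludes the leading NUL byte, leaving the kernel a name without its final character; restoring `+ len + 1` fixes that and for pathname sockets merely includes the terminator. `SYSERROR("Failed to bind new AF_UNIX socket");` reports a connect() failure as a bind, so `"Failed to connect new AF_UNIX socket"` would match the call it follows. lxc_unix_connect() begins above the hunk.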
@@ -1317,13 +1317,15 @@ int lxc_attach(const char *name, const char *lxcpath,
 TRACE("Sent LSM label file descriptor %d to child", labelfd);
 }
- ret = lxc_seccomp_recv_notifier_fd(&conf->seccomp, ipc_sockets[0]);
- if (ret < 0)
- goto close_mainloop;
+ if (conf && conf->seccomp.seccomp) {
+ ret = lxc_seccomp_recv_notifier_fd(&conf->seccomp, ipc_sockets[0]);
+ if (ret < 0)
+ goto close_mainloop;
- ret = lxc_seccomp_add_notifier(name, lxcpath, &conf->seccomp);
- if (ret < 0)
- goto close_mainloop;
+ ret = lxc_seccomp_add_notifier(name, lxcpath, &conf->seccomp);
+ if (ret < 0)
+ goto close_mainloop;
+ }
 /* We're done, the child process should now execute whatever it
 * is that the user requested. The parent can now track it with
diff --git a/src/lxc/lxcseccomp.h b/src/lxc/lxcseccomp.h
index aafe09f12..afb3e7352 100644
--- a/src/lxc/lxcseccomp.h
+++ b/src/lxc/lxcseccomp.h
@@ -79,9 +79,9 @@ extern void lxc_seccomp_free(struct lxc_seccomp *seccomp);
 extern int seccomp_notify_handler(int fd, uint32_t events, void *data,
 struct lxc_epoll_descr *descr);
 extern void seccomp_conf_init(struct lxc_conf *conf);
-extern int lxc_seccomp_setup_notifier(struct lxc_seccomp *seccomp,
- struct lxc_epoll_descr *descr,
- struct lxc_handler *handler);
+extern int lxc_seccomp_setup_proxy(struct lxc_seccomp *seccomp,
+ struct lxc_epoll_descr *descr,
+ struct lxc_handler *handler);
 extern int lxc_seccomp_send_notifier_fd(struct lxc_seccomp *seccomp,
 int socket_fd);
 extern int lxc_seccomp_recv_notifier_fd(struct lxc_seccomp *seccomp,
@@ -129,9 +129,9 @@ static inline void seccomp_conf_init(struct lxc_conf *conf)
 {
 }
-static inline int lxc_seccomp_setup_notifier(struct lxc_seccomp *seccomp,
- struct lxc_epoll_descr *descr,
- struct lxc_handler *handler)
+static inline int lxc_seccomp_setup_proxy(struct lxc_seccomp *seccomp,
+ struct lxc_epoll_descr *descr,
+ struct lxc_handler *handler)
 {
 return 0;
 }
diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index a63b6d69f..34abda16a 100644
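Review bot: The new `if (conf && conf->seccomp.seccomp)` guard gates only the receiving side of the notifier handshake; the child's matching lxc_seccomp_send_notifier_fd() call on the other end of the ipc socket pair is outside this hunk, and unless it is gated on exactly the same condition, a child that still sends while the parent now skips the recv leaves the descriptor unread and the two ends of the protocol out of step. Deriving both decisions from a single predicate would keep them from drifting as the condition evolves. The `conf &&` half looks redundant at this point in lxc_attach(), since the removed lines dereferenced conf unconditionally here; dropping it avoids implying conf can be NULL this late. lxc_attach() starts and ends outside the hunk.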
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -1410,9 +1410,9 @@ void seccomp_conf_init(struct lxc_conf *conf)
 #endif
 }
-int lxc_seccomp_setup_notifier(struct lxc_seccomp *seccomp,
- struct lxc_epoll_descr *descr,
- struct lxc_handler *handler)
+int lxc_seccomp_setup_proxy(struct lxc_seccomp *seccomp,
+ struct lxc_epoll_descr *descr,
+ struct lxc_handler *handler)
 {
 #if HAVE_DECL_SECCOMP_NOTIF_GET_FD
 if (seccomp->notifier.wants_supervision &&
@@ -1421,20 +1421,32 @@ int lxc_seccomp_setup_notifier(struct lxc_seccomp *seccomp,
 int ret;
 notify_fd = lxc_unix_connect(&seccomp->notifier.proxy_addr);
- if (notify_fd < 0)
+ if (notify_fd < 0) {
+ SYSERROR("Failed to connect to seccomp proxy");
 return -1;
+ }
 /* 30 second timeout */
 ret = lxc_socket_set_timeout(notify_fd, 30, 30);
- if (ret)
+ if (ret) {
+ SYSERROR("Failed to set timeouts for seccomp proxy");
 return -1;
+ }
+
+ ret = seccomp_notif_alloc(&seccomp->notifier.req_buf,
+ &seccomp->notifier.rsp_buf);
+ if (ret) {
+ ERROR("Failed to allocate seccomp notify request and response buffers");
+ errno = ret;
+ return -1;
+ }
 ret = lxc_mainloop_add_handler(descr, seccomp->notifier.notify_fd,
 seccomp_notify_handler, handler);
 if (ret < 0) {
 ERROR("Failed to add seccomp notify handler for %d to mainloop",
- seccomp->notifier.notify_fd);
+ notify_fd);
 return -1;
 }
@@ -1469,15 +1481,6 @@ int lxc_seccomp_recv_notifier_fd(struct lxc_seccomp *seccomp, int socket_fd)
 1, NULL, 0);
 if (ret < 0)
 return -1;
-
- if (seccomp->notifier.proxy_fd >= 0) {
- ret = seccomp_notif_alloc(&seccomp->notifier.req_buf,
- &seccomp->notifier.rsp_buf);
- if (ret) {
- errno = ret;
- return -1;
- }
- }
 }
 #endif
 return 0;
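Review bot: The new error paths after `notify_fd = lxc_unix_connect(...)` succeeds — the timeout failure, the seccomp_notif_alloc() failure and the lxc_mainloop_add_handler() failure — all `return -1` without closing notify_fd, so every failed proxy setup leaks a connected socket unless notify_fd is declared with a cleanup attribute above the hunk. The request/response buffers from seccomp_notif_alloc() are likewise left allocated when lxc_mainloop_add_handler() fails, presumably until lxc_seccomp_free() runs. `errno = ret;` stores a negative number if seccomp_notif_alloc() follows libseccomp's convention of returning a negative errno value; `errno = -ret;` would be the valid form. The switch of the log argument to `notify_fd` is also misleading, since the descriptor actually registered with the mainloop is `seccomp->notifier.notify_fd`, not the proxy connection. The supervision branch continues past the end of the hunk.
```c
		notify_fd = lxc_unix_connect(&seccomp->notifier.proxy_addr);
		if (notify_fd < 0) {
			SYSERROR("Failed to connect to seccomp proxy");
			return -1;
		}

		/* 30 second timeout */
		ret = lxc_socket_set_timeout(notify_fd, 30, 30);
		if (ret) {
			SYSERROR("Failed to set timeouts for seccomp proxy");
			close_prot_errno_disarm(notify_fd);
			return -1;
		}

		ret = seccomp_notif_alloc(&seccomp->notifier.req_buf,
					  &seccomp->notifier.rsp_buf);
		if (ret) {
			ERROR("Failed to allocate seccomp notify request and response buffers");
			close_prot_errno_disarm(notify_fd);
			errno = -ret; /* libseccomp reports failures as negative errno values */
			return -1;
		}

		ret = lxc_mainloop_add_handler(descr, seccomp->notifier.notify_fd,
					       seccomp_notify_handler, handler);
		if (ret < 0) {
			ERROR("Failed to add seccomp notify handler for %d to mainloop",
			      seccomp->notifier.notify_fd);
			close_prot_errno_disarm(notify_fd);
			return -1;
		}
		/* … unchanged: remainder of the supervision branch (continues past the hunk) … */
```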
@@ -1488,11 +1491,11 @@ int lxc_seccomp_add_notifier(const char *name, const char *lxcpath,
 {
 #if HAVE_DECL_SECCOMP_NOTIF_GET_FD
- if (seccomp->notifier.proxy_fd >= 0) {
+ if (seccomp->notifier.wants_supervision) {
 int ret;
 ret = lxc_cmd_seccomp_notify_add_listener(name, lxcpath,
- seccomp->notifier.notify_fd,
+ seccomp->notifier.notify_fd, -1, 0);
 close_prot_errno_disarm(seccomp->notifier.notify_fd);
 if (ret < 0)
diff --git a/src/lxc/start.c b/src/lxc/start.c
index a72970fdf..5209af358 100644
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -591,9 +591,11 @@ int lxc_poll(const char *name, struct lxc_handler *handler)
 goto out_mainloop_console;
 }
- ret = lxc_seccomp_setup_notifier(&handler->conf->seccomp, &descr, handler);
- if (ret < 0)
+ ret = lxc_seccomp_setup_proxy(&handler->conf->seccomp, &descr, handler);
+ if (ret < 0) {
+ ERROR("Failed to setup seccomp proxy");
 goto out_mainloop_console;
+ }
 if (has_console) {
 struct lxc_terminal *console = &handler->conf->console;
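Review bot: The two trailing literals in `seccomp->notifier.notify_fd, -1, 0);` give the reader no hint what lxc_cmd_seccomp_notify_add_listener() does with them; a one-line comment above the call naming each argument, or named constants in place of `-1` and `0`, would make the new branch self-explaining. The gating predicate here, `seccomp->notifier.wants_supervision`, also differs from the one the attach.c caller uses (conf->seccomp.seccomp), and a short comment stating which relationship between the two is relied on would document the contract. lxc_seccomp_add_notifier() continues past the end of the hunk.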
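Review bot: `ERROR("Failed to setup seccomp proxy");` duplicates the SYSERROR/ERROR lines that lxc_seccomp_setup_proxy() already emits for each specific failure, so one failure now logs twice with the less specific message last. If the caller-side line is kept, SYSERROR would at least record the errno the failing call leaves behind before the -1 is returned. lxc_poll() starts and ends outside the hunk.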