From: Wolfgang Bumiller Date: Fri, 5 Jul 2019 09:30:24 +0000 (+0200) Subject: seccomp: keep retrying to reconnect to proxy X-Git-Tag: lxc-3.2.0~9^2~5 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ed3a98c4c260fea0886da822fb5a11304cfa8d4d;p=thirdparty%2Flxc.git seccomp: keep retrying to reconnect to proxy If a syscall happens after we already failed to communicate with the proxy, proxy_fd was -1. Before the previous commit we'd then be stuck in the state where there was no proxy registered. With the previous commit we'd send a default reply and only then try to reconnect. Improve this even further by trying to reconnect right at the start. Signed-off-by: Wolfgang Bumiller --- diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c index 12e6dbe78..ebbdc0732 100644 --- a/src/lxc/seccomp.c +++ b/src/lxc/seccomp.c @@ -1374,8 +1374,18 @@ int seccomp_notify_handler(int fd, uint32_t events, void *data, } if (listener_proxy_fd < 0) { - ERROR("No seccomp proxy registered"); - return seccomp_notify_default_answer(fd, req, resp, hdlr); + ret = -1; + /* Same condition as for the initial setup_proxy() */ + if (conf->seccomp.notifier.wants_supervision && + conf->seccomp.notifier.proxy_addr.sun_path[1] != '\0') { + ret = seccomp_notify_reconnect(hdlr); + } + if (ret) { + ERROR("No seccomp proxy registered"); + return seccomp_notify_default_answer(fd, req, resp, + hdlr); + } + listener_proxy_fd = conf->seccomp.notifier.proxy_fd; } /* remember the ID in case we receive garbage from the proxy */
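Review bot: In the new listener_proxy_fd < 0 branch, the reconnect condition (wants_supervision set and proxy_addr.sun_path[1] != '\0') is a copy of the one in setup_proxy(), linked to it only by the comment "Same condition as for the initial setup_proxy()"; moving it into a small shared helper would keep the two checks from drifting apart. In the same branch, ERROR("No seccomp proxy registered") is now logged both when no proxy is configured and when seccomp_notify_reconnect() returned non-zero, so a separate message for the failed reconnect would let an operator tell from the log why a syscall received the default answer. It would also help to check, or state in a comment, that conf->seccomp.notifier.proxy_fd is a valid descriptor whenever seccomp_notify_reconnect() returns 0, since listener_proxy_fd is assigned from it without a further test.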