Commit 045ee721 by Wolfgang Bumiller

seccomp: use SOCK_SEQPACKET for the notify proxy

The seccomp notify API has a few variables: The struct sizes are queried at runtime, and we now also have a user configured cookie. This means that with a SOCK_STREAM connection the proxy needs to carefully read() the right amount of data based on the contents of our proxy message struct to avoid ending up in the middle of a packet.

While for now this may not be too tragic, since we currently only ever send a single packet and then wait for the response, we may at some point want to be able to handle multiple processes simultaneously, hence it makes sense to switch to a packet based connection.

So switch to using SOCK_SEQPACKET which is packet based (and also guarantees ordering). The `MSG_PEEK` flag can be used with `recvmsg()` to figure out a packet's size on the other end, and usually the size *should* not change after that for an existing connection from a running container.

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
parent f910c9e5
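The commit message describes the receive side only in passing: on a SOCK_SEQPACKET connection the proxy can learn each packet's length with `MSG_PEEK` before reading it, and packet boundaries are preserved even when several messages are queued. The block below is an added, self-contained illustration of that behaviour over an AF_UNIX `socketpair()`; it is not LXC's code, and `struct demo_msg` is a constructed stand-in for the real proxy message (whose layout is not shown on this page). It uses `MSG_PEEK | MSG_TRUNC` to get the true packet size without consuming it, and refuses a packet that would not fit rather than letting the kernel truncate it.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Constructed stand-in for a proxy message with a variable-length tail
 * (hypothetical; LXC's real seccomp notify proxy struct is different). */
struct demo_msg {
	unsigned int cookie_len;
	char cookie[64];
};

/* Learn the size of the next queued packet without consuming it. On a
 * SOCK_SEQPACKET socket, MSG_PEEK | MSG_TRUNC makes recv() return the real
 * packet length even though only a one-byte buffer is supplied. */
static ssize_t peek_packet_size(int fd)
{
	char dummy;

	return recv(fd, &dummy, sizeof(dummy), MSG_PEEK | MSG_TRUNC);
}

/* Read exactly one packet into buf. A packet larger than bufsize is refused
 * (errno = EMSGSIZE) and left queued rather than silently cut short: on
 * SOCK_SEQPACKET the kernel discards whatever does not fit the buffer. */
static ssize_t recv_one_packet(int fd, void *buf, size_t bufsize)
{
	struct iovec iov = { .iov_base = buf, .iov_len = bufsize };
	struct msghdr hdr = { .msg_iov = &iov, .msg_iovlen = 1 };
	ssize_t want, n;

	want = peek_packet_size(fd);
	if (want < 0)
		return -1;
	if ((size_t)want > bufsize) {
		errno = EMSGSIZE;
		return -1;
	}
	n = recvmsg(fd, &hdr, 0);
	if (n >= 0 && (hdr.msg_flags & MSG_TRUNC)) {
		errno = EMSGSIZE; /* cannot happen after the size check, but never trust it */
		return -1;
	}
	return n;
}

/* Send two packets of different sizes back to back, then one that is too
 * large for the receiver. Returns 0 when every check passes, else negative. */
int run_seqpacket_demo(void)
{
	int sv[2];
	struct demo_msg a = { .cookie_len = 5 };
	struct demo_msg b = { .cookie_len = 11 };
	struct demo_msg got;
	char big[sizeof(struct demo_msg) + 16] = { 0 };
	size_t a_len, b_len;
	ssize_t n;

	memcpy(a.cookie, "hello", a.cookie_len);
	memcpy(b.cookie, "world-wide!", b.cookie_len);
	a_len = offsetof(struct demo_msg, cookie) + a.cookie_len;
	b_len = offsetof(struct demo_msg, cookie) + b.cookie_len;

	if (socketpair(AF_UNIX, SOCK_SEQPACKET, 0, sv) < 0)
		return -1;
	if (send(sv[0], &a, a_len, 0) != (ssize_t)a_len ||
	    send(sv[0], &b, b_len, 0) != (ssize_t)b_len)
		goto fail;
	/* peeking reports the first packet's size and leaves it queued */
	if (peek_packet_size(sv[1]) != (ssize_t)a_len)
		goto fail;
	n = recv_one_packet(sv[1], &got, sizeof(got));
	if (n != (ssize_t)a_len || got.cookie_len != 5 || memcmp(got.cookie, "hello", 5) != 0)
		goto fail;
	/* boundaries are preserved: the second packet arrives whole and in order */
	n = recv_one_packet(sv[1], &got, sizeof(got));
	if (n != (ssize_t)b_len || got.cookie_len != 11 || memcmp(got.cookie, "world-wide!", 11) != 0)
		goto fail;
	/* an oversized packet is refused instead of being truncated */
	if (send(sv[0], big, sizeof(big), 0) != (ssize_t)sizeof(big))
		goto fail;
	n = recv_one_packet(sv[1], &got, sizeof(got));
	if (n != -1 || errno != EMSGSIZE)
		goto fail;
	close(sv[0]);
	close(sv[1]);
	return 0;
fail:
	close(sv[0]);
	close(sv[1]);
	return -2;
}

int main(void)
{
	int rc = run_seqpacket_demo();

	if (rc == 0)
		puts("SOCK_SEQPACKET demo: all checks passed");
	else
		printf("SOCK_SEQPACKET demo failed (%d)\n", rc);
	return rc == 0 ? 0 : 1;
}
```

The size check before `recvmsg()` is the point a proxy implementation should not skip: the commit message notes that the size usually *should* not change for a running container, but a receiver that sizes its buffer once and then reads blindly would have later, larger packets silently truncated by the kernel, which on a seccomp notify channel means acting on an incomplete request.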
...@@ -1311,7 +1311,8 @@ static int seccomp_notify_reconnect(struct lxc_handler *handler) ...@@ -1311,7 +1311,8 @@ static int seccomp_notify_reconnect(struct lxc_handler *handler)
close_prot_errno_disarm(handler->conf->seccomp.notifier.proxy_fd); close_prot_errno_disarm(handler->conf->seccomp.notifier.proxy_fd);
notify_fd = lxc_unix_connect(&handler->conf->seccomp.notifier.proxy_addr); notify_fd = lxc_unix_connect_type(
&handler->conf->seccomp.notifier.proxy_addr, SOCK_SEQPACKET);
if (notify_fd < 0) { if (notify_fd < 0) {
SYSERROR("Failed to reconnect to seccomp proxy"); SYSERROR("Failed to reconnect to seccomp proxy");
return -1; return -1;
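Review bot: lxc_unix_connect_type() is not defined in any visible hunk; confirm it is introduced by this commit or by parent f910c9e5 and that it passes the type argument straight through to socket(2), otherwise this reconnect path does not build. A one-line comment beside `SOCK_SEQPACKET` would also help operators: a proxy still listening on a SOCK_STREAM socket makes connect() fail with EPROTOTYPE, and the only diagnostic a user sees is the generic "Failed to reconnect to seccomp proxy".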
...@@ -1501,7 +1502,8 @@ int lxc_seccomp_setup_proxy(struct lxc_seccomp *seccomp, ...@@ -1501,7 +1502,8 @@ int lxc_seccomp_setup_proxy(struct lxc_seccomp *seccomp,
__do_close_prot_errno int notify_fd = -EBADF; __do_close_prot_errno int notify_fd = -EBADF;
int ret; int ret;
notify_fd = lxc_unix_connect(&seccomp->notifier.proxy_addr); notify_fd = lxc_unix_connect_type(&seccomp->notifier.proxy_addr,
SOCK_SEQPACKET);
if (notify_fd < 0) { if (notify_fd < 0) {
SYSERROR("Failed to connect to seccomp proxy"); SYSERROR("Failed to connect to seccomp proxy");
return -1; return -1;
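Review bot: this is the second call site that now hard-codes SOCK_SEQPACKET alongside the reconnect path above; a single seccomp-specific wrapper or constant would keep the two from drifting. More importantly, changing the socket type is a wire-protocol change for every existing seccomp notify proxy, yet the commit message's MSG_PEEK-based reading is not reflected in any hunk here, so the proxy-side receive logic and the user-facing documentation of the proxy socket need a matching update (or a pointer to the commit that carries it).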