Merge pull request #3508 from brauner/2020-08-06/fixes

doc/api-extensions.md

@@ -136,3 +136,7 @@ This adds the ability to use "denylist" and "allowlist" in seccomp v2 policies.
 
 This adds the ability to allocate a file descriptor for the devpts instance of
 the container.
+
+## seccomp\_notify\_fd\_active
+
+Retrieve the seccomp notifier fd from a running container.

src/lxc/api_extensions.h

@@ -44,6 +44,7 @@ static char *api_extensions[] = {
 	"time_namespace",
 	"seccomp_allow_deny_syntax",
 	"devpts_fd",
+	"seccomp_notify_fd_active",
 };
 
 static size_t nr_api_extensions = sizeof(api_extensions) / sizeof(*api_extensions);

src/lxc/commands.c

@@ -87,6 +87,7 @@ static const char *lxc_cmd_str(lxc_cmd_t cmd)
 		[LXC_CMD_GET_LIMITING_CGROUP]		= "get_limiting_cgroup",
 		[LXC_CMD_GET_LIMITING_CGROUP2_FD]	= "get_limiting_cgroup2_fd",
 		[LXC_CMD_GET_DEVPTS_FD]			= "get_devpts_fd",
+		[LXC_CMD_GET_SECCOMP_NOTIFY_FD]		= "get_seccomp_notify_fd",
 	};
 
 	if (cmd >= LXC_CMD_MAX)
@@ -162,6 +163,11 @@ static int lxc_cmd_rsp_recv(int sock, struct lxc_cmd_rr *cmd)
 		rsp->data = INT_TO_PTR(devpts_fd);
 	}
 
+	if (cmd->req.cmd == LXC_CMD_GET_SECCOMP_NOTIFY_FD) {
+		int seccomp_notify_fd = move_fd(fd_rsp);
+		rsp->data = INT_TO_PTR(seccomp_notify_fd);
+	}
+
 	if (rsp->datalen == 0)
 		return log_debug(ret,
 				 "Response data length for command \"%s\" is 0",
@@ -490,6 +496,51 @@ static int lxc_cmd_get_devpts_fd_callback(int fd, struct lxc_cmd_req *req,
 	return 0;
 }
 
+int lxc_cmd_get_seccomp_notify_fd(const char *name, const char *lxcpath)
+{
+#if HAVE_DECL_SECCOMP_NOTIFY_FD
+	int ret, stopped;
+	struct lxc_cmd_rr cmd = {
+		.req = {
+			.cmd = LXC_CMD_GET_SECCOMP_NOTIFY_FD,
+		},
+	};
+
+	ret = lxc_cmd(name, &cmd, &stopped, lxcpath, NULL);
+	if (ret < 0)
+		return log_debug_errno(-1, errno, "Failed to process seccomp notify fd command");
+
+	if (cmd.rsp.ret < 0)
+		return log_debug_errno(-EBADF, errno, "Failed to receive seccomp notify fd");
+
+	return PTR_TO_INT(cmd.rsp.data);
+#else
+	return ret_errno(EOPNOTSUPP);
+#endif
+}
+
+static int lxc_cmd_get_seccomp_notify_fd_callback(int fd, struct lxc_cmd_req *req,
+						  struct lxc_handler *handler,
+						  struct lxc_epoll_descr *descr)
+{
+#if HAVE_DECL_SECCOMP_NOTIFY_FD
+	struct lxc_cmd_rsp rsp = {
+		.ret = 0,
+	};
+	int ret;
+
+	if (!handler->conf || handler->conf->seccomp.notifier.notify_fd < 0)
+		rsp.ret = -EBADF;
+	ret = lxc_abstract_unix_send_fds(fd, &handler->conf->seccomp.notifier.notify_fd, 1, &rsp, sizeof(rsp));
+	if (ret < 0)
+		return log_error(LXC_CMD_REAP_CLIENT_FD, "Failed to send seccomp notify fd");
+
+	return 0;
+#else
+	return ret_errno(EOPNOTSUPP);
+#endif
+}
+
 /*
  * lxc_cmd_get_clone_flags: Get clone flags container was spawned with
  *
@@ -1549,6 +1600,7 @@ static int lxc_cmd_process(int fd, struct lxc_cmd_req *req,
 		[LXC_CMD_GET_LIMITING_CGROUP]           = lxc_cmd_get_limiting_cgroup_callback,
 		[LXC_CMD_GET_LIMITING_CGROUP2_FD]       = lxc_cmd_get_limiting_cgroup2_fd_callback,
 		[LXC_CMD_GET_DEVPTS_FD]			= lxc_cmd_get_devpts_fd_callback,
+		[LXC_CMD_GET_SECCOMP_NOTIFY_FD]		= lxc_cmd_get_seccomp_notify_fd_callback,
 	};
 
 	if (req->cmd >= LXC_CMD_MAX)

src/lxc/commands.h

@@ -42,6 +42,7 @@ typedef enum {
 	LXC_CMD_GET_LIMITING_CGROUP,
 	LXC_CMD_GET_LIMITING_CGROUP2_FD,
 	LXC_CMD_GET_DEVPTS_FD,
+	LXC_CMD_GET_SECCOMP_NOTIFY_FD,
 	LXC_CMD_MAX,
 } lxc_cmd_t;
 
@@ -120,6 +121,7 @@ __hidden extern int lxc_cmd_mainloop_add(const char *name, struct lxc_epoll_desc
 __hidden extern int lxc_try_cmd(const char *name, const char *lxcpath);
 __hidden extern int lxc_cmd_console_log(const char *name, const char *lxcpath,
 					struct lxc_console_log *log);
+__hidden extern int lxc_cmd_get_seccomp_notify_fd(const char *name, const char *lxcpath);
 __hidden extern int lxc_cmd_seccomp_notify_add_listener(const char *name, const char *lxcpath, int fd,
 							/* unused */ unsigned int command,
 							/* unused */ unsigned int flags);

src/lxc/lxccontainer.c

@@ -5240,6 +5240,16 @@ static int do_lxcapi_seccomp_notify_fd(struct lxc_container *c)
 
 WRAP_API(int, lxcapi_seccomp_notify_fd)
 
+static int do_lxcapi_seccomp_notify_fd_active(struct lxc_container *c)
+{
+	if (!c || !c->lxc_conf)
+		return ret_set_errno(-1, -EINVAL);
+
+	return lxc_cmd_get_seccomp_notify_fd(c->name, c->config_path);
+}
+
+WRAP_API(int, lxcapi_seccomp_notify_fd_active)
+
 struct lxc_container *lxc_container_new(const char *name, const char *configpath)
 {
 	struct lxc_container *c;
@@ -5382,6 +5392,7 @@ struct lxc_container *lxc_container_new(const char *name, const char *configpath
 	c->mount = lxcapi_mount;
 	c->umount = lxcapi_umount;
 	c->seccomp_notify_fd = lxcapi_seccomp_notify_fd;
+	c->seccomp_notify_fd_active = lxcapi_seccomp_notify_fd_active;
 
 	return c;
 

src/lxc/lxccontainer.h

@@ -858,6 +858,15 @@ struct lxc_container {
 	int (*seccomp_notify_fd)(struct lxc_container *c);
 
 	/*!
+	 * \brief Retrieve a file descriptor for the running container's seccomp filter.
+	 *
+	 * \param c Container
+	 *
+	 * \return file descriptor for the running container's seccomp filter
+	 */
+	int (*seccomp_notify_fd_active)(struct lxc_container *c);
+
+	/*!
 	 * \brief Retrieve a pidfd for the container's init process.
 	 *
 	 * \param c Container.

src/lxc/seccomp.c

@@ -1357,7 +1357,7 @@ int seccomp_notify_handler(int fd, uint32_t events, void *data,
 	__do_close int fd_mem = -EBADF;
 	int ret;
 	ssize_t bytes;
-	int send_fd_list[2];
+	int send_fd_list[3];
 	struct iovec iov[4];
 	size_t iov_len, msg_base_size, msg_full_size;
 	char mem_path[6 /* /proc/ */
@@ -1460,10 +1460,10 @@ int seccomp_notify_handler(int fd, uint32_t events, void *data,
 
 	send_fd_list[0] = fd_pid;
 	send_fd_list[1] = fd_mem;
+	send_fd_list[2] = fd;
 
 retry:
-	bytes = lxc_abstract_unix_send_fds_iov(listener_proxy_fd, send_fd_list,
-					       2, iov, iov_len);
+	bytes = lxc_abstract_unix_send_fds_iov(listener_proxy_fd, send_fd_list, 3, iov, iov_len);
 	if (bytes != (ssize_t)msg_full_size) {
 		SYSERROR("Failed to forward message to seccomp proxy");
 		if (!reconnected) {