commands: partially backport seccomp notify

This backports seccomp notify into various parts of the codebase as a pure nop to make maintenance easier. Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commands: partially backport seccomp notify
85714791 · Christian Brauner · f3d279cc · 85714791 · 85714791 · 85714791
Unverified Commit 85714791 authored Apr 21, 2019 by Christian Brauner
7 changed files
--- a/src/lxc/af_unix.c
+++ b/src/lxc/af_unix.c
@@ -201,7 +201,8 @@ int lxc_abstract_unix_recv_fds(int fd, int *recvfds, int num_recvfds,
 	struct iovec iov;
 	struct cmsghdr *cmsg = NULL;
 	char buf[1] = {0};
-	size_t cmsgbufsize = CMSG_SPACE(num_recvfds * sizeof(int));
+	size_t cmsgbufsize = CMSG_SPACE(sizeof(struct ucred)) +
+			     CMSG_SPACE(num_recvfds * sizeof(int));

 	memset(&msg, 0, sizeof(msg));
 	memset(&iov, 0, sizeof(iov));
@@ -224,12 +225,20 @@ int lxc_abstract_unix_recv_fds(int fd, int *recvfds, int num_recvfds,
 	if (ret <= 0)
 		goto out;

-	cmsg = CMSG_FIRSTHDR(&msg);
-
-	memset(recvfds, -1, num_recvfds * sizeof(int));
-	if (cmsg && cmsg->cmsg_len == CMSG_LEN(num_recvfds * sizeof(int)) &&
-	    cmsg->cmsg_level == SOL_SOCKET && cmsg->cmsg_type == SCM_RIGHTS)
-		memcpy(recvfds, CMSG_DATA(cmsg), num_recvfds * sizeof(int));
+	/*
+	 * If SO_PASSCRED is set we will always get a ucred message.
+	 */
+	for (cmsg = CMSG_FIRSTHDR(&msg); cmsg; cmsg = CMSG_NXTHDR(&msg, cmsg)) {
+		if (cmsg->cmsg_type != SCM_RIGHTS)
+			continue;
+
+		memset(recvfds, -1, num_recvfds * sizeof(int));
+		if (cmsg &&
+		    cmsg->cmsg_len == CMSG_LEN(num_recvfds * sizeof(int)) &&
+		    cmsg->cmsg_level == SOL_SOCKET)
+			memcpy(recvfds, CMSG_DATA(cmsg), num_recvfds * sizeof(int));
+		break;
+	}

 out:
 	return ret;

--- a/src/lxc/attach.c
+++ b/src/lxc/attach.c
@@ -853,7 +853,9 @@ static int attach_child_main(struct attach_clone_payload *payload)

 	if (init_ctx->container && init_ctx->container->lxc_conf &&
 	    init_ctx->container->lxc_conf->seccomp) {
-		ret = lxc_seccomp_load(init_ctx->container->lxc_conf);
+		struct lxc_conf *conf = init_ctx->container->lxc_conf;
+
+		ret = lxc_seccomp_load(conf);
 		if (ret < 0)
 			goto on_error;


--- a/src/lxc/commands.c
+++ b/src/lxc/commands.c
--- a/src/lxc/commands.h
+++ b/src/lxc/commands.h
@@ -46,6 +46,7 @@ typedef enum {
 	LXC_CMD_ADD_STATE_CLIENT,
 	LXC_CMD_CONSOLE_LOG,
 	LXC_CMD_SERVE_STATE_CLIENTS,
+	LXC_CMD_SECCOMP_NOTIFY_ADD_LISTENER,
 	LXC_CMD_MAX,
 } lxc_cmd_t;

@@ -124,5 +125,10 @@ extern int lxc_cmd_mainloop_add(const char *name, struct lxc_epoll_descr *descr,
 extern int lxc_try_cmd(const char *name, const char *lxcpath);
 extern int lxc_cmd_console_log(const char *name, const char *lxcpath,
 			       struct lxc_console_log *log);
+extern int lxc_cmd_seccomp_notify_add_listener(const char *name,
+					       const char *lxcpath,
+					       int fd,
+					       /* unused */ unsigned int command,
+					       /* unused */ unsigned int flags);

 #endif /* __commands_h */
--- a/src/lxc/lxccontainer.c
+++ b/src/lxc/lxccontainer.c
@@ -4948,6 +4948,28 @@ out:
 	return ret;
 }

+static int do_lxcapi_seccomp_notify(struct lxc_container *c, unsigned int cmd, int fd)
+{
+#if HAVE_DECL_SECCOMP_NOTIF_GET_FD
+	if (!c || !c->lxc_conf)
+		return minus_one_set_errno(-EINVAL);
+
+	switch (cmd) {
+	case LXC_SECCOMP_NOTIFY_GET_FD:
+		if (fd)
+			return minus_one_set_errno(EINVAL);
+
+		return c->lxc_conf->seccomp_notify_fd;
+	}
+
+	return minus_one_set_errno(EINVAL);
+#else
+	return minus_one_set_errno(ENOSYS);
+#endif
+}
+
+WRAP_API_2(int, lxcapi_seccomp_notify, unsigned int, int)
+
 struct lxc_container *lxc_container_new(const char *name, const char *configpath)
 {
 	struct lxc_container *c;

--- a/src/lxc/macro.h
+++ b/src/lxc/macro.h
@@ -407,4 +407,10 @@ enum {
 		__internal_fd__;            \
 	})

+#define minus_one_set_errno(__errno__) \
+	({                             \
+		errno = __errno__;     \
+		-1;                    \
+	})
+
 #endif /* __LXC_MACRO_H */
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -1085,6 +1085,9 @@ void lxc_abort(const char *name, struct lxc_handler *handler)

 static int do_start(void *data)
 {
+	struct lxc_handler *handler = data;
+	__do_close_prot_errno int data_sock0 = handler->data_sock[0],
+				  data_sock1 = handler->data_sock[1];
 	int ret;
 	char path[PATH_MAX];
 	uid_t new_uid;
@@ -1093,7 +1096,6 @@ static int do_start(void *data)
 	uid_t nsuid = 0;
 	gid_t nsgid = 0;
 	int devnull_fd = -1;
-	struct lxc_handler *handler = data;

 	lxc_sync_fini_parent(handler);

@@ -1269,8 +1271,6 @@ static int do_start(void *data)

 	/* Setup the container, ip, names, utsname, ... */
 	ret = lxc_setup(handler);
-	close(handler->data_sock[1]);
-	close(handler->data_sock[0]);
 	if (ret < 0) {
 		ERROR("Failed to setup container \"%s\"", handler->name);
 		goto out_warn_father;
@@ -1574,6 +1574,7 @@ static inline int do_share_ns(void *arg)
 */
 static int lxc_spawn(struct lxc_handler *handler)
 {
+	__do_close_prot_errno int data_sock0 = -EBADF, data_sock1 = -EBADF;
 	int i, ret;
 	char pidstr[20];
 	bool wants_to_map_ids;
@@ -1606,6 +1607,8 @@ static int lxc_spawn(struct lxc_handler *handler)
 			 handler->data_sock);
 	if (ret < 0)
 		goto out_sync_fini;
+	data_sock0 = handler->data_sock[0];
+	data_sock1 = handler->data_sock[1];

 	ret = resolve_clone_flags(handler);
 	if (ret < 0)
@@ -1962,11 +1965,6 @@ int __lxc_start(const char *name, struct lxc_handler *handler,
 		ERROR("Failed to spawn container \"%s\"", name);
 		goto out_detach_blockdev;
 	}
-	/* close parent side of data socket */
-	close(handler->data_sock[0]);
-	handler->data_sock[0] = -1;
-	close(handler->data_sock[1]);
-	handler->data_sock[1] = -1;

 	handler->conf->reboot = REBOOT_NONE;