Merge pull request #3572 from brauner/2020-11-02/seccomp_nonblocking

src/lxc/file_utils.c

@@ -577,3 +577,15 @@ int open_beneath(int dir_fd, const char *path, unsigned int flags)
 
 	return openat(dir_fd, path, O_NOFOLLOW | flags);
 }
+
+int fd_make_nonblocking(int fd)
+{
+	int flags;
+
+	flags = fcntl(fd, F_GETFL);
+	if (flags < 0)
+		return -1;
+
+	flags &= ~O_NONBLOCK;
+	return fcntl(fd, F_SETFL, flags);
+}

src/lxc/file_utils.h

@@ -76,5 +76,6 @@ __hidden extern int timens_offset_write(clockid_t clk_id, int64_t s_offset, int6
 __hidden extern bool exists_dir_at(int dir_fd, const char *path);
 __hidden extern bool exists_file_at(int dir_fd, const char *path);
 __hidden extern int open_beneath(int dir_fd, const char *path, unsigned int flags);
+__hidden int fd_make_nonblocking(int fd);
 
 #endif /* __LXC_FILE_UTILS_H */

src/lxc/seccomp.c

@@ -1280,6 +1280,9 @@ int lxc_seccomp_load(struct lxc_conf *conf)
 			return -1;
 		}
 
+		if (fd_make_nonblocking(ret))
+			return log_error_errno(-1, errno, "Failed to make seccomp listener fd non-blocking");;
+
 		conf->seccomp.notifier.notify_fd = ret;
 		TRACE("Retrieved new seccomp listener fd %d", ret);
 	}
@@ -1387,7 +1390,10 @@ int seccomp_notify_handler(int fd, uint32_t events, void *data,
 	memset(req, 0, conf->seccomp.notifier.sizes.seccomp_notif);
 	ret = seccomp_notify_receive(fd, req);
 	if (ret) {
-		SYSERROR("Failed to read seccomp notification");
+		if (errno == ENOENT)
+			TRACE("Intercepted system call aborted");
+		else
+			SYSERROR("Failed to read seccomp notification");
 		goto out;
 	}