seccomp: cleanup

src/lxc/af_unix.c

@@ -156,7 +156,8 @@ int lxc_abstract_unix_connect(const char *path)
 int lxc_abstract_unix_send_fds(int fd, int *sendfds, int num_sendfds,
 			       void *data, size_t size)
 {
-	__do_free char *cmsgbuf;
+	__do_free char *cmsgbuf = NULL;
+	int ret;
 	struct msghdr msg;
 	struct iovec iov;
 	struct cmsghdr *cmsg = NULL;
@@ -189,13 +190,19 @@ int lxc_abstract_unix_send_fds(int fd, int *sendfds, int num_sendfds,
 	msg.msg_iov = &iov;
 	msg.msg_iovlen = 1;
 
-	return sendmsg(fd, &msg, MSG_NOSIGNAL);
+again:
+	ret = sendmsg(fd, &msg, MSG_NOSIGNAL);
+	if (ret < 0)
+		if (errno == EINTR)
+			goto again;
+
+	return ret;
 }
 
 int lxc_abstract_unix_recv_fds(int fd, int *recvfds, int num_recvfds,
 			       void *data, size_t size)
 {
-	__do_free char *cmsgbuf;
+	__do_free char *cmsgbuf = NULL;
 	int ret;
 	struct msghdr msg;
 	struct iovec iov;
@@ -221,8 +228,15 @@ int lxc_abstract_unix_recv_fds(int fd, int *recvfds, int num_recvfds,
 	msg.msg_iov = &iov;
 	msg.msg_iovlen = 1;
 
+again:
 	ret = recvmsg(fd, &msg, 0);
-	if (ret <= 0)
+	if (ret < 0) {
+		if (errno == EINTR)
+			goto again;
+
+		goto out;
+	}
+	if (ret == 0)
 		goto out;
 
 	/*

src/lxc/attach.c

@@ -608,8 +608,8 @@ static bool fetch_seccomp(struct lxc_container *c, lxc_attach_options_t *options
 
 	if (!(options->namespaces & CLONE_NEWNS) ||
 	    !(options->attach_flags & LXC_ATTACH_LSM)) {
-		free(c->lxc_conf->seccomp);
-		c->lxc_conf->seccomp = NULL;
+		free(c->lxc_conf->seccomp.seccomp);
+		c->lxc_conf->seccomp.seccomp = NULL;
 		return true;
 	}
 
@@ -852,7 +852,7 @@ static int attach_child_main(struct attach_clone_payload *payload)
 	}
 
 	if (init_ctx->container && init_ctx->container->lxc_conf &&
-	    init_ctx->container->lxc_conf->seccomp) {
+	    init_ctx->container->lxc_conf->seccomp.seccomp) {
 		struct lxc_conf *conf = init_ctx->container->lxc_conf;
 
 		ret = lxc_seccomp_load(conf);
@@ -861,18 +861,9 @@ static int attach_child_main(struct attach_clone_payload *payload)
 
 		TRACE("Loaded seccomp profile");
 
-#if HAVE_DECL_SECCOMP_NOTIF_GET_FD
-		if (conf->has_seccomp_notify) {
-			ret = lxc_abstract_unix_send_fds(payload->ipc_socket,
-							 &conf->seccomp_notify_fd,
-							 1, NULL, 0);
-			close_prot_errno_disarm(conf->seccomp_notify_fd);
-			if (ret < 0)
-				goto on_error;
-
-			TRACE("Sent seccomp listener fd to parent");
-		}
-#endif
+		ret = lxc_seccomp_send_notifier_fd(&conf->seccomp, payload->ipc_socket);
+		if (ret < 0)
+			goto on_error;
 	}
 
 	close(payload->ipc_socket);
@@ -1326,24 +1317,13 @@ int lxc_attach(const char *name, const char *lxcpath,
 			TRACE("Sent LSM label file descriptor %d to child", labelfd);
 		}
 
-#if HAVE_DECL_SECCOMP_NOTIF_GET_FD
-		if (conf->seccomp && conf->has_seccomp_notify) {
-			ret = lxc_abstract_unix_recv_fds(ipc_sockets[0],
-							 &conf->seccomp_notify_fd,
-							 1, NULL, 0);
-			if (ret < 0)
-				goto close_mainloop;
+		ret = lxc_seccomp_recv_notifier_fd(&conf->seccomp, ipc_sockets[0]);
+		if (ret < 0)
+			goto close_mainloop;
 
-			TRACE("Retrieved seccomp listener fd %d from child",
-			      conf->seccomp_notify_fd);
-			ret = lxc_cmd_seccomp_notify_add_listener(name, lxcpath,
-								  conf->seccomp_notify_fd,
-								  -1, 0);
-			close_prot_errno_disarm(conf->seccomp_notify_fd);
-			if (ret < 0)
-				goto close_mainloop;
-		}
-#endif
+		ret = lxc_seccomp_add_notifier(name, lxcpath, &conf->seccomp);
+		if (ret < 0)
+			goto close_mainloop;
 
 		/* We're done, the child process should now execute whatever it
 		 * is that the user requested. The parent can now track it with

src/lxc/commands.c

@@ -1053,7 +1053,7 @@ int lxc_cmd_seccomp_notify_add_listener(const char *name, const char *lxcpath,
 					/* unused */ unsigned int flags)
 {
 
-#if HAVE_DECL_SECCOMP_NOTIF_GET_FD
+#ifdef HAVE_SECCOMP_NOTIFY
 	int ret, stopped;
 	struct lxc_cmd_rr cmd = {
 		.req = {
@@ -1080,43 +1080,39 @@ static int lxc_cmd_seccomp_notify_add_listener_callback(int fd,
 							struct lxc_epoll_descr *descr)
 {
 	struct lxc_cmd_rsp rsp = {0};
-	int ret;
 
-#if HAVE_DECL_SECCOMP_NOTIF_GET_FD
+#ifdef HAVE_SECCOMP_NOTIFY
+	int ret;
 	__do_close_prot_errno int recv_fd = -EBADF;
 	int notify_fd = -EBADF;
 
-	if (!handler->conf->has_seccomp_notify ||
-	    handler->conf->seccomp_notify_proxy_fd < 0) {
-		rsp.ret = -EINVAL;
-		goto send_error;
+	ret = lxc_abstract_unix_recv_fds(fd, &recv_fd, 1, NULL, 0);
+	if (ret <= 0) {
+		rsp.ret = -errno;
+		goto out;
 	}
 
-	ret = lxc_abstract_unix_recv_fds(fd, &recv_fd, 1, NULL, 0);
-	if (ret <= 0)
-		goto reap_client_fd;
+	if (!handler->conf->seccomp.notifier.wants_supervision ||
+	    handler->conf->seccomp.notifier.proxy_fd < 0) {
+		SYSERROR("No seccomp proxy fd specified");
+		rsp.ret = -EINVAL;
+		goto out;
+	}
 
-	ret = lxc_mainloop_add_handler(descr, notify_fd, seccomp_notify_handler,
+	ret = lxc_mainloop_add_handler(descr, recv_fd, seccomp_notify_handler,
 				       handler);
+	if (ret < 0) {
+		rsp.ret = -errno;
+		goto out;
+	}
 	notify_fd = move_fd(recv_fd);
-	if (ret < 0)
-		goto reap_client_fd;
 
-send_error:
+out:
 #else
 	rsp.ret = -ENOSYS;
-#endif
-	ret = lxc_cmd_rsp_send(fd, &rsp);
-	if (ret < 0)
-		goto reap_client_fd;
-
-	return 0;
 
-reap_client_fd:
-	/* Special indicator to lxc_cmd_handler() to close the fd and do
-	 * related cleanup.
-	 */
-	return 1;
+#endif
+	return lxc_cmd_rsp_send(fd, &rsp);
 }
 
 static int lxc_cmd_process(int fd, struct lxc_cmd_req *req,

src/lxc/conf.c

@@ -2752,14 +2752,6 @@ struct lxc_conf *lxc_conf_init(void)
 	new->lsm_aa_profile = NULL;
 	lxc_list_init(&new->lsm_aa_raw);
 	new->lsm_se_context = NULL;
-#if HAVE_DECL_SECCOMP_NOTIF_GET_FD
-	new->has_seccomp_notify = false;
-	new->seccomp_notify_fd = -EBADF;
-	new->seccomp_notify_proxy_fd = -EBADF;
-	memset(&new->seccomp_notify_proxy_addr, 0, sizeof(new->seccomp_notify_proxy_addr));
-	new->seccomp_notify_req = NULL;
-	new->seccomp_notify_resp = NULL;
-#endif
 	new->tmp_umount_proc = false;
 	new->tmp_umount_proc = 0;
 	new->shmount.path_host = NULL;
@@ -2771,6 +2763,7 @@ struct lxc_conf *lxc_conf_init(void)
 	new->init_gid = 0;
 	memset(&new->cgroup_meta, 0, sizeof(struct lxc_cgroup));
 	memset(&new->ns_share, 0, sizeof(char *) * LXC_NS_MAX);
+	seccomp_conf_init(new);
 
 	return new;
 }
@@ -4074,7 +4067,7 @@ void lxc_conf_free(struct lxc_conf *conf)
 	free(conf->lsm_aa_profile);
 	free(conf->lsm_aa_profile_computed);
 	free(conf->lsm_se_context);
-	lxc_seccomp_free(conf);
+	lxc_seccomp_free(&conf->seccomp);
 	lxc_clear_config_caps(conf);
 	lxc_clear_config_keepcaps(conf);
 	lxc_clear_cgroups(conf, "lxc.cgroup", CGROUP_SUPER_MAGIC);

src/lxc/conf.h

@@ -38,6 +38,7 @@
 #include "compiler.h"
 #include "config.h"
 #include "list.h"
+#include "lxcseccomp.h"
 #include "ringbuf.h"
 #include "start.h"
 #include "terminal.h"
@@ -295,19 +296,7 @@ struct lxc_conf {
 	struct lxc_list lsm_aa_raw;
 	char *lsm_se_context;
 	bool tmp_umount_proc;
-	char *seccomp;  /* filename with the seccomp rules */
-	unsigned int seccomp_allow_nesting;
-#if HAVE_SCMP_FILTER_CTX
-	scmp_filter_ctx seccomp_ctx;
-#endif
-#if HAVE_DECL_SECCOMP_NOTIF_GET_FD
-	bool has_seccomp_notify;
-	int seccomp_notify_fd;
-	int seccomp_notify_proxy_fd;
-	struct sockaddr_un seccomp_notify_proxy_addr;
-	struct seccomp_notif *seccomp_notify_req;
-	struct seccomp_notif_resp *seccomp_notify_resp;
-#endif
+	struct lxc_seccomp seccomp;
 	int maincmd_fd;
 	unsigned int autodev;  /* if 1, mount and fill a /dev at start */
 	int haltsignal; /* signal used to halt container */

src/lxc/confile.c

@@ -780,22 +780,27 @@ static int add_hook(struct lxc_conf *lxc_conf, int which, char *hook)
 static int set_config_seccomp_allow_nesting(const char *key, const char *value,
 					    struct lxc_conf *lxc_conf, void *data)
 {
+#ifdef HAVE_SECCOMP
 	if (lxc_config_value_empty(value))
 		return clr_config_seccomp_allow_nesting(key, lxc_conf, NULL);
 
-	if (lxc_safe_uint(value, &lxc_conf->seccomp_allow_nesting) < 0)
+	if (lxc_safe_uint(value, &lxc_conf->seccomp.allow_nesting) < 0)
 		return -1;
 
-	if (lxc_conf->seccomp_allow_nesting > 1)
+	if (lxc_conf->seccomp.allow_nesting > 1)
 		return minus_one_set_errno(EINVAL);
 
 	return 0;
+#else
+	errno = ENOSYS;
+	return -1;
+#endif
 }
 
 static int set_config_seccomp_notify_proxy(const char *key, const char *value,
 					   struct lxc_conf *lxc_conf, void *data)
 {
-#if HAVE_DECL_SECCOMP_NOTIF_GET_FD
+#ifdef HAVE_SECCOMP_NOTIFY
 	const char *offset;
 
 	if (lxc_config_value_empty(value))
@@ -805,7 +810,7 @@ static int set_config_seccomp_notify_proxy(const char *key, const char *value,
 		return minus_one_set_errno(EINVAL);
 
 	offset = value + 5;
-	if (lxc_unix_sockaddr(&lxc_conf->seccomp_notify_proxy_addr, offset) < 0)
+	if (lxc_unix_sockaddr(&lxc_conf->seccomp.notifier.proxy_addr, offset) < 0)
 		return -1;
 
 	return 0;
@@ -817,7 +822,7 @@ static int set_config_seccomp_notify_proxy(const char *key, const char *value,
 static int set_config_seccomp_profile(const char *key, const char *value,
 				      struct lxc_conf *lxc_conf, void *data)
 {
-	return set_config_path_item(&lxc_conf->seccomp, value);
+	return set_config_path_item(&lxc_conf->seccomp.seccomp, value);
 }
 
 static int set_config_execute_cmd(const char *key, const char *value,
@@ -3726,17 +3731,22 @@ static int get_config_seccomp_allow_nesting(const char *key, char *retv,
 					    int inlen, struct lxc_conf *c,
 					    void *data)
 {
-	return lxc_get_conf_int(c, retv, inlen, c->seccomp_allow_nesting);
+#ifdef HAVE_SECCOMP
+	return lxc_get_conf_int(c, retv, inlen, c->seccomp.allow_nesting);
+#else
+	errno = ENOSYS;
+	return -1;
+#endif
 }
 
 static int get_config_seccomp_notify_proxy(const char *key, char *retv, int inlen,
 					   struct lxc_conf *c, void *data)
 {
-#if HAVE_DECL_SECCOMP_NOTIF_GET_FD
+#ifdef HAVE_SECCOMP_NOTIFY
 	return lxc_get_conf_str(retv, inlen,
-				(c->seccomp_notify_proxy_addr.sun_path[0]) == '/'
-				    ? &c->seccomp_notify_proxy_addr.sun_path[0]
-				    : &c->seccomp_notify_proxy_addr.sun_path[1]);
+				(c->seccomp.notifier.proxy_addr.sun_path[0]) == '/'
+				    ? &c->seccomp.notifier.proxy_addr.sun_path[0]
+				    : &c->seccomp.notifier.proxy_addr.sun_path[1]);
 #else
 	return minus_one_set_errno(ENOSYS);
 #endif
@@ -3745,7 +3755,7 @@ static int get_config_seccomp_notify_proxy(const char *key, char *retv, int inle
 static int get_config_seccomp_profile(const char *key, char *retv, int inlen,
 				      struct lxc_conf *c, void *data)
 {
-	return lxc_get_conf_str(retv, inlen, c->seccomp);
+	return lxc_get_conf_str(retv, inlen, c->seccomp.seccomp);
 }
 
 static int get_config_autodev(const char *key, char *retv, int inlen,
@@ -4328,16 +4338,21 @@ static inline int clr_config_console_size(const char *key, struct lxc_conf *c,
 static inline int clr_config_seccomp_allow_nesting(const char *key,
 						   struct lxc_conf *c, void *data)
 {
-	c->seccomp_allow_nesting = 0;
+#ifdef HAVE_SECCOMP
+	c->seccomp.allow_nesting = 0;
 	return 0;
+#else
+	errno = ENOSYS;
+	return -1;
+#endif
 }
 
 static inline int clr_config_seccomp_notify_proxy(const char *key,
 						   struct lxc_conf *c, void *data)
 {
-#if HAVE_DECL_SECCOMP_NOTIF_GET_FD
-	memset(&c->seccomp_notify_proxy_addr, 0,
-	       sizeof(c->seccomp_notify_proxy_addr));
+#ifdef HAVE_SECCOMP_NOTIFY
+	memset(&c->seccomp.notifier.proxy_addr, 0,
+	       sizeof(c->seccomp.notifier.proxy_addr));
 	return 0;
 #else
 	return minus_one_set_errno(ENOSYS);
@@ -4347,8 +4362,8 @@ static inline int clr_config_seccomp_notify_proxy(const char *key,
 static inline int clr_config_seccomp_profile(const char *key,
 					     struct lxc_conf *c, void *data)
 {
-	free(c->seccomp);
-	c->seccomp = NULL;
+	free(c->seccomp.seccomp);
+	c->seccomp.seccomp = NULL;
 	return 0;
 }
 

src/lxc/lxccontainer.c

@@ -5229,7 +5229,6 @@ out:
 
 static int do_lxcapi_seccomp_notify(struct lxc_container *c, unsigned int cmd, int fd)
 {
-#if HAVE_DECL_SECCOMP_NOTIF_GET_FD
 	if (!c || !c->lxc_conf)
 		return minus_one_set_errno(-EINVAL);
 
@@ -5238,13 +5237,10 @@ static int do_lxcapi_seccomp_notify(struct lxc_container *c, unsigned int cmd, i
 		if (fd)
 			return minus_one_set_errno(EINVAL);
 
-		return c->lxc_conf->seccomp_notify_fd;
+		return lxc_seccomp_get_notify_fd(&c->lxc_conf->seccomp);
 	}
 
 	return minus_one_set_errno(EINVAL);
-#else
-	return minus_one_set_errno(ENOSYS);
-#endif
 }
 
 WRAP_API_2(int, lxcapi_seccomp_notify, unsigned int, int)

src/lxc/lxccontainer.h

@@ -31,7 +31,8 @@
 
 #include <lxc/attach_options.h>
 
-#if HAVE_DECL_SECCOMP_NOTIF_GET_FD
+#ifdef SCMP_ACT_USER_NOTIF
+#include <linux/seccomp.h>
 #include <seccomp.h>
 #endif
 
@@ -69,7 +70,7 @@ enum {
 	LXC_SECCOMP_NOTIFY_MAX,
 };
 
-#if HAVE_DECL_SECCOMP_NOTIF_GET_FD
+#ifdef SCMP_ACT_USER_NOTIF
 struct seccomp_notify_proxy_msg {
 	uint32_t version;
 	struct seccomp_notif req;

src/lxc/lxcseccomp.h

@@ -24,21 +24,86 @@
 #ifndef __LXC_LXCSECCOMP_H
 #define __LXC_LXCSECCOMP_H
 
+#ifndef _GNU_SOURCE
+#define _GNU_SOURCE 1
+#endif
 #include <errno.h>
 #ifdef HAVE_SECCOMP
+#include <linux/seccomp.h>
 #include <seccomp.h>
 #endif
+#if HAVE_DECL_SECCOMP_NOTIF_GET_FD
+#include <sys/socket.h>
+#include <sys/un.h>
+#endif
 
 #include "conf.h"
+#include "config.h"
+#include "memory_utils.h"
+
+struct lxc_conf;
+struct lxc_epoll_descr;
+struct lxc_handler;
 
 #ifdef HAVE_SECCOMP
+
+#if HAVE_DECL_SECCOMP_NOTIF_GET_FD
+struct seccomp_notify {
+	bool wants_supervision;
+	int notify_fd;
+	int proxy_fd;
+	struct sockaddr_un proxy_addr;
+	struct seccomp_notif *req_buf;
+	struct seccomp_notif_resp *rsp_buf;
+};
+
+#define HAVE_SECCOMP_NOTIFY 1
+
+#endif /* HAVE_DECL_SECCOMP_NOTIF_GET_FD */
+
+struct lxc_seccomp {
+	char *seccomp;
+#if HAVE_SCMP_FILTER_CTX
+	unsigned int allow_nesting;
+	scmp_filter_ctx seccomp_ctx;
+#endif /* HAVE_SCMP_FILTER_CTX */
+
+#if HAVE_DECL_SECCOMP_NOTIF_GET_FD
+	struct seccomp_notify notifier;
+#endif /* HAVE_DECL_SECCOMP_NOTIF_GET_FD */
+};
+
 extern int lxc_seccomp_load(struct lxc_conf *conf);
 extern int lxc_read_seccomp_config(struct lxc_conf *conf);
-extern void lxc_seccomp_free(struct lxc_conf *conf);
+extern void lxc_seccomp_free(struct lxc_seccomp *seccomp);
 extern int seccomp_notify_handler(int fd, uint32_t events, void *data,
 				  struct lxc_epoll_descr *descr);
-
+extern void seccomp_conf_init(struct lxc_conf *conf);
+extern int lxc_seccomp_setup_notifier(struct lxc_seccomp *seccomp,
+				      struct lxc_epoll_descr *descr,
+				      struct lxc_handler *handler);
+extern int lxc_seccomp_send_notifier_fd(struct lxc_seccomp *seccomp,
+					int socket_fd);
+extern int lxc_seccomp_recv_notifier_fd(struct lxc_seccomp *seccomp,
+					int socket_fd);
+extern int lxc_seccomp_add_notifier(const char *name, const char *lxcpath,
+				    struct lxc_seccomp *seccomp);
+static inline int lxc_seccomp_get_notify_fd(struct lxc_seccomp *seccomp)
+{
+#if HAVE_DECL_SECCOMP_NOTIF_GET_FD
+	return seccomp->notifier.notify_fd;
 #else
+	errno = ENOSYS;
+	return -EBADF;
+#endif
+}
+
+#else /* HAVE_SECCOMP */
+
+struct lxc_seccomp {
+	char *seccomp;
+};
+
 static inline int lxc_seccomp_load(struct lxc_conf *conf)
 {
 	return 0;
@@ -49,16 +114,50 @@ static inline int lxc_read_seccomp_config(struct lxc_conf *conf)
 	return 0;
 }
 
-static inline void lxc_seccomp_free(struct lxc_conf *conf)
+static inline void lxc_seccomp_free(struct lxc_seccomp *seccomp)
 {
-	free(conf->seccomp);
-	conf->seccomp = NULL;
+	free_disarm(seccomp->seccomp);
 }
+
 static inline int seccomp_notify_handler(int fd, uint32_t events, void *data,
 				  struct lxc_epoll_descr *descr)
 {
 	return -ENOSYS;
 }
-#endif
 
-#endif
+static inline void seccomp_conf_init(struct lxc_conf *conf)
+{
+}
+
+static inline int lxc_seccomp_setup_notifier(struct lxc_seccomp *seccomp,
+					     struct lxc_epoll_descr *descr,
+					     struct lxc_handler *handler)
+{
+	return 0;
+}
+
+static inline int lxc_seccomp_send_notifier_fd(struct lxc_seccomp *seccomp,
+					       int socket_fd)
+{
+	return 0;
+}
+
+static inline int lxc_seccomp_recv_notifier_fd(struct lxc_seccomp *seccomp,
+					int socket_fd)
+{
+	return 0;
+}
+
+static inline int lxc_seccomp_add_notifier(const char *name, const char *lxcpath,
+					   struct lxc_seccomp *seccomp)
+{
+	return 0;
+}
+
+static inline int lxc_seccomp_get_notify_fd(struct lxc_seccomp *seccomp)
+{
+	return -EBADF;
+}
+
+#endif /* HAVE_SECCOMP */
+#endif /* __LXC_LXCSECCOMP_H */

src/lxc/memory_utils.h

@@ -55,6 +55,12 @@ static inline void __auto_closedir__(DIR **d)
 		fd = -EBADF;        \
 	}
 
+#define free_disarm(ptr)       \
+	({                     \
+		free(ptr);     \
+		move_ptr(ptr); \
+	})
+
 static inline void __auto_close__(int *fd)
 {
 	close_prot_errno_disarm(*fd);

src/lxc/start.c

@@ -591,32 +591,9 @@ int lxc_poll(const char *name, struct lxc_handler *handler)
 		goto out_mainloop_console;
 	}
 
-#if HAVE_DECL_SECCOMP_NOTIF_GET_FD
-	if (handler->conf->has_seccomp_notify &&
-	    handler->conf->seccomp_notify_proxy_addr.sun_path[1] != '\0') {
-                __do_close_prot_errno int notify_fd = -EBADF;
-
-		notify_fd = lxc_unix_connect(&handler->conf->seccomp_notify_proxy_addr);
-		if (notify_fd < 0)
-			goto out_mainloop_console;
-
-		/* 30 second timeout */
-		ret = lxc_socket_set_timeout(notify_fd, 30, 30);
-		if (ret)
-			goto out_mainloop_console;
-
-		ret = lxc_mainloop_add_handler(&descr,
-					       handler->conf->seccomp_notify_fd,
-					       seccomp_notify_handler, handler);
-		if (ret < 0) {
-			ERROR("Failed to add seccomp notify handler for %d to mainloop",
-			      handler->conf->seccomp_notify_fd);
-			goto out_mainloop_console;
-		}
-
-		handler->conf->seccomp_notify_proxy_fd = move_fd(notify_fd);
-	}
-#endif
+	ret = lxc_seccomp_setup_notifier(&handler->conf->seccomp, &descr, handler);
+	if (ret < 0)
+		goto out_mainloop_console;
 
 	if (has_console) {
 		struct lxc_terminal *console = &handler->conf->console;
@@ -1357,19 +1334,11 @@ static int do_start(void *data)
 	if (ret < 0)
 		goto out_warn_father;
 
-#if HAVE_DECL_SECCOMP_NOTIF_GET_FD
-	if (handler->conf->has_seccomp_notify) {
-		ret = lxc_abstract_unix_send_fds(data_sock0,
-						 &handler->conf->seccomp_notify_fd,
-						 1, NULL, 0);
-		if (ret < 0) {
-			SYSERROR("Failed to send seccomp notify fd to parent");
-			goto out_warn_father;
-		}
-		close(handler->conf->seccomp_notify_fd);
-		handler->conf->seccomp_notify_fd = -EBADF;
+	ret = lxc_seccomp_send_notifier_fd(&handler->conf->seccomp, data_sock0);
+	if (ret < 0) {
+		SYSERROR("Failed to send seccomp notify fd to parent");
+		goto out_warn_father;
 	}
-#endif
 
 	ret = run_lxc_hooks(handler->name, "start", handler->conf, NULL);
 	if (ret < 0) {
@@ -1932,25 +1901,11 @@ static int lxc_spawn(struct lxc_handler *handler)
 		goto out_delete_net;
 	}
 
-#if HAVE_DECL_SECCOMP_NOTIF_GET_FD
-	if (handler->conf->has_seccomp_notify) {
-		ret = lxc_abstract_unix_recv_fds(handler->data_sock[1],
-						 &handler->conf->seccomp_notify_fd,
-						 1, NULL, 0);
-		if (ret < 0) {
-			SYSERROR("Failed to receive seccomp notify fd from child");
-			goto out_delete_net;
-		}
-
-		ret = seccomp_notif_alloc(&handler->conf->seccomp_notify_req,
-					  &handler->conf->seccomp_notify_resp);
-		if (ret) {
-			errno = ret;
-			ret = -1;
-			goto out_delete_net;
-		}
+	ret = lxc_seccomp_recv_notifier_fd(&handler->conf->seccomp, data_sock1);
+	if (ret < 0) {
+		SYSERROR("Failed to receive seccomp notify fd from child");
+		goto out_delete_net;
 	}
-#endif
 
 	ret = handler->ops->post_start(handler, handler->data);
 	if (ret < 0)

src/tests/Makefile.am

@@ -25,7 +25,8 @@ lxc_test_locktests_SOURCES = locktests.c
 lxc_test_lxcpath_SOURCES = lxcpath.c
 lxc_test_may_control_SOURCES = may_control.c
 lxc_test_mount_injection_SOURCES = mount_injection.c lxctest.h
-lxc_test_parse_config_file_SOURCES = parse_config_file.c lxctest.h
+lxc_test_parse_config_file_SOURCES = parse_config_file.c \
+				     lxctest.h
 lxc_test_raw_clone_SOURCES = lxc_raw_clone.c \
 			     lxctest.h \
 			     ../lxc/namespace.c ../lxc/namespace.h \
@@ -57,6 +58,11 @@ if ENABLE_APPARMOR
 AM_CFLAGS += -DHAVE_APPARMOR
 endif
 
+if ENABLE_SECCOMP
+AM_CFLAGS += -DHAVE_SECCOMP \
+	     $(SECCOMP_CFLAGS)
+endif
+
 if ENABLE_SELINUX
 AM_CFLAGS += -DHAVE_SELINUX
 endif

src/tests/parse_config_file.c

@@ -28,6 +28,7 @@
 #include <unistd.h>
 #include <libgen.h>
 
+#include "conf.h"
 #include "confile_utils.h"
 #include "lxc/state.h"
 #include "lxctest.h"