Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
L
lxc
Project
Overview
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Chen Yisong
lxc
Commits
eb587451
Unverified
Commit
eb587451
authored
Oct 15, 2020
by
Wolfgang Bumiller
Committed by
GitHub
Oct 15, 2020
Browse files
Options
Browse Files
Download
Plain Diff
Merge pull request #3553 from brauner/2020-10-15/seccomp
seccomp: bugfixes
parents
186ff2be
dc70d7e4
Hide whitespace changes
Inline
Side-by-side
Showing
1 changed file
with
19 additions
and
5 deletions
+19
-5
seccomp.c
src/lxc/seccomp.c
+19
-5
No files found.
src/lxc/seccomp.c
View file @
eb587451
...
@@ -1347,9 +1347,14 @@ static void seccomp_notify_default_answer(int fd, struct seccomp_notif *req,
...
@@ -1347,9 +1347,14 @@ static void seccomp_notify_default_answer(int fd, struct seccomp_notif *req,
{
{
resp
->
id
=
req
->
id
;
resp
->
id
=
req
->
id
;
resp
->
error
=
-
ENOSYS
;
resp
->
error
=
-
ENOSYS
;
resp
->
val
=
0
;
resp
->
flags
=
0
;
if
(
seccomp_notify_respond
(
fd
,
resp
))
if
(
seccomp_notify_respond
(
fd
,
resp
))
SYSERROR
(
"Failed to send default message to seccomp"
);
SYSERROR
(
"Failed to send default message to seccomp notification with id(%llu)"
,
resp
->
id
);
else
TRACE
(
"Sent default response for seccomp notification with id(%llu)"
,
resp
->
id
);
memset
(
resp
,
0
,
handler
->
conf
->
seccomp
.
notifier
.
sizes
.
seccomp_notif_resp
);
}
}
#endif
#endif
...
@@ -1377,7 +1382,7 @@ int seccomp_notify_handler(int fd, uint32_t events, void *data,
...
@@ -1377,7 +1382,7 @@ int seccomp_notify_handler(int fd, uint32_t events, void *data,
int
listener_proxy_fd
=
conf
->
seccomp
.
notifier
.
proxy_fd
;
int
listener_proxy_fd
=
conf
->
seccomp
.
notifier
.
proxy_fd
;
struct
seccomp_notify_proxy_msg
msg
=
{
0
};
struct
seccomp_notify_proxy_msg
msg
=
{
0
};
char
*
cookie
=
conf
->
seccomp
.
notifier
.
cookie
;
char
*
cookie
=
conf
->
seccomp
.
notifier
.
cookie
;
uint64_t
req_id
;
__u64
req_id
;
if
(
events
&
EPOLLHUP
)
{
if
(
events
&
EPOLLHUP
)
{
lxc_mainloop_del_handler
(
descr
,
fd
);
lxc_mainloop_del_handler
(
descr
,
fd
);
...
@@ -1385,7 +1390,7 @@ int seccomp_notify_handler(int fd, uint32_t events, void *data,
...
@@ -1385,7 +1390,7 @@ int seccomp_notify_handler(int fd, uint32_t events, void *data,
return
log_trace
(
0
,
"Removing seccomp notifier fd %d"
,
fd
);
return
log_trace
(
0
,
"Removing seccomp notifier fd %d"
,
fd
);
}
}
memset
(
req
,
0
,
sizeof
(
*
req
)
);
memset
(
req
,
0
,
conf
->
seccomp
.
notifier
.
sizes
.
seccomp_notif
);
ret
=
seccomp_notify_receive
(
fd
,
req
);
ret
=
seccomp_notify_receive
(
fd
,
req
);
if
(
ret
)
{
if
(
ret
)
{
SYSERROR
(
"Failed to read seccomp notification"
);
SYSERROR
(
"Failed to read seccomp notification"
);
...
@@ -1409,6 +1414,7 @@ int seccomp_notify_handler(int fd, uint32_t events, void *data,
...
@@ -1409,6 +1414,7 @@ int seccomp_notify_handler(int fd, uint32_t events, void *data,
/* remember the ID in case we receive garbage from the proxy */
/* remember the ID in case we receive garbage from the proxy */
resp
->
id
=
req_id
=
req
->
id
;
resp
->
id
=
req_id
=
req
->
id
;
TRACE
(
"Received seccomp notification with id(%llu)"
,
req_id
);
snprintf
(
mem_path
,
sizeof
(
mem_path
),
"/proc/%d"
,
req
->
pid
);
snprintf
(
mem_path
,
sizeof
(
mem_path
),
"/proc/%d"
,
req
->
pid
);
fd_pid
=
open
(
mem_path
,
O_RDONLY
|
O_DIRECTORY
|
O_CLOEXEC
);
fd_pid
=
open
(
mem_path
,
O_RDONLY
|
O_DIRECTORY
|
O_CLOEXEC
);
...
@@ -1433,7 +1439,7 @@ int seccomp_notify_handler(int fd, uint32_t events, void *data,
...
@@ -1433,7 +1439,7 @@ int seccomp_notify_handler(int fd, uint32_t events, void *data,
ret
=
seccomp_notify_id_valid
(
fd
,
req
->
id
);
ret
=
seccomp_notify_id_valid
(
fd
,
req
->
id
);
if
(
ret
<
0
)
{
if
(
ret
<
0
)
{
seccomp_notify_default_answer
(
fd
,
req
,
resp
,
hdlr
);
seccomp_notify_default_answer
(
fd
,
req
,
resp
,
hdlr
);
SYSERROR
(
"Invalid seccomp notify request id
"
);
SYSERROR
(
"Invalid seccomp notify request id
(%llu)"
,
req
->
id
);
goto
out
;
goto
out
;
}
}
...
@@ -1492,8 +1498,8 @@ retry:
...
@@ -1492,8 +1498,8 @@ retry:
}
}
if
(
resp
->
id
!=
req_id
)
{
if
(
resp
->
id
!=
req_id
)
{
ERROR
(
"Proxy returned response with illegal id(%llu) != id(%llu)"
,
resp
->
id
,
req_id
);
resp
->
id
=
req_id
;
resp
->
id
=
req_id
;
ERROR
(
"Proxy returned response with illegal id"
);
seccomp_notify_default_answer
(
fd
,
req
,
resp
,
hdlr
);
seccomp_notify_default_answer
(
fd
,
req
,
resp
,
hdlr
);
goto
out
;
goto
out
;
}
}
...
@@ -1505,9 +1511,17 @@ retry:
...
@@ -1505,9 +1511,17 @@ retry:
goto
out
;
goto
out
;
}
}
if
(
resp
->
id
!=
req_id
)
{
ERROR
(
"Proxy returned response with illegal id(%llu) != id(%llu)"
,
resp
->
id
,
req_id
);
resp
->
id
=
req_id
;
}
ret
=
seccomp_notify_respond
(
fd
,
resp
);
ret
=
seccomp_notify_respond
(
fd
,
resp
);
if
(
ret
)
if
(
ret
)
SYSERROR
(
"Failed to send seccomp notification"
);
SYSERROR
(
"Failed to send seccomp notification"
);
else
TRACE
(
"Sent response for seccomp notification with id(%llu)"
,
resp
->
id
);
memset
(
resp
,
0
,
conf
->
seccomp
.
notifier
.
sizes
.
seccomp_notif_resp
);
out:
out:
#endif
#endif
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment
