Merge pull request #2965 from brauner/2019-05-01/seccomp_notifier_fixes

seccomp: notifier fixes
2025-08-13 18:02:40 +00:00 · 2019-04-30 18:53:21 -04:00 · 2019-04-30 18:53:21 -04:00 · 0b8bb8db54
commit 0b8bb8db54
parent 8d539bc9a8 2ac0f627f5
5 changed files with 48 additions and 36 deletions
--- a/src/lxc/af_unix.c
+++ b/src/lxc/af_unix.c
@ -365,18 +365,23 @@ int lxc_unix_connect(struct sockaddr_un *addr)
 	int ret;
 	ssize_t len;

-	fd = socket(PF_UNIX, SOCK_STREAM, SOCK_CLOEXEC);
-	if (fd < 0)
+	fd = socket(AF_UNIX, SOCK_STREAM, 0);
+	if (fd < 0) {
+		SYSERROR("Failed to open new AF_UNIX socket");
 		return -1;
+	}

 	if (addr->sun_path[0] == '\0')
 		len = strlen(&addr->sun_path[1]);
 	else
 		len = strlen(&addr->sun_path[0]);
-	ret = connect(fd, (struct sockaddr *)&addr,
-		      offsetof(struct sockaddr_un, sun_path) + len + 1);
-	if (ret < 0)
+
+	ret = connect(fd, (struct sockaddr *)addr,
+		      offsetof(struct sockaddr_un, sun_path) + len);
+	if (ret < 0) {
+		SYSERROR("Failed to bind new AF_UNIX socket");
 		return -1;
+	}

 	return move_fd(fd);
 }
--- a/src/lxc/attach.c
+++ b/src/lxc/attach.c
@ -1317,13 +1317,15 @@ int lxc_attach(const char *name, const char *lxcpath,
 			TRACE("Sent LSM label file descriptor %d to child", labelfd);
 		}

-		ret = lxc_seccomp_recv_notifier_fd(&conf->seccomp, ipc_sockets[0]);
-		if (ret < 0)
-			goto close_mainloop;
+		if (conf && conf->seccomp.seccomp) {
+			ret = lxc_seccomp_recv_notifier_fd(&conf->seccomp, ipc_sockets[0]);
+			if (ret < 0)
+				goto close_mainloop;

-		ret = lxc_seccomp_add_notifier(name, lxcpath, &conf->seccomp);
-		if (ret < 0)
-			goto close_mainloop;
+			ret = lxc_seccomp_add_notifier(name, lxcpath, &conf->seccomp);
+			if (ret < 0)
+				goto close_mainloop;
+		}

 		/* We're done, the child process should now execute whatever it
 		 * is that the user requested. The parent can now track it with
--- a/src/lxc/lxcseccomp.h
+++ b/src/lxc/lxcseccomp.h
@ -79,9 +79,9 @@ extern void lxc_seccomp_free(struct lxc_seccomp *seccomp);
 extern int seccomp_notify_handler(int fd, uint32_t events, void *data,
 				  struct lxc_epoll_descr *descr);
 extern void seccomp_conf_init(struct lxc_conf *conf);
-extern int lxc_seccomp_setup_notifier(struct lxc_seccomp *seccomp,
-				      struct lxc_epoll_descr *descr,
-				      struct lxc_handler *handler);
+extern int lxc_seccomp_setup_proxy(struct lxc_seccomp *seccomp,
+				   struct lxc_epoll_descr *descr,
+				   struct lxc_handler *handler);
 extern int lxc_seccomp_send_notifier_fd(struct lxc_seccomp *seccomp,
 					int socket_fd);
 extern int lxc_seccomp_recv_notifier_fd(struct lxc_seccomp *seccomp,
@ -129,9 +129,9 @@ static inline void seccomp_conf_init(struct lxc_conf *conf)
 {
 }

-static inline int lxc_seccomp_setup_notifier(struct lxc_seccomp *seccomp,
-					     struct lxc_epoll_descr *descr,
-					     struct lxc_handler *handler)
+static inline int lxc_seccomp_setup_proxy(struct lxc_seccomp *seccomp,
+					  struct lxc_epoll_descr *descr,
+					  struct lxc_handler *handler)
 {
 	return 0;
 }
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@ -1410,9 +1410,9 @@ void seccomp_conf_init(struct lxc_conf *conf)
 #endif
 }

-int lxc_seccomp_setup_notifier(struct lxc_seccomp *seccomp,
-			       struct lxc_epoll_descr *descr,
-			       struct lxc_handler *handler)
+int lxc_seccomp_setup_proxy(struct lxc_seccomp *seccomp,
+			    struct lxc_epoll_descr *descr,
+			    struct lxc_handler *handler)
 {
 #if HAVE_DECL_SECCOMP_NOTIF_GET_FD
 	if (seccomp->notifier.wants_supervision &&
@ -1421,20 +1421,32 @@ int lxc_seccomp_setup_notifier(struct lxc_seccomp *seccomp,
 		int ret;

 		notify_fd = lxc_unix_connect(&seccomp->notifier.proxy_addr);
-		if (notify_fd < 0)
+		if (notify_fd < 0) {
+			SYSERROR("Failed to connect to seccomp proxy");
 			return -1;
+		}

 		/* 30 second timeout */
 		ret = lxc_socket_set_timeout(notify_fd, 30, 30);
-		if (ret)
+		if (ret) {
+			SYSERROR("Failed to set timeouts for seccomp proxy");
 			return -1;
+		}
+
+		ret = seccomp_notif_alloc(&seccomp->notifier.req_buf,
+					  &seccomp->notifier.rsp_buf);
+		if (ret) {
+			ERROR("Failed to allocate seccomp notify request and response buffers");
+			errno = ret;
+			return -1;
+		}

 		ret = lxc_mainloop_add_handler(descr,
 					       seccomp->notifier.notify_fd,
 					       seccomp_notify_handler, handler);
 		if (ret < 0) {
 			ERROR("Failed to add seccomp notify handler for %d to mainloop",
-			      seccomp->notifier.notify_fd);
+			      notify_fd);
 			return -1;
 		}

@ -1469,15 +1481,6 @@ int lxc_seccomp_recv_notifier_fd(struct lxc_seccomp *seccomp, int socket_fd)
 						 1, NULL, 0);
 		if (ret < 0)
 			return -1;
-
-		if (seccomp->notifier.proxy_fd >= 0) {
-			ret = seccomp_notif_alloc(&seccomp->notifier.req_buf,
-						  &seccomp->notifier.rsp_buf);
-			if (ret) {
-				errno = ret;
-				return -1;
-			}
-		}
 	}
 #endif
 	return 0;
@ -1488,11 +1491,11 @@ int lxc_seccomp_add_notifier(const char *name, const char *lxcpath,
 {

 #if HAVE_DECL_SECCOMP_NOTIF_GET_FD
-	if (seccomp->notifier.proxy_fd >= 0) {
+	if (seccomp->notifier.wants_supervision) {
 		int ret;

 		ret = lxc_cmd_seccomp_notify_add_listener(name, lxcpath,
-		          				  seccomp->notifier.notify_fd,
+							  seccomp->notifier.notify_fd,
 							  -1, 0);
 		close_prot_errno_disarm(seccomp->notifier.notify_fd);
 		if (ret < 0)
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@ -591,9 +591,11 @@ int lxc_poll(const char *name, struct lxc_handler *handler)
 		goto out_mainloop_console;
 	}

-	ret = lxc_seccomp_setup_notifier(&handler->conf->seccomp, &descr, handler);
-	if (ret < 0)
+	ret = lxc_seccomp_setup_proxy(&handler->conf->seccomp, &descr, handler);
+	if (ret < 0) {
+		ERROR("Failed to setup seccomp proxy");
 		goto out_mainloop_console;
+	}

 	if (has_console) {
 		struct lxc_terminal *console = &handler->conf->console;