The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/3508
This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) === which allows retrieving an active seccomp notifier fd from a running container. Signed-off-by: Christian Brauner <christian.brau...@ubuntu.com>
From 2140576960c1cfc95db5724553b360f0b4daa247 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brau...@ubuntu.com>
Date: Thu, 6 Aug 2020 14:38:07 +0200
Subject: [PATCH] seccomp: add seccomp_notify_fd_active api extension
which allows to retrieve an active seccomp notifier fd from a running container.
Signed-off-by: Christian Brauner <christian.brau...@ubuntu.com>
---
 doc/api-extensions.md | 4 ++++
 src/lxc/api_extensions.h | 1 +
 src/lxc/commands.c | 52 ++++++++++++++++++++++++++++++++++++++++
 src/lxc/commands.h | 2 ++
 src/lxc/lxccontainer.c | 11 +++++++++
 src/lxc/lxccontainer.h | 9 +++++++
 6 files changed, 79 insertions(+)
diff --git a/doc/api-extensions.md b/doc/api-extensions.md
index 21cb55d111..9a716e48ac 100644
--- a/doc/api-extensions.md
+++ b/doc/api-extensions.md
@@ -136,3 +136,7 @@ This adds the ability to use "denylist" and "allowlist" in seccomp v2 policies.
 This adds the ability to allocate a file descriptor for the devpts instance of the container.
+
+## seccomp\_notify\_fd\_active
+
+Retrieve the seccomp notifier fd from a running container.
diff --git a/src/lxc/api_extensions.h b/src/lxc/api_extensions.h
index 4d97504887..1b40e5d452 100644
--- a/src/lxc/api_extensions.h
+++ b/src/lxc/api_extensions.h
@@ -44,6 +44,7 @@ static char *api_extensions[] = {
 	"time_namespace",
 	"seccomp_allow_deny_syntax",
 	"devpts_fd",
+	"seccomp_notify_fd_active",
 };
 
 static size_t nr_api_extensions = sizeof(api_extensions) / sizeof(*api_extensions);
diff --git a/src/lxc/commands.c b/src/lxc/commands.c
index 22fbb04bb4..4ed84c3a02 100644
--- a/src/lxc/commands.c
+++ b/src/lxc/commands.c
@@ -87,6 +87,7 @@ static const char *lxc_cmd_str(lxc_cmd_t cmd)
 		[LXC_CMD_GET_LIMITING_CGROUP] = "get_limiting_cgroup",
 		[LXC_CMD_GET_LIMITING_CGROUP2_FD] = "get_limiting_cgroup2_fd",
 		[LXC_CMD_GET_DEVPTS_FD] = "get_devpts_fd",
+		[LXC_CMD_GET_SECCOMP_NOTIFY_FD] = "get_seccomp_notify_fd",
 	};
 
 	if (cmd >= LXC_CMD_MAX)
@@ -162,6 +163,11 @@ static int lxc_cmd_rsp_recv(int sock, struct lxc_cmd_rr *cmd)
 		rsp->data = INT_TO_PTR(devpts_fd);
 	}
 
+	if (cmd->req.cmd == LXC_CMD_GET_SECCOMP_NOTIFY_FD) {
+		int seccomp_notify_fd = move_fd(fd_rsp);
+		rsp->data = INT_TO_PTR(seccomp_notify_fd);
+	}
+
 	if (rsp->datalen == 0)
 		return log_debug(ret, "Response data length for command \"%s\" is 0",
@@ -490,6 +496,51 @@ static int lxc_cmd_get_devpts_fd_callback(int fd, struct lxc_cmd_req *req,
 	return 0;
 }
 
+int lxc_cmd_get_seccomp_notify_fd(const char *name, const char *lxcpath)
+{
+#if HAVE_DECL_SECCOMP_NOTIFY_FD
+	int ret, stopped;
+	struct lxc_cmd_rr cmd = {
+		.req = {
+			.cmd = LXC_CMD_GET_SECCOMP_NOTIFY_FD,
+		},
+	};
+
+	ret = lxc_cmd(name, &cmd, &stopped, lxcpath, NULL);
+	if (ret < 0)
+		return log_debug_errno(-1, errno, "Failed to process seccomp notify fd command");
+
+	if (cmd.rsp.ret < 0)
+		return log_debug_errno(-EBADF, errno, "Failed to receive seccomp notify fd");
+
+	return PTR_TO_INT(cmd.rsp.data);
+#else
+	return ret_errno(EOPNOTSUPP);
+#endif
+}
+
+static int lxc_cmd_get_seccomp_notify_fd_callback(int fd, struct lxc_cmd_req *req,
+						  struct lxc_handler *handler,
+						  struct lxc_epoll_descr *descr)
+{
+#if HAVE_DECL_SECCOMP_NOTIFY_FD
+	struct lxc_cmd_rsp rsp = {
+		.ret = 0,
+	};
+	int ret;
+
+	if (!handler->conf || handler->conf->seccomp.notifier.notify_fd < 0)
+		rsp.ret = -EBADF;
+	ret = lxc_abstract_unix_send_fds(fd, &handler->conf->seccomp.notifier.notify_fd, 1, &rsp, sizeof(rsp));
+	if (ret < 0)
+		return log_error(LXC_CMD_REAP_CLIENT_FD, "Failed to send seccomp notify fd");
+
+	return 0;
+#else
+	return ret_errno(EOPNOTSUPP);
+#endif
+}
+
 /*
  * lxc_cmd_get_clone_flags: Get clone flags container was spawned with
  *
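Review bot: In lxc_cmd_get_seccomp_notify_fd_callback the error case only sets `rsp.ret = -EBADF` and then falls through to `lxc_abstract_unix_send_fds(fd, &handler->conf->seccomp.notifier.notify_fd, ...)`, so with a NULL `handler->conf` the address is formed through a null pointer, and with a negative `notify_fd` sendmsg() is asked to pass an invalid descriptor and fails before the prepared -EBADF response ever reaches the client. The branch should send the plain response and return, e.g. `if (!handler->conf || handler->conf->seccomp.notifier.notify_fd < 0) { rsp.ret = -EBADF; return lxc_cmd_rsp_send(fd, &rsp); }` (assuming lxc_cmd_rsp_send is the fd-less response helper the other callbacks in this file use). On the client side, the `cmd.rsp.ret < 0` path returns -EBADF as the value with errno left at whatever the transport set, while the `ret < 0` path returns -1 with errno; `return log_debug_errno(-1, -cmd.rsp.ret, "Failed to receive seccomp notify fd");` would make both paths follow the same -1/errno convention. The `#else` branch of the callback returns `ret_errno(EOPNOTSUPP)` without sending any response at all, which presumably leaves the requesting client blocked in lxc_cmd_rsp_recv; sending `rsp.ret = -EOPNOTSUPP` there instead would keep the protocol consistent.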
@@ -1549,6 +1600,7 @@ static int lxc_cmd_process(int fd, struct lxc_cmd_req *req,
 		[LXC_CMD_GET_LIMITING_CGROUP] = lxc_cmd_get_limiting_cgroup_callback,
 		[LXC_CMD_GET_LIMITING_CGROUP2_FD] = lxc_cmd_get_limiting_cgroup2_fd_callback,
 		[LXC_CMD_GET_DEVPTS_FD] = lxc_cmd_get_devpts_fd_callback,
+		[LXC_CMD_GET_SECCOMP_NOTIFY_FD] = lxc_cmd_get_seccomp_notify_fd_callback,
 	};
 
 	if (req->cmd >= LXC_CMD_MAX)
diff --git a/src/lxc/commands.h b/src/lxc/commands.h
index ef545e23ae..c87dad4e90 100644
--- a/src/lxc/commands.h
+++ b/src/lxc/commands.h
@@ -42,6 +42,7 @@ typedef enum {
 	LXC_CMD_GET_LIMITING_CGROUP,
 	LXC_CMD_GET_LIMITING_CGROUP2_FD,
 	LXC_CMD_GET_DEVPTS_FD,
+	LXC_CMD_GET_SECCOMP_NOTIFY_FD,
 	LXC_CMD_MAX,
 } lxc_cmd_t;
 
@@ -120,6 +121,7 @@ __hidden extern int lxc_cmd_mainloop_add(const char *name, struct lxc_epoll_desc
 __hidden extern int lxc_try_cmd(const char *name, const char *lxcpath);
 __hidden extern int lxc_cmd_console_log(const char *name, const char *lxcpath, struct lxc_console_log *log);
+__hidden extern int lxc_cmd_get_seccomp_notify_fd(const char *name, const char *lxcpath);
 __hidden extern int lxc_cmd_seccomp_notify_add_listener(const char *name, const char *lxcpath, int fd, /* unused */ unsigned int command, /* unused */ unsigned int flags);
diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c
index 8d854aaf13..673cf2483d 100644
--- a/src/lxc/lxccontainer.c
+++ b/src/lxc/lxccontainer.c
@@ -5240,6 +5240,16 @@ static int do_lxcapi_seccomp_notify_fd(struct lxc_container *c)
 WRAP_API(int, lxcapi_seccomp_notify_fd)
 
+static int do_lxcapi_seccomp_notify_fd_active(struct lxc_container *c)
+{
+	if (!c || !c->lxc_conf)
+		return ret_set_errno(-1, -EINVAL);
+
+	return lxc_cmd_get_seccomp_notify_fd(c->name, c->config_path);
+}
+
+WRAP_API(int, lxcapi_seccomp_notify_fd_active)
+
 struct lxc_container *lxc_container_new(const char *name, const char *configpath)
 {
 	struct lxc_container *c;
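Review bot: do_lxcapi_seccomp_notify_fd_active passes `-EINVAL` to `ret_set_errno`, which as used elsewhere in this file stores its second argument straight into errno, so a NULL container or missing lxc_conf leaves errno at a negative value that neither strerror() nor a caller checking `errno == EINVAL` will recognise; it should read `return ret_set_errno(-1, EINVAL);`. The function also hands back whatever lxc_cmd_get_seccomp_notify_fd returns, and in the commands.c hunk that helper returns -EBADF on a negative response and, via `ret_errno(EOPNOTSUPP)`, presumably -EOPNOTSUPP when built without notify support, so the -1/errno convention of the surrounding API calls does not hold on those paths unless the command helper is normalised. A short comment stating ownership of the result would help, e.g. `/* On success the returned fd is owned by the caller, who must close() it. */`, which matches the receive path moving the descriptor into the response with move_fd.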
@@ -5382,6 +5392,7 @@ struct lxc_container *lxc_container_new(const char *name, const char *configpath
 	c->mount = lxcapi_mount;
 	c->umount = lxcapi_umount;
 	c->seccomp_notify_fd = lxcapi_seccomp_notify_fd;
+	c->seccomp_notify_fd_active = lxcapi_seccomp_notify_fd_active;
 
 	return c;
diff --git a/src/lxc/lxccontainer.h b/src/lxc/lxccontainer.h
index 3437550d7e..1229a1f349 100644
--- a/src/lxc/lxccontainer.h
+++ b/src/lxc/lxccontainer.h
@@ -857,6 +857,15 @@ struct lxc_container {
 	 */
 	int (*seccomp_notify_fd)(struct lxc_container *c);
 
+	/*!
+	 * \brief Retrieve a file descriptor for the running container's seccomp filter.
+	 *
+	 * \param c Container
+	 *
+	 * \return file descriptor for the running container's seccomp filter
+	 */
+	int (*seccomp_notify_fd_active)(struct lxc_container *c);
+
 	/*!
 	 * \brief Retrieve a pidfd for the container's init process.
 	 *
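Review bot: The doc comment added for `seccomp_notify_fd_active` does not say how it differs from the neighbouring `seccomp_notify_fd`, nor what the caller gets on failure or who owns the descriptor, which a public-header consumer needs. Based on the commands.c hunk, which obtains the descriptor by sending a command to the running container, a \brief such as `\brief Retrieve the seccomp notifier fd of a running container by querying the container's command socket.` would make the distinction clear, and the \return should state `\return seccomp notifier fd on success (owned by the caller, who must close() it), -1 on error with errno set`. It is also worth noting in the comment that the call fails when LXC was built without seccomp notify support or the container has no active notifier, since both branches exist in the implementation. Only part of struct lxc_container is visible here; its definition begins and ends outside the hunk.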