The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/3572

This e-mail was sent by the LXC bot, direct replies will not reach the author
unless they happen to be subscribed to this list.

=== Description (from pull-request) ===
Suggested-by: Jann Horn <j...@thejh.net>
Signed-off-by: Christian Brauner <christian.brau...@ubuntu.com>
From a60c98aaf637f3cb8ef6b054cceab666d2317615 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brau...@ubuntu.com>
Date: Mon, 2 Nov 2020 16:44:05 +0100
Subject: [PATCH 1/2] seccomp: make seccomp notifier fd non-blocking

Suggested-by: Jann Horn <j...@thejh.net>
Signed-off-by: Christian Brauner <christian.brau...@ubuntu.com>
---
 src/lxc/file_utils.c | 12 ++++++++++++
 src/lxc/file_utils.h |  1 +
 src/lxc/seccomp.c    |  3 +++
 3 files changed, 16 insertions(+)

diff --git a/src/lxc/file_utils.c b/src/lxc/file_utils.c
index 4a8c7a8d99..fafaba354c 100644
--- a/src/lxc/file_utils.c
+++ b/src/lxc/file_utils.c
@@ -577,3 +577,15 @@ int open_beneath(int dir_fd, const char *path, unsigned 
int flags)
 
        return openat(dir_fd, path, O_NOFOLLOW | flags);
 }
+
+int fd_make_nonblocking(int fd)
+{
+       int flags;
+
+       flags = fcntl(fd, F_GETFL);
+       if (flags < 0)
+               return -1;
+
+       flags &= ~O_NONBLOCK;
+       return fcntl(fd, F_SETFL, flags);
+}
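Review bot: `flags &= ~O_NONBLOCK;` clears the flag, so fd_make_nonblocking() leaves the descriptor blocking (or makes a non-blocking one blocking), the opposite of what its name and the commit subject say; the line should read `flags |= O_NONBLOCK;`. Nothing in the patch would catch this, because fcntl(F_SETFL) succeeds either way and the caller in seccomp.c only checks the return value, so a small note on the function, such as `/* Set O_NONBLOCK on fd; returns 0 on success, -1 with errno set otherwise. */`, plus a test that reads F_GETFL back would make the intent verifiable. The return contract (fcntl's 0 / -1) is what the seccomp.c caller relies on with `if (fd_make_nonblocking(ret))`, so it is worth stating in the header as well.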
diff --git a/src/lxc/file_utils.h b/src/lxc/file_utils.h
index df3a00d4dc..ea9570dd18 100644
--- a/src/lxc/file_utils.h
+++ b/src/lxc/file_utils.h
@@ -76,5 +76,6 @@ __hidden extern int timens_offset_write(clockid_t clk_id, 
int64_t s_offset, int6
 __hidden extern bool exists_dir_at(int dir_fd, const char *path);
 __hidden extern bool exists_file_at(int dir_fd, const char *path);
 __hidden extern int open_beneath(int dir_fd, const char *path, unsigned int 
flags);
+__hidden int fd_make_nonblocking(int fd);
 
 #endif /* __LXC_FILE_UTILS_H */
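Review bot: The new prototype is declared `__hidden int fd_make_nonblocking(int fd);` while every neighbouring declaration in this header uses the `__hidden extern int ...` form; for consistency it should be `__hidden extern int fd_make_nonblocking(int fd);`. A one-line comment stating the return convention (0 on success, -1 with errno set) would match how the seccomp.c caller tests it.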
diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index 4faf693f6c..e303561bf9 100644
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -1280,6 +1280,9 @@ int lxc_seccomp_load(struct lxc_conf *conf)
                        return -1;
                }
 
+               if (fd_make_nonblocking(ret))
+                       return log_error_errno(-1, errno, "Failed to make 
seccomp listener fd non-blocking");;
+
                conf->seccomp.notifier.notify_fd = ret;
                TRACE("Retrieved new seccomp listener fd %d", ret);
        }
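Review bot: On the new error path the listener fd in `ret` is returned to the caller as -1 without being closed; since the assignment to `conf->seccomp.notifier.notify_fd` only happens on the line below, nothing else appears to own that descriptor yet, so a failing fcntl() leaks it (lxc_seccomp_load begins outside the hunk, so I cannot see whether an outer cleanup covers it). Closing it before returning, with the errno captured first so the message stays accurate, e.g. `SYSERROR("Failed to make seccomp listener fd non-blocking");` followed by `close(ret); return -1;`, avoids that. The same line also ends in a stray double semicolon `;;` after the `log_error_errno(...)` call, which compiles as an empty statement but should be dropped.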

From 0d724ab4f4b2611f5d93525ef8ef4f1c6d91334d Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brau...@ubuntu.com>
Date: Mon, 2 Nov 2020 16:48:02 +0100
Subject: [PATCH 2/2] seccomp: log aborted system calls

Suggested-by: Jann Horn <j...@thejh.net>
Signed-off-by: Christian Brauner <christian.brau...@ubuntu.com>
---
 src/lxc/seccomp.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index e303561bf9..ba6811d903 100644
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -1390,7 +1390,10 @@ int seccomp_notify_handler(int fd, uint32_t events, void 
*data,
        memset(req, 0, conf->seccomp.notifier.sizes.seccomp_notif);
        ret = seccomp_notify_receive(fd, req);
        if (ret) {
-               SYSERROR("Failed to read seccomp notification");
+               if (errno == ENOENT)
+                       TRACE("Intercepted system call aborted");
+               else
+                       SYSERROR("Failed to read seccomp notification");
                goto out;
        }
 
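Review bot: The new branch distinguishes the aborted-syscall case by reading `errno` after seccomp_notify_receive() returns; libseccomp reports failures as a negative errno in its return value, so `if (ret == -ENOENT)` is the more direct test and does not depend on errno surviving whatever the library does before returning. With the first patch making the listener non-blocking, a receive that races with another consumer or a cancelled notification may also come back with EAGAIN/EWOULDBLOCK where no notification is pending, and that outcome would still be logged as SYSERROR here; if the kernel honours O_NONBLOCK on the listener, it should be treated like ENOENT, e.g. `if (ret == -ENOENT || ret == -EAGAIN)` with the TRACE message adjusted accordingly. seccomp_notify_handler begins before the hunk and its body continues after `goto out`, so I could not confirm that `out:` handles the early exit without touching `req`.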