94 lines
3.2 KiB
Diff
94 lines
3.2 KiB
Diff
From 5201e324d2025b1febbade9bb90d6e405b92a14c Mon Sep 17 00:00:00 2001
|
|
From: Paul Moore <paul@paul-moore.com>
|
|
Date: Tue, 4 Aug 2020 10:52:08 -0400
|
|
Subject: [PATCH 102/102] system: change our notification fd handling
|
|
|
|
This commit changes how we handle the notification fd by only
|
|
requesting it via _NEW_LISTENER if the filter has a _NOTIFY action
|
|
in it. We also augment the seccomp_reset(NULL, ...) behavior so
|
|
that it closes the notification fd before resetting the global
|
|
state; applications that need to keep their notification fd open
|
|
across a call to seccomp_reset(NULL, ...) can simply dup() it.
|
|
Although one would have to wonder why the application would be
|
|
calling seccomp_reset(NULL, ...) in that case.
|
|
|
|
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
---
|
|
doc/man/man3/seccomp_init.3 | 6 ++++--
|
|
src/system.c | 18 +++++++++++++++---
|
|
2 files changed, 19 insertions(+), 5 deletions(-)
|
|
|
|
diff --git a/doc/man/man3/seccomp_init.3 b/doc/man/man3/seccomp_init.3
|
|
index 87520cd..7881c35 100644
|
|
--- a/doc/man/man3/seccomp_init.3
|
|
+++ b/doc/man/man3/seccomp_init.3
|
|
@@ -38,8 +38,10 @@ and can only be called after a call to
|
|
.BR seccomp_init ()
|
|
has succeeded. If
|
|
.BR seccomp_reset ()
|
|
-is called with a NULL filter, it resets the library's global task state;
|
|
-normally this is not needed, but it may be required to continue using the
|
|
+is called with a NULL filter, it resets the library's global task state,
|
|
+including any notification file descriptors retrieved by
|
|
+.BR seccomp_notify_fd(3) .
|
|
+Normally this is not needed, but it may be required to continue using the
|
|
library after a
|
|
.BR fork ()
|
|
or
|
|
diff --git a/src/system.c b/src/system.c
|
|
index 3b43b2a..c646c65 100644
|
|
--- a/src/system.c
|
|
+++ b/src/system.c
|
|
@@ -84,7 +84,11 @@ static struct task_state state = {
|
|
void sys_reset_state(void)
|
|
{
|
|
state.nr_seccomp = -1;
|
|
+
|
|
+ if (state.notify_fd > 0)
|
|
+ close(state.notify_fd);
|
|
state.notify_fd = -1;
|
|
+
|
|
state.sup_syscall = -1;
|
|
state.sup_flag_tsync = -1;
|
|
state.sup_flag_log = -1;
|
|
@@ -353,6 +357,7 @@ int sys_filter_load(struct db_filter_col *col, bool rawrc)
|
|
{
|
|
int rc;
|
|
bool tsync_notify;
|
|
+ bool listener_req;
|
|
struct bpf_program *prgm = NULL;
|
|
|
|
rc = gen_bpf_generate(col, &prgm);
|
|
@@ -367,6 +372,8 @@ int sys_filter_load(struct db_filter_col *col, bool rawrc)
|
|
}
|
|
|
|
tsync_notify = state.sup_flag_tsync_esrch > 0 && state.notify_fd == -1;
|
|
+ listener_req = state.sup_user_notif > 0 && \
|
|
+ col->notify_used && state.notify_fd == -1;
|
|
|
|
/* load the filter into the kernel */
|
|
if (sys_chk_seccomp_syscall() == 1) {
|
|
@@ -375,11 +382,16 @@ int sys_filter_load(struct db_filter_col *col, bool rawrc)
|
|
if (col->attr.tsync_enable)
|
|
flgs |= SECCOMP_FILTER_FLAG_TSYNC | \
|
|
SECCOMP_FILTER_FLAG_TSYNC_ESRCH;
|
|
- if (state.sup_user_notif > 0)
|
|
+ if (listener_req)
|
|
flgs |= SECCOMP_FILTER_FLAG_NEW_LISTENER;
|
|
- } else if (col->attr.tsync_enable)
|
|
+ } else if (col->attr.tsync_enable) {
|
|
+ if (listener_req) {
|
|
+ /* NOTE: we _should_ catch this in db.c */
|
|
+ rc = -EFAULT;
|
|
+ goto filter_load_out;
|
|
+ }
|
|
flgs |= SECCOMP_FILTER_FLAG_TSYNC;
|
|
- else if (state.sup_user_notif > 0 && state.notify_fd == -1)
|
|
+ } else if (listener_req)
|
|
flgs |= SECCOMP_FILTER_FLAG_NEW_LISTENER;
|
|
if (col->attr.log_enable)
|
|
flgs |= SECCOMP_FILTER_FLAG_LOG;
|
|
--
|
|
2.26.2
|
|
|