0 | |
From 8147801fbc73016491d9caaab0fc740dbdbc989d Mon Sep 17 00:00:00 2001
|
1 | |
From: Paul Moore <paul@paul-moore.com>
|
2 | |
Date: Sun, 26 Jul 2020 11:01:49 -0400
|
3 | |
Subject: [PATCH] all: only request the userspace notification fd once
|
4 | |
|
5 | |
It turns out that requesting the seccomp userspace notification fd
|
6 | |
more than once is a bad thing which causes the kernel to complain
|
7 | |
(rightfully so for a variety of reasons). Unfortunately as we were
|
8 | |
always requesting the notification fd whenever possible this results
|
9 | |
in problems at filter load time.
|
10 | |
|
11 | |
Our solution is to move the notification fd out of the filter context
|
12 | |
and into the global task context, using a newly created task_state
|
13 | |
structure. This allows us to store, and retrieve the notification
|
14 | |
outside the scope of an individual filter context. It also provides
|
15 | |
some implementation improvements by giving us a convenient place to
|
16 | |
stash all of the API level related support variables. We also extend
|
17 | |
the seccomp_reset() API call to reset this internal global state when
|
18 | |
passed a NULL filter context.
|
19 | |
|
20 | |
There is one potential case which we don't currently handle well:
|
21 | |
threads. At the moment libseccomp is thread ignorant, and that works
|
22 | |
well as the only global state up to this point was the currently
|
23 | |
supported API level information which was common to all threads in a
|
24 | |
process. Unfortunately, it appears that the notification fd need not
|
25 | |
be common to all threads in a process, yet this patch treats it as if
|
26 | |
it is common. I suspect this is a very unusual use case so I decided
|
27 | |
to keep this patch simple and ignore this case, but in the future if
|
28 | |
we need to support this properly we should be able to do so without
|
29 | |
API changes by keeping an internal list of notification fds indexed
|
30 | |
by gettid(2).
|
31 | |
|
32 | |
This fixes the GitHub issue below:
|
33 | |
* https://github.com/seccomp/libseccomp/issues/273
|
34 | |
|
35 | |
Reported-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
36 | |
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
|
37 | |
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
38 | |
(imported from commit ce314fe4111887c593e3c6b17c60d93bc6ab66b9)
|
39 | |
---
|
40 | |
doc/man/man3/seccomp_init.3 | 10 +-
|
41 | |
doc/man/man3/seccomp_notify_alloc.3 | 3 +-
|
42 | |
src/api.c | 19 ++-
|
43 | |
src/db.c | 1 -
|
44 | |
src/db.h | 3 +-
|
45 | |
src/system.c | 204 ++++++++++++++++++----------
|
46 | |
src/system.h | 3 +
|
47 | |
tests/11-basic-basic_errors.c | 9 +-
|
48 | |
tests/51-live-user_notification.c | 21 +++
|
49 | |
tests/51-live-user_notification.py | 4 +
|
50 | |
10 files changed, 187 insertions(+), 90 deletions(-)
|
51 | |
|
52 | |
diff --git a/doc/man/man3/seccomp_init.3 b/doc/man/man3/seccomp_init.3
|
53 | |
index 3ab68fef..87520cd3 100644
|
54 | |
--- a/doc/man/man3/seccomp_init.3
|
55 | |
+++ b/doc/man/man3/seccomp_init.3
|
56 | |
@@ -36,7 +36,15 @@ The
|
57 | |
function releases the existing filter context state before reinitializing it
|
58 | |
and can only be called after a call to
|
59 | |
.BR seccomp_init ()
|
60 | |
-has succeeded.
|
61 | |
+has succeeded. If
|
62 | |
+.BR seccomp_reset ()
|
63 | |
+is called with a NULL filter, it resets the library's global task state;
|
64 | |
+normally this is not needed, but it may be required to continue using the
|
65 | |
+library after a
|
66 | |
+.BR fork ()
|
67 | |
+or
|
68 | |
+.BR clone ()
|
69 | |
+call to ensure the API level and user notification state is properly reset.
|
70 | |
.P
|
71 | |
When the caller is finished configuring the seccomp filter and has loaded it
|
72 | |
into the kernel, the caller should call
|
73 | |
diff --git a/doc/man/man3/seccomp_notify_alloc.3 b/doc/man/man3/seccomp_notify_alloc.3
|
74 | |
index 50c89706..cb1c0480 100644
|
75 | |
--- a/doc/man/man3/seccomp_notify_alloc.3
|
76 | |
+++ b/doc/man/man3/seccomp_notify_alloc.3
|
77 | |
@@ -59,7 +59,8 @@ returns the notification fd of a filter after it has been loaded.
|
78 | |
.\" //////////////////////////////////////////////////////////////////////////
|
79 | |
The
|
80 | |
.BR seccomp_notify_fd ()
|
81 | |
-returns the notification fd of the loaded filter.
|
82 | |
+returns the notification fd of the loaded filter, -1 if a notification fd has
|
83 | |
+not yet been created, and -EINVAL if the filter context is invalid.
|
84 | |
.P
|
85 | |
The
|
86 | |
.BR seccomp_notify_id_valid ()
|
87 | |
diff --git a/src/api.c b/src/api.c
|
88 | |
index 00975ad5..5cec0883 100644
|
89 | |
--- a/src/api.c
|
90 | |
+++ b/src/api.c
|
91 | |
@@ -301,10 +301,18 @@ API int seccomp_reset(scmp_filter_ctx ctx, uint32_t def_action)
|
92 | |
{
|
93 | |
struct db_filter_col *col = (struct db_filter_col *)ctx;
|
94 | |
|
95 | |
- /* use a NULL filter collection here since we are resetting it */
|
96 | |
- if (ctx == NULL || db_col_action_valid(NULL, def_action) < 0)
|
97 | |
+ /* a NULL filter context indicates we are resetting the global state */
|
98 | |
+ if (ctx == NULL) {
|
99 | |
+ /* reset the global state and redetermine the api level */
|
100 | |
+ sys_reset_state();
|
101 | |
+ _seccomp_api_update();
|
102 | |
+ return _rc_filter(0);
|
103 | |
+ }
|
104 | |
+ /* ensure the default action is valid */
|
105 | |
+ if (db_col_action_valid(NULL, def_action) < 0)
|
106 | |
return _rc_filter(-EINVAL);
|
107 | |
|
108 | |
+ /* reset the filter */
|
109 | |
return _rc_filter(db_col_reset(col, def_action));
|
110 | |
}
|
111 | |
|
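Review bot: `seccomp_reset(NULL, def_action)` now returns 0 without ever looking at `def_action`, so an invalid action passed with a NULL context succeeds where the previous code returned -EINVAL, and the doc/man/man3/seccomp_init.3 hunk does not say the action is ignored in this mode. Either keep the validation ahead of the NULL test (`if (db_col_action_valid(NULL, def_action) < 0) return _rc_filter(-EINVAL);` moved above `if (ctx == NULL) {`) or state the contract in the new comment, e.g. `/* a NULL filter context resets the global state; def_action is ignored */`. The reset also forgets the saved notification fd via `sys_reset_state()` without closing it; the same comment should say the descriptor stays open and remains owned by whoever obtained it from seccomp_notify_fd(), which matters in the fork() child the man page now recommends this call for.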
112 | |
@@ -675,16 +683,17 @@ API int seccomp_notify_id_valid(int fd, uint64_t id)
|
113 | |
/* NOTE - function header comment in include/seccomp.h */
|
114 | |
API int seccomp_notify_fd(const scmp_filter_ctx ctx)
|
115 | |
{
|
116 | |
- struct db_filter_col *col;
|
117 | |
+ /* NOTE: for historical reasons, and possibly future use, we require a
|
118 | |
+ * valid filter context even though we don't actual use it here; the
|
119 | |
+ * api update is also not strictly necessary, but keep it for now */
|
120 | |
|
121 | |
/* force a runtime api level detection */
|
122 | |
_seccomp_api_update();
|
123 | |
|
124 | |
if (_ctx_valid(ctx))
|
125 | |
return _rc_filter(-EINVAL);
|
126 | |
- col = (struct db_filter_col *)ctx;
|
127 | |
|
128 | |
- return _rc_filter(col->notify_fd);
|
129 | |
+ return _rc_filter(sys_notify_fd());
|
130 | |
}
|
131 | |
|
132 | |
/* NOTE - function header comment in include/seccomp.h */
|
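Review bot: The value returned here is no longer tied to `ctx`: every valid context yields the same task-wide descriptor, and since sys_filter_load() only requests a listener while `state.notify_fd == -1`, the fd may belong to a filter other than the one the caller passed. The new NOTE comment should say so explicitly, e.g. `* the fd is per-task, not per-filter: it is whatever the first load that requested a listener received`. If `_rc_filter()` passes negative values through unchanged, the -1 documented in the seccomp_notify_alloc.3 hunk also sits alongside the -EINVAL path two lines above as a mixed return convention; a one-line comment on the `return` noting that -1 is "not yet created" rather than an errno would help readers.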
133 | |
diff --git a/src/db.c b/src/db.c
|
134 | |
index 4a87ea36..836171ae 100644
|
135 | |
--- a/src/db.c
|
136 | |
+++ b/src/db.c
|
137 | |
@@ -1057,7 +1057,6 @@ int db_col_reset(struct db_filter_col *col, uint32_t def_action)
|
138 | |
if (col->filters)
|
139 | |
free(col->filters);
|
140 | |
col->filters = NULL;
|
141 | |
- col->notify_fd = -1;
|
142 | |
|
143 | |
/* set the endianess to undefined */
|
144 | |
col->endian = 0;
|
145 | |
diff --git a/src/db.h b/src/db.h
|
146 | |
index b96b1049..765c607e 100644
|
147 | |
--- a/src/db.h
|
148 | |
+++ b/src/db.h
|
149 | |
@@ -160,8 +160,7 @@ struct db_filter_col {
|
150 | |
/* transaction snapshots */
|
151 | |
struct db_filter_snap *snapshots;
|
152 | |
|
153 | |
- /* notification fd that was returned from seccomp() */
|
154 | |
- int notify_fd;
|
155 | |
+ /* userspace notification */
|
156 | |
bool notify_used;
|
157 | |
};
|
158 | |
|
159 | |
diff --git a/src/system.c b/src/system.c
|
160 | |
index 6cdfc16a..3b43b2a9 100644
|
161 | |
--- a/src/system.c
|
162 | |
+++ b/src/system.c
|
163 | |
@@ -40,16 +40,61 @@
|
164 | |
* our next release we may have to enable the allowlist */
|
165 | |
#define SYSCALL_ALLOWLIST_ENABLE 0
|
166 | |
|
167 | |
-static int _nr_seccomp = -1;
|
168 | |
-static int _support_seccomp_syscall = -1;
|
169 | |
-static int _support_seccomp_flag_tsync = -1;
|
170 | |
-static int _support_seccomp_flag_log = -1;
|
171 | |
-static int _support_seccomp_action_log = -1;
|
172 | |
-static int _support_seccomp_kill_process = -1;
|
173 | |
-static int _support_seccomp_flag_spec_allow = -1;
|
174 | |
-static int _support_seccomp_flag_new_listener = -1;
|
175 | |
-static int _support_seccomp_user_notif = -1;
|
176 | |
-static int _support_seccomp_flag_tsync_esrch = -1;
|
177 | |
+/* task global state */
|
178 | |
+struct task_state {
|
179 | |
+ /* seccomp(2) syscall */
|
180 | |
+ int nr_seccomp;
|
181 | |
+
|
182 | |
+ /* userspace notification fd */
|
183 | |
+ int notify_fd;
|
184 | |
+
|
185 | |
+ /* runtime support flags */
|
186 | |
+ int sup_syscall;
|
187 | |
+ int sup_flag_tsync;
|
188 | |
+ int sup_flag_log;
|
189 | |
+ int sup_action_log;
|
190 | |
+ int sup_kill_process;
|
191 | |
+ int sup_flag_spec_allow;
|
192 | |
+ int sup_flag_new_listener;
|
193 | |
+ int sup_user_notif;
|
194 | |
+ int sup_flag_tsync_esrch;
|
195 | |
+};
|
196 | |
+static struct task_state state = {
|
197 | |
+ .nr_seccomp = -1,
|
198 | |
+
|
199 | |
+ .notify_fd = -1,
|
200 | |
+
|
201 | |
+ .sup_syscall = -1,
|
202 | |
+ .sup_flag_tsync = -1,
|
203 | |
+ .sup_flag_log = -1,
|
204 | |
+ .sup_action_log = -1,
|
205 | |
+ .sup_kill_process = -1,
|
206 | |
+ .sup_flag_spec_allow = -1,
|
207 | |
+ .sup_flag_new_listener = -1,
|
208 | |
+ .sup_user_notif = -1,
|
209 | |
+ .sup_flag_tsync_esrch = -1,
|
210 | |
+};
|
211 | |
+
|
212 | |
+/**
|
213 | |
+ * Reset the task state
|
214 | |
+ *
|
215 | |
+ * This function fully resets the library's global "system task state".
|
216 | |
+ *
|
217 | |
+ */
|
218 | |
+void sys_reset_state(void)
|
219 | |
+{
|
220 | |
+ state.nr_seccomp = -1;
|
221 | |
+ state.notify_fd = -1;
|
222 | |
+ state.sup_syscall = -1;
|
223 | |
+ state.sup_flag_tsync = -1;
|
224 | |
+ state.sup_flag_log = -1;
|
225 | |
+ state.sup_action_log = -1;
|
226 | |
+ state.sup_kill_process = -1;
|
227 | |
+ state.sup_flag_spec_allow = -1;
|
228 | |
+ state.sup_flag_new_listener = -1;
|
229 | |
+ state.sup_user_notif = -1;
|
230 | |
+ state.sup_flag_tsync_esrch = -1;
|
231 | |
+}
|
232 | |
|
233 | |
/**
|
234 | |
* Check to see if the seccomp() syscall is supported
|
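Review bot: `sys_reset_state()` repeats the eleven `-1` assignments that already appear in the static initializer of `state`, so any field added to `struct task_state` later has to be remembered in two places and a miss leaves it un-reset after `seccomp_reset(NULL, …)`. A single initializer macro used by both the definition and the reset keeps the two in lock-step and shortens the function to one assignment. Separately, setting `notify_fd` back to -1 does not close the descriptor; the header comment should state that the fd is forgotten, not closed, and stays the caller's to close.
```c
/* single source of truth for the "not yet probed" state */
#define TASK_STATE_INIT { \
	.nr_seccomp = -1, \
	.notify_fd = -1, \
	.sup_syscall = -1, \
	.sup_flag_tsync = -1, \
	.sup_flag_log = -1, \
	.sup_action_log = -1, \
	.sup_kill_process = -1, \
	.sup_flag_spec_allow = -1, \
	.sup_flag_new_listener = -1, \
	.sup_user_notif = -1, \
	.sup_flag_tsync_esrch = -1, \
}
static struct task_state state = TASK_STATE_INIT;

/* … unchanged: sys_reset_state() header comment … */
void sys_reset_state(void)
{
	/* NOTE: notify_fd is forgotten here, not closed; the caller owns it */
	state = (struct task_state)TASK_STATE_INIT;
}
```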
235 | |
@@ -68,8 +113,8 @@ int sys_chk_seccomp_syscall(void)
|
236 | |
/* NOTE: it is reasonably safe to assume that we should be able to call
|
237 | |
* seccomp() when the caller first starts, but we can't rely on
|
238 | |
* it later so we need to cache our findings for use later */
|
239 | |
- if (_support_seccomp_syscall >= 0)
|
240 | |
- return _support_seccomp_syscall;
|
241 | |
+ if (state.sup_syscall >= 0)
|
242 | |
+ return state.sup_syscall;
|
243 | |
|
244 | |
#if SYSCALL_ALLOWLIST_ENABLE
|
245 | |
/* architecture allowlist */
|
246 | |
@@ -100,11 +145,11 @@ int sys_chk_seccomp_syscall(void)
|
247 | |
goto supported;
|
248 | |
|
249 | |
unsupported:
|
250 | |
- _support_seccomp_syscall = 0;
|
251 | |
+ state.sup_syscall = 0;
|
252 | |
return 0;
|
253 | |
supported:
|
254 | |
- _nr_seccomp = nr_seccomp;
|
255 | |
- _support_seccomp_syscall = 1;
|
256 | |
+ state.nr_seccomp = nr_seccomp;
|
257 | |
+ state.sup_syscall = 1;
|
258 | |
return 1;
|
259 | |
}
|
260 | |
|
261 | |
@@ -118,7 +163,7 @@ int sys_chk_seccomp_syscall(void)
|
262 | |
*/
|
263 | |
void sys_set_seccomp_syscall(bool enable)
|
264 | |
{
|
265 | |
- _support_seccomp_syscall = (enable ? 1 : 0);
|
266 | |
+ state.sup_syscall = (enable ? 1 : 0);
|
267 | |
}
|
268 | |
|
269 | |
/**
|
270 | |
@@ -132,16 +177,16 @@ void sys_set_seccomp_syscall(bool enable)
|
271 | |
int sys_chk_seccomp_action(uint32_t action)
|
272 | |
{
|
273 | |
if (action == SCMP_ACT_KILL_PROCESS) {
|
274 | |
- if (_support_seccomp_kill_process < 0) {
|
275 | |
+ if (state.sup_kill_process < 0) {
|
276 | |
if (sys_chk_seccomp_syscall() == 1 &&
|
277 | |
- syscall(_nr_seccomp, SECCOMP_GET_ACTION_AVAIL, 0,
|
278 | |
- &action) == 0)
|
279 | |
- _support_seccomp_kill_process = 1;
|
280 | |
+ syscall(state.nr_seccomp,
|
281 | |
+ SECCOMP_GET_ACTION_AVAIL, 0, &action) == 0)
|
282 | |
+ state.sup_kill_process = 1;
|
283 | |
else
|
284 | |
- _support_seccomp_kill_process = 0;
|
285 | |
+ state.sup_kill_process = 0;
|
286 | |
}
|
287 | |
|
288 | |
- return _support_seccomp_kill_process;
|
289 | |
+ return state.sup_kill_process;
|
290 | |
} else if (action == SCMP_ACT_KILL_THREAD) {
|
291 | |
return 1;
|
292 | |
} else if (action == SCMP_ACT_TRAP) {
|
293 | |
@@ -152,30 +197,30 @@ int sys_chk_seccomp_action(uint32_t action)
|
294 | |
} else if (action == SCMP_ACT_TRACE(action & 0x0000ffff)) {
|
295 | |
return 1;
|
296 | |
} else if (action == SCMP_ACT_LOG) {
|
297 | |
- if (_support_seccomp_action_log < 0) {
|
298 | |
+ if (state.sup_action_log < 0) {
|
299 | |
if (sys_chk_seccomp_syscall() == 1 &&
|
300 | |
- syscall(_nr_seccomp, SECCOMP_GET_ACTION_AVAIL, 0,
|
301 | |
- &action) == 0)
|
302 | |
- _support_seccomp_action_log = 1;
|
303 | |
+ syscall(state.nr_seccomp,
|
304 | |
+ SECCOMP_GET_ACTION_AVAIL, 0, &action) == 0)
|
305 | |
+ state.sup_action_log = 1;
|
306 | |
else
|
307 | |
- _support_seccomp_action_log = 0;
|
308 | |
+ state.sup_action_log = 0;
|
309 | |
}
|
310 | |
|
311 | |
- return _support_seccomp_action_log;
|
312 | |
+ return state.sup_action_log;
|
313 | |
} else if (action == SCMP_ACT_ALLOW) {
|
314 | |
return 1;
|
315 | |
} else if (action == SCMP_ACT_NOTIFY) {
|
316 | |
- if (_support_seccomp_user_notif < 0) {
|
317 | |
+ if (state.sup_user_notif < 0) {
|
318 | |
struct seccomp_notif_sizes sizes;
|
319 | |
if (sys_chk_seccomp_syscall() == 1 &&
|
320 | |
- syscall(_nr_seccomp, SECCOMP_GET_NOTIF_SIZES, 0,
|
321 | |
- &sizes) == 0)
|
322 | |
- _support_seccomp_user_notif = 1;
|
323 | |
+ syscall(state.nr_seccomp,
|
324 | |
+ SECCOMP_GET_NOTIF_SIZES, 0, &sizes) == 0)
|
325 | |
+ state.sup_user_notif = 1;
|
326 | |
else
|
327 | |
- _support_seccomp_user_notif = 0;
|
328 | |
+ state.sup_user_notif = 0;
|
329 | |
}
|
330 | |
|
331 | |
- return _support_seccomp_user_notif;
|
332 | |
+ return state.sup_user_notif;
|
333 | |
}
|
334 | |
|
335 | |
return 0;
|
336 | |
@@ -193,13 +238,13 @@ void sys_set_seccomp_action(uint32_t action, bool enable)
|
337 | |
{
|
338 | |
switch (action) {
|
339 | |
case SCMP_ACT_LOG:
|
340 | |
- _support_seccomp_action_log = (enable ? 1 : 0);
|
341 | |
+ state.sup_action_log = (enable ? 1 : 0);
|
342 | |
break;
|
343 | |
case SCMP_ACT_KILL_PROCESS:
|
344 | |
- _support_seccomp_kill_process = (enable ? 1 : 0);
|
345 | |
+ state.sup_kill_process = (enable ? 1 : 0);
|
346 | |
break;
|
347 | |
case SCMP_ACT_NOTIFY:
|
348 | |
- _support_seccomp_user_notif = (enable ? 1 : 0);
|
349 | |
+ state.sup_user_notif = (enable ? 1 : 0);
|
350 | |
break;
|
351 | |
}
|
352 | |
}
|
353 | |
@@ -212,13 +257,14 @@ void sys_set_seccomp_action(uint32_t action, bool enable)
|
354 | |
* Return one if the flag is supported, zero otherwise.
|
355 | |
*
|
356 | |
*/
|
357 | |
-static int _sys_chk_seccomp_flag_kernel(int flag)
|
358 | |
+static int _sys_chk_flag_kernel(int flag)
|
359 | |
{
|
360 | |
/* this is an invalid seccomp(2) call because the last argument
|
361 | |
* is NULL, but depending on the errno value of EFAULT we can
|
362 | |
* guess if the filter flag is supported or not */
|
363 | |
if (sys_chk_seccomp_syscall() == 1 &&
|
364 | |
- syscall(_nr_seccomp, SECCOMP_SET_MODE_FILTER, flag, NULL) == -1 &&
|
365 | |
+ syscall(state.nr_seccomp,
|
366 | |
+ SECCOMP_SET_MODE_FILTER, flag, NULL) == -1 &&
|
367 | |
errno == EFAULT)
|
368 | |
return 1;
|
369 | |
|
370 | |
@@ -238,29 +284,25 @@ int sys_chk_seccomp_flag(int flag)
|
371 | |
{
|
372 | |
switch (flag) {
|
373 | |
case SECCOMP_FILTER_FLAG_TSYNC:
|
374 | |
- if (_support_seccomp_flag_tsync < 0)
|
375 | |
- _support_seccomp_flag_tsync = _sys_chk_seccomp_flag_kernel(flag);
|
376 | |
-
|
377 | |
- return _support_seccomp_flag_tsync;
|
378 | |
+ if (state.sup_flag_tsync < 0)
|
379 | |
+ state.sup_flag_tsync = _sys_chk_flag_kernel(flag);
|
380 | |
+ return state.sup_flag_tsync;
|
381 | |
case SECCOMP_FILTER_FLAG_LOG:
|
382 | |
- if (_support_seccomp_flag_log < 0)
|
383 | |
- _support_seccomp_flag_log = _sys_chk_seccomp_flag_kernel(flag);
|
384 | |
-
|
385 | |
- return _support_seccomp_flag_log;
|
386 | |
+ if (state.sup_flag_log < 0)
|
387 | |
+ state.sup_flag_log = _sys_chk_flag_kernel(flag);
|
388 | |
+ return state.sup_flag_log;
|
389 | |
case SECCOMP_FILTER_FLAG_SPEC_ALLOW:
|
390 | |
- if (_support_seccomp_flag_spec_allow < 0)
|
391 | |
- _support_seccomp_flag_spec_allow = _sys_chk_seccomp_flag_kernel(flag);
|
392 | |
-
|
393 | |
- return _support_seccomp_flag_spec_allow;
|
394 | |
+ if (state.sup_flag_spec_allow < 0)
|
395 | |
+ state.sup_flag_spec_allow = _sys_chk_flag_kernel(flag);
|
396 | |
+ return state.sup_flag_spec_allow;
|
397 | |
case SECCOMP_FILTER_FLAG_NEW_LISTENER:
|
398 | |
- if (_support_seccomp_flag_new_listener < 0)
|
399 | |
- _support_seccomp_flag_new_listener = _sys_chk_seccomp_flag_kernel(flag);
|
400 | |
-
|
401 | |
- return _support_seccomp_flag_new_listener;
|
402 | |
+ if (state.sup_flag_new_listener < 0)
|
403 | |
+ state.sup_flag_new_listener = _sys_chk_flag_kernel(flag);
|
404 | |
+ return state.sup_flag_new_listener;
|
405 | |
case SECCOMP_FILTER_FLAG_TSYNC_ESRCH:
|
406 | |
- if (_support_seccomp_flag_tsync_esrch < 0)
|
407 | |
- _support_seccomp_flag_tsync_esrch = _sys_chk_seccomp_flag_kernel(flag);
|
408 | |
- return _support_seccomp_flag_tsync_esrch;
|
409 | |
+ if (state.sup_flag_tsync_esrch < 0)
|
410 | |
+ state.sup_flag_tsync_esrch = _sys_chk_flag_kernel(flag);
|
411 | |
+ return state.sup_flag_tsync_esrch;
|
412 | |
}
|
413 | |
|
414 | |
return -EOPNOTSUPP;
|
415 | |
@@ -279,19 +321,19 @@ void sys_set_seccomp_flag(int flag, bool enable)
|
416 | |
{
|
417 | |
switch (flag) {
|
418 | |
case SECCOMP_FILTER_FLAG_TSYNC:
|
419 | |
- _support_seccomp_flag_tsync = (enable ? 1 : 0);
|
420 | |
+ state.sup_flag_tsync = (enable ? 1 : 0);
|
421 | |
break;
|
422 | |
case SECCOMP_FILTER_FLAG_LOG:
|
423 | |
- _support_seccomp_flag_log = (enable ? 1 : 0);
|
424 | |
+ state.sup_flag_log = (enable ? 1 : 0);
|
425 | |
break;
|
426 | |
case SECCOMP_FILTER_FLAG_SPEC_ALLOW:
|
427 | |
- _support_seccomp_flag_spec_allow = (enable ? 1 : 0);
|
428 | |
+ state.sup_flag_spec_allow = (enable ? 1 : 0);
|
429 | |
break;
|
430 | |
case SECCOMP_FILTER_FLAG_NEW_LISTENER:
|
431 | |
- _support_seccomp_flag_new_listener = (enable ? 1 : 0);
|
432 | |
+ state.sup_flag_new_listener = (enable ? 1 : 0);
|
433 | |
break;
|
434 | |
case SECCOMP_FILTER_FLAG_TSYNC_ESRCH:
|
435 | |
- _support_seccomp_flag_tsync_esrch = (enable ? 1 : 0);
|
436 | |
+ state.sup_flag_tsync_esrch = (enable ? 1 : 0);
|
437 | |
break;
|
438 | |
}
|
439 | |
}
|
440 | |
@@ -324,7 +366,7 @@ int sys_filter_load(struct db_filter_col *col, bool rawrc)
|
441 | |
goto filter_load_out;
|
442 | |
}
|
443 | |
|
444 | |
- tsync_notify = (_support_seccomp_flag_tsync_esrch > 0);
|
445 | |
+ tsync_notify = state.sup_flag_tsync_esrch > 0 && state.notify_fd == -1;
|
446 | |
|
447 | |
/* load the filter into the kernel */
|
448 | |
if (sys_chk_seccomp_syscall() == 1) {
|
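Review bot: `tsync_notify` here, and the `else if` in the next hunk (`@@ -333,28 +375,29 @@`), request SECCOMP_FILTER_FLAG_NEW_LISTENER on the first load that supports it whether or not the filter being loaded contains a SCMP_ACT_NOTIFY rule, and never again once `state.notify_fd` is set. The task's single listener is therefore attached to whichever filter happens to load first, and a later filter that actually uses SCMP_ACT_NOTIFY gets none; as far as I can tell the kernel only dispatches a notification to the listener of the filter that matched, so such rules would fail rather than reach the saved fd. `col->notify_used`, which the db.h hunk keeps, looks like the natural gate: `tsync_notify = state.sup_flag_tsync_esrch > 0 && col->notify_used && state.notify_fd == -1;` and likewise `else if (state.sup_user_notif > 0 && col->notify_used && state.notify_fd == -1)`. The enclosing sys_filter_load() begins before this hunk.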
449 | |
@@ -333,28 +375,29 @@ int sys_filter_load(struct db_filter_col *col, bool rawrc)
|
450 | |
if (col->attr.tsync_enable)
|
451 | |
flgs |= SECCOMP_FILTER_FLAG_TSYNC | \
|
452 | |
SECCOMP_FILTER_FLAG_TSYNC_ESRCH;
|
453 | |
- if (_support_seccomp_user_notif > 0)
|
454 | |
+ if (state.sup_user_notif > 0)
|
455 | |
flgs |= SECCOMP_FILTER_FLAG_NEW_LISTENER;
|
456 | |
} else if (col->attr.tsync_enable)
|
457 | |
flgs |= SECCOMP_FILTER_FLAG_TSYNC;
|
458 | |
- else if (_support_seccomp_user_notif > 0)
|
459 | |
+ else if (state.sup_user_notif > 0 && state.notify_fd == -1)
|
460 | |
flgs |= SECCOMP_FILTER_FLAG_NEW_LISTENER;
|
461 | |
if (col->attr.log_enable)
|
462 | |
flgs |= SECCOMP_FILTER_FLAG_LOG;
|
463 | |
if (col->attr.spec_allow)
|
464 | |
flgs |= SECCOMP_FILTER_FLAG_SPEC_ALLOW;
|
465 | |
- rc = syscall(_nr_seccomp, SECCOMP_SET_MODE_FILTER, flgs, prgm);
|
466 | |
+ rc = syscall(state.nr_seccomp,
|
467 | |
+ SECCOMP_SET_MODE_FILTER, flgs, prgm);
|
468 | |
if (tsync_notify && rc > 0) {
|
469 | |
/* return 0 on NEW_LISTENER success, but save the fd */
|
470 | |
- col->notify_fd = rc;
|
471 | |
+ state.notify_fd = rc;
|
472 | |
rc = 0;
|
473 | |
} else if (rc > 0 && col->attr.tsync_enable) {
|
474 | |
/* always return -ESRCH if we fail to sync threads */
|
475 | |
errno = ESRCH;
|
476 | |
rc = -errno;
|
477 | |
- } else if (rc > 0 && _support_seccomp_user_notif > 0) {
|
478 | |
+ } else if (rc > 0 && state.sup_user_notif > 0) {
|
479 | |
/* return 0 on NEW_LISTENER success, but save the fd */
|
480 | |
- col->notify_fd = rc;
|
481 | |
+ state.notify_fd = rc;
|
482 | |
rc = 0;
|
483 | |
}
|
484 | |
} else
|
485 | |
@@ -370,6 +413,19 @@ int sys_filter_load(struct db_filter_col *col, bool rawrc)
|
486 | |
return rc;
|
487 | |
}
|
488 | |
|
489 | |
+/**
|
490 | |
+ * Return the userspace notification fd
|
491 | |
+ *
|
492 | |
+ * This function returns the userspace notification fd from
|
493 | |
+ * SECCOMP_FILTER_FLAG_NEW_LISTENER. If the notification fd has not yet been
|
494 | |
+ * set, or an error has occurred, -1 is returned.
|
495 | |
+ *
|
496 | |
+ */
|
497 | |
+int sys_notify_fd(void)
|
498 | |
+{
|
499 | |
+ return state.notify_fd;
|
500 | |
+}
|
501 | |
+
|
502 | |
/**
|
503 | |
* Allocate a pair of notification request/response structures
|
504 | |
* @param req the request location
|
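Review bot: The header comment says -1 is returned when "an error has occurred", but `sys_notify_fd()` has no error path; it only reads `state.notify_fd`, so -1 can only mean that no listener has been saved yet or that `sys_reset_state()` ran. The comment also leaves ownership open: the library stores the descriptor but never closes it, and keeps returning the number after the caller has closed it, in which case a later sys_filter_load() will still not request a new listener. Suggest replacing the second paragraph with a sentence saying that -1 means no fd has been saved, that the descriptor is owned by the caller and must be closed by it, and that closing it without a subsequent `seccomp_reset(NULL, …)` leaves a stale value here.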
505 | |
@@ -386,7 +442,7 @@ int sys_notify_alloc(struct seccomp_notif **req,
|
506 | |
int rc;
|
507 | |
static struct seccomp_notif_sizes sizes = { 0, 0, 0 };
|
508 | |
|
509 | |
- if (_support_seccomp_syscall <= 0)
|
510 | |
+ if (state.sup_syscall <= 0)
|
511 | |
return -EOPNOTSUPP;
|
512 | |
|
513 | |
if (sizes.seccomp_notif == 0 && sizes.seccomp_notif_resp == 0) {
|
514 | |
@@ -427,7 +483,7 @@ int sys_notify_alloc(struct seccomp_notif **req,
|
515 | |
*/
|
516 | |
int sys_notify_receive(int fd, struct seccomp_notif *req)
|
517 | |
{
|
518 | |
- if (_support_seccomp_user_notif <= 0)
|
519 | |
+ if (state.sup_user_notif <= 0)
|
520 | |
return -EOPNOTSUPP;
|
521 | |
|
522 | |
if (ioctl(fd, SECCOMP_IOCTL_NOTIF_RECV, req) < 0)
|
523 | |
@@ -448,7 +504,7 @@ int sys_notify_receive(int fd, struct seccomp_notif *req)
|
524 | |
*/
|
525 | |
int sys_notify_respond(int fd, struct seccomp_notif_resp *resp)
|
526 | |
{
|
527 | |
- if (_support_seccomp_user_notif <= 0)
|
528 | |
+ if (state.sup_user_notif <= 0)
|
529 | |
return -EOPNOTSUPP;
|
530 | |
|
531 | |
if (ioctl(fd, SECCOMP_IOCTL_NOTIF_SEND, resp) < 0)
|
532 | |
@@ -467,7 +523,7 @@ int sys_notify_respond(int fd, struct seccomp_notif_resp *resp)
|
533 | |
*/
|
534 | |
int sys_notify_id_valid(int fd, uint64_t id)
|
535 | |
{
|
536 | |
- if (_support_seccomp_user_notif <= 0)
|
537 | |
+ if (state.sup_user_notif <= 0)
|
538 | |
return -EOPNOTSUPP;
|
539 | |
|
540 | |
if (ioctl(fd, SECCOMP_IOCTL_NOTIF_ID_VALID, &id) < 0)
|
541 | |
diff --git a/src/system.h b/src/system.h
|
542 | |
index 133f9b11..096f3cad 100644
|
543 | |
--- a/src/system.h
|
544 | |
+++ b/src/system.h
|
545 | |
@@ -182,6 +182,8 @@ struct seccomp_notif_resp {
|
546 | |
#define SECCOMP_IOCTL_NOTIF_ID_VALID SECCOMP_IOR(2, __u64)
|
547 | |
#endif /* SECCOMP_RET_USER_NOTIF */
|
548 | |
|
549 | |
+void sys_reset_state(void);
|
550 | |
+
|
551 | |
int sys_chk_seccomp_syscall(void);
|
552 | |
void sys_set_seccomp_syscall(bool enable);
|
553 | |
|
554 | |
@@ -193,6 +195,7 @@ void sys_set_seccomp_flag(int flag, bool enable);
|
555 | |
|
556 | |
int sys_filter_load(struct db_filter_col *col, bool rawrc);
|
557 | |
|
558 | |
+int sys_notify_fd(void);
|
559 | |
int sys_notify_alloc(struct seccomp_notif **req,
|
560 | |
struct seccomp_notif_resp **resp);
|
561 | |
int sys_notify_receive(int fd, struct seccomp_notif *req);
|
562 | |
diff --git a/tests/11-basic-basic_errors.c b/tests/11-basic-basic_errors.c
|
563 | |
index d3b22566..da059df2 100644
|
564 | |
--- a/tests/11-basic-basic_errors.c
|
565 | |
+++ b/tests/11-basic-basic_errors.c
|
566 | |
@@ -41,12 +41,9 @@ int main(int argc, char *argv[])
|
567 | |
seccomp_release(ctx);
|
568 | |
ctx = NULL;
|
569 | |
|
570 | |
- /* seccomp_reset error */
|
571 | |
- rc = seccomp_reset(ctx, SCMP_ACT_KILL + 1);
|
572 | |
- if (rc != -EINVAL)
|
573 | |
- return -1;
|
574 | |
- rc = seccomp_reset(ctx, SCMP_ACT_KILL);
|
575 | |
- if (rc != -EINVAL)
|
576 | |
+ /* ensure that seccomp_reset(NULL, ...) is accepted */
|
577 | |
+ rc = seccomp_reset(NULL, SCMP_ACT_ALLOW);
|
578 | |
+ if (rc != 0)
|
579 | |
return -1;
|
580 | |
|
581 | |
/* seccomp_load error */
|
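Review bot: Two checks of the `def_action` validation path were removed and only the NULL-context success case was added, so the -EINVAL branch in seccomp_reset() (`db_col_action_valid(NULL, def_action) < 0`) no longer has a test in this file, and `seccomp_reset(NULL, SCMP_ACT_KILL + 1)` would now return 0 rather than -EINVAL. Unless that branch is covered elsewhere in the suite, add a case on the live context before the `seccomp_release(ctx)` above, e.g. `rc = seccomp_reset(ctx, SCMP_ACT_KILL + 1); if (rc != -EINVAL) return -1;`, and extend the new comment to `/* ensure that seccomp_reset(NULL, ...) is accepted; the action is ignored here */`. main() begins before this hunk.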
582 | |
diff --git a/tests/51-live-user_notification.c b/tests/51-live-user_notification.c
|
583 | |
index 4340194c..4847d8b1 100644
|
584 | |
--- a/tests/51-live-user_notification.c
|
585 | |
+++ b/tests/51-live-user_notification.c
|
586 | |
@@ -99,6 +99,27 @@ int main(int argc, char *argv[])
|
587 | |
goto out;
|
588 | |
}
|
589 | |
|
590 | |
+ rc = seccomp_reset(ctx, SCMP_ACT_ALLOW);
|
591 | |
+ if (rc < 0)
|
592 | |
+ goto out;
|
593 | |
+
|
594 | |
+ rc = seccomp_rule_add(ctx, SCMP_ACT_NOTIFY, SCMP_SYS(getppid), 0, NULL);
|
595 | |
+ if (rc)
|
596 | |
+ goto out;
|
597 | |
+
|
598 | |
+ rc = seccomp_load(ctx);
|
599 | |
+ if (rc < 0)
|
600 | |
+ goto out;
|
601 | |
+
|
602 | |
+ rc = seccomp_notify_fd(ctx);
|
603 | |
+ if (rc < 0)
|
604 | |
+ goto out;
|
605 | |
+ if (rc != fd) {
|
606 | |
+ rc = -EFAULT;
|
607 | |
+ goto out;
|
608 | |
+ } else
|
609 | |
+ rc = 0;
|
610 | |
+
|
611 | |
out:
|
612 | |
if (fd >= 0)
|
613 | |
close(fd);
|
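Review bot: The new block only asserts that `seccomp_notify_fd(ctx)` returns the same descriptor after a reset and a second load; it never calls getppid() under the re-loaded filter, so it does not show that notifications from the second filter are delivered to that fd (the second load no longer requests a listener). A comment stating the narrower intent would keep a reader from taking this as end-to-end coverage, e.g. `/* verify the notify fd is preserved across reset+load; delivery under the new filter is not checked here */` above the `rc = seccomp_reset(ctx, SCMP_ACT_ALLOW);` line. main() begins before this hunk.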
614 | |
diff --git a/tests/51-live-user_notification.py b/tests/51-live-user_notification.py
|
615 | |
index 0d81f5e1..3449c44c 100755
|
616 | |
--- a/tests/51-live-user_notification.py
|
617 | |
+++ b/tests/51-live-user_notification.py
|
618 | |
@@ -52,6 +52,10 @@ def test():
|
619 | |
raise RuntimeError("Child process error")
|
620 | |
if os.WEXITSTATUS(rc) != 0:
|
621 | |
raise RuntimeError("Child process error")
|
622 | |
+ f.reset(ALLOW)
|
623 | |
+ f.add_rule(NOTIFY, "getppid")
|
624 | |
+ f.load()
|
625 | |
+ # no easy way to check the notification fd here
|
626 | |
quit(160)
|
627 | |
|
628 | |
test()
|