[CRIU] [PATCH] seccomp: define required constants (v2)

Tycho Andersen tycho.andersen at canonical.com
Fri Jun 26 10:47:24 PDT 2015


Hi Andrew,

On Fri, Jun 26, 2015 at 08:31:26PM +0300, Andrey Vagin wrote:
> 2015-06-26 18:18 GMT+03:00 Tycho Andersen <tycho.andersen at canonical.com>:
> > On Fri, Jun 26, 2015 at 09:23:35AM +0300, Andrey Vagin wrote:
> >> seccomp was merged in 3.12, but criu should work on 3.11.
> >>
> >> The installed kernel headers and the running kernel may have different versions,
> >> and it's not a good idea to compile the seccomp code only if PTRACE_O_TRACESECCOMP
> >> is defined in sys/ptrace.h.
> >>
> >> v2: fix all places
> >>
> >> Cc: Tycho Andersen <tycho.andersen at canonical.com>
> >
> > Ok, I think this basically overlaps with my patch (although I still
> > think you need something about parsing /proc/pid/status). Anyway,
> > either works for me.
> 
> Hi Tycho,
> 
> I didn't know that you had sent a patch too. Sorry for this. I have a bad
> internet connection here, so I can't read the criu mail list. If this
> patch does the same, we can drop this one. If you want, you can send
> me your patch to avagin at gmail.com and I will review it.

Ah, no problem. There is one little bit extra that mine does in
proc_parse that yours doesn't that I think is necessary for dump to
actually succeed in the 3.11 kernel case. I'll send you the patch off
list in a moment. Anyway, either patch works for me (provided we get
the proc_parse.c bits I mentioned).

Tycho

> Thanks,
> Andrew.
> 
> >
> > Tycho
> >
> >> Signed-off-by: Andrey Vagin <avagin at openvz.org>
> >> ---
> >>  cr-dump.c                              |  2 +-
> >>  cr-restore.c                           |  2 +-
> >>  include/ptrace.h                       |  5 +++++
> >>  include/seccomp.h                      |  7 +++++++
> >>  proc_parse.c                           |  3 ++-
> >>  ptrace.c                               | 10 +---------
> >>  test/zdtm/live/static/seccomp_strict.c |  7 ++++++-
> >>  7 files changed, 23 insertions(+), 13 deletions(-)
> >>  create mode 100644 include/seccomp.h
> >>
> >> diff --git a/cr-dump.c b/cr-dump.c
> >> index 8936a64..ffcc3e3 100644
> >> --- a/cr-dump.c
> >> +++ b/cr-dump.c
> >> @@ -19,7 +19,7 @@
> >>  #include <sched.h>
> >>  #include <sys/resource.h>
> >>
> >> -#include <linux/seccomp.h>
> >> +#include "seccomp.h"
> >>
> >>  #include "protobuf.h"
> >>  #include "protobuf/fdinfo.pb-c.h"
> >> diff --git a/cr-restore.c b/cr-restore.c
> >> index 45c746e..765388a 100644
> >> --- a/cr-restore.c
> >> +++ b/cr-restore.c
> >> @@ -24,7 +24,7 @@
> >>
> >>  #include <sys/sendfile.h>
> >>
> >> -#include <linux/seccomp.h>
> >> +#include "seccomp.h"
> >>
> >>  #include "ptrace.h"
> >>  #include "compiler.h"
> >> diff --git a/include/ptrace.h b/include/ptrace.h
> >> index 44b66c9..4d53b6c 100644
> >> --- a/include/ptrace.h
> >> +++ b/include/ptrace.h
> >> @@ -65,6 +65,11 @@ struct ptrace_peeksiginfo_args {
> >>  #define PTRACE_O_TRACEVFORKDONE      0x00000020
> >>  #define PTRACE_O_TRACEEXIT   0x00000040
> >>
> >> +#ifndef PTRACE_EVENT_SECCOMP
> >> +#define PTRACE_EVENT_SECCOMP 7
> >> +#define PTRACE_O_TRACESECCOMP        (1 << PTRACE_EVENT_SECCOMP)
> >> +#endif /* PTRACE_EVENT_SECCOMP */
> >> +
> >>  #define SI_EVENT(_si_code)   (((_si_code) & 0xFFFF) >> 8)
> >>
> >>  extern int seize_task(pid_t pid, pid_t ppid, struct proc_status_creds **creds);
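Review bot: The single `#ifndef PTRACE_EVENT_SECCOMP` guard covers both new macros, so headers that provide `PTRACE_EVENT_SECCOMP` but not `PTRACE_O_TRACESECCOMP` get neither fallback and the build breaks at the first use of the option. Giving the second macro its own guard, `#ifndef PTRACE_O_TRACESECCOMP` / `#define PTRACE_O_TRACESECCOMP (1 << PTRACE_EVENT_SECCOMP)` / `#endif`, removes that coupling. A short comment such as `/* fallback for old headers; values mirror the kernel UAPI */` above the block would tell the next reader where to check the numbers.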
> >> diff --git a/include/seccomp.h b/include/seccomp.h
> >> new file mode 100644
> >> index 0000000..f46929b
> >> --- /dev/null
> >> +++ b/include/seccomp.h
> >> @@ -0,0 +1,7 @@
> >> +#ifndef __CR_SECCOMP_H__
> >> +
> >> +#define SECCOMP_MODE_DISABLED        0 /* seccomp is not in use. */
> >> +#define SECCOMP_MODE_STRICT     1 /* uses hard-coded filter. */
> >> +#define SECCOMP_MODE_FILTER     2 /* uses user-supplied filter. */
> >> +
> >> +#endif /* __CR_SECCOMP_H__ */
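Review bot: The include guard in the new header is never armed, because `#ifndef __CR_SECCOMP_H__` is not followed by `#define __CR_SECCOMP_H__`, so every inclusion re-emits the three mode macros. That is harmless only while each redefinition stays token-identical; add the `#define` on the line right after the `#ifndef`. Because this header replaces `<linux/seccomp.h>` in several files, wrapping each `SECCOMP_MODE_*` in its own `#ifndef` would also keep it safe if a system header pulls in the kernel definitions indirectly.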
> >> diff --git a/proc_parse.c b/proc_parse.c
> >> index 168afcb..06c85c8 100644
> >> --- a/proc_parse.c
> >> +++ b/proc_parse.c
> >> @@ -9,7 +9,6 @@
> >>  #include <string.h>
> >>  #include <ctype.h>
> >>  #include <linux/fs.h>
> >> -#include <linux/seccomp.h>
> >>
> >>  #include "asm/types.h"
> >>  #include "list.h"
> >> @@ -28,6 +27,8 @@
> >>  #include "proc_parse.h"
> >>  #include "cr_options.h"
> >>  #include "sysfs_parse.h"
> >> +#include "seccomp.h"
> >> +
> >>  #include "protobuf.h"
> >>  #include "protobuf/fdinfo.pb-c.h"
> >>  #include "protobuf/mnt.pb-c.h"
> >> diff --git a/ptrace.c b/ptrace.c
> >> index 4f9e66e..5bd5ea5 100644
> >> --- a/ptrace.c
> >> +++ b/ptrace.c
> >> @@ -14,7 +14,7 @@
> >>  #include <sys/resource.h>
> >>  #include <sys/wait.h>
> >>
> >> -#include <linux/seccomp.h>
> >> +#include "seccomp.h"
> >>
> >>  #include "compiler.h"
> >>  #include "asm/types.h"
> >> @@ -41,7 +41,6 @@ int unseize_task(pid_t pid, int orig_st, int st)
> >>       return ptrace(PTRACE_DETACH, pid, NULL, NULL);
> >>  }
> >>
> >> -#ifdef CONFIG_HAS_SUSPEND_SECCOMP
> >>  int suspend_seccomp(pid_t pid)
> >>  {
> >>       if (ptrace(PTRACE_SETOPTIONS, pid, NULL, PTRACE_O_SUSPEND_SECCOMP) < 0) {
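Review bot: With the `CONFIG_HAS_SUSPEND_SECCOMP` guard removed, `suspend_seccomp()` uses `PTRACE_O_SUSPEND_SECCOMP` unconditionally, yet the `include/ptrace.h` hunk of this patch adds fallbacks only for `PTRACE_EVENT_SECCOMP` and `PTRACE_O_TRACESECCOMP`. Unless a fallback already exists outside the visible hunks, building against older headers fails here; a guarded `#ifndef PTRACE_O_SUSPEND_SECCOMP` / `#define` / `#endif`, with the value taken from the kernel UAPI header, next to the other two would cover it. The next hunk also drops the stub that reported "seccomp suspending not supported", so on a kernel without the option the failing `ptrace()` call is the only signal. The error branch lies outside this hunk; it should log errno so that a dump of a seccomp-confined task is refused with a clear reason.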
> >> @@ -51,13 +50,6 @@ int suspend_seccomp(pid_t pid)
> >>
> >>       return 0;
> >>  }
> >> -#else
> >> -int suspend_seccomp(pid_t pid)
> >> -{
> >> -     pr_err("seccomp enabled and seccomp suspending not supported\n");
> >> -     return -1;
> >> -}
> >> -#endif
> >>
> >>  /*
> >>   * This routine seizes task putting it into a special
> >> diff --git a/test/zdtm/live/static/seccomp_strict.c b/test/zdtm/live/static/seccomp_strict.c
> >> index 97db19b..bd9c39b 100644
> >> --- a/test/zdtm/live/static/seccomp_strict.c
> >> +++ b/test/zdtm/live/static/seccomp_strict.c
> >> @@ -2,7 +2,6 @@
> >>  #include <stdbool.h>
> >>  #include <signal.h>
> >>  #include <sys/prctl.h>
> >> -#include <linux/seccomp.h>
> >>  #include <linux/limits.h>
> >>  #include "zdtmtst.h"
> >>
> >> @@ -41,6 +40,12 @@ int get_seccomp_mode(pid_t pid, bool after_checkpoint)
> >>       return -1;
> >>  }
> >>
> >> +#define SECCOMP_MODE_STRICT     1 /* uses hard-coded filter. */
> >> +
> >> +#ifndef PR_SET_SECCOMP
> >> +#define PR_SET_SECCOMP  22
> >> +#endif
> >> +
> >>  int main(int argc, char ** argv)
> >>  {
> >>       pid_t pid;
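Review bot: `SECCOMP_MODE_STRICT` is defined unconditionally here while `PR_SET_SECCOMP` right below it is guarded. Wrap it the same way, `#ifndef SECCOMP_MODE_STRICT` / `#define SECCOMP_MODE_STRICT 1` / `#endif`, so the test still builds cleanly if a system header supplies the constant. Both fallbacks would also read better next to the includes at the top of the file than between `get_seccomp_mode()` and `main()`. The body of `main()` continues outside the hunk.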
> >> --
> >> 2.1.0
> >>

