[CRIU] [PATCH 2/2] don't assume the kernel has CONFIG_SECCOMP
Tycho Andersen
tycho.andersen at canonical.com
Tue Jun 30 06:47:11 PDT 2015
linux/seccomp.h may not be available, and the seccomp mode might not be
listed in /proc/pid/status, so let's not assume those two things are
present.
v2: add a seccomp.h with all the constants we use from linux/seccomp.h
v3: don't do a compile time check for PTRACE_O_SUSPEND_SECCOMP, just let
ptrace return EINVAL for it; also add a checkskip to skip the
seccomp_strict test if PTRACE_O_SUSPEND_SECCOMP or linux/seccomp.h
aren't present.
v4: use criu check --feature instead of checkskip to check whether the
kernel supports seccomp_suspend
Reported-by: Mr. Jenkins
Signed-off-by: Tycho Andersen <tycho.andersen at canonical.com>
---
cr-dump.c | 3 +--
cr-restore.c | 3 +--
include/seccomp.h | 16 ++++++++++++++++
lsm.c | 2 ++
pie/restorer.c | 13 +------------
proc_parse.c | 4 ++--
ptrace.c | 11 +----------
scripts/feature-tests.mak | 11 -----------
test/zdtm.sh | 9 +++++++++
9 files changed, 33 insertions(+), 39 deletions(-)
create mode 100644 include/seccomp.h
diff --git a/cr-dump.c b/cr-dump.c
index 8936a64..9505f5e 100644
--- a/cr-dump.c
+++ b/cr-dump.c
@@ -19,8 +19,6 @@
#include <sched.h>
#include <sys/resource.h>
-#include <linux/seccomp.h>
-
#include "protobuf.h"
#include "protobuf/fdinfo.pb-c.h"
#include "protobuf/fs.pb-c.h"
@@ -77,6 +75,7 @@
#include "aio.h"
#include "security.h"
#include "lsm.h"
+#include "seccomp.h"
#include "asm/dump.h"
diff --git a/cr-restore.c b/cr-restore.c
index 45c746e..7439a05 100644
--- a/cr-restore.c
+++ b/cr-restore.c
@@ -24,8 +24,6 @@
#include <sys/sendfile.h>
-#include <linux/seccomp.h>
-
#include "ptrace.h"
#include "compiler.h"
#include "asm/types.h"
@@ -77,6 +75,7 @@
#include "aio.h"
#include "security.h"
#include "lsm.h"
+#include "seccomp.h"
#include "parasite-syscall.h"
diff --git a/include/seccomp.h b/include/seccomp.h
new file mode 100644
index 0000000..017dcd4
--- /dev/null
+++ b/include/seccomp.h
@@ -0,0 +1,16 @@
+#ifndef __CR_SECCOMP_H__
+#define __CR_SECCOMP_H__
+
+#ifndef SECCOMP_MODE_DISABLED
+#define SECCOMP_MODE_DISABLED 0
+#endif
+
+#ifndef SECCOMP_MODE_STRICT
+#define SECCOMP_MODE_STRICT 1
+#endif
+
+#ifndef SECCOMP_MODE_FILTER
+#define SECCOMP_MODE_FILTER 2
+#endif
+
+#endif
diff --git a/lsm.c b/lsm.c
index 40d12ba..c960611 100644
--- a/lsm.c
+++ b/lsm.c
@@ -12,6 +12,8 @@
#include "protobuf/inventory.pb-c.h"
#include "protobuf/creds.pb-c.h"
+#undef CONFIG_HAS_SELINUX
+
#ifdef CONFIG_HAS_SELINUX
#include <selinux/selinux.h>
#endif
diff --git a/pie/restorer.c b/pie/restorer.c
index 4150b49..8c6b421 100644
--- a/pie/restorer.c
+++ b/pie/restorer.c
@@ -30,6 +30,7 @@
#include "lock.h"
#include "restorer.h"
#include "aio.h"
+#include "seccomp.h"
#include "protobuf/creds.pb-c.h"
#include "protobuf/mm.pb-c.h"
@@ -40,18 +41,6 @@
#define PR_SET_PDEATHSIG 1
#endif
-#ifndef SECCOMP_MODE_DISABLED
-#define SECCOMP_MODE_DISABLED 0
-#endif
-
-#ifndef SECCOMP_MODE_STRICT
-#define SECCOMP_MODE_STRICT 1
-#endif
-
-#ifndef SECCOMP_MODE_FILTER
-#define SECCOMP_MODE_FILTER 2
-#endif
-
#define sys_prctl_safe(opcode, val1, val2, val3) \
({ \
long __ret = sys_prctl(opcode, val1, val2, val3, 0); \
diff --git a/proc_parse.c b/proc_parse.c
index 168afcb..e940fc1 100644
--- a/proc_parse.c
+++ b/proc_parse.c
@@ -9,7 +9,6 @@
#include <string.h>
#include <ctype.h>
#include <linux/fs.h>
-#include <linux/seccomp.h>
#include "asm/types.h"
#include "list.h"
@@ -28,6 +27,7 @@
#include "proc_parse.h"
#include "cr_options.h"
#include "sysfs_parse.h"
+#include "seccomp.h"
#include "protobuf.h"
#include "protobuf/fdinfo.pb-c.h"
#include "protobuf/mnt.pb-c.h"
@@ -856,7 +856,7 @@ int parse_pid_status(pid_t pid, struct proc_status_creds *cr)
}
}
- if (done == 9)
+ if (done >= 8)
ret = 0;
err_parse:
diff --git a/ptrace.c b/ptrace.c
index 4f9e66e..c3a9553 100644
--- a/ptrace.c
+++ b/ptrace.c
@@ -14,8 +14,6 @@
#include <sys/resource.h>
#include <sys/wait.h>
-#include <linux/seccomp.h>
-
#include "compiler.h"
#include "asm/types.h"
#include "util.h"
@@ -23,6 +21,7 @@
#include "proc_parse.h"
#include "crtools.h"
#include "security.h"
+#include "seccomp.h"
int unseize_task(pid_t pid, int orig_st, int st)
{
@@ -41,7 +40,6 @@ int unseize_task(pid_t pid, int orig_st, int st)
return ptrace(PTRACE_DETACH, pid, NULL, NULL);
}
-#ifdef CONFIG_HAS_SUSPEND_SECCOMP
int suspend_seccomp(pid_t pid)
{
if (ptrace(PTRACE_SETOPTIONS, pid, NULL, PTRACE_O_SUSPEND_SECCOMP) < 0) {
@@ -51,13 +49,6 @@ int suspend_seccomp(pid_t pid)
return 0;
}
-#else
-int suspend_seccomp(pid_t pid)
-{
- pr_err("seccomp enabled and seccomp suspending not supported\n");
- return -1;
-}
-#endif
/*
* This routine seizes task putting it into a special
diff --git a/scripts/feature-tests.mak b/scripts/feature-tests.mak
index ec7972a..519eb52 100644
--- a/scripts/feature-tests.mak
+++ b/scripts/feature-tests.mak
@@ -92,14 +92,3 @@ int main(int argc, char *argv[], char *envp[])
}
endef
-
-define PTRACE_SUSPEND_SECCOMP_TEST
-
-#include <linux/ptrace.h>
-
-int main(void)
-{
- return PTRACE_O_SUSPEND_SECCOMP;
-}
-
-endef
diff --git a/test/zdtm.sh b/test/zdtm.sh
index f1653f9..8c1e67a 100755
--- a/test/zdtm.sh
+++ b/test/zdtm.sh
@@ -229,6 +229,10 @@ generate_test_list()
TEST_TUN="
ns/static/tun
"
+ TEST_SECCOMP_SUSPEND="
+ static/seccomp_strict
+ "
+
$CRIU check -v0 --feature "mnt_id"
if [ $? -eq 0 ]; then
@@ -252,6 +256,11 @@ generate_test_list()
TEST_LIST="$TEST_LIST$TEST_TUN"
fi
+ $CRIU check -v0 --feature "seccomp_suspend"
+ if [ $? -eq 0 ]; then
+ TEST_LIST="$TEST_LIST$TEST_SECCOMP_SUSPEND"
+ fi
+
BLACKLIST_FOR_USERNS="
ns/static/maps01
ns/static/mlock_setuid
--
2.1.4
More information about the CRIU
mailing list