[CRIU] [PATCH] criu: Fix compilation when seccomp mode filter is not supported

Pavel Emelyanov xemul at parallels.com
Fri Nov 20 10:20:21 PST 2015


On 11/19/2015 06:14 PM, Tycho Andersen wrote:
> Hi Pavel,
> 
> On Thu, Nov 19, 2015 at 05:48:41PM +0300, Pavel Emelyanov wrote:
>> I have two issues in my VM -- no SECCOMP_SET_MODE_FILTER in header
>> and no linux/bpf.h header.
> 
> This patch is fine with me, or I can re-send the one I sent that
> Cyrill asked about. 

Hm... I must have missed that patch :\ Would you re-send one, please?

> One thing that has that this doesn't is a runtime
> fix if seccomp doesn't exist. It doesn't have the bpf ifdef, though,
> so some combination of both is needed. Let me know what you want.

Well, first we need to get criu compiled, which is only possible with
ifdefs over the code, but probably smarter detection of seccomp
filter stuff present. I was also unsure whether compiling out the bpf
stuff is OK under ifndef SECCOMP_MODE_FILTER :)

And, of course, the run-time is also needed.

> Acked-by: Tycho Andersen <tycho.andersen at canonical.com>
> 
>> Signed-off-by: Pavel Emelyanov <xemul at parallels.com>
>> ---
>>  cr-check.c     | 7 +++++++
>>  pie/restorer.c | 5 +++++
>>  2 files changed, 12 insertions(+)
>>
>> diff --git a/cr-check.c b/cr-check.c
>> index 8669576..5ee98c4 100644
>> --- a/cr-check.c
>> +++ b/cr-check.c
>> @@ -13,7 +13,9 @@
>>  #include <signal.h>
>>  #include <linux/if.h>
>>  #include <linux/filter.h>
>> +#ifdef SECCOMP_MODE_FILTER
>>  #include <linux/bpf.h>
>> +#endif
>>  #include <linux/seccomp.h>
>>  #include <sys/syscall.h>
>>  #include <sys/ioctl.h>
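Review bot: the `#ifdef SECCOMP_MODE_FILTER` around `#include <linux/bpf.h>` is evaluated before `<linux/seccomp.h>` is included two lines further down, so unless an earlier header already defines the macro the guard is false and linux/bpf.h is dropped even on systems that ship it. Consider moving `#include <linux/seccomp.h>` above the guard. The macro also says nothing about whether linux/bpf.h itself exists, so a build-time test for that header would match the reported problem more directly.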
>> @@ -646,6 +648,7 @@ static int check_ptrace_suspend_seccomp(void)
>>  
>>  static int setup_seccomp_filter(void)
>>  {
>> +#ifdef SECCOMP_MODE_FILTER
>>  	struct sock_filter filter[] = {
>>  		BPF_STMT(BPF_LD+BPF_W+BPF_ABS, offsetof(struct seccomp_data, nr)),
>>  		/* Allow all syscalls except ptrace */
>> @@ -663,6 +666,10 @@ static int setup_seccomp_filter(void)
>>  		return -1;
>>  
>>  	return 0;
>> +#else
>> +	pr_err("Can't check seccomp filter support");
>> +	return -1;
>> +#endif
>>  }
>>  
>>  static int check_ptrace_dump_seccomp_filters(void)
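Review bot: in the `#else` branch of setup_seccomp_filter(), the pr_err() string has no trailing newline and reads like a run-time failure, while the actual cause is that the binary was built against headers without SECCOMP_MODE_FILTER. Wording such as "seccomp filter support not compiled in\n" would let a reader of the check output tell a build limitation apart from a kernel that lacks the feature. Returning -1 here also makes the check fail on every build made against old headers, whatever the running kernel supports, which is worth a comment.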
>> diff --git a/pie/restorer.c b/pie/restorer.c
>> index 4665c5d..02173f0 100644
>> --- a/pie/restorer.c
>> +++ b/pie/restorer.c
>> @@ -41,6 +41,11 @@
>>  #define PR_SET_PDEATHSIG 1
>>  #endif
>>  
>> +#ifndef SECCOMP_SET_MODE_FILTER
>> +#define SECCOMP_SET_MODE_FILTER 1
>> +#define SECCOMP_FILTER_FLAG_TSYNC 1
>> +#endif
>> +
>>  #define sys_prctl_safe(opcode, val1, val2, val3)			\
>>  	({								\
>>  		long __ret = sys_prctl(opcode, val1, val2, val3, 0);	\
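Review bot: the single `#ifndef SECCOMP_SET_MODE_FILTER` also decides whether SECCOMP_FILTER_FLAG_TSYNC gets defined, so headers that provide the first macro but not the second still fail to build. Give each macro its own `#ifndef`. These fallbacks only make the restorer compile; the code that uses them still has to cope with a kernel that rejects the operation or the flag, and a short comment saying where the values come from would help.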
>> -- 
>> 1.9.3
>>
> .
> 
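The thread separates two problems: building against headers that lack the seccomp definitions, and finding out at run time whether the kernel supports filters. The following is an added example, not CRIU code and not from either poster, showing header fallbacks next to a probe that passes a NULL filter so nothing is ever installed. The function names are hypothetical, and the probe assumes the usual kernel behaviour of failing with EFAULT when filter mode is available and EINVAL or ENOSYS when it is not.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE /* for syscall() */
#endif
#include <errno.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>

/* Added example, not CRIU code. Fallback values are the Linux UAPI constants. */
#ifndef SECCOMP_MODE_FILTER
#define SECCOMP_MODE_FILTER 2
#endif
#ifndef SECCOMP_SET_MODE_FILTER
#define SECCOMP_SET_MODE_FILTER 1
#endif

enum probe_result { PROBE_UNSUPPORTED, PROBE_SUPPORTED, PROBE_UNKNOWN };
/* A NULL filter is never installed: a kernel with filter support fails while
 * copying it (EFAULT), a kernel without it rejects the request itself. */
enum probe_result classify_probe(long ret, int err)
{
	if (ret == 0) return PROBE_UNKNOWN;       /* must not succeed with NULL */
	if (err == EFAULT) return PROBE_SUPPORTED;
	if (err == EINVAL || err == ENOSYS) return PROBE_UNSUPPORTED;
	return PROBE_UNKNOWN;                     /* e.g. EPERM from a sandbox */
}

/* Probe the prctl() entry point for filter mode. */
enum probe_result probe_prctl_filter(void)
{
	long ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0);
	return classify_probe(ret, errno);
}

/* Probe the seccomp() syscall, which is what SECCOMP_SET_MODE_FILTER is for. */
enum probe_result probe_seccomp_syscall(void)
{
#ifdef __NR_seccomp
	long ret = syscall(__NR_seccomp, SECCOMP_SET_MODE_FILTER, 0, NULL);
	return classify_probe(ret, errno);
#else
	return PROBE_UNKNOWN; /* syscall number not known at build time */
#endif
}

int main(void)
{
	printf("prctl: %d, seccomp(): %d\n", probe_prctl_filter(), probe_seccomp_syscall());
	return 0;
}
```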
