[CRIU] [PATCH 02/28] seccomp: Fetch seccomp flags if kernel provides
Cyrill Gorcunov
gorcunov at gmail.com
Wed Mar 21 00:42:47 MSK 2018
From: Cyrill Gorcunov <gorcunov at virtuozzo.com>
Note that we don't check it on restore yet; we just save it in the image.
Signed-off-by: Cyrill Gorcunov <gorcunov at virtuozzo.com>
---
criu/seccomp.c | 30 ++++++++++++++++++++++++++++--
images/seccomp.proto | 1 +
2 files changed, 29 insertions(+), 2 deletions(-)
diff --git a/criu/seccomp.c b/criu/seccomp.c
index 6416e793c61f..63a1eb298b58 100644
--- a/criu/seccomp.c
+++ b/criu/seccomp.c
@@ -23,7 +23,8 @@ static int next_filter_id = 0;
static struct seccomp_info **filters = NULL;
static struct seccomp_info *find_inherited(struct pstree_item *parent,
- struct sock_filter *filter, int len)
+ struct sock_filter *filter,
+ int len, struct seccomp_metadata *meta)
{
struct seccomp_info *info;
@@ -35,6 +36,12 @@ static struct seccomp_info *find_inherited(struct pstree_item *parent,
if (len != info->filter.filter.len)
continue;
+ if (!!meta ^ !!info->filter.has_flags)
+ continue;
+ if (info->filter.has_flags && meta) {
+ if (info->filter.flags != meta->flags)
+ continue;
+ }
if (!memcmp(filter, info->filter.filter.data, len))
return info;
}
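Review bot: The new flag comparison sits behind `if (len != info->filter.filter.len)`, and the two sides of that test appear to use different units. The last hunk of this file stores `filter.filter.len` as `len * sizeof(struct sock_filter)`, while the caller seems to pass an instruction count, so a candidate may never reach the flag check and `memcmp` would cover only `len` bytes; this should be confirmed against the full function, which starts outside the hunk. Separately, once the XOR test passes both presence bits are equal, so the nested block reduces to `if (meta && info->filter.flags != meta->flags) continue;`. A one-line comment saying that filters with identical instructions but different flags are deliberately not treated as inherited would also help.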
@@ -44,6 +51,7 @@ static struct seccomp_info *find_inherited(struct pstree_item *parent,
static int collect_filter_for_pstree(struct pstree_item *item)
{
+ struct seccomp_metadata meta_buf, *meta = &meta_buf;
struct seccomp_info *infos = NULL, *cursor;
int info_count, i, ret = -1;
struct sock_filter buf[BPF_MAXINSNS];
@@ -72,7 +80,20 @@ static int collect_filter_for_pstree(struct pstree_item *item)
}
}
- inherited = find_inherited(item->parent, buf, len);
+ if (!meta)
+ meta = &meta_buf;
+
+ if (ptrace(PTRACE_SECCOMP_GET_METADATA, item->pid->real, i, meta) < 0) {
+ if (errno == EIO) {
+ meta = NULL;
+ } else {
+ pr_perror("couldn't fetch seccomp metadata: pid %d pos %d",
+ item->pid->real, i);
+ goto out;
+ }
+ }
+
+ inherited = find_inherited(item->parent, buf, len, meta);
if (inherited) {
bool found = false;
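Review bot: The `PTRACE_SECCOMP_GET_METADATA` call passes the filter index `i` as the addr argument and never initialises `meta_buf`. Per ptrace(2), this request expects the size of the structure in addr and reads the filter index from the `filter_off` field of the structure that data points to. As written the kernel would read an uninitialised `filter_off` and treat `i` as a size, so the call can fail with EINVAL for small indices or return metadata for a different filter than the one just read into `buf`. The flags saved in the image would then not describe that filter. Setting `meta->filter_off = i;` before the call and passing `sizeof(*meta)` as the third argument would fix this; the body of collect_filter_for_pstree continues outside the hunk.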
@@ -96,6 +117,11 @@ static int collect_filter_for_pstree(struct pstree_item *item)
goto out;
seccomp_filter__init(&info->filter);
+ if (meta) {
+ info->filter.has_flags = true;
+ info->filter.flags = meta->flags;
+ }
+
info->filter.filter.len = len * sizeof(struct sock_filter);
info->filter.filter.data = xmalloc(info->filter.filter.len);
if (!info->filter.filter.data) {
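Review bot: The assignment `info->filter.flags = meta->flags;` may silently narrow the value. If `struct seccomp_metadata` follows the kernel uapi layout, its `flags` member is 64-bit, while the image field added in images/seccomp.proto is `optional uint32 flags = 3;`. Flags defined today fit in 32 bits, but a bit set above that would be dropped without any diagnostic, so either widen the proto field to `uint64` or reject values that do not fit before saving. Since restore does not consume the field yet, a comment here such as `/* recorded only; restore does not re-apply filter flags yet */` would stop readers from assuming the flags survive a checkpoint/restore cycle.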
diff --git a/images/seccomp.proto b/images/seccomp.proto
index 565a7cdd4915..177e5fd4a50a 100644
--- a/images/seccomp.proto
+++ b/images/seccomp.proto
@@ -3,6 +3,7 @@ syntax = "proto2";
message seccomp_filter {
required bytes filter = 1;
optional uint32 prev = 2;
+ optional uint32 flags = 3;
}
message seccomp_entry {
--
2.14.3