[CRIU] [PATCH 4/9] seccomp: Fetch seccomp flags if kernel provides

Cyrill Gorcunov gorcunov at gmail.com
Sat May 5 00:07:00 MSK 2018


On Fri, May 04, 2018 at 08:07:33PM +0100, Dmitry Safonov wrote:
> > @@ -47,6 +54,7 @@ static struct seccomp_info *find_inherited(struct pstree_item *parent,
> >
> >  static int collect_filter_for_pstree(struct pstree_item *item)
> >  {
> > +       struct seccomp_metadata meta_buf, *meta = &meta_buf;
> >         struct seccomp_info *infos = NULL, *cursor;
> >         int info_count, i, ret = -1;
> >         struct sock_filter buf[BPF_MAXINSNS];
> > @@ -75,7 +83,29 @@ static int collect_filter_for_pstree(struct pstree_item *item)
> >                         }
> >                 }
> >
> > -               inherited = find_inherited(item->parent, buf, len);
> > +               if (!meta)
> > +                       meta = &meta_buf;
> > +
> > +               meta->flags = 0;
> > +               meta->filter_off = i;
> > +
> > +               if (ptrace(PTRACE_SECCOMP_GET_METADATA, item->pid->real, sizeof(meta), meta) < 0) {
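
Review bot: In the PTRACE_SECCOMP_GET_METADATA call, sizeof(meta) is the size of the pointer, because meta is declared as "*meta = &meta_buf", so the length passed does not describe the struct seccomp_metadata buffer that holds both filter_off and flags. Pass sizeof(*meta) (or sizeof(meta_buf)) so the size argument matches the structure the call is meant to fill.
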
> 
> Maybe sizeof(*meta), huh?

Heh, indeed. At the moment it simply fetches the offset without the flag itself.
Actually I don't know yet how to test this feature because the output
for logging goes into the system console.

>                                    ^
> At this moment, if I see correctly in the Linux code, the kernel will not write flags.
> So, also a nit: meta->flags needs no initialization.

I know, I put it here for consistency. Maybe worth dropping.

> 
> It would be cleaner with kdat feature..
> But at least, can we do something:
> if (meta && ptrace())?
> It'll evaporate dirty lines with
> if (!meta) meta = &meta_buf;
> and will make it a bit faster on kernels without support even without kdat.

Will do, thanks!
