[CRIU] [PATCH 4/9] seccomp: Fetch seccomp flags if kernel provides
Cyrill Gorcunov
gorcunov at gmail.com
Sat May 5 00:07:00 MSK 2018
On Fri, May 04, 2018 at 08:07:33PM +0100, Dmitry Safonov wrote:
> > @@ -47,6 +54,7 @@ static struct seccomp_info *find_inherited(struct pstree_item *parent,
> >
> > static int collect_filter_for_pstree(struct pstree_item *item)
> > {
> > + struct seccomp_metadata meta_buf, *meta = &meta_buf;
> > struct seccomp_info *infos = NULL, *cursor;
> > int info_count, i, ret = -1;
> > struct sock_filter buf[BPF_MAXINSNS];
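Review bot: the new meta pointer in the declarations is initialised to &meta_buf, and the following hunk assigns the same address again under if (!meta); in the lines shown nothing sets meta to NULL in between. If NULL is meant to signal "no metadata support", say so in a comment at this declaration; otherwise drop the pointer and pass &meta_buf directly.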
> > @@ -75,7 +83,29 @@ static int collect_filter_for_pstree(struct pstree_item *item)
> > }
> > }
> >
> > - inherited = find_inherited(item->parent, buf, len);
> > + if (!meta)
> > + meta = &meta_buf;
> > +
> > + meta->flags = 0;
> > + meta->filter_off = i;
> > +
> > + if (ptrace(PTRACE_SECCOMP_GET_METADATA, item->pid->real, sizeof(meta), meta) < 0) {
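Review bot: sizeof(meta) in the ptrace() call is the size of a pointer, not of struct seccomp_metadata, so the length passed does not describe the buffer; use sizeof(*meta) or sizeof(meta_buf). Because meta->flags is set to 0 just above, a short read leaves flags at zero and looks the same as a filter with no flags set, so the mistake is silent.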
>
> Maybe sizeof(*meta), huh?
Heh, indeed. At the moment it simply fetches the offset without the flag itself.
Actually I don't know yet how to test this feature because the output
for logging goes into the system console.
> ^
> At this moment, if I see correctly in linux code - kernel will not write flags.
> So, also a nit: meta->flags needs no initialization.
I know, I put it here for consistency. Maybe worth dropping.
>
> It would be cleaner with kdat feature..
> But at least, can we do something:
> if (meta && ptrace())?
> It'll evaporate dirty lines with
> if (!meta) meta = &meta_buf;
> and will make it a bit faster on kernels without support even without kdat.
Will do, thanks!