Mirrors/criu
1
0
Fork 0
mirror of https://github.com/checkpoint-restore/criu.git synced 2026-01-23 02:14:37 +00:00
Code Issues Projects Releases Wiki Activity

seccomp: Fetch seccomp flags if kernel provides

Browse source 
Note that there is no real usage of this flag on restore,
we simply save it in image and will make a real use
later.

Signed-off-by: Cyrill Gorcunov <gorcunov@gmail.com>
Signed-off-by: Andrei Vagin <avagin@virtuozzo.com>
This commit is contained in:
Cyrill Gorcunov 2018-05-07 11:42:44 +03:00 committed by Andrei Vagin
parent 4776079e0b
commit 06626522d1
2 changed files with 38 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

39
criu/seccomp.c
View file

@ -26,7 +26,8 @@ static int next_filter_id = 0;
static struct seccomp_info **filters = NULL;
static struct seccomp_info *find_inherited(struct pstree_item *parent,
struct sock_filter *filter, int len)
struct sock_filter *filter,
int len, struct seccomp_metadata *meta)
{
struct seccomp_info *info;
@ -38,6 +39,12 @@ static struct seccomp_info *find_inherited(struct pstree_item *parent,
if (len != info->filter.filter.len)
continue;
if (!!meta ^ !!info->filter.has_flags)
continue;
if (info->filter.has_flags && meta) {
if (info->filter.flags != meta->flags)
continue;
}
if (!memcmp(filter, info->filter.filter.data, len))
return info;
}
@ -47,6 +54,7 @@ static struct seccomp_info *find_inherited(struct pstree_item *parent,
static int collect_filter_for_pstree(struct pstree_item *item)
{
struct seccomp_metadata meta_buf, *meta = &meta_buf;
struct seccomp_info *infos = NULL, *cursor;
int info_count, i, ret = -1;
struct sock_filter buf[BPF_MAXINSNS];
@ -75,7 +83,29 @@ static int collect_filter_for_pstree(struct pstree_item *item)
}
}
inherited = find_inherited(item->parent, buf, len);
if (!meta)
meta = &meta_buf;
meta->flags = 0;
meta->filter_off = i;
if (ptrace(PTRACE_SECCOMP_GET_METADATA, item->pid->real, sizeof(meta), meta) < 0) {
if (errno == EIO) {
/*
* No PTRACE_SECCOMP_GET_METADATA support in
* kernel detected, thus simply ignore. Moving
* it into kerndat is preferred but not
* required.
*/
meta = NULL;
} else {
pr_perror("couldn't fetch seccomp metadata: pid %d pos %d",
item->pid->real, i);
goto out;
}
}
inherited = find_inherited(item->parent, buf, len, meta);
if (inherited) {
bool found = false;
@ -99,6 +129,11 @@ static int collect_filter_for_pstree(struct pstree_item *item)
goto out;
seccomp_filter__init(&info->filter);
if (meta) {
info->filter.has_flags = true;
info->filter.flags = meta->flags;
}
info->filter.filter.len = len * sizeof(struct sock_filter);
info->filter.filter.data = xmalloc(info->filter.filter.len);
if (!info->filter.filter.data) {

1
images/seccomp.proto
View file

@ -3,6 +3,7 @@ syntax = "proto2";
message seccomp_filter {
required bytes filter = 1;
optional uint32 prev = 2;
optional uint32 flags = 3;
}
message seccomp_entry {