[02/28] seccomp: Fetch seccomp flags if kernel provides

Submitted by Cyrill Gorcunov on March 20, 2018, 9:42 p.m.

Details

Message ID 20180320214313.25326-3-gorcunov@gmail.com
State Rejected
Series "seccomp, v2: Add support for per-thread tracking"

Commit Message

Cyrill Gorcunov March 20, 2018, 9:42 p.m.
From: Cyrill Gorcunov <gorcunov@virtuozzo.com>

Note that we don't check it on restore yet; we just save it in the image.

Signed-off-by: Cyrill Gorcunov <gorcunov@virtuozzo.com>
---
 criu/seccomp.c       | 30 ++++++++++++++++++++++++++++--
 images/seccomp.proto |  1 +
 2 files changed, 29 insertions(+), 2 deletions(-)


diff --git a/criu/seccomp.c b/criu/seccomp.c
index 6416e793c61f..63a1eb298b58 100644
--- a/criu/seccomp.c
+++ b/criu/seccomp.c
@@ -23,7 +23,8 @@  static int next_filter_id = 0;
 static struct seccomp_info **filters = NULL;
 
 static struct seccomp_info *find_inherited(struct pstree_item *parent,
-					   struct sock_filter *filter, int len)
+					   struct sock_filter *filter,
+					   int len, struct seccomp_metadata *meta)
 {
 	struct seccomp_info *info;
 
@@ -35,6 +36,12 @@  static struct seccomp_info *find_inherited(struct pstree_item *parent,
 
 		if (len != info->filter.filter.len)
 			continue;
+		if (!!meta ^ !!info->filter.has_flags)
+			continue;
+		if (info->filter.has_flags && meta) {
+			if (info->filter.flags != meta->flags)
+				continue;
+		}
 		if (!memcmp(filter, info->filter.filter.data, len))
 			return info;
 	}
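Review bot: The second test, `if (info->filter.has_flags && meta)`, is redundant once the XOR check above it has passed, because both sides are then known to agree; `if (meta && info->filter.flags != meta->flags) continue;` expresses the same thing in one line. A short comment such as `/* same program with different flags is a different filter */` would record why flags take part in the match. Separately, the context line compares `len` with `info->filter.filter.len`, which the last criu/seccomp.c hunk stores as `len * sizeof(struct sock_filter)`. If the caller passes an instruction count, as the call in collect_filter_for_pstree suggests, the length test and the `memcmp` size are in different units and the new flags comparison may rarely be reached. find_inherited begins outside this hunk.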
@@ -44,6 +51,7 @@  static struct seccomp_info *find_inherited(struct pstree_item *parent,
 
 static int collect_filter_for_pstree(struct pstree_item *item)
 {
+	struct seccomp_metadata meta_buf, *meta = &meta_buf;
 	struct seccomp_info *infos = NULL, *cursor;
 	int info_count, i, ret = -1;
 	struct sock_filter buf[BPF_MAXINSNS];
@@ -72,7 +80,20 @@  static int collect_filter_for_pstree(struct pstree_item *item)
 			}
 		}
 
-		inherited = find_inherited(item->parent, buf, len);
+		if (!meta)
+			meta = &meta_buf;
+
+		if (ptrace(PTRACE_SECCOMP_GET_METADATA, item->pid->real, i, meta) < 0) {
+			if (errno == EIO) {
+				meta = NULL;
+			} else {
+				pr_perror("couldn't fetch seccomp metadata: pid %d pos %d",
+					  item->pid->real, i);
+				goto out;
+			}
+		}
+
+		inherited = find_inherited(item->parent, buf, len, meta);
 		if (inherited) {
 			bool found = false;
 
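Review bot: The call `ptrace(PTRACE_SECCOMP_GET_METADATA, item->pid->real, i, meta)` passes the filter index where the kernel expects the buffer size, and never sets the index field the kernel reads from the buffer. In the kernel interface the addr argument is the size of struct seccomp_metadata and the filter position is taken from `filter_off`, so this should be `meta->filter_off = i;` followed by `ptrace(PTRACE_SECCOMP_GET_METADATA, item->pid->real, sizeof(*meta), meta)`. As written, small values of `i` are likely rejected with EINVAL, which is not the tolerated EIO case and so takes the `goto out` path and fails the dump. `meta_buf` is declared without an initializer in the previous hunk, so a short copy-out could leave `flags` indeterminate before it is compared and saved; declaring it as `struct seccomp_metadata meta_buf = { 0 }` avoids that. collect_filter_for_pstree's body continues outside this hunk.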
@@ -96,6 +117,11 @@  static int collect_filter_for_pstree(struct pstree_item *item)
 			goto out;
 		seccomp_filter__init(&info->filter);
 
+		if (meta) {
+			info->filter.has_flags = true;
+			info->filter.flags = meta->flags;
+		}
+
 		info->filter.filter.len = len * sizeof(struct sock_filter);
 		info->filter.filter.data = xmalloc(info->filter.filter.len);
 		if (!info->filter.filter.data) {
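Review bot: `info->filter.flags = meta->flags;` may silently truncate, because the kernel's struct seccomp_metadata carries a 64-bit flags field while images/seccomp.proto in this commit declares `optional uint32 flags = 3;`. The structure definition is not visible here, so this is inferred; if it holds, either widen the proto field to `uint64` or refuse to dump when `meta->flags` does not fit in 32 bits. The commit message says restore does not yet consume the value, so a comment at this assignment along the lines of `/* recorded only; not re-applied on restore yet */` would keep a reader from assuming the restored filter carries the same flags. The enclosing function continues outside this hunk.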
diff --git a/images/seccomp.proto b/images/seccomp.proto
index 565a7cdd4915..177e5fd4a50a 100644
--- a/images/seccomp.proto
+++ b/images/seccomp.proto
@@ -3,6 +3,7 @@  syntax = "proto2";
 message seccomp_filter {
 	required bytes		filter			= 1;
 	optional uint32		prev			= 2;
+	optional uint32		flags			= 3;
 }
 
 message seccomp_entry {