[05/28] seccomp: Use collected seccomp_entry to figure out if filter is present

Submitted by Cyrill Gorcunov on March 20, 2018, 9:42 p.m.

Details

Message ID 20180320214313.25326-6-gorcunov@gmail.com
State Rejected
Series "seccomp, v2: Add support for per-thread tracking"

Commit Message

Cyrill Gorcunov March 20, 2018, 9:42 p.m.
From: Cyrill Gorcunov <gorcunov@virtuozzo.com>

Signed-off-by: Cyrill Gorcunov <gorcunov@virtuozzo.com>
---
 criu/include/seccomp.h |  1 +
 criu/seccomp.c         | 25 +++++++++++++++++++++++--
 2 files changed, 24 insertions(+), 2 deletions(-)


diff --git a/criu/include/seccomp.h b/criu/include/seccomp.h
index d1b2dcd3d81d..2eab28b1f0c1 100644
--- a/criu/include/seccomp.h
+++ b/criu/include/seccomp.h
@@ -34,6 +34,7 @@  struct seccomp_entry {
 	unsigned int		mode;
 };
 
+extern struct seccomp_entry *seccomp_find_entry(const struct pstree_item *item, pid_t tid);
 extern int seccomp_collect_entry(const struct pstree_item *item, pid_t tid, unsigned int mode);
 
 struct seccomp_info {
diff --git a/criu/seccomp.c b/criu/seccomp.c
index 16e965820838..843000b13831 100644
--- a/criu/seccomp.c
+++ b/criu/seccomp.c
@@ -18,6 +18,21 @@ 
 #include "protobuf.h"
 #include "images/seccomp.pb-c.h"
 
+struct seccomp_entry *seccomp_find_entry(const struct pstree_item *item, pid_t tid)
+{
+	struct dmp_info *dinfo = dmpi(item);
+	size_t i;
+
+	for (i = 0; i < dinfo->nr_seccomp_entry; i++) {
+		if (dinfo->seccomp_entry[i].tid == tid)
+			return &dinfo->seccomp_entry[i];
+	}
+
+	pr_err("Can't find entry on pid %d tid %d (%zu entries)\n",
+	       item->pid->real, tid, dinfo->nr_seccomp_entry);
+	return NULL;
+}
+
 int seccomp_collect_entry(const struct pstree_item *item, pid_t tid, unsigned int mode)
 {
 	struct dmp_info *dinfo = dmpi(item);
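Review bot: seccomp_find_entry returns a pointer to an element of `dinfo->seccomp_entry`, and nothing in the function or the header says how long that pointer stays valid. If seccomp_collect_entry (whose body lies outside this hunk) grows the array by reallocating it, a pointer held across a later collect call would dangle, so the lookup should only be used once collection for the item has finished. I would record that above the definition, e.g. `/* Returned pointer aliases dmpi(item)->seccomp_entry[]; do not hold it across seccomp_collect_entry(). */`. The miss path also logs through pr_err, which suits the caller added in this patch but means the helper cannot serve as a quiet presence probe.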
@@ -76,12 +91,18 @@  static int collect_filter_for_pstree(struct pstree_item *item)
 {
 	struct seccomp_metadata meta_buf, *meta = &meta_buf;
 	struct seccomp_info *infos = NULL, *cursor;
+	struct seccomp_entry *entry;
 	int info_count, i, ret = -1;
 	struct sock_filter buf[BPF_MAXINSNS];
 	void *m;
 
-	if (item->pid->state == TASK_DEAD ||
-	    dmpi(item)->pi_creds->s.seccomp_mode != SECCOMP_MODE_FILTER)
+	if (item->pid->state == TASK_DEAD)
+		return 0;
+
+	entry = seccomp_find_entry(item, item->pid->real);
+	if (!entry)
+		return -1;
+	if (entry->mode != SECCOMP_MODE_FILTER)
 		return 0;
 
 	for (i = 0; true; i++) {
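Review bot: The lookup `seccomp_find_entry(item, item->pid->real)` consults only the entry whose tid equals the leader's pid, so the early `return 0` on `entry->mode != SECCOMP_MODE_FILTER` skips filter collection for the whole item based on one thread's mode. With per-thread tracking, as the series title suggests, a non-leader thread could be in filter mode while the leader is not, and its filter would not be collected on this path; whether later patches in the series cover that is not visible here. The commit message is empty, so a comment such as `/* only the leader's mode is checked here; other threads' entries are not consulted */` would record the limitation. Returning -1 when no entry was collected presumably fails the dump instead of continuing without seccomp state, which is the safer direction. collect_filter_for_pstree continues past the end of the hunk.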