author | Alice Frosi <afrosi@redhat.com> | 2023-01-19 16:56:28 +0100 |
---|---|---|
committer | Alice Frosi <afrosi@redhat.com> | 2023-02-15 11:31:46 +0100 |
commit | 4d80c91ea37b6903ca6d5cdb788db6b2f0b44b09 (patch) | |
tree | f23d1c5eb3755632fb0d82a308da05b396cd36ae | |
parent | cc0ae5b0b0418ba6cebd7f6b7b45001de15a0c48 (diff) | |
eater: unset O_CLOEXEC for the seccomp notifier fd
Preserve the seccomp notifier fd after the exec. In this way, if seitan
needs to restart, it is able to retrieve the fd from /proc/<pid>/fd of the
target.
Signed-off-by: Alice Frosi <afrosi@redhat.com>
-rw-r--r-- | Makefile | 4 | ||||
-rw-r--r-- | eater.c | 23 |
2 files changed, 22 insertions, 5 deletions
@@ -21,8 +21,8 @@ build: build.c filter.c filter.h numbers.h bpf_dbg: disasm.c disasm.h bpf_dbg.c $(CC) $(CFLAGS) -o bpf_dbg bpf_dbg.c disasm.c -seitan-eater: eater.c - $(CC) $(CFLAGS) -o seitan-eater eater.c +seitan-eater: eater.c common.h common.c + $(CC) $(CFLAGS) -o seitan-eater eater.c common.c seitan: seitan.c transform.h common.h common.c $(CC) $(CFLAGS) -o seitan seitan.c common.c @@ -26,6 +26,11 @@ #include <linux/filter.h> #include <linux/seccomp.h> +#include <dirent.h> +#include <sys/stat.h> + +#include "common.h" + extern char **environ; static char doc[] = @@ -92,7 +97,7 @@ int main(int argc, char **argv) struct sock_fprog prog; struct sigaction act; size_t n; - int fd; + int fd, flags; argp_parse(&argp, argc, argv, 0, 0, &arguments); fd = open(arguments.input_file, O_CLOEXEC | O_RDONLY); @@ -105,11 +110,22 @@ int main(int argc, char **argv) perror("prctl"); exit(EXIT_FAILURE); } - if ((fd = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_NEW_LISTENER, - &prog) < 0)) { + if (seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_NEW_LISTENER, + &prog) < 0) { perror("seccomp"); exit(EXIT_FAILURE); } + /* + * close-on-exec flag is set for the file descriptor by seccomp. + * We want to preserve the fd on the exec in this way we are able + * to easly find the notifier fd if seitan restarts. + */ + fd = find_fd_seccomp_notifier("/proc/self/fd"); + flags = fcntl(fd, F_GETFD); + if (fcntl(fd, F_SETFD, flags & !FD_CLOEXEC) < 0) { + perror("fcntl"); + exit(EXIT_FAILURE); + } act.sa_handler = signal_handler; sigaction(SIGCONT, &act, NULL); pause(); @@ -120,5 +136,6 @@ int main(int argc, char **argv) perror("execvpe"); exit(EXIT_FAILURE); } + close(fd); return EXIT_FAILURE; } |
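Review bot: In the added fcntl block of main() (hunk at -105,11; the function starts and ends outside it), `flags & !FD_CLOEXEC` uses logical NOT, so the mask is `0` and every descriptor flag is cleared; it only has the intended effect because FD_CLOEXEC is the sole fd flag today. The line should read `if (fcntl(fd, F_SETFD, flags & ~FD_CLOEXEC) < 0) {`. The results of `find_fd_seccomp_notifier("/proc/self/fd")` and `fcntl(fd, F_GETFD)` are also used unchecked, so a failed lookup hands a negative fd or flags value to F_SETFD; an `if (fd < 0 || (flags = fcntl(fd, F_GETFD)) < 0)` guard would report the real failure. Since seccomp() with SECCOMP_FILTER_FLAG_NEW_LISTENER returns the listener fd on success, assigning it with `fd = seccomp(...)` before the `< 0` test (assuming the local wrapper passes the return value through) would avoid the /proc scan and the risk of picking a different descriptor. The comment should also state that the exec'd target now inherits the listener for its own filter, so the design trusts that process not to use the fd itself.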