diff options
| author | Alice Frosi <afrosi@redhat.com> | 2023-01-16 17:22:51 +0100 |
|---|---|---|
| committer | Alice Frosi <afrosi@redhat.com> | 2023-01-17 13:05:41 +0100 |
| commit | 8d44fb83386c1834163f037b077c03cf6cc7f748 (patch) | |
| tree | b2355286bf41b2b0210df6f4563b5d5a70bfc5c6 | |
| parent | f9c6d862789eb5961502862882d2dc33eff854b8 (diff) | |
| download | seitan-8d44fb83386c1834163f037b077c03cf6cc7f748.tar seitan-8d44fb83386c1834163f037b077c03cf6cc7f748.tar.gz seitan-8d44fb83386c1834163f037b077c03cf6cc7f748.tar.bz2 seitan-8d44fb83386c1834163f037b077c03cf6cc7f748.tar.lz seitan-8d44fb83386c1834163f037b077c03cf6cc7f748.tar.xz seitan-8d44fb83386c1834163f037b077c03cf6cc7f748.tar.zst seitan-8d44fb83386c1834163f037b077c03cf6cc7f748.zip | |
Use signals instead of connect for synchronization
The connect syscall was used to synchronize seitan and the eater for the
seccomp installation filter and notifier initialization. However, we
assume that the fd 0 is always free, and this might not always be the
case.
Try to implement an alternative and more robust solution.
Signed-off-by: Alice Frosi <afrosi@redhat.com>
| -rw-r--r-- | eater.c | 8 | ||||
| -rw-r--r-- | seitan.c | 16 |
2 files changed, 23 insertions, 1 deletions
@@ -20,6 +20,7 @@ #include <sys/prctl.h> #include <sys/syscall.h> #include <sys/socket.h> +#include <signal.h> #include <linux/audit.h> #include <linux/filter.h> @@ -75,6 +76,8 @@ static int seccomp(unsigned int operation, unsigned int flags, void *args) return syscall(__NR_seccomp, operation, flags, args); } +static void signal_handler(__attribute__((unused))int s){} + /** * main() - Entry point * @argc: Argument count @@ -87,6 +90,7 @@ int main(int argc, char **argv) struct sock_filter filter[1024]; struct arguments arguments; struct sock_fprog prog; + struct sigaction act; size_t n; int fd; @@ -106,8 +110,10 @@ int main(int argc, char **argv) perror("seccomp"); exit(EXIT_FAILURE); } + act.sa_handler = signal_handler; + sigaction(SIGCONT, &act, NULL); + pause(); - connect(0, NULL, 0); /* Wait for seitan to unblock this */ execvpe(argv[arguments.program_index], &argv[arguments.program_index], environ); if (errno != ENOENT) { @@ -168,6 +168,19 @@ struct table { static struct table t[16]; +static int pidfd_send_signal(int pidfd, int sig, siginfo_t *info, + unsigned int flags) +{ + return syscall(__NR_pidfd_send_signal, pidfd, sig, info, flags); +} + +static void unblock_eater(int pidfd){ + if (pidfd_send_signal(pidfd, SIGCONT, NULL, 0) == -1) { + perror("pidfd_send_signal"); + exit(EXIT_FAILURE); + } +} + int handle(struct seccomp_notif *req, int notifyfd) { char path[PATH_MAX + 1]; @@ -259,6 +272,9 @@ int main(int argc, char **argv) perror("epoll_ctl: notifier"); exit(EXIT_FAILURE); } + /* Unblock seitan-loader */ + unblock_eater(pidfd); + while(running) { nevents = epoll_wait(epollfd, events, EPOLL_EVENTS, -1); if (nevents < 0 ) { |