authorAlice Frosi <afrosi@redhat.com>2023-01-16 17:22:51 +0100
committerAlice Frosi <afrosi@redhat.com>2023-01-17 13:05:41 +0100
commit8d44fb83386c1834163f037b077c03cf6cc7f748 (patch)
treeb2355286bf41b2b0210df6f4563b5d5a70bfc5c6
parentf9c6d862789eb5961502862882d2dc33eff854b8 (diff)
Use signals instead of connect for synchronization
The connect syscall was used to synchronize seitan and the eater for the seccomp filter installation and notifier initialization. However, this assumes that fd 0 is always free, which might not always be the case. Try to implement an alternative, more robust solution. Signed-off-by: Alice Frosi <afrosi@redhat.com>
-rw-r--r--eater.c8
-rw-r--r--seitan.c16
2 files changed, 23 insertions, 1 deletions
diff --git a/eater.c b/eater.c
index cd03b44..ad2136e 100644
--- a/eater.c
+++ b/eater.c
@@ -20,6 +20,7 @@
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/socket.h>
+#include <signal.h>
#include <linux/audit.h>
#include <linux/filter.h>
@@ -75,6 +76,8 @@ static int seccomp(unsigned int operation, unsigned int flags, void *args)
return syscall(__NR_seccomp, operation, flags, args);
}
+static void signal_handler(__attribute__((unused))int s){}
+
/**
* main() - Entry point
* @argc: Argument count
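Review bot: The brace placement on `static void signal_handler(__attribute__((unused))int s){}` departs from the function style used two lines above in seccomp(), where the opening brace sits on its own line; the new unblock_eater() in seitan.c has the same inconsistency. Suggest `static void signal_handler(__attribute__((unused)) int s)` followed by `{` and `}` on their own lines, with a comment above it such as `/* Deliberately empty: pause() only returns after a handler has run, so SIGCONT needs one */` so the next reader does not mistake the empty body for unfinished work.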
@@ -87,6 +90,7 @@ int main(int argc, char **argv)
struct sock_filter filter[1024];
struct arguments arguments;
struct sock_fprog prog;
+ struct sigaction act;
size_t n;
int fd;
@@ -106,8 +110,10 @@ int main(int argc, char **argv)
perror("seccomp");
exit(EXIT_FAILURE);
}
+ act.sa_handler = signal_handler;
+ sigaction(SIGCONT, &act, NULL);
+ pause();
- connect(0, NULL, 0); /* Wait for seitan to unblock this */
execvpe(argv[arguments.program_index], &argv[arguments.program_index],
environ);
if (errno != ENOENT) {
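Review bot: pause() on the last added line can block forever, because a SIGCONT that arrives before sigaction() has installed the handler, or between sigaction() and pause(), is consumed by the signal's default action and never wakes the eater; seitan's unblock_eater() in seitan.c presumably fires as soon as it has the notifier, so the window is real. The safe shape is to block SIGCONT with sigprocmask() before the point where seitan may send it and then wait with sigsuspend(&oldmask), which unblocks the signal and sleeps atomically. The `struct sigaction act` declared in the previous hunk is also passed to sigaction() with sa_mask and sa_flags uninitialized, and sigaction()'s return value is ignored. main() starts and ends outside this hunk; the `sigset_t` declarations belong with the others at the top of main().
```c
	sigset_t block, oldmask;

	sigemptyset(&act.sa_mask);
	act.sa_flags = 0;
	act.sa_handler = signal_handler;
	if (sigaction(SIGCONT, &act, NULL) < 0) {
		perror("sigaction");
		exit(EXIT_FAILURE);
	}
	sigemptyset(&block);
	sigaddset(&block, SIGCONT);
	sigprocmask(SIG_BLOCK, &block, &oldmask);
	/* … unchanged: seccomp() filter install and its error check … */
	sigsuspend(&oldmask); /* atomically unblocks SIGCONT and waits for it */
	sigprocmask(SIG_SETMASK, &oldmask, NULL);
	/* … unchanged: execvpe() and ENOENT handling … */
```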
diff --git a/seitan.c b/seitan.c
index b227fc8..6c66593 100644
--- a/seitan.c
+++ b/seitan.c
@@ -168,6 +168,19 @@ struct table {
static struct table t[16];
+static int pidfd_send_signal(int pidfd, int sig, siginfo_t *info,
+ unsigned int flags)
+{
+ return syscall(__NR_pidfd_send_signal, pidfd, sig, info, flags);
+}
+
+static void unblock_eater(int pidfd){
+ if (pidfd_send_signal(pidfd, SIGCONT, NULL, 0) == -1) {
+ perror("pidfd_send_signal");
+ exit(EXIT_FAILURE);
+ }
+}
+
int handle(struct seccomp_notif *req, int notifyfd)
{
char path[PATH_MAX + 1];
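Review bot: pidfd_send_signal() and unblock_eater() are added without any documentation, unlike the kernel-doc style the files use elsewhere (eater.c's `main()` header), and the raw syscall wrapper has no fallback: on a kernel that lacks `__NR_pidfd_send_signal` the call fails with ENOSYS and the process exits with a bare `perror("pidfd_send_signal")` that does not say the eater was left waiting. Suggest a kernel-doc block above the wrapper stating that it is a thin wrapper around the raw syscall whose only caller passes flags 0, and one above unblock_eater() stating that it sends SIGCONT to the eater via its pidfd and terminates the process on failure. A more descriptive message, `perror("pidfd_send_signal: cannot unblock eater");`, would make the failure mode obvious in logs. handle()'s body continues outside the hunk.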
@@ -259,6 +272,9 @@ int main(int argc, char **argv)
perror("epoll_ctl: notifier");
exit(EXIT_FAILURE);
}
+ /* Unblock seitan-loader */
+ unblock_eater(pidfd);
+
while(running) {
nevents = epoll_wait(epollfd, events, EPOLL_EVENTS, -1);
if (nevents < 0 ) {
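Review bot: The comment `/* Unblock seitan-loader */` names a component the rest of the patch calls the eater (eater.c, unblock_eater()), which will mislead a reader grepping for it; it also omits the ordering reason that matters here, namely that the notifier fd has just been registered with epoll so the eater may now proceed to execvpe(). Suggest `/* Notifier registered with epoll: let the eater proceed to execvpe() */`. main() starts and ends outside this hunk.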