authorAlice Frosi <afrosi@redhat.com>2023-01-17 09:52:47 +0100
committerAlice Frosi <afrosi@redhat.com>2023-01-19 11:26:28 +0100
commite657e7d936209ebe2ed5a0cb5fd057810acb508b (patch)
treeb2560f7b7d67bd71260c3d605ac75a9859090082
parent8d44fb83386c1834163f037b077c03cf6cc7f748 (diff)
seitan: find fd of seccomp noitifier from proc
Instead of assuming that the fd of the notifier is always 3, find the correct fd from procfs. Signed-off-by: Alice Frosi <afrosi@redhat.com>
-rw-r--r--seitan.c56
1 files changed, 55 insertions, 1 deletions
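diff --git a/seitan.c b/seitan.c
index 6c66593..dd4bd9c 100644
--- a/seitan.c
+++ b/seitan.c
@@ -19,12 +19,15 @@
 #include <unistd.h>
 #include <limits.h>
 #include <signal.h>
+#include <dirent.h>
 #include <sys/prctl.h>
 #include <sys/syscall.h>
 #include <sys/ioctl.h>
 #include <sys/socket.h>
 #include <sys/un.h>
 #include <sys/epoll.h>
+#include <sys/stat.h>
+#include <sys/types.h>
 #include <argp.h>
 #include <linux/netlink.h>
 #include <linux/connector.h>
@@ -181,6 +184,51 @@ static void unblock_eater(int pidfd){
 }
 }
+static int find_fd_seccomp_notifier(int pid)
+{
+ char path[PATH_MAX + 1];
+ char entry[2*PATH_MAX + 1];
+ char buf[PATH_MAX + 1];
+ struct dirent *dp;
+ ssize_t nbytes;
+ struct stat sb;
+ DIR *dirp;
+
+ snprintf(path, sizeof(path), "/proc/%i/fd", pid);
+ if ((dirp = opendir(path)) == NULL) {
+ fprintf(stderr,"failed reading fds from proc \n");
+ return -1;
+ }
+ while ((dp = readdir (dirp)) != NULL) {
+ snprintf(entry, sizeof(entry), "%s/%s", path, dp->d_name);
+ if (lstat(entry, &sb) == -1) {
+ perror("lstat");
+ }
+ /* Skip the entry if it isn't a symbolic link */
+ if (!S_ISLNK(sb.st_mode))
+ continue;
+
+ nbytes = readlink(entry, buf, PATH_MAX);
+ if (nbytes == -1) {
+ perror("readlink");
+ }
+ if (nbytes == PATH_MAX) {
+ perror("buffer overflow");
+ continue;
+ }
+ /*
+ * From man proc: For file descriptors that have no
+ * corresponding inode (e.g., file descriptors produced by
+ * bpf(2)..), the entry will be a symbolic link with contents
+ * of the form:
+ * anon_inode:<file-type>
+ */
+ if (strcmp(buf, "anon_inode:seccomp notify") == 0)
+ return atoi(dp->d_name);
+ }
+ return -1;
+}
+
 int handle(struct seccomp_notif *req, int notifyfd)
 {
 char path[PATH_MAX + 1];
@@ -235,6 +283,7 @@ int main(int argc, char **argv)
 struct arguments arguments;
 bool running = true;
 int fd, epollfd;
+ int notifierfd;
 int nevents,i;
 arguments.pid = -1;
@@ -257,7 +306,12 @@ int main(int argc, char **argv)
 }
 sleep(1);
- if ((notifier = syscall(SYS_pidfd_getfd, pidfd, 3, 0)) < 0) {
+ if ((notifierfd = find_fd_seccomp_notifier(ret)) < 0){
+ fprintf(stderr, "failed getting fd of the notifier\n");
+ exit(EXIT_FAILURE);
+ }
+ printf("fd notifier: %d \n", notifierfd);
+ if ((notifier = syscall(SYS_pidfd_getfd, pidfd, notifierfd, 0)) < 0) {
 perror("pidfd_getfd");
 exit(EXIT_FAILURE);
 }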
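Review bot: In find_fd_seccomp_notifier (second hunk), readlink() does not NUL-terminate buf, so the strcmp() against "anon_inode:seccomp notify" reads past the link contents into uninitialized stack memory; add `buf[nbytes] = '\0';` right after the length check. The lstat() and readlink() error branches only print and fall through, so a failed lstat() tests a stale sb.st_mode and a failed readlink() compares an uninitialized buf; both branches should `continue`. dirp is never passed to closedir() on either return path, so every call leaks a directory stream (and its underlying fd). perror("buffer overflow") is also misleading because readlink() sets no errno when it truncates; a plain fprintf() is more accurate. The rewritten loop below addresses all four points while keeping the function's signature and return convention.
```c
static int find_fd_seccomp_notifier(int pid)
{
	/* … unchanged: local declarations, snprintf(path …) and opendir() … */
	int fd = -1;

	while ((dp = readdir(dirp)) != NULL) {
		snprintf(entry, sizeof(entry), "%s/%s", path, dp->d_name);
		if (lstat(entry, &sb) == -1) {
			perror("lstat");
			continue;	/* sb is not valid after a failed lstat() */
		}
		/* … unchanged: S_ISLNK check … */

		nbytes = readlink(entry, buf, PATH_MAX);
		if (nbytes == -1) {
			perror("readlink");
			continue;	/* buf is not valid after a failed readlink() */
		}
		if (nbytes == PATH_MAX) {
			/* readlink() does not set errno on truncation, so no perror() */
			fprintf(stderr, "link target too long: %s\n", entry);
			continue;
		}
		buf[nbytes] = '\0';	/* readlink() never NUL-terminates */
		/* … unchanged: "From man proc" comment … */
		if (strcmp(buf, "anon_inode:seccomp notify") == 0) {
			fd = atoi(dp->d_name);
			break;
		}
	}
	closedir(dirp);	/* release the stream on both the found and not-found paths */
	return fd;
}
```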