diff options
| author | Alice Frosi <afrosi@redhat.com> | 2023-01-17 09:52:47 +0100 |
|---|---|---|
| committer | Alice Frosi <afrosi@redhat.com> | 2023-01-19 11:26:28 +0100 |
| commit | e657e7d936209ebe2ed5a0cb5fd057810acb508b (patch) | |
| tree | b2560f7b7d67bd71260c3d605ac75a9859090082 | |
| parent | 8d44fb83386c1834163f037b077c03cf6cc7f748 (diff) | |
| download | seitan-e657e7d936209ebe2ed5a0cb5fd057810acb508b.tar seitan-e657e7d936209ebe2ed5a0cb5fd057810acb508b.tar.gz seitan-e657e7d936209ebe2ed5a0cb5fd057810acb508b.tar.bz2 seitan-e657e7d936209ebe2ed5a0cb5fd057810acb508b.tar.lz seitan-e657e7d936209ebe2ed5a0cb5fd057810acb508b.tar.xz seitan-e657e7d936209ebe2ed5a0cb5fd057810acb508b.tar.zst seitan-e657e7d936209ebe2ed5a0cb5fd057810acb508b.zip | |
seitan: find fd of seccomp noitifier from proc
Instead of assuming that the fd of the notifier is always 3, find the
correct fd from procfs.
Signed-off-by: Alice Frosi <afrosi@redhat.com>
| -rw-r--r-- | seitan.c | 56 |
1 files changed, 55 insertions, 1 deletions
@@ -19,12 +19,15 @@ #include <unistd.h> #include <limits.h> #include <signal.h> +#include <dirent.h> #include <sys/prctl.h> #include <sys/syscall.h> #include <sys/ioctl.h> #include <sys/socket.h> #include <sys/un.h> #include <sys/epoll.h> +#include <sys/stat.h> +#include <sys/types.h> #include <argp.h> #include <linux/netlink.h> #include <linux/connector.h> @@ -181,6 +184,51 @@ static void unblock_eater(int pidfd){ } } +static int find_fd_seccomp_notifier(int pid) +{ + char path[PATH_MAX + 1]; + char entry[2*PATH_MAX + 1]; + char buf[PATH_MAX + 1]; + struct dirent *dp; + ssize_t nbytes; + struct stat sb; + DIR *dirp; + + snprintf(path, sizeof(path), "/proc/%i/fd", pid); + if ((dirp = opendir(path)) == NULL) { + fprintf(stderr,"failed reading fds from proc \n"); + return -1; + } + while ((dp = readdir (dirp)) != NULL) { + snprintf(entry, sizeof(entry), "%s/%s", path, dp->d_name); + if (lstat(entry, &sb) == -1) { + perror("lstat"); + } + /* Skip the entry if it isn't a symbolic link */ + if (!S_ISLNK(sb.st_mode)) + continue; + + nbytes = readlink(entry, buf, PATH_MAX); + if (nbytes == -1) { + perror("readlink"); + } + if (nbytes == PATH_MAX) { + perror("buffer overflow"); + continue; + } + /* + * From man proc: For file descriptors that have no + * corresponding inode (e.g., file descriptors produced by + * bpf(2)..), the entry will be a symbolic link with contents + * of the form: + * anon_inode:<file-type> + */ + if (strcmp(buf, "anon_inode:seccomp notify") == 0) + return atoi(dp->d_name); + } + return -1; +} + int handle(struct seccomp_notif *req, int notifyfd) { char path[PATH_MAX + 1]; @@ -235,6 +283,7 @@ int main(int argc, char **argv) struct arguments arguments; bool running = true; int fd, epollfd; + int notifierfd; int nevents,i; arguments.pid = -1; @@ -257,7 +306,12 @@ int main(int argc, char **argv) } sleep(1); - if ((notifier = syscall(SYS_pidfd_getfd, pidfd, 3, 0)) < 0) { + if ((notifierfd = find_fd_seccomp_notifier(ret)) < 0){ + fprintf(stderr, "failed getting fd of the notifier\n"); + exit(EXIT_FAILURE); + } + printf("fd notifier: %d \n", notifierfd); + if ((notifier = syscall(SYS_pidfd_getfd, pidfd, notifierfd, 0)) < 0) { perror("pidfd_getfd"); exit(EXIT_FAILURE); } |