From 4d80c91ea37b6903ca6d5cdb788db6b2f0b44b09 Mon Sep 17 00:00:00 2001
From: Alice Frosi
Date: Thu, 19 Jan 2023 16:56:28 +0100
Subject: eater: unset O_CLOEXEC for the seccomp notifier fd

Preserve the seccomp notifier fd after the exec. In this way, if seitan needs to restat is able to retrive the fd from /proc//fd of the target.

Signed-off-by: Alice Frosi
---
 eater.c | 23 ++++++++++++++++++++---
 1 file changed, 20 insertions(+), 3 deletions(-)
 (limited to 'eater.c')

diff --git a/eater.c b/eater.c
index ad2136e..26250d8 100644
--- a/eater.c
+++ b/eater.c
@@ -26,6 +26,11 @@
 #include
 #include
+#include
+#include
+
+#include "common.h"
+
 extern char **environ;
 static char doc[] =
@@ -92,7 +97,7 @@ int main(int argc, char **argv)
 struct sock_fprog prog;
 struct sigaction act;
 size_t n;
- int fd;
+ int fd, flags;
 argp_parse(&argp, argc, argv, 0, 0, &arguments);
 fd = open(arguments.input_file, O_CLOEXEC | O_RDONLY);
@@ -105,11 +110,22 @@ int main(int argc, char **argv)
 perror("prctl");
 exit(EXIT_FAILURE);
 }
- if ((fd = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_NEW_LISTENER,
- &prog) < 0)) {
+ if (seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_NEW_LISTENER,
+ &prog) < 0) {
 perror("seccomp");
 exit(EXIT_FAILURE);
 }
+ /*
+ * close-on-exec flag is set for the file descriptor by seccomp.
+ * We want to preserve the fd on the exec in this way we are able
+ * to easly find the notifier fd if seitan restarts.
+ */
+ fd = find_fd_seccomp_notifier("/proc/self/fd");
+ flags = fcntl(fd, F_GETFD);
+ if (fcntl(fd, F_SETFD, flags & !FD_CLOEXEC) < 0) {
+ perror("fcntl");
+ exit(EXIT_FAILURE);
+ }
 act.sa_handler = signal_handler;
 sigaction(SIGCONT, &act, NULL);
 pause();
@@ -120,5 +136,6 @@ int main(int argc, char **argv)
 perror("execvpe");
 exit(EXIT_FAILURE);
 }
+ close(fd);
 return EXIT_FAILURE;
 }
--
cgit v1.2.3
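Review bot: `flags & !FD_CLOEXEC` in the added fcntl(F_SETFD) call uses logical NOT, so the mask is always 0 and every descriptor flag is cleared; it works only while FD_CLOEXEC is the sole flag, and should read `flags & ~FD_CLOEXEC`. The results of `find_fd_seccomp_notifier()` and `fcntl(fd, F_GETFD)` are also used unchecked, so a failed lookup surfaces as a misleading fcntl error. With SECCOMP_FILTER_FLAG_NEW_LISTENER the seccomp() call itself returns the listener descriptor (assuming the local wrapper passes the syscall result through), so keeping that value, as sketched below, avoids scanning /proc/self/fd and any chance of picking a different descriptor. Clearing close-on-exec also leaves the exec'd target holding the listener for its own filter, so the comment should state why the target is trusted not to read or answer notifications itself, or how that is prevented. main() begins and ends outside this hunk.

```c
	/* SECCOMP_FILTER_FLAG_NEW_LISTENER makes seccomp() return the notifier fd. */
	fd = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_NEW_LISTENER,
		     &prog);
	if (fd < 0) {
		perror("seccomp");
		exit(EXIT_FAILURE);
	}
	/* ... unchanged: comment explaining why close-on-exec is cleared ... */
	flags = fcntl(fd, F_GETFD);
	if (flags < 0 || fcntl(fd, F_SETFD, flags & ~FD_CLOEXEC) < 0) {
		perror("fcntl");
		exit(EXIT_FAILURE);
	}
```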
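Review bot: The added `close(fd)` looks unreachable: execvpe() returns only on failure, and the visible failure branch ends in `exit(EXIT_FAILURE)`, so control should never pass the closing brace before it. If the intent is to release the notifier descriptor when the exec fails, the call belongs inside that branch ahead of `exit`; otherwise it can be dropped. The condition that opens the branch is outside the hunk, so this is inferred from the branch's tail.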