Merge pull request #627 from giuseppe/seccomp-notifications-oci

seccomp: support notify listener

Author: rhatdan

Makefile.am

@@ -129,6 +129,7 @@ TESTS = tests/test_capabilities.py \
 	tests/test_resources.py \
 	tests/test_start.py \
 	tests/test_exec.py \
+	tests/test_seccomp.py \
 	$(UNIT_TESTS)
 
 .version:

contrib/seccomp-receiver/Makefile

@@ -0,0 +1,2 @@
+CFLAGS = -I../..
+seccomp-receiver: seccomp-receiver.c

contrib/seccomp-receiver/seccomp-receiver.c

@@ -0,0 +1,133 @@
+/*
+ * crun - OCI runtime written in C
+ *
+ * Copyright (C) 2021 Giuseppe Scrivano <[email protected]>
+ * crun is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * crun is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with crun.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#define _GNU_SOURCE
+
+#include <config.h>
+#include <stdarg.h>
+#include <stdlib.h>
+#include <sys/un.h>
+#include <sys/socket.h>
+#include <errno.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <sys/ioctl.h>
+#include <termios.h>
+#include <stdio.h>
+
+#define error(status, errno, fmt, ...) do {                             \
+    if (errno)                                                          \
+      fprintf (stderr, "crun: " fmt, ##__VA_ARGS__);                    \
+    else                                                                \
+      fprintf (stderr, "crun: %s:" fmt, strerror (errno), ##__VA_ARGS__); \
+    if (status)                                                         \
+      exit (status);                                                    \
+  } while(0)
+
+static int
+open_unix_domain_socket (const char *path)
+{
+  struct sockaddr_un addr = {};
+  int ret;
+  int fd = socket (AF_UNIX, SOCK_STREAM, 0);
+  if (fd < 0)
+    error (EXIT_FAILURE, errno, "error creating UNIX socket");
+
+  strcpy (addr.sun_path, path);
+  addr.sun_family = AF_UNIX;
+  ret = bind (fd, (struct sockaddr *) &addr, sizeof (addr));
+  if (ret < 0)
+    error (EXIT_FAILURE, errno, "error binding UNIX socket");
+
+  ret = listen (fd, 1);
+  if (ret < 0)
+    error (EXIT_FAILURE, errno, "listen");
+
+  return fd;
+}
+
+static void
+print_payload (int from)
+{
+  int fd = -1;
+  struct iovec iov[1];
+  struct msghdr msg = {};
+  char ctrl_buf[2048] = {};
+  char data[2048];
+  int ret;
+  struct cmsghdr *cmsg;
+
+  iov[0].iov_base = data;
+  iov[0].iov_len = sizeof (data) - 1;
+
+  msg.msg_name = NULL;
+  msg.msg_namelen = 0;
+  msg.msg_iov = iov;
+  msg.msg_iovlen = 1;
+  msg.msg_controllen = CMSG_SPACE (sizeof (int));
+  msg.msg_control = ctrl_buf;
+
+  do
+    ret = recvmsg (from, &msg, 0);
+  while (ret < 0 && errno == EINTR);
+  if (ret < 0)
+    {
+      error (0, errno, "recvmsg");
+      return;
+    }
+
+  data[iov[0].iov_len] = '\0';
+  puts (data);
+
+  cmsg = CMSG_FIRSTHDR (&msg);
+  if (cmsg == NULL)
+    {
+      error (0, 0, "no msg received");
+      return;
+    }
+  memcpy (&fd, CMSG_DATA (cmsg), sizeof (fd));
+  close (fd);
+}
+
+int
+main (int argc, char **argv)
+{
+  char buf[8192];
+  int ret, fd, socket;
+  if (argc < 2)
+    error (EXIT_FAILURE, 0, "usage %s PATH\n", argv[0]);
+
+  unlink (argv[1]);
+
+  socket = open_unix_domain_socket (argv[1]);
+  while (1)
+    {
+      struct termios tset;
+      int conn;
+
+      do
+        conn = accept (socket, NULL, NULL);
+      while (conn < 0 && errno == EINTR);
+      if (conn < 0)
+        error (EXIT_FAILURE, errno, "accept");
+
+      print_payload (conn);
+    }
+
+  return 0;
+}

src/create.c

@@ -114,7 +114,7 @@ static struct argp run_argp = { options, parse_opt, args_doc, doc, NULL, NULL, N
 int
 crun_command_create (struct crun_global_arguments *global_args, int argc, char **argv, libcrun_error_t *err)
 {
-  int first_arg, ret;
+  int first_arg = 0, ret;
   cleanup_container libcrun_container_t *container = NULL;
   cleanup_free char *bundle_cleanup = NULL;
   cleanup_free char *config_file_cleanup = NULL;
@@ -138,7 +138,9 @@ crun_command_create (struct crun_global_arguments *global_args, int argc, char *
     }
 
   /* Make sure the bundle is an absolute path.  */
-  if (bundle)
+  if (bundle == NULL)
+    bundle = bundle_cleanup = getcwd (NULL, 0);
+  else
     {
       if (bundle[0] != '/')
         {
@@ -160,7 +162,7 @@ crun_command_create (struct crun_global_arguments *global_args, int argc, char *
   if (container == NULL)
     libcrun_fail_with_error (0, "error loading config.json");
 
-  crun_context.bundle = bundle ? bundle : ".";
+  crun_context.bundle = bundle;
   if (getenv ("LISTEN_FDS"))
     crun_context.preserve_fds += strtoll (getenv ("LISTEN_FDS"), NULL, 10);
 

src/crun.c

@@ -297,7 +297,7 @@ int
 main (int argc, char **argv)
 {
   libcrun_error_t err = NULL;
-  int ret, first_argument;
+  int ret, first_argument = 0;
 
   argp_program_version_hook = print_version;
 

src/delete.c

@@ -86,7 +86,7 @@ static struct argp run_argp = { options, parse_opt, args_doc, doc, NULL, NULL, N
 int
 crun_command_delete (struct crun_global_arguments *global_args, int argc, char **argv, libcrun_error_t *err)
 {
-  int first_arg, ret;
+  int first_arg = 0, ret;
 
   libcrun_context_t crun_context = {
     0,

src/exec.c

@@ -202,7 +202,7 @@ make_oci_process_user (const char *userspec)
 int
 crun_command_exec (struct crun_global_arguments *global_args, int argc, char **argv, libcrun_error_t *err)
 {
-  int first_arg, ret = 0;
+  int first_arg = 0, ret = 0;
   libcrun_context_t crun_context = {
     0,
   };

src/kill.c

@@ -87,7 +87,7 @@ static struct argp run_argp = { options, parse_opt, args_doc, doc, NULL, NULL, N
 int
 crun_command_kill (struct crun_global_arguments *global_args, int argc, char **argv, libcrun_error_t *err)
 {
-  int first_arg, signal, ret;
+  int first_arg = 0, signal, ret;
 
   libcrun_context_t crun_context = {
     0,

src/libcrun/cgroup.c

@@ -1819,6 +1819,9 @@ read_pids_cgroup (int dfd, bool recurse, pid_t **pids, size_t *n_pids, size_t *a
   if (UNLIKELY (ret < 0))
     return ret;
 
+  if (len == 0)
+    return 0;
+
   for (n_new_pids = 0, it = buffer; it; it = strchr (it + 1, '\n'))
     n_new_pids++;