don't assume the kernel has CONFIG_SECCOMP

linux/seccomp.h may not be available, and the seccomp mode might not be listed in /proc/pid/status, so let's not assume those two things are present. v2: add a seccomp.h with all the constants we use from linux/seccomp.h v3: don't do a compile time check for PTRACE_O_SUSPEND_SECCOMP, just let ptrace return EINVAL for it; also add a checkskip to skip the seccomp_strict test if PTRACE_O_SUSPEND_SECCOMP or linux/seccomp.h aren't present. v4: use criu check --feature instead of checkskip to check whether the kernel supports seccomp_suspend Reported-by: Mr. Jenkins Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com> Acked-by: Andrew Vagin <avagin@odin.com> Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
2025-08-30 05:48:05 +00:00 · 2015-06-30 07:47:11 -06:00 · 2015-06-30 07:47:11 -06:00 · 209693d49b
commit 209693d49b
parent 1fa30840da
9 changed files with 33 additions and 39 deletions
--- a/cr-dump.c
+++ b/cr-dump.c
@ -19,8 +19,6 @@
 #include <sched.h>
 #include <sys/resource.h>

-#include <linux/seccomp.h>
-
 #include "protobuf.h"
 #include "protobuf/fdinfo.pb-c.h"
 #include "protobuf/fs.pb-c.h"
@ -77,6 +75,7 @@
 #include "aio.h"
 #include "security.h"
 #include "lsm.h"
+#include "seccomp.h"

 #include "asm/dump.h"

--- a/cr-restore.c
+++ b/cr-restore.c
@ -24,8 +24,6 @@

 #include <sys/sendfile.h>

-#include <linux/seccomp.h>
-
 #include "ptrace.h"
 #include "compiler.h"
 #include "asm/types.h"
@ -77,6 +75,7 @@
 #include "aio.h"
 #include "security.h"
 #include "lsm.h"
+#include "seccomp.h"

 #include "parasite-syscall.h"

--- a/include/seccomp.h
+++ b/include/seccomp.h
@ -0,0 +1,16 @@
+#ifndef __CR_SECCOMP_H__
+#define __CR_SECCOMP_H__
+
+#ifndef SECCOMP_MODE_DISABLED
+#define SECCOMP_MODE_DISABLED 0
+#endif
+
+#ifndef SECCOMP_MODE_STRICT
+#define SECCOMP_MODE_STRICT 1
+#endif
+
+#ifndef SECCOMP_MODE_FILTER
+#define SECCOMP_MODE_FILTER 2
+#endif
+
+#endif
--- a/lsm.c
+++ b/lsm.c
@ -12,6 +12,8 @@
 #include "protobuf/inventory.pb-c.h"
 #include "protobuf/creds.pb-c.h"

+#undef CONFIG_HAS_SELINUX
+
 #ifdef CONFIG_HAS_SELINUX
 #include <selinux/selinux.h>
 #endif
--- a/pie/restorer.c
+++ b/pie/restorer.c
@ -30,6 +30,7 @@
 #include "lock.h"
 #include "restorer.h"
 #include "aio.h"
+#include "seccomp.h"

 #include "protobuf/creds.pb-c.h"
 #include "protobuf/mm.pb-c.h"
@ -40,18 +41,6 @@
 #define PR_SET_PDEATHSIG 1
 #endif

-#ifndef SECCOMP_MODE_DISABLED
-#define SECCOMP_MODE_DISABLED 0
-#endif
-
-#ifndef SECCOMP_MODE_STRICT
-#define SECCOMP_MODE_STRICT 1
-#endif
-
-#ifndef SECCOMP_MODE_FILTER
-#define SECCOMP_MODE_FILTER 2
-#endif
-
 #define sys_prctl_safe(opcode, val1, val2, val3)			\
 	({								\
 		long __ret = sys_prctl(opcode, val1, val2, val3, 0);	\
--- a/proc_parse.c
+++ b/proc_parse.c
@ -9,7 +9,6 @@
 #include <string.h>
 #include <ctype.h>
 #include <linux/fs.h>
-#include <linux/seccomp.h>

 #include "asm/types.h"
 #include "list.h"
@ -28,6 +27,7 @@
 #include "proc_parse.h"
 #include "cr_options.h"
 #include "sysfs_parse.h"
+#include "seccomp.h"
 #include "protobuf.h"
 #include "protobuf/fdinfo.pb-c.h"
 #include "protobuf/mnt.pb-c.h"
@ -856,7 +856,7 @@ int parse_pid_status(pid_t pid, struct proc_status_creds *cr)
 		}
 	}

-	if (done == 9)
+	if (done >= 8)
 		ret = 0;

 err_parse:
--- a/ptrace.c
+++ b/ptrace.c
@ -14,8 +14,6 @@
 #include <sys/resource.h>
 #include <sys/wait.h>

-#include <linux/seccomp.h>
-
 #include "compiler.h"
 #include "asm/types.h"
 #include "util.h"
@ -23,6 +21,7 @@
 #include "proc_parse.h"
 #include "crtools.h"
 #include "security.h"
+#include "seccomp.h"

 int unseize_task(pid_t pid, int orig_st, int st)
 {
@ -41,7 +40,6 @@ int unseize_task(pid_t pid, int orig_st, int st)
 	return ptrace(PTRACE_DETACH, pid, NULL, NULL);
 }

-#ifdef CONFIG_HAS_SUSPEND_SECCOMP
 int suspend_seccomp(pid_t pid)
 {
 	if (ptrace(PTRACE_SETOPTIONS, pid, NULL, PTRACE_O_SUSPEND_SECCOMP) < 0) {
@ -51,13 +49,6 @@ int suspend_seccomp(pid_t pid)

 	return 0;
 }
-#else
-int suspend_seccomp(pid_t pid)
-{
-	pr_err("seccomp enabled and seccomp suspending not supported\n");
-	return -1;
-}
-#endif

 /*
 * This routine seizes task putting it into a special
--- a/scripts/feature-tests.mak
+++ b/scripts/feature-tests.mak
@ -92,14 +92,3 @@ int main(int argc, char *argv[], char *envp[])
 }

 endef
-
-define PTRACE_SUSPEND_SECCOMP_TEST
-
-#include <linux/ptrace.h>
-
-int main(void)
-{
-	return PTRACE_O_SUSPEND_SECCOMP;
-}
-
-endef
--- a/test/zdtm.sh
+++ b/test/zdtm.sh
@ -229,6 +229,10 @@ generate_test_list()
 	TEST_TUN="
 		ns/static/tun
 	"
+	TEST_SECCOMP_SUSPEND="
+		static/seccomp_strict
+	"
+

 	$CRIU check -v0 --feature "mnt_id"
 	if [ $? -eq 0 ]; then
@ -252,6 +256,11 @@ generate_test_list()
 		TEST_LIST="$TEST_LIST$TEST_TUN"
 	fi

+	$CRIU check -v0 --feature "seccomp_suspend"
+	if [ $? -eq 0 ]; then
+		TEST_LIST="$TEST_LIST$TEST_SECCOMP_SUSPEND"
+	fi
+
 	BLACKLIST_FOR_USERNS="
 		ns/static/maps01
 		ns/static/mlock_setuid