From 209693d49b018f08767f811005a6f1fa076bc9ff Mon Sep 17 00:00:00 2001 From: Tycho Andersen Date: Tue, 30 Jun 2015 07:47:11 -0600 Subject: [PATCH] don't assume the kernel has CONFIG_SECCOMP linux/seccomp.h may not be available, and the seccomp mode might not be listed in /proc/pid/status, so let's not assume those two things are present. v2: add a seccomp.h with all the constants we use from linux/seccomp.h v3: don't do a compile time check for PTRACE_O_SUSPEND_SECCOMP, just let ptrace return EINVAL for it; also add a checkskip to skip the seccomp_strict test if PTRACE_O_SUSPEND_SECCOMP or linux/seccomp.h aren't present. v4: use criu check --feature instead of checkskip to check whether the kernel supports seccomp_suspend Reported-by: Mr. Jenkins Signed-off-by: Tycho Andersen Acked-by: Andrew Vagin Signed-off-by: Pavel Emelyanov --- cr-dump.c | 3 +-- cr-restore.c | 3 +-- include/seccomp.h | 16 ++++++++++++++++ lsm.c | 2 ++ pie/restorer.c | 13 +------------ proc_parse.c | 4 ++-- ptrace.c | 11 +---------- scripts/feature-tests.mak | 11 ----------- test/zdtm.sh | 9 +++++++++ 9 files changed, 33 insertions(+), 39 deletions(-) create mode 100644 include/seccomp.h diff --git a/cr-dump.c b/cr-dump.c index 8936a648d..9505f5ebd 100644 --- a/cr-dump.c +++ b/cr-dump.c @@ -19,8 +19,6 @@ #include #include -#include - #include "protobuf.h" #include "protobuf/fdinfo.pb-c.h" #include "protobuf/fs.pb-c.h" @@ -77,6 +75,7 @@ #include "aio.h" #include "security.h" #include "lsm.h" +#include "seccomp.h" #include "asm/dump.h" diff --git a/cr-restore.c b/cr-restore.c index 45c746e7a..7439a0543 100644 --- a/cr-restore.c +++ b/cr-restore.c @@ -24,8 +24,6 @@ #include -#include - #include "ptrace.h" #include "compiler.h" #include "asm/types.h" @@ -77,6 +75,7 @@ #include "aio.h" #include "security.h" #include "lsm.h" +#include "seccomp.h" #include "parasite-syscall.h" diff --git a/include/seccomp.h b/include/seccomp.h new file mode 100644 index 000000000..017dcd46a --- /dev/null +++ b/include/seccomp.h @@ -0,0 +1,16 @@ +#ifndef __CR_SECCOMP_H__ +#define __CR_SECCOMP_H__ + +#ifndef SECCOMP_MODE_DISABLED +#define SECCOMP_MODE_DISABLED 0 +#endif + +#ifndef SECCOMP_MODE_STRICT +#define SECCOMP_MODE_STRICT 1 +#endif + +#ifndef SECCOMP_MODE_FILTER +#define SECCOMP_MODE_FILTER 2 +#endif + +#endif diff --git a/lsm.c b/lsm.c index 40d12ba43..c960611dd 100644 --- a/lsm.c +++ b/lsm.c @@ -12,6 +12,8 @@ #include "protobuf/inventory.pb-c.h" #include "protobuf/creds.pb-c.h" +#undef CONFIG_HAS_SELINUX + #ifdef CONFIG_HAS_SELINUX #include #endif diff --git a/pie/restorer.c b/pie/restorer.c index 4150b4958..8c6b42115 100644 --- a/pie/restorer.c +++ b/pie/restorer.c @@ -30,6 +30,7 @@ #include "lock.h" #include "restorer.h" #include "aio.h" +#include "seccomp.h" #include "protobuf/creds.pb-c.h" #include "protobuf/mm.pb-c.h" @@ -40,18 +41,6 @@ #define PR_SET_PDEATHSIG 1 #endif -#ifndef SECCOMP_MODE_DISABLED -#define SECCOMP_MODE_DISABLED 0 -#endif - -#ifndef SECCOMP_MODE_STRICT -#define SECCOMP_MODE_STRICT 1 -#endif - -#ifndef SECCOMP_MODE_FILTER -#define SECCOMP_MODE_FILTER 2 -#endif - #define sys_prctl_safe(opcode, val1, val2, val3) \ ({ \ long __ret = sys_prctl(opcode, val1, val2, val3, 0); \ diff --git a/proc_parse.c b/proc_parse.c index 168afcb67..e940fc143 100644 --- a/proc_parse.c +++ b/proc_parse.c @@ -9,7 +9,6 @@ #include #include #include -#include #include "asm/types.h" #include "list.h" @@ -28,6 +27,7 @@ #include "proc_parse.h" #include "cr_options.h" #include "sysfs_parse.h" +#include "seccomp.h" #include "protobuf.h" #include "protobuf/fdinfo.pb-c.h" #include "protobuf/mnt.pb-c.h" @@ -856,7 +856,7 @@ int parse_pid_status(pid_t pid, struct proc_status_creds *cr) } } - if (done == 9) + if (done >= 8) ret = 0; err_parse: diff --git a/ptrace.c b/ptrace.c index 4f9e66ef9..c3a955348 100644 --- a/ptrace.c +++ b/ptrace.c @@ -14,8 +14,6 @@ #include #include -#include - #include "compiler.h" #include "asm/types.h" #include "util.h" @@ -23,6 +21,7 @@ #include "proc_parse.h" #include "crtools.h" #include "security.h" +#include "seccomp.h" int unseize_task(pid_t pid, int orig_st, int st) { @@ -41,7 +40,6 @@ int unseize_task(pid_t pid, int orig_st, int st) return ptrace(PTRACE_DETACH, pid, NULL, NULL); } -#ifdef CONFIG_HAS_SUSPEND_SECCOMP int suspend_seccomp(pid_t pid) { if (ptrace(PTRACE_SETOPTIONS, pid, NULL, PTRACE_O_SUSPEND_SECCOMP) < 0) { @@ -51,13 +49,6 @@ int suspend_seccomp(pid_t pid) return 0; } -#else -int suspend_seccomp(pid_t pid) -{ - pr_err("seccomp enabled and seccomp suspending not supported\n"); - return -1; -} -#endif /* * This routine seizes task putting it into a special diff --git a/scripts/feature-tests.mak b/scripts/feature-tests.mak index ec7972a64..519eb5269 100644 --- a/scripts/feature-tests.mak +++ b/scripts/feature-tests.mak @@ -92,14 +92,3 @@ int main(int argc, char *argv[], char *envp[]) } endef - -define PTRACE_SUSPEND_SECCOMP_TEST - -#include - -int main(void) -{ - return PTRACE_O_SUSPEND_SECCOMP; -} - -endef diff --git a/test/zdtm.sh b/test/zdtm.sh index f1653f991..8c1e67a4b 100755 --- a/test/zdtm.sh +++ b/test/zdtm.sh @@ -229,6 +229,10 @@ generate_test_list() TEST_TUN=" ns/static/tun " + TEST_SECCOMP_SUSPEND=" + static/seccomp_strict + " + $CRIU check -v0 --feature "mnt_id" if [ $? -eq 0 ]; then @@ -252,6 +256,11 @@ generate_test_list() TEST_LIST="$TEST_LIST$TEST_TUN" fi + $CRIU check -v0 --feature "seccomp_suspend" + if [ $? -eq 0 ]; then + TEST_LIST="$TEST_LIST$TEST_SECCOMP_SUSPEND" + fi + BLACKLIST_FOR_USERNS=" ns/static/maps01 ns/static/mlock_setuid