From ed3a98c4c260fea0886da822fb5a11304cfa8d4d Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller
Date: Fri, 5 Jul 2019 11:30:24 +0200
Subject: [PATCH] seccomp: keep retrying to reconnect to proxy

If a syscall happens after we already failed to communicate with the proxy, proxy_fd was -1. Before the previous commit we'd then be stuck in the state where there was no proxy registered. With the previous commit we'd send a default reply and only then try to reconnect. Improve this even further by trying to reconnect right at the start.

Signed-off-by: Wolfgang Bumiller
---
 src/lxc/seccomp.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index 12e6dbe78..ebbdc0732 100644
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -1374,8 +1374,18 @@ int seccomp_notify_handler(int fd, uint32_t events, void *data,
 }
 
 if (listener_proxy_fd < 0) {
- ERROR("No seccomp proxy registered");
- return seccomp_notify_default_answer(fd, req, resp, hdlr);
+ ret = -1;
+ /* Same condition as for the initial setup_proxy() */
+ if (conf->seccomp.notifier.wants_supervision &&
+ conf->seccomp.notifier.proxy_addr.sun_path[1] != '\0') {
+ ret = seccomp_notify_reconnect(hdlr);
+ }
+ if (ret) {
+ ERROR("No seccomp proxy registered");
+ return seccomp_notify_default_answer(fd, req, resp,
+ hdlr);
+ }
+ listener_proxy_fd = conf->seccomp.notifier.proxy_fd;
 }
 
 /* remember the ID in case we receive garbage from the proxy */
-- 
2.39.2
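Review bot: While the proxy is unreachable, the new branch under `if (listener_proxy_fd < 0)` calls `seccomp_notify_reconnect(hdlr)` and, on failure, logs `ERROR("No seccomp proxy registered")` once per notification, so the retry and log rate are set by how often the container issues supervised syscalls rather than by the host. If the reconnect can block or is costly (its body is not visible here), every such syscall stalls in the handler; a short backoff, or logging the failure only when the state changes, would bound that. It is also worth guarding the final assignment against a reconnect that reports success without a usable descriptor, e.g. `if (ret || conf->seccomp.notifier.proxy_fd < 0) {`. A comment such as `/* proxy down: reconnect is retried on every notification; on failure the default answer is sent */` would make the fail-over behaviour explicit for the next reader. seccomp_notify_handler starts and ends outside the hunk.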