The seccomp notify API has a few variables: the struct sizes are queried at runtime, and we now also have a user-configured cookie.

This means that with a SOCK_STREAM connection the proxy needs to carefully read() the right amount of data based on the contents of our proxy message struct to avoid ending up in the middle of a packet.

While for now this may not be too tragic, since we currently only ever send a single packet and then wait for the response, we may at some point want to be able to handle multiple processes simultaneously, hence it makes sense to switch to a packet-based connection.

So switch to using SOCK_SEQPACKET, which is packet-based (and also guarantees ordering). The `MSG_PEEK` flag can be used with `recvmsg()` to figure out a packet's size on the other end, and usually the size *should* not change after that for an existing connection from a running container.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
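The framing problem the commit message describes, and the `MSG_PEEK` sizing trick it proposes, as an added example in C that is not part of this patch or of LXC: a socketpair of each type is fed two messages, and a single receive on the far end shows why a stream reader must already know every length while a SOCK_SEQPACKET reader gets one packet per call. The `peek_packet_size()` and `recv_whole_packet()` helpers are assumptions made for this example (not LXC functions); they combine `MSG_PEEK` with `MSG_TRUNC` so the kernel reports the queued packet's full length without dequeuing it, and they refuse a packet that would not fit rather than silently taking a truncated prefix.

```c
#include <errno.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <unistd.h>

/* Hypothetical helper (not LXC's): size of the next queued packet without
 * consuming it. MSG_PEEK keeps the packet queued; MSG_TRUNC makes recv()
 * return the packet's real length even though we hand it a one-byte buffer.
 * Returns -1 with errno set on error. */
static ssize_t peek_packet_size(int fd)
{
	char probe;
	return recv(fd, &probe, sizeof(probe), MSG_PEEK | MSG_TRUNC);
}

/* Hypothetical helper (not LXC's): receive exactly one packet into buf.
 * A packet larger than cap is left on the socket and reported as EMSGSIZE
 * instead of being silently cut short by the kernel. */
static ssize_t recv_whole_packet(int fd, void *buf, size_t cap)
{
	ssize_t want = peek_packet_size(fd);
	if (want < 0)
		return -1;
	if ((size_t)want > cap) {
		errno = EMSGSIZE;
		return -1;
	}
	struct iovec iov = { .iov_base = buf, .iov_len = cap };
	struct msghdr mh = { .msg_iov = &iov, .msg_iovlen = 1 };
	ssize_t n = recvmsg(fd, &mh, 0);
	if (n >= 0 && (mh.msg_flags & MSG_TRUNC)) {
		/* cannot happen for the packet we just peeked, but a caller that
		 * skips the peek would otherwise read a truncated message */
		errno = EMSGSIZE;
		return -1;
	}
	return n;
}

/* Constructed demonstration: queue two messages on a socketpair of the given
 * type and report what one receive of up to 64 bytes on the other end yields.
 * With SOCK_SEQPACKET the first packet alone comes back; with SOCK_STREAM (the
 * case the patch moves away from) both messages arrive concatenated, so a
 * stream reader must know every length up front. Returns bytes or -1. */
static ssize_t first_receive_len(int type, const char *a, const char *b)
{
	int sv[2];
	char buf[64];
	ssize_t n = -1;

	if (socketpair(AF_UNIX, type, 0, sv) < 0)
		return -1;
	if (send(sv[0], a, strlen(a), 0) < 0 || send(sv[0], b, strlen(b), 0) < 0)
		goto out;
	if (type == SOCK_SEQPACKET)
		n = recv_whole_packet(sv[1], buf, sizeof(buf));
	else
		n = recv(sv[1], buf, sizeof(buf), 0);
out:
	close(sv[0]);
	close(sv[1]);
	return n;
}

/* Edge case: an oversized packet must be refused with EMSGSIZE and stay
 * queued, so a second peek still reports its full length. Returns 1 when both
 * hold, 0 otherwise, -1 on socket setup failure. */
static int oversize_packet_stays_queued(void)
{
	int sv[2];
	char big[30], small[8];
	int rc = 0;

	if (socketpair(AF_UNIX, SOCK_SEQPACKET, 0, sv) < 0)
		return -1;
	memset(big, 'x', sizeof(big));
	if (send(sv[0], big, sizeof(big), 0) == (ssize_t)sizeof(big) &&
	    recv_whole_packet(sv[1], small, sizeof(small)) == -1 &&
	    errno == EMSGSIZE &&
	    peek_packet_size(sv[1]) == (ssize_t)sizeof(big))
		rc = 1;
	close(sv[0]);
	close(sv[1]);
	return rc;
}
```

The SOCK_STREAM behaviour shown here (one `recv()` returning both queued sends) is what Linux does for AF_UNIX stream sockets when the data is already queued; it is not something a stream reader may rely on either way, which is exactly why the length has to be derived from the message header on a stream connection.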
close_prot_errno_disarm(handler->conf->seccomp.notifier.proxy_fd);
- notify_fd = lxc_unix_connect(&handler->conf->seccomp.notifier.proxy_addr);
+ notify_fd = lxc_unix_connect_type(
+ &handler->conf->seccomp.notifier.proxy_addr, SOCK_SEQPACKET);
if (notify_fd < 0) {
SYSERROR("Failed to reconnect to seccomp proxy");
return -1;
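Review bot: switching the reconnect path to SOCK_SEQPACKET changes the wire contract, so a proxy that still listens with a SOCK_STREAM socket will now fail at `lxc_unix_connect_type()` (on Linux the connect() fails with EPROTOTYPE) and the only diagnostic the user sees is the generic "Failed to reconnect to seccomp proxy"; consider naming the socket type in the SYSERROR, or at least stating in the commit message that the proxy side must be updated in step. The `close_prot_errno_disarm()` immediately before the reconnect is fine, since SYSERROR will report the errno of the new connect() attempt rather than the stale one.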
__do_close_prot_errno int notify_fd = -EBADF;
int ret;
- notify_fd = lxc_unix_connect(&seccomp->notifier.proxy_addr);
+ notify_fd = lxc_unix_connect_type(&seccomp->notifier.proxy_addr,
+ SOCK_SEQPACKET);
if (notify_fd < 0) {
SYSERROR("Failed to connect to seccomp proxy");
return -1;
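Review bot: `lxc_unix_connect_type()` is called here and in the reconnect hunk but its definition is not part of the visible change; make sure it lands in this commit or an earlier one in the series so the tree builds at every step. The SOCK_SEQPACKET constant is now hard-coded at both call sites, so a single named constant (or a small `seccomp_notify_connect()` wrapper that both paths use) would keep the initial connect and the reconnect from drifting apart.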