When we fail to send a message, we send a default seccomp
response and try to reconnect to the proxy. It doesn't
really make much sense to retry sending the request over the
new connection, as the syscall has already been answered. The
same goes for receiving the response - after reconnecting to
the proxy, we're a new client to a potentially new proxy
process, so awaiting a response without having sent a
request doesn't make all too much sense either.
In the future we should probably have a timeout or retry
count for the entire proxy _transaction_ before sending a
response to seccomp at all (and probably handle requests
asynchronously).
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
#if HAVE_DECL_SECCOMP_NOTIFY_FD
__do_close_prot_errno int fd_mem = -EBADF;
#if HAVE_DECL_SECCOMP_NOTIFY_FD
__do_close_prot_errno int fd_mem = -EBADF;
- int reconnect_count, ret;
ssize_t bytes;
struct iovec iov[4];
size_t iov_len, msg_base_size, msg_full_size;
ssize_t bytes;
struct iovec iov[4];
size_t iov_len, msg_base_size, msg_full_size;
- reconnect_count = 0;
- do {
- bytes = lxc_abstract_unix_send_fds_iov(listener_proxy_fd,
- &fd_mem, 1, iov,
- iov_len);
- if (bytes != (ssize_t)msg_full_size) {
- SYSERROR("Failed to forward message to seccomp proxy");
- if (seccomp_notify_default_answer(fd, req, resp, hdlr))
- goto out;
- }
- } while (reconnect_count++);
+ bytes = lxc_abstract_unix_send_fds_iov(listener_proxy_fd, &fd_mem, 1,
+ iov, iov_len);
+ if (bytes != (ssize_t)msg_full_size) {
+ SYSERROR("Failed to forward message to seccomp proxy");
+ (void)seccomp_notify_default_answer(fd, req, resp, hdlr);
+ goto out;
+ }
close_prot_errno_disarm(fd_mem);
close_prot_errno_disarm(fd_mem);
- reconnect_count = 0;
- do {
- bytes = lxc_recvmsg_nointr_iov(listener_proxy_fd, iov,iov_len,
- 0);
- if (bytes != (ssize_t)msg_base_size) {
- SYSERROR("Failed to receive message from seccomp proxy");
- if (seccomp_notify_default_answer(fd, req, resp, hdlr))
- goto out;
- }
- } while (reconnect_count++);
+ bytes = lxc_recvmsg_nointr_iov(listener_proxy_fd, iov,iov_len, 0);
+ if (bytes != (ssize_t)msg_base_size) {
+ SYSERROR("Failed to receive message from seccomp proxy");
+ (void)seccomp_notify_default_answer(fd, req, resp, hdlr);
+ goto out;
+ }
ret = seccomp_notify_respond(fd, resp);
if (ret)
ret = seccomp_notify_respond(fd, resp);
if (ret)
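Review bot: Both new failure branches discard the result of `seccomp_notify_default_answer()` with a `(void)` cast, so if that call fails the handler leaves through `out` with nothing recorded at this site. The commit message says the call also attempts the proxy reconnect, so a failure could mean the notification went unanswered or that `listener_proxy_fd` is unusable for the next request. I would keep the unconditional `goto out` but log the failure, e.g. `if (seccomp_notify_default_answer(fd, req, resp, hdlr)) ERROR("Failed to send default seccomp response");`, unless the callee already logs, which is not visible here. `SYSERROR` also prints errno, which is only meaningful when the send or receive returns -1, not on a short count that still fails the `bytes != ...` comparison. The visible lines remove `int reconnect_count, ret;` while `ret` is still assigned from `seccomp_notify_respond()`, so confirm a declaration of `ret` remains; the function starts and ends outside the shown lines.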