From: Wolfgang Bumiller Date: Fri, 5 Jul 2019 07:31:09 +0000 (+0200) Subject: seccomp: use SOCK_SEQPACKET for the notify proxy X-Git-Tag: lxc-4.0.0~149^2~10 X-Git-Url: https://git.proxmox.com/?p=mirror_lxc.git;a=commitdiff_plain;h=045ee7210dbe4ca1f250128e3ea4dc2cf7ec519c seccomp: use SOCK_SEQPACKET for the notify proxy The seccomp notify API has a few variables: The struct sizes are queried at runtime, and we now also have a user configured cookie. This means that with a SOCK_STREAM connection the proxy needs to carefully read() the right amount of data based on the contents of our proxy message struct to avoid ending up in the middle of a packet. While for now this may not be too tragic, since we currently only ever send a single packet and then wait for the response, we may at some point want to be able to handle multiple processes simultaneously, hence it makes sense to switch to a packet based connection. So switch to using SOCK_SEQPACKET which is packet based, (and also guarantees ordering). The `MSG_PEEK` flag can be used with `recvmsg()` to figure out a packet's size on the other end, and usually the size *should* not change after that for an existing connection from a running container. Signed-off-by: Wolfgang Bumiller --- diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c index af87ab922..af7dc3210 100644 --- a/src/lxc/seccomp.c +++ b/src/lxc/seccomp.c @@ -1311,7 +1311,8 @@ static int seccomp_notify_reconnect(struct lxc_handler *handler) close_prot_errno_disarm(handler->conf->seccomp.notifier.proxy_fd); - notify_fd = lxc_unix_connect(&handler->conf->seccomp.notifier.proxy_addr); + notify_fd = lxc_unix_connect_type( + &handler->conf->seccomp.notifier.proxy_addr, SOCK_SEQPACKET); if (notify_fd < 0) { SYSERROR("Failed to reconnect to seccomp proxy"); return -1; 
@@ -1501,7 +1502,8 @@ int lxc_seccomp_setup_proxy(struct lxc_seccomp *seccomp, __do_close_prot_errno int notify_fd = -EBADF; int ret; - notify_fd = lxc_unix_connect(&seccomp->notifier.proxy_addr); + notify_fd = lxc_unix_connect_type(&seccomp->notifier.proxy_addr, + SOCK_SEQPACKET); if (notify_fd < 0) { SYSERROR("Failed to connect to seccomp proxy"); return -1;
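Review bot: in the seccomp_notify_reconnect hunk, lxc_unix_connect_type() is called but neither defined nor declared anywhere in this diff, which touches only src/lxc/seccomp.c; the helper (and a prototype visible to seccomp.c) has to land in an earlier commit of the series or the tree does not link at this point. The same (proxy_addr, SOCK_SEQPACKET) pair is now spelled out at two call sites, so a small static wrapper in seccomp.c, for example `seccomp_proxy_connect(&handler->conf->seccomp)`, would keep the socket type in one place and stop the reconnect path from drifting from the initial connect.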
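Review bot: in the lxc_seccomp_setup_proxy hunk, the unchanged `SYSERROR("Failed to connect to seccomp proxy")` no longer describes the likely failure: a proxy that still listens with SOCK_STREAM will not accept this connection, and the log will read as a missing or unreachable proxy rather than a socket-type mismatch. Suggest naming the expected type, e.g. `SYSERROR("Failed to connect to seccomp proxy (SOCK_SEQPACKET)")`, and adding a line to the commit message that existing proxies must switch to SOCK_SEQPACKET, since the message explains why the type changes but not that it breaks older proxies.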
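The commit message's argument, that a SOCK_STREAM connection forces the proxy to read() exactly the right number of bytes while SOCK_SEQPACKET delivers each message as one packet whose size MSG_PEEK can report, as an added C example. This is not lxc's code: `struct demo_msg`, the helper names and the two sample messages are constructed stand-ins for the proxy message struct and cookie. It also handles a case the commit message does not mention, a receive buffer smaller than the queued packet, by refusing the read up front instead of letting recv() truncate the packet and discard the tail.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed stand-in for a proxy message whose size is only known at
 * runtime (the real lxc proxy message struct and cookie are not reproduced). */
struct demo_msg {
	size_t cookie_len;
	char cookie[32];
};

/* Report the length of the next queued packet without consuming it.
 * On Linux AF_UNIX SOCK_SEQPACKET sockets MSG_TRUNC makes recv() return the
 * real packet length even though only one probe byte is copied, and MSG_PEEK
 * leaves the packet queued for the real read. Returns -1 on error. */
ssize_t peek_packet_size(int fd)
{
	char probe;

	return recv(fd, &probe, sizeof(probe), MSG_PEEK | MSG_TRUNC);
}

/* Read exactly one packet into buf. If the packet would not fit in cap bytes,
 * nothing is consumed and -1 is returned with errno set to EMSGSIZE, so the
 * caller can grow its buffer and retry instead of silently losing the tail
 * (a truncating recv() on a SOCK_SEQPACKET socket drops the excess bytes). */
ssize_t recv_packet(int fd, void *buf, size_t cap)
{
	ssize_t len, n;

	len = peek_packet_size(fd);
	if (len < 0)
		return -1;
	if ((size_t)len > cap) {
		errno = EMSGSIZE;
		return -1;
	}
	n = recv(fd, buf, cap, 0);
	if (n != len)
		return -1;
	return n;
}

/* Send one message as exactly one packet. */
ssize_t send_packet(int fd, const void *buf, size_t len)
{
	return send(fd, buf, len, MSG_NOSIGNAL);
}

/* Queue two packets of different sizes on a SOCK_SEQPACKET pair and recover
 * each with its original length. Returns 1 on success, 0 if framing or
 * sizing failed. */
int demo_seqpacket_framing(void)
{
	int sv[2];
	struct demo_msg first = { .cookie_len = 5, .cookie = "hello" }; /* constructed */
	const char second[] = "second, shorter packet";                 /* constructed */
	char small[8];
	char big[256];
	int ok = 0;

	if (socketpair(AF_UNIX, SOCK_SEQPACKET, 0, sv) < 0)
		return 0;

	if (send_packet(sv[0], &first, sizeof(first)) != (ssize_t)sizeof(first))
		goto out;
	if (send_packet(sv[0], second, sizeof(second)) != (ssize_t)sizeof(second))
		goto out;

	/* Sizing: the peek reports the first packet only, not all bytes queued. */
	if (peek_packet_size(sv[1]) != (ssize_t)sizeof(first))
		goto out;

	/* Edge case: a too-small buffer is refused and the packet stays queued. */
	if (recv_packet(sv[1], small, sizeof(small)) != -1 || errno != EMSGSIZE)
		goto out;
	if (peek_packet_size(sv[1]) != (ssize_t)sizeof(first))
		goto out;

	/* Both packets come back with their own boundaries intact. */
	if (recv_packet(sv[1], big, sizeof(big)) != (ssize_t)sizeof(first))
		goto out;
	if (memcmp(big, &first, sizeof(first)) != 0)
		goto out;
	if (recv_packet(sv[1], big, sizeof(big)) != (ssize_t)sizeof(second))
		goto out;
	if (memcmp(big, second, sizeof(second)) != 0)
		goto out;
	ok = 1;
out:
	close(sv[0]);
	close(sv[1]);
	return ok;
}

int main(void)
{
	int ok = demo_seqpacket_framing();

	printf("seqpacket framing: %s\n", ok ? "ok" : "failed");
	return ok ? 0 : 1;
}
```

Build with any C compiler on Linux (AF_UNIX SOCK_SEQPACKET and the MSG_TRUNC length reporting are Linux behaviour); the program exits 0 when both packets come back with their original boundaries. On a SOCK_STREAM pair the same two sends would arrive as one run of bytes, which is exactly the case the commit message describes the proxy having to carve up by hand.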