From 7b6c63b44795509d39f3af15fc9643cfc5c3c5ae Mon Sep 17 00:00:00 2001 From: Giuseppe Scrivano <gscrivan@redhat.com> Date: Thu, 27 Apr 2023 21:43:07 +0200 Subject: [PATCH 1/5] ctrl: on EINTR retry accept4 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> --- src/ctrl.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/ctrl.c b/src/ctrl.c index 5f4d1ef8..56b7f397 100644 --- a/src/ctrl.c +++ b/src/ctrl.c @@ -26,7 +26,11 @@ gboolean terminal_accept_cb(int fd, G_GNUC_UNUSED GIOCondition condition, G_GNUC { ndebugf("about to accept from console_socket_fd: %d", fd); - int connfd = accept4(fd, NULL, NULL, SOCK_CLOEXEC); + + int connfd; + do { + connfd = accept4(fd, NULL, NULL, SOCK_CLOEXEC); + } while (connfd < 0 && errno == EINTR); if (connfd < 0) { nwarn("Failed to accept console-socket connection"); return G_SOURCE_CONTINUE; From 76f10b44216069af5f2a7abe3bd9671abd039a6c Mon Sep 17 00:00:00 2001 From: Giuseppe Scrivano <gscrivan@redhat.com> Date: Thu, 27 Apr 2023 21:43:46 +0200 Subject: [PATCH 2/5] cmsg: fix program name Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> --- src/cmsg.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/cmsg.c b/src/cmsg.c index f14a94fa..a8ff29a9 100644 --- a/src/cmsg.c +++ b/src/cmsg.c @@ -38,14 +38,14 @@ #define error(s) \ do { \ - fprintf(stderr, "nsenter: %s %s\n", s, strerror(errno)); \ + fprintf(stderr, "conmon: %s %s\n", s, strerror(errno)); \ errno = ECOMM; \ goto err; /* return value */ \ } while (0) #define errorf(fmt, ...) \ do { \ - fprintf(stderr, "nsenter: " fmt ": %s\n", ##__VA_ARGS__, strerror(errno)); \ + fprintf(stderr, "conmon: " fmt ": %s\n", ##__VA_ARGS__, strerror(errno)); \ errno = ECOMM; \ goto err; /* return value */ \ } while (0) From 9cdf27f123484cdf3b85be04fcceacb9e89839c5 Mon Sep 17 00:00:00 2001 From: Giuseppe Scrivano <gscrivan@redhat.com> Date: Thu, 27 Apr 2023 21:48:46 +0200 Subject: [PATCH 3/5] cmsg: recvfd returns an error on failures Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> --- src/cmsg.c | 2 +- src/ctrl.c | 4 ++++ src/seccomp_notify.c | 4 ++++ 3 files changed, 9 insertions(+), 1 deletion(-) diff --git a/src/cmsg.c b/src/cmsg.c index a8ff29a9..72003530 100644 --- a/src/cmsg.c +++ b/src/cmsg.c @@ -162,5 +162,5 @@ struct file_t recvfd(int sockfd) olderrno = errno; free(file.name); errno = olderrno; - return (struct file_t){0}; + return (struct file_t){.name = NULL, .fd = -1}; } diff --git a/src/ctrl.c b/src/ctrl.c index 56b7f397..18db83ed 100644 --- a/src/ctrl.c +++ b/src/ctrl.c @@ -47,6 +47,10 @@ gboolean terminal_accept_cb(int fd, G_GNUC_UNUSED GIOCondition condition, G_GNUC ndebugf("about to recvfd from connfd: %d", connfd); struct file_t console = recvfd(connfd); + if (console.fd < 0) { + pexit("Failed to receive console file descriptor"); + } + ndebugf("console = {.name = '%s'; .fd = %d}", console.name, console.fd); free(console.name); diff --git a/src/seccomp_notify.c b/src/seccomp_notify.c index bbc06ddb..d543e3a6 100644 --- a/src/seccomp_notify.c +++ b/src/seccomp_notify.c @@ -76,6 +76,10 @@ gboolean seccomp_accept_cb(int fd, G_GNUC_UNUSED GIOCondition condition, G_GNUC_ struct file_t listener = recvfd(connfd); close(connfd); + if (listener.fd < 0) { + pexit("Failed to receive socket listener file descriptor"); + } + _cleanup_free_ char *oci_config_path = g_strdup_printf("%s/config.json", opt_bundle_path); if (oci_config_path == NULL) { nwarn("Failed to allocate memory"); From 8efe8f0afda9fd1979e62565d04d4c0e3a8606b9 Mon Sep 17 00:00:00 2001 From: Giuseppe Scrivano <gscrivan@redhat.com> Date: Thu, 27 Apr 2023 22:01:33 +0200 Subject: [PATCH 4/5] ctrl: make accept4 failures fatal Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> --- src/ctrl.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/ctrl.c b/src/ctrl.c index 18db83ed..08f82246 100644 --- a/src/ctrl.c +++ b/src/ctrl.c @@ -32,8 +32,7 @@ gboolean terminal_accept_cb(int fd, G_GNUC_UNUSED GIOCondition condition, G_GNUC connfd = accept4(fd, NULL, NULL, SOCK_CLOEXEC); } while (connfd < 0 && errno == EINTR); if (connfd < 0) { - nwarn("Failed to accept console-socket connection"); - return G_SOURCE_CONTINUE; + pexit("Failed to accept console-socket connection"); } /* Not accepting anything else. */ From fb37f8096a00332402134cf97fad339d90988760 Mon Sep 17 00:00:00 2001 From: Giuseppe Scrivano <gscrivan@redhat.com> Date: Fri, 28 Apr 2023 10:42:21 +0200 Subject: [PATCH 5/5] conmon: drop return after pexit() pexit terminates the current process, no need to return from the function. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> --- src/seccomp_notify.c | 7 ------- 1 file changed, 7 deletions(-) diff --git a/src/seccomp_notify.c b/src/seccomp_notify.c index d543e3a6..8d34d9d3 100644 --- a/src/seccomp_notify.c +++ b/src/seccomp_notify.c @@ -114,7 +114,6 @@ int seccomp_notify_plugins_load(struct seccomp_notify_context_s **out, const cha if (seccomp_syscall(SECCOMP_GET_NOTIF_SIZES, 0, &ctx->sizes) < 0) { pexit("Failed to get notifications size"); - return -1; } ctx->sreq = xmalloc0(ctx->sizes.seccomp_notif); @@ -129,7 +128,6 @@ int seccomp_notify_plugins_load(struct seccomp_notify_context_s **out, const cha b = strdup(plugins); if (b == NULL) { pexit("Failed to strdup"); - return -1; } for (s = 0, it = strtok_r(b, ":", &saveptr); it; s++, it = strtok_r(NULL, ":", &saveptr)) { run_oci_seccomp_notify_plugin_version_cb version_cb; @@ -139,7 +137,6 @@ int seccomp_notify_plugins_load(struct seccomp_notify_context_s **out, const cha ctx->plugins[s].handle = dlopen(it, RTLD_NOW); if (ctx->plugins[s].handle == NULL) { pexitf("cannot load `%s`: %s", it, dlerror()); - return -1; } version_cb = (run_oci_seccomp_notify_plugin_version_cb)dlsym(ctx->plugins[s].handle, "run_oci_seccomp_notify_version"); @@ -149,7 +146,6 @@ int seccomp_notify_plugins_load(struct seccomp_notify_context_s **out, const cha version = version_cb(); if (version != 1) { pexitf("invalid version supported by the plugin `%s`", it); - return -1; } } @@ -157,7 +153,6 @@ int seccomp_notify_plugins_load(struct seccomp_notify_context_s **out, const cha (run_oci_seccomp_notify_handle_request_cb)dlsym(ctx->plugins[s].handle, "run_oci_seccomp_notify_handle_request"); if (ctx->plugins[s].handle_request_cb == NULL) { pexitf("plugin `%s` doesn't export `run_oci_seccomp_notify_handle_request`", it); - return -1; } start_cb = (run_oci_seccomp_notify_start_cb)dlsym(ctx->plugins[s].handle, "run_oci_seccomp_notify_start"); @@ -167,7 +162,6 @@ int seccomp_notify_plugins_load(struct seccomp_notify_context_s **out, const cha ret = start_cb(&opq, conf, sizeof(*conf)); if (ret != 0) { pexitf("error loading `%s`", it); - return -1; } } ctx->plugins[s].opaque = opq; @@ -227,7 +221,6 @@ int seccomp_notify_plugins_event(struct seccomp_notify_context_s *ctx, int secco default: pexitf("Unknown handler action specified %d", handled); - return -1; } } }