system: use old SECCOMP_IOCTL_NOTIF_ID_VALID number if necessary

Kernel commit 47e33c05f9f0 ("seccomp: Fix ioctl number for SECCOMP_IOCTL_NOTIF_ID_VALID") changed the public definition of SECCOMP_IOCTL_NOTIF_ID_VALID for correctness sake because it had the wrong direction (no current functional change). If libseccomp is built against kernel headers after this commit but is run on a kernel that was built prior to this commit, then the ioctl will always return -1 EINVAL and thus seccomp_notify_id_valid will incorrectly return -ENOENT. Copy the (now non-public) definition of the old ioctl number and try it if the ioctl with the number from the kernel headers fails with -1 EINVAL. Also, update the fallback definition of SECCOMP_IOCTL_NOTIF_ID_VALID to the new value. Acked-by: Tom Hromatka <tom.hromatka@oracle.com> Signed-off-by: Max Rees <maxcrees@me.com> [PM: tweak some vertical whitespace, subject line] Signed-off-by: Paul Moore <paul@paul-moore.com>
seccomp · Mar 5, 2021 · 83d7b02 · 83d7b02
1 parent 6d5a0bb
commit 83d7b02
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 2 deletions.
diff --git a/src/system.c b/src/system.c
@@ -535,10 +535,20 @@ int sys_notify_respond(int fd, struct seccomp_notif_resp *resp)
  */
 int sys_notify_id_valid(int fd, uint64_t id)
 {
+	int rc;
 	if (state.sup_user_notif <= 0)
 		return -EOPNOTSUPP;
 
-	if (ioctl(fd, SECCOMP_IOCTL_NOTIF_ID_VALID, &id) < 0)
+	rc = ioctl(fd, SECCOMP_IOCTL_NOTIF_ID_VALID, &id);
+	if (rc < 0 && errno == EINVAL)
+		/* It is possible that libseccomp was built against newer kernel
+		 * headers than the kernel it is running on. If so, the older
+		 * runtime kernel may not support the "fixed"
+		 * SECCOMP_IOCTL_NOTIF_ID_VALID ioctl number which was introduced in
+		 * kernel commit 47e33c05f9f0 ("seccomp: Fix ioctl number for
+		 * SECCOMP_IOCTL_NOTIF_ID_VALID"). Try the old value. */
+		rc = ioctl(fd, SECCOMP_IOCTL_NOTIF_ID_VALID_WRONG_DIR, &id);
+	if (rc < 0)
 		return -ENOENT;
 	return 0;
 }
diff --git a/src/system.h b/src/system.h
@@ -179,9 +179,12 @@ struct seccomp_notif_resp {
 #define SECCOMP_IOCTL_NOTIF_RECV        SECCOMP_IOWR(0, struct seccomp_notif)
 #define SECCOMP_IOCTL_NOTIF_SEND        SECCOMP_IOWR(1, \
 						     struct seccomp_notif_resp)
-#define SECCOMP_IOCTL_NOTIF_ID_VALID    SECCOMP_IOR(2, __u64)
+#define SECCOMP_IOCTL_NOTIF_ID_VALID    SECCOMP_IOW(2, __u64)
 #endif /* SECCOMP_RET_USER_NOTIF */
 
+/* non-public ioctl number for backwards compat (see system.c) */
+#define SECCOMP_IOCTL_NOTIF_ID_VALID_WRONG_DIR SECCOMP_IOR(2, __u64)
+
 void sys_reset_state(void);
 
 int sys_chk_seccomp_syscall(void);