
Function NewSeccompServer

internal/server/seccomp/seccomp.go:1022–1097

NewSeccompServer creates a new seccomp server.

(s *state.State, path string, findPID func(pid int32, s *state.State) (Instance, error))


1021// NewSeccompServer creates a new seccomp server.
1022func NewSeccompServer(s *state.State, path string, findPID func(pid int32, s *state.State) (Instance, error)) (*Server, error) {
1023 ret := C.seccomp_notify_get_sizes(&C.expected_sizes)
1024 if ret < 0 {
1025 return nil, errors.New("Failed to query kernel for seccomp notifier sizes")
1026 }
1027
1028 // Cleanup existing sockets
1029 if util.PathExists(path) {
1030 err := os.Remove(path)
1031 if err != nil {
1032 return nil, err
1033 }
1034 }
1035
1036 // Bind new socket
1037 l, err := net.Listen("unixpacket", path)
1038 if err != nil {
1039 return nil, err
1040 }
1041
1042 // Restrict access
1043 err = os.Chmod(path, 0o700)
1044 if err != nil {
1045 return nil, err
1046 }
1047
1048 // Start the server
1049 server := Server{
1050 s: s,
1051 path: path,
1052 l: l,
1053 }
1054
1055 go func() {
1056 for {
1057 c, err := l.Accept()
1058 if err != nil {
1059 return
1060 }
1061
1062 go func() {
1063 ucred, err := linux.GetUcred(c.(*net.UnixConn))
1064 if err != nil {
1065 logger.Errorf("Unable to get ucred from seccomp socket client: %v", err)
1066 return
1067 }
1068
1069 logger.Debugf("Connected to seccomp socket: pid=%v", ucred.Pid)
1070
1071 unixFile, err := c.(*net.UnixConn).File()
1072 if err != nil {
1073 logger.Debugf("Failed to turn unix socket client into file")
1074 return
1075 }
1076
1077 for {
1078 siov := NewSeccompIovec(ucred)
1079 bytes, err := siov.ReceiveSeccompIovec(int(unixFile.Fd()))
