NewSeccompServer creates a new seccomp server.
(s *state.State, path string, findPID func(pid int32, s *state.State) (Instance, error))
| 1020 | |
| 1021 | // NewSeccompServer creates a new seccomp server. |
| 1022 | func NewSeccompServer(s *state.State, path string, findPID func(pid int32, s *state.State) (Instance, error)) (*Server, error) { |
| 1023 | ret := C.seccomp_notify_get_sizes(&C.expected_sizes) |
| 1024 | if ret < 0 { |
| 1025 | return nil, errors.New("Failed to query kernel for seccomp notifier sizes") |
| 1026 | } |
| 1027 | |
| 1028 | // Cleanup existing sockets |
| 1029 | if util.PathExists(path) { |
| 1030 | err := os.Remove(path) |
| 1031 | if err != nil { |
| 1032 | return nil, err |
| 1033 | } |
| 1034 | } |
| 1035 | |
| 1036 | // Bind new socket |
| 1037 | l, err := net.Listen("unixpacket", path) |
| 1038 | if err != nil { |
| 1039 | return nil, err |
| 1040 | } |
| 1041 | |
| 1042 | // Restrict access |
| 1043 | err = os.Chmod(path, 0o700) |
| 1044 | if err != nil { |
| 1045 | return nil, err |
| 1046 | } |
| 1047 | |
| 1048 | // Start the server |
| 1049 | server := Server{ |
| 1050 | s: s, |
| 1051 | path: path, |
| 1052 | l: l, |
| 1053 | } |
| 1054 | |
| 1055 | go func() { |
| 1056 | for { |
| 1057 | c, err := l.Accept() |
| 1058 | if err != nil { |
| 1059 | return |
| 1060 | } |
| 1061 | |
| 1062 | go func() { |
| 1063 | ucred, err := linux.GetUcred(c.(*net.UnixConn)) |
| 1064 | if err != nil { |
| 1065 | logger.Errorf("Unable to get ucred from seccomp socket client: %v", err) |
| 1066 | return |
| 1067 | } |
| 1068 | |
| 1069 | logger.Debugf("Connected to seccomp socket: pid=%v", ucred.Pid) |
| 1070 | |
| 1071 | unixFile, err := c.(*net.UnixConn).File() |
| 1072 | if err != nil { |
| 1073 | logger.Debugf("Failed to turn unix socket client into file") |
| 1074 | return |
| 1075 | } |
| 1076 | |
| 1077 | for { |
| 1078 | siov := NewSeccompIovec(ucred) |
| 1079 | bytes, err := siov.ReceiveSeccompIovec(int(unixFile.Fd())) |