github.com/opencontainers/runc

Function syncParentSeccomp

libcontainer/init_linux.go:445–465

syncParentSeccomp sends the number of the seccomp file descriptor to the parent process, then waits for the parent to call pidfd_getfd() and grab its own copy of that descriptor.

(pipe *syncSocket, seccompFd int)


// syncParentSeccomp sends the fd associated with the seccomp file descriptor
// to the parent, and waits for the parent to do pidfd_getfd() to grab a copy.
func syncParentSeccomp(pipe *syncSocket, seccompFd int) error {
	if seccompFd == -1 {
		return nil
	}
	defer unix.Close(seccompFd)

	// Tell parent to grab our fd.
	//
	// Notably, we do not use writeSyncFile here because a container might have
	// an SCMP_ACT_NOTIFY action on sendmsg(2) so we need to use the smallest
	// possible number of system calls here because all of those syscalls
	// cannot be used with SCMP_ACT_NOTIFY as a result (any syscall we use here
	// before the parent gets the file descriptor would deadlock "runc init" if
	// we allowed it for SCMP_ACT_NOTIFY). See seccomp.InitSeccomp() for more
	// details.
	if err := writeSyncArg(pipe, procSeccomp, seccompFd); err != nil {
		return err
	}
	// Wait for parent to tell us they've grabbed the seccompfd.
	return readSync(pipe, procSeccompDone)
}

Callers (2)

Init (method), two call sites

Calls (3)

writeSyncArg (function)
readSync (function)
Close (method)

Tested by

no test coverage detected
