syncParentSeccomp sends the number of the seccomp notify file descriptor to the parent (not the descriptor itself), and waits for the parent to call pidfd_getfd() to grab its own copy.
(pipe *syncSocket, seccompFd int)
// syncParentSeccomp hands the seccomp notify fd (seccompFd) over to the
// parent runc process and blocks until the parent confirms it has taken its
// own copy of the descriptor with pidfd_getfd(2).
//
// Only the descriptor *number* travels over the sync pipe (writeSyncArg);
// the parent fetches the descriptor through this process's pidfd, so our copy
// has to stay open until the procSeccompDone acknowledgement arrives. Once the
// handshake is over (successfully or not) our copy is closed.
//
// A seccompFd of -1 means no notify fd was set up and the call is a no-op.
//
// Returns any error reported while writing the request or while waiting for
// the parent's acknowledgement.
func syncParentSeccomp(pipe *syncSocket, seccompFd int) error {
	if seccompFd == -1 {
		// Nothing to hand over.
		return nil
	}
	// Release our reference only after the parent has had its chance to grab
	// its own copy; a copy taken via pidfd_getfd is unaffected by this close.
	// The Close error is not checked here, matching the rest of the handshake.
	defer unix.Close(seccompFd)

	// Deliberately NOT writeSyncFile: a container profile may put
	// SCMP_ACT_NOTIFY on sendmsg(2), and until the parent holds the notify
	// fd nobody can answer a notification, so any notified syscall issued on
	// this path would block "runc init" forever. Keep the syscall footprint
	// as small as possible; every syscall used here is consequently refused
	// for SCMP_ACT_NOTIFY (see seccomp.InitSeccomp() for details).
	err := writeSyncArg(pipe, procSeccomp, seccompFd)
	if err == nil {
		// Block until the parent reports that it has grabbed the seccomp fd.
		err = readSync(pipe, procSeccompDone)
	}
	return err
}
| 466 | |
| 467 | // setupUser changes the groups, gid, and uid for the user inside the container. |
| 468 | func setupUser(config *initConfig) error { |