Add support for seccomp_unotify

This allows users to install rules which notify a supervisory process.

See https://man7.org/linux/man-pages/man2/seccomp_unotify.2.html.

Signed-off-by: Colin Marc <hi@colinmarc.com>

Author: colinmarc

CHANGELOG.md

@@ -5,6 +5,7 @@
 ## Added
 - [[#72]](https://github.com/rust-vmm/seccompiler/pull/72): Introduce RISC-V
   64-bit architecture support.
+- [[#75]](https://github.com/rust-vmm/seccompiler/pull/75): Support for `seccomp_unotify`.
 
 ## Changed
 - [[#78]](https://github.com/rust-vmm/seccompiler/pull/78): Update

Cargo.toml

@@ -11,6 +11,7 @@ edition = "2021"
 
 [features]
 json = ["serde", "serde_json"]
+seccomp_unotify = []
 
 [dependencies]
 libc = "^0.2.153"

src/backend/mod.rs

@@ -25,6 +25,10 @@ use libc::{
     SECCOMP_RET_KILL_THREAD, SECCOMP_RET_LOG, SECCOMP_RET_TRACE, SECCOMP_RET_TRAP,
 };
 
+// Not available in the libc crate yet.
+#[cfg(feature = "seccomp_unotify")]
+const SECCOMP_RET_USER_NOTIF: libc::c_uint = 0x7fc00000;
+
 use bpf::{ARG_NUMBER_MAX, AUDIT_ARCH_AARCH64, AUDIT_ARCH_RISCV64, AUDIT_ARCH_X86_64, BPF_MAX_LEN};
 
 pub use bpf::{sock_filter, BpfProgram, BpfProgramRef};
@@ -166,6 +170,9 @@ pub enum SeccompAction {
     Trace(u32),
     /// Sends `SIGSYS` to the calling process.
     Trap,
+    /// Sends a notification to a supervisory process.
+    #[cfg(feature = "seccomp_unotify")]
+    Notify,
 }
 
 impl From<SeccompAction> for u32 {
@@ -185,6 +192,8 @@ impl From<SeccompAction> for u32 {
             SeccompAction::Log => SECCOMP_RET_LOG,
             SeccompAction::Trace(x) => SECCOMP_RET_TRACE | (x & SECCOMP_RET_DATA),
             SeccompAction::Trap => SECCOMP_RET_TRAP,
+            #[cfg(feature = "seccomp_unotify")]
+            SeccompAction::Notify => SECCOMP_RET_USER_NOTIF,
         }
     }
 }

src/lib.rs

@@ -196,6 +196,9 @@ use std::convert::TryInto;
 #[cfg(feature = "json")]
 use std::io::Read;
 
+#[cfg(feature = "seccomp_unotify")]
+use std::os::fd::{FromRawFd as _, OwnedFd};
+
 use std::collections::HashMap;
 use std::fmt::{Display, Formatter};
 use std::io;
@@ -310,7 +313,8 @@ impl From<JsonFrontendError> for Error {
 ///
 /// [`BpfProgram`]: type.BpfProgram.html
 pub fn apply_filter(bpf_filter: BpfProgramRef) -> Result<()> {
-    apply_filter_with_flags(bpf_filter, 0)
+    apply_filter_with_flags(bpf_filter, 0)?;
+    Ok(())
 }
 
 /// Apply a BPF filter to the all threads in the process via the TSYNC feature. Please read the
@@ -322,7 +326,28 @@ pub fn apply_filter(bpf_filter: BpfProgramRef) -> Result<()> {
 ///
 /// [`BpfProgram`]: type.BpfProgram.html
 pub fn apply_filter_all_threads(bpf_filter: BpfProgramRef) -> Result<()> {
-    apply_filter_with_flags(bpf_filter, libc::SECCOMP_FILTER_FLAG_TSYNC)
+    let rc = apply_filter_with_flags(bpf_filter, libc::SECCOMP_FILTER_FLAG_TSYNC)?;
+
+    if rc > 0 {
+        return Err(Error::ThreadSync(rc));
+    }
+
+    Ok(())
+}
+
+/// Apply a filter with the SECCOMP_FILTER_FLAG_NEW_LISTENER flag.
+///
+/// The returned FD can be polled for notifications generated by a rule with the
+/// action [SeccompAction::Notify]. See `man 2 seccomp_unotify` for more
+/// information.
+#[cfg(feature = "seccomp_unotify")]
+pub fn apply_filter_with_notify_fd(bpf_filter: BpfProgramRef) -> Result<OwnedFd> {
+    let rc = apply_filter_with_flags(bpf_filter, libc::SECCOMP_FILTER_FLAG_NEW_LISTENER)?;
+
+    // SAFETY: seccomp_unotify documents that it returns a valid FD if the
+    // syscall is a success.
+    let fd = unsafe { OwnedFd::from_raw_fd(rc as _) };
+    Ok(fd)
 }
 
 /// Apply a BPF filter to the calling thread.
@@ -333,7 +358,7 @@ pub fn apply_filter_all_threads(bpf_filter: BpfProgramRef) -> Result<()> {
 /// * `flags` - A u64 representing a bitset of seccomp's flags parameter.
 ///
 /// [`BpfProgram`]: type.BpfProgram.html
-fn apply_filter_with_flags(bpf_filter: BpfProgramRef, flags: libc::c_ulong) -> Result<()> {
+fn apply_filter_with_flags(bpf_filter: BpfProgramRef, flags: libc::c_ulong) -> Result<i64> {
     // If the program is empty, don't install the filter.
     if bpf_filter.is_empty() {
         return Err(Error::EmptyFilter);
@@ -364,16 +389,11 @@ fn apply_filter_with_flags(bpf_filter: BpfProgramRef, flags: libc::c_ulong) -> R
         )
     };
 
-    #[allow(clippy::comparison_chain)]
-    // Per manpage, if TSYNC fails, retcode is >0 and equals the pid of the thread that caused the
-    // failure. Otherwise, error code is -1 and errno is set.
     if rc < 0 {
-        return Err(Error::Seccomp(io::Error::last_os_error()));
-    } else if rc > 0 {
-        return Err(Error::ThreadSync(rc));
+        return Err(Error::Seccomp(std::io::Error::last_os_error()));
     }
 
-    Ok(())
+    Ok(rc)
 }
 
 /// Compile [`BpfProgram`]s from JSON.