From 5201e324d2025b1febbade9bb90d6e405b92a14c Mon Sep 17 00:00:00 2001
From: Paul Moore <paul@paul-moore.com>
Date: Tue, 4 Aug 2020 10:52:08 -0400
Subject: [PATCH 102/102] system: change our notification fd handling

This commit changes how we handle the notification fd by only
requesting it via _NEW_LISTENER if the filter has a _NOTIFY action
in it.  We also augment the seccomp_reset(NULL, ...) behavior so
that it closes the notification fd before resetting the global
state; applications that need to keep their notification fd open
across a call to seccomp_reset(NULL, ...) can simply dup() it.
Although one would have to wonder why the application would be
calling seccomp_reset(NULL, ...) in that case.

Signed-off-by: Paul Moore <paul@paul-moore.com>
---
 doc/man/man3/seccomp_init.3 |  6 ++++--
 src/system.c                | 18 +++++++++++++++---
 2 files changed, 19 insertions(+), 5 deletions(-)

diff --git a/doc/man/man3/seccomp_init.3 b/doc/man/man3/seccomp_init.3
index 87520cd..7881c35 100644
--- a/doc/man/man3/seccomp_init.3
+++ b/doc/man/man3/seccomp_init.3
@@ -38,8 +38,10 @@ and can only be called after a call to
 .BR seccomp_init ()
 has succeeded.  If
 .BR seccomp_reset ()
-is called with a NULL filter, it resets the library's global task state;
-normally this is not needed, but it may be required to continue using the
+is called with a NULL filter, it resets the library's global task state,
+including any notification file descriptors retrieved by
+.BR seccomp_notify_fd(3) .
+Normally this is not needed, but it may be required to continue using the
 library after a
 .BR fork ()
 or
diff --git a/src/system.c b/src/system.c
index 3b43b2a..c646c65 100644
--- a/src/system.c
+++ b/src/system.c
@@ -84,7 +84,11 @@ static struct task_state state = {
 void sys_reset_state(void)
 {
 	state.nr_seccomp = -1;
+
+	if (state.notify_fd > 0)
+		close(state.notify_fd);
 	state.notify_fd = -1;
+
 	state.sup_syscall = -1;
 	state.sup_flag_tsync = -1;
 	state.sup_flag_log = -1;
@@ -353,6 +357,7 @@ int sys_filter_load(struct db_filter_col *col, bool rawrc)
 {
 	int rc;
 	bool tsync_notify;
+	bool listener_req;
 	struct bpf_program *prgm = NULL;
 
 	rc = gen_bpf_generate(col, &prgm);
@@ -367,6 +372,8 @@ int sys_filter_load(struct db_filter_col *col, bool rawrc)
 	}
 
 	tsync_notify = state.sup_flag_tsync_esrch > 0 && state.notify_fd == -1;
+	listener_req = state.sup_user_notif > 0 && \
+		       col->notify_used && state.notify_fd == -1;
 
 	/* load the filter into the kernel */
 	if (sys_chk_seccomp_syscall() == 1) {
@@ -375,11 +382,16 @@ int sys_filter_load(struct db_filter_col *col, bool rawrc)
 			if (col->attr.tsync_enable)
 				flgs |= SECCOMP_FILTER_FLAG_TSYNC | \
 					SECCOMP_FILTER_FLAG_TSYNC_ESRCH;
-			if (state.sup_user_notif > 0)
+			if (listener_req)
 				flgs |= SECCOMP_FILTER_FLAG_NEW_LISTENER;
-		} else if (col->attr.tsync_enable)
+		} else if (col->attr.tsync_enable) {
+			if (listener_req) {
+				/* NOTE: we _should_ catch this in db.c */
+				rc = -EFAULT;
+				goto filter_load_out;
+			}
 			flgs |= SECCOMP_FILTER_FLAG_TSYNC;
-		else if (state.sup_user_notif > 0 && state.notify_fd == -1)
+		} else if (listener_req)
 			flgs |= SECCOMP_FILTER_FLAG_NEW_LISTENER;
 		if (col->attr.log_enable)
 			flgs |= SECCOMP_FILTER_FLAG_LOG;
-- 
2.26.2