Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

RFE: add transaction support to the libseccomp API #415

Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

RFE: add transaction support to the libseccomp API #415

wants to merge 4 commits into from

Commits on Sep 9, 2024

  1. db: handle transaction aborts properly 

    It turns out we don't properly handle transaction aborts as we should,
this likely broke when we implemented the shadow snapshots but as the
transaction concept was not exported via the API, and callers most
likely abandoned the filter on error this went unnoticed.

This patch ensures that transaction aborts are handled properly by
correctly managing the filter's transaction stack.

Signed-off-by: Paul Moore <paul@paul-moore.com>
    @pcmoore
    pcmoore committed Sep 9, 2024
    Configuration menu
    Copy the full SHA
    bbfc17b View commit details
    Browse the repository at this point in the history

  2. db: properly handle a reduction in arch filters on transaction commits 

    Fix an off-by-one error that was causing us to leak a db_filter struct
at transaction commit time when we removed an arch/ABI in a transaction.

Reported-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
    @pcmoore
    pcmoore committed Sep 9, 2024
    Configuration menu
    Copy the full SHA
    955a0f4 View commit details
    Browse the repository at this point in the history

  3. api: add transaction support to the libseccomp API 

    While libseccomp has internally has transaction support for some time
now, it hasn't been accessible to callers through the libseccomp API.
This patch adds a transaction API as well as supporting documentation
and a new unit regression test.

  int seccomp_transaction_start(const scmp_filter_ctx ctx)
  int seccomp_transaction_commit(const scmp_filter_ctx ctx)
  void seccomp_transaction_reject(const scmp_filter_ctx ctx)

Signed-off-by: Paul Moore <paul@paul-moore.com>
    @pcmoore
    pcmoore committed Sep 9, 2024
    Configuration menu
    Copy the full SHA
    10af9fd View commit details
    Browse the repository at this point in the history

  4. tests: add test 62-sim-arch_transactions 

    Add a test to verify the logic at the end of db_col_transaction_commit()
properly copies and releases the snapshots from the filter when the
filter length doesn't match the snapshot length.

Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
[PM: subj tweak]
Signed-off-by: Paul Moore <paul@paul-moore.com>
    @drakenclimber @pcmoore
    drakenclimber authored and pcmoore committed Sep 9, 2024
    Configuration menu
    Copy the full SHA
    893e70d View commit details
    Browse the repository at this point in the history