Merge pull request #2871 from masters-of-cats/pr-seccomp-pipe-hang

Ensure the seccomp pipe is being read while exporting bpf
This commit is contained in:
Mrunal Patel
2021-04-01 15:09:08 -07:00
committed by GitHub
2 changed files with 34 additions and 1 deletions
+14 -1
View File
@@ -3,6 +3,7 @@
package patchbpf
import (
"bytes"
"encoding/binary"
"io"
"os"
@@ -114,14 +115,26 @@ func disassembleFilter(filter *libseccomp.ScmpFilter) ([]bpf.Instruction, error)
defer wtr.Close()
defer rdr.Close()
readerBuffer := new(bytes.Buffer)
errChan := make(chan error, 1)
go func() {
_, err := io.Copy(readerBuffer, rdr)
errChan <- err
close(errChan)
}()
if err := filter.ExportBPF(wtr); err != nil {
return nil, errors.Wrap(err, "exporting BPF")
}
// Close so that the reader actually gets EOF.
_ = wtr.Close()
if copyErr := <-errChan; copyErr != nil {
return nil, errors.Wrap(copyErr, "reading from ExportBPF pipe")
}
// Parse the instructions.
rawProgram, err := parseProgram(rdr)
rawProgram, err := parseProgram(readerBuffer)
if err != nil {
return nil, errors.Wrap(err, "parsing generated BPF filter")
}
@@ -281,3 +281,23 @@ func TestEnosysStub_MultiArch(t *testing.T) {
}
}
}
func TestDisassembleHugeFilterDoesNotHang(t *testing.T) {
hugeFilter, err := libseccomp.NewFilter(libseccomp.ActAllow)
if err != nil {
t.Fatalf("failed to create seccomp filter: %v", err)
}
for i := 1; i < 10000; i++ {
if err := hugeFilter.AddRule(libseccomp.ScmpSyscall(i), libseccomp.ActKill); err != nil {
t.Fatalf("failed to add rule to filter %d: %v", i, err)
}
}
_, err = disassembleFilter(hugeFilter)
if err != nil {
t.Fatalf("failed to disassembleFilter: %v", err)
}
// if we exit, we did not hang
}