seccomp: skip supervisor for nested calls

The old code returned a fake epoll fd as the supervisor fd to avoid
refactoring the fd passing code, but it was just a hack.

This commit does things properly by allowing send_fd to accept -1 to
signify "send no file descriptor". A matching recv_fd will in turn
return -1.

This allows us to return -1 when the supervisor already exists somewhere
up the chain and skip the nested supervisor loop if that's the case.

Author: Snaipe

enter.c

@@ -472,8 +472,8 @@ int enter(struct entry_settings *opts)
 
 #ifdef HAVE_SECCOMP_UNOTIFY
 		int seccomp_fd = sec_seccomp_install_filter();
+		send_fd(outer_helper.fd, seccomp_fd);
 		if (seccomp_fd != -1) {
-			send_fd(outer_helper.fd, seccomp_fd);
 			close(seccomp_fd);
 		}
 #endif

fd.c

@@ -8,6 +8,7 @@
 #include <fcntl.h>
 #include <stdarg.h>
 #include <stddef.h>
+#include <string.h>
 #include <sys/socket.h>
 #include <unistd.h>
 
@@ -43,7 +44,7 @@ int recv_fd(int socket)
 
 	struct cmsghdr *pCm = CMSG_FIRSTHDR(&msg);
 	if (pCm == NULL || pCm->cmsg_len != CMSG_LEN(sizeof (int))) {
-		errx(1, "recv_fd: no descriptor passed");
+		return -1;
 	}
 	if (pCm->cmsg_level != SOL_SOCKET) {
 		errx(1, "recv_fd: control level != SOL_SOCKET");
@@ -64,19 +65,26 @@ void send_fd(int socket, int fd)
 		struct cmsghdr _align;
 		char ctrl[CMSG_SPACE(sizeof(int))];
 	} uCtrl;
+	memset(&uCtrl, 0, sizeof(uCtrl));
+
 	struct msghdr msg = {
-		.msg_control = uCtrl.ctrl,
-		.msg_controllen = sizeof(uCtrl.ctrl),
 		.msg_name = NULL,
 		.msg_namelen = 0,
 		.msg_iov = iov,
 		.msg_iovlen = 1,
 	};
-	struct cmsghdr *pCm = CMSG_FIRSTHDR(&msg);
-	pCm->cmsg_len = CMSG_LEN(sizeof(int));
-	pCm->cmsg_level = SOL_SOCKET;
-	pCm->cmsg_type = SCM_RIGHTS;
-	*((int*) CMSG_DATA(pCm)) = fd;
+
+	if (fd != -1) {
+		msg.msg_control = uCtrl.ctrl;
+		msg.msg_controllen = sizeof(uCtrl.ctrl);
+
+		struct cmsghdr *pCm = CMSG_FIRSTHDR(&msg);
+		pCm->cmsg_len = CMSG_LEN(sizeof(int));
+		pCm->cmsg_level = SOL_SOCKET;
+		pCm->cmsg_type = SCM_RIGHTS;
+		*((int*) CMSG_DATA(pCm)) = fd;
+	}
+
 	if (sendmsg(socket, &msg, 0) < 0) {
 		err(1, "send_fd: sendmsg");
 	}

outer.c

@@ -404,6 +404,10 @@ void outer_helper_spawn(struct outer_helper *helper)
 
 #ifdef HAVE_SECCOMP_UNOTIFY
 	int seccomp_fd = recv_fd(fd);
+	if (seccomp_fd == -1) {
+		/* We could not install seccomp */
+		_exit(0);
+	}
 
 	/* Don't hold onto any file descriptors before running our supervisor loop,
 	   because doing so may keep other children stuck waiting on fds that

sec.c

@@ -748,9 +748,8 @@ int sec_seccomp_install_filter(void)
 	int fd = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_NEW_LISTENER, &prog);
 	if (fd == -1) {
 		if (errno == EBUSY) {
-			// We're likely running bst in bst; ignore the error, and return
-			// a useless file descriptor to pass to the seccomp supervisor
-			return epoll_create1(EPOLL_CLOEXEC);
+			// We're likely running bst in bst; this error is nonfatal.
+			return -1;
 		}
 		err(1, "seccomp SECCOMP_SET_MODE_FILTER");
 	}