system: use old SECCOMP_IOCTL_NOTIF_ID_VALID number if necessary

Kernel commit 47e33c05f9f0 ("seccomp: Fix ioctl number for SECCOMP_IOCTL_NOTIF_ID_VALID") changed the public definition of SECCOMP_IOCTL_NOTIF_ID_VALID for correctness sake because it had the wrong direction (no current functional change). If libseccomp is built against kernel headers after this commit but is run on a kernel that was built prior to this commit, then the ioctl will always return -1 EINVAL and thus seccomp_notify_id_valid will incorrectly return -ENOENT. Copy the (now non-public) definition of the old ioctl number and try it if the ioctl with the number from the kernel headers fails with -1 EINVAL. Also, update the fallback definition of SECCOMP_IOCTL_NOTIF_ID_VALID to the new value. Acked-by: Tom Hromatka <[email protected]> Signed-off-by: Max Rees <[email protected]> [PM: tweak some vertical whitespace, subject line] Signed-off-by: Paul Moore <[email protected]>
seccomp · Mar 5, 2021 · 83d7b02 · 83d7b02
1 parent 6d5a0bb
commit 83d7b02
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 2 deletions.
diff --git a/src/system.c b/src/system.c
@@ -535,10 +535,20 @@ int sys_notify_respond(int fd, struct seccomp_notif_resp *resp)
  */
 int sys_notify_id_valid(int fd, uint64_t id)
 {
+ int rc;
  if (state.sup_user_notif <= 0)
  return -EOPNOTSUPP;
 
- if (ioctl(fd, SECCOMP_IOCTL_NOTIF_ID_VALID, &id) < 0)
+ rc = ioctl(fd, SECCOMP_IOCTL_NOTIF_ID_VALID, &id);
+ if (rc < 0 && errno == EINVAL)
+ /* It is possible that libseccomp was built against newer kernel
+ * headers than the kernel it is running on. If so, the older
+ * runtime kernel may not support the "fixed"
+ * SECCOMP_IOCTL_NOTIF_ID_VALID ioctl number which was introduced in
+ * kernel commit 47e33c05f9f0 ("seccomp: Fix ioctl number for
+ * SECCOMP_IOCTL_NOTIF_ID_VALID"). Try the old value. */
+ rc = ioctl(fd, SECCOMP_IOCTL_NOTIF_ID_VALID_WRONG_DIR, &id);
+ if (rc < 0)
  return -ENOENT;
  return 0;
 }
diff --git a/src/system.h b/src/system.h
@@ -179,9 +179,12 @@ struct seccomp_notif_resp {
 #define SECCOMP_IOCTL_NOTIF_RECV SECCOMP_IOWR(0, struct seccomp_notif)
 #define SECCOMP_IOCTL_NOTIF_SEND SECCOMP_IOWR(1, \
  struct seccomp_notif_resp)
-#define SECCOMP_IOCTL_NOTIF_ID_VALID SECCOMP_IOR(2, __u64)
+#define SECCOMP_IOCTL_NOTIF_ID_VALID SECCOMP_IOW(2, __u64)
 #endif /* SECCOMP_RET_USER_NOTIF */
 
+/* non-public ioctl number for backwards compat (see system.c) */
+#define SECCOMP_IOCTL_NOTIF_ID_VALID_WRONG_DIR SECCOMP_IOR(2, __u64)
+
 void sys_reset_state(void);
 
 int sys_chk_seccomp_syscall(void);