arp, tap, util: Don't use perror() after seccomp filter is installed

If stderr is closed, after we fork to background, glibc's
implementation of perror() will try to re-open it by calling dup(),
upon which the seccomp filter causes the process to terminate,
because dup() is not included in the list of allowed syscalls.

Replace perror() calls that might happen after isolation_postfork().
We could probably replace all of them, but early ones need a bit more
attention as we have to check whether log.c functions work in early
stages.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Stefano Brivio 2022-11-14 23:00:27 +01:00
parent 5f74465010
commit b27d6d121c
3 changed files with 10 additions and 8 deletions

6
arp.c

@ -24,6 +24,7 @@
#include <string.h> #include <string.h>
#include "util.h" #include "util.h"
#include "log.h"
#include "arp.h" #include "arp.h"
#include "dhcp.h" #include "dhcp.h"
#include "passt.h" #include "passt.h"
@ -43,6 +44,7 @@ int arp(const struct ctx *c, const struct pool *p)
struct arphdr *ah; struct arphdr *ah;
struct arpmsg *am; struct arpmsg *am;
size_t len; size_t len;
int ret;
eh = packet_get(p, 0, 0, sizeof(*eh), NULL); eh = packet_get(p, 0, 0, sizeof(*eh), NULL);
ah = packet_get(p, 0, sizeof(*eh), sizeof(*ah), NULL); ah = packet_get(p, 0, sizeof(*eh), sizeof(*ah), NULL);
@ -81,8 +83,8 @@ int arp(const struct ctx *c, const struct pool *p)
memcpy(eh->h_dest, eh->h_source, sizeof(eh->h_dest)); memcpy(eh->h_dest, eh->h_source, sizeof(eh->h_dest));
memcpy(eh->h_source, c->mac, sizeof(eh->h_source)); memcpy(eh->h_source, c->mac, sizeof(eh->h_source));
if (tap_send(c, eh, len) < 0) if ((ret = tap_send(c, eh, len)) < 0)
perror("ARP: send"); warn("ARP: send: %s", strerror(ret));
return 1; return 1;
} }
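Review bot: `strerror(ret)` in the new `warn()` call always receives a negative value, because the branch is only taken when `tap_send()` returned less than zero, so the log will show an "Unknown error" string instead of the real cause. tap_send() is not visible on this page: if it returns -1 and sets errno, the `ret` local is unnecessary and the line should be `warn("ARP: send: %s", strerror(errno));`, and if it returns a negated errno it should be `strerror(-ret)`. A misleading message here loses diagnostics on exactly the post-seccomp path this commit wants to keep loggable. arp() starts outside the hunks shown.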

6
tap.c

@ -899,7 +899,7 @@ static void tap_sock_unix_init(struct ctx *c)
int i; int i;
if (fd < 0) { if (fd < 0) {
perror("UNIX socket"); err("UNIX socket: %s", strerror(errno));
exit(EXIT_FAILURE); exit(EXIT_FAILURE);
} }
@ -920,7 +920,7 @@ static void tap_sock_unix_init(struct ctx *c)
ex = socket(AF_UNIX, SOCK_STREAM | SOCK_NONBLOCK, 0); ex = socket(AF_UNIX, SOCK_STREAM | SOCK_NONBLOCK, 0);
if (ex < 0) { if (ex < 0) {
perror("UNIX domain socket check"); err("UNIX domain socket check: %s", strerror(errno));
exit(EXIT_FAILURE); exit(EXIT_FAILURE);
} }
@ -944,7 +944,7 @@ static void tap_sock_unix_init(struct ctx *c)
} }
if (i == UNIX_SOCK_MAX) { if (i == UNIX_SOCK_MAX) {
perror("UNIX socket bind"); err("UNIX socket bind: %s", strerror(errno));
exit(EXIT_FAILURE); exit(EXIT_FAILURE);
} }
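Review bot: The `err("UNIX socket bind: %s", strerror(errno));` call after the loop prints whatever errno holds once `i == UNIX_SOCK_MAX`, and nothing in the hunk shows that bind() was the last call to set it. The loop body is outside the hunk, so this is inferred: if other calls run per iteration, or an iteration is skipped without any failure, the message can name an unrelated or stale error. Consider saving errno where bind() fails and passing that saved value to strerror(), or add a comment such as `/* errno is from the last bind() attempt */` if that is guaranteed. tap_sock_unix_init() starts and ends outside the hunks shown.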

6
util.c

@ -125,7 +125,7 @@ int sock_l4(const struct ctx *c, int af, uint8_t proto,
fd = socket(af, SOCK_DGRAM | SOCK_NONBLOCK, proto); fd = socket(af, SOCK_DGRAM | SOCK_NONBLOCK, proto);
if (fd < 0) { if (fd < 0) {
perror("L4 socket"); warn("L4 socket: %s", strerror(errno));
return -1; return -1;
} }
@ -193,7 +193,7 @@ int sock_l4(const struct ctx *c, int af, uint8_t proto,
} }
if (proto == IPPROTO_TCP && listen(fd, 128) < 0) { if (proto == IPPROTO_TCP && listen(fd, 128) < 0) {
perror("TCP socket listen"); warn("TCP socket listen: %s", strerror(errno));
close(fd); close(fd);
return -1; return -1;
} }
@ -201,7 +201,7 @@ int sock_l4(const struct ctx *c, int af, uint8_t proto,
ev.events = EPOLLIN; ev.events = EPOLLIN;
ev.data.u64 = ref.u64; ev.data.u64 = ref.u64;
if (epoll_ctl(c->epollfd, EPOLL_CTL_ADD, fd, &ev) == -1) { if (epoll_ctl(c->epollfd, EPOLL_CTL_ADD, fd, &ev) == -1) {
perror("L4 epoll_ctl"); warn("L4 epoll_ctl: %s", strerror(errno));
return -1; return -1;
} }
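Review bot: The epoll_ctl() failure branch in the last hunk returns -1 without closing `fd`, unlike the listen() failure branch in the hunk above it, so as far as these hunks show each failure leaks a socket descriptor in a long-running process. Adding `close(fd);` between the `warn()` line and `return -1;` makes the two error paths consistent. The `strerror(errno)` argument is evaluated before close() runs, so the logged error is still the epoll_ctl() one. sock_l4() starts and ends outside the hunks shown.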