From 61adda616e624d4437ad1a3dc9a6e103be3d5a3a Mon Sep 17 00:00:00 2001 From: utam0k Date: Mon, 29 Apr 2024 21:40:22 +0900 Subject: [PATCH] seccomp: Add a case for checking arguments Signed-off-by: utam0k --- experiment/seccomp/Cargo.lock | 367 ++++++++++++++++++++++++++++++ experiment/seccomp/Cargo.toml | 2 + experiment/seccomp/src/main.rs | 130 +++++++---- experiment/seccomp/src/seccomp.rs | 23 +- 4 files changed, 474 insertions(+), 48 deletions(-) diff --git a/experiment/seccomp/Cargo.lock b/experiment/seccomp/Cargo.lock index c2f0239f..d3af855d 100644 --- a/experiment/seccomp/Cargo.lock +++ b/experiment/seccomp/Cargo.lock @@ -2,6 +2,21 @@ # It is not intended for manual editing. version = 3 +[[package]] +name = "addr2line" +version = "0.21.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8a30b2e23b9e17a9f90641c7ab1549cd9b44f296d3ccbf309d2863cfe398a0cb" +dependencies = [ + "gimli", +] + +[[package]] +name = "adler" +version = "1.0.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f26201604c87b1e01bd3d98f8d5d9a8fcbb815e8cedb41ffccbeb4bf593a35fe" + [[package]] name = "anyhow" version = "1.0.81" @@ -14,12 +29,39 @@ version = "1.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d468802bab17cbc0cc575e9b053f41e72aa36bfa6b7f55e3529ffa43161b97fa" +[[package]] +name = "backtrace" +version = "0.3.71" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "26b05800d2e817c8b3b4b54abd461726265fa9789ae34330622f2db9ee696f9d" +dependencies = [ + "addr2line", + "cc", + "cfg-if", + "libc", + "miniz_oxide", + "object", + "rustc-demangle", +] + [[package]] name = "bitflags" version = "2.4.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ed570934406eb16438a4e976b1b4500774099c13b8cb96eec99f620f05090ddf" +[[package]] +name = "bytes" +version = "1.6.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "514de17de45fdb8dc022b1a7975556c53c86f9f0aa5f534b98977b171857c2c9" + +[[package]] +name = "cc" +version = "1.0.95" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d32a725bc159af97c3e629873bb9f88fb8cf8a4867175f76dc987815ea07c83b" + [[package]] name = "cfg-if" version = "1.0.0" @@ -32,12 +74,40 @@ version = "0.1.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "fd16c4719339c4530435d38e511904438d07cce7950afa3718a84ac36c10e89e" +[[package]] +name = "gimli" +version = "0.28.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4271d37baee1b8c7e4b708028c57d816cf9d2434acb33a549475f78c181f6253" + +[[package]] +name = "hermit-abi" +version = "0.3.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d231dfb89cfffdbc30e7fc41579ed6066ad03abda9e567ccafae602b97ec5024" + [[package]] name = "libc" version = "0.2.153" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9c198f91728a82281a64e1f4f9eeb25d82cb32a5de251c6bd1b5154d63a8e7bd" +[[package]] +name = "lock_api" +version = "0.4.12" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "07af8b9cdd281b7915f413fa73f29ebd5d55d0d3f0155584dade1ff18cea1b17" +dependencies = [ + "autocfg", + "scopeguard", +] + +[[package]] +name = "memchr" +version = "2.7.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6c8640c5d730cb13ebd907d8d04b52f55ac9a2eec55b440c8892f40d56c76c1d" + [[package]] name = "memoffset" version = "0.9.0" @@ -47,6 +117,26 @@ dependencies = [ "autocfg", ] +[[package]] +name = "miniz_oxide" +version = "0.7.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9d811f3e15f28568be3407c8e7fdb6514c1cda3cb30683f15b6a1a1dc4ea14a7" +dependencies = [ + "adler", +] + +[[package]] +name = "mio" +version = "0.8.11" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a4a650543ca06a924e8b371db273b2756685faae30f8487da1b56505a8f78b0c" +dependencies = [ + "libc", + "wasi", + "windows-sys 0.48.0", +] + [[package]] name = "nix" version = "0.27.1" @@ -71,6 +161,54 @@ dependencies = [ "libc", ] +[[package]] +name = "num_cpus" +version = "1.16.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4161fcb6d602d4d2081af7c3a45852d875a03dd337a6bfdd6e06407b61342a43" +dependencies = [ + "hermit-abi", + "libc", +] + +[[package]] +name = "object" +version = "0.32.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a6a622008b6e321afc04970976f62ee297fdbaa6f95318ca343e3eebb9648441" +dependencies = [ + "memchr", +] + +[[package]] +name = "parking_lot" +version = "0.12.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7e4af0ca4f6caed20e900d564c242b8e5d4903fdacf31d3daf527b66fe6f42fb" +dependencies = [ + "lock_api", + "parking_lot_core", +] + +[[package]] +name = "parking_lot_core" +version = "0.9.10" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1e401f977ab385c9e4e3ab30627d6f26d00e2c73eef317493c4ec6d468726cf8" +dependencies = [ + "cfg-if", + "libc", + "redox_syscall", + "smallvec", + "windows-targets 0.52.5", +] + +[[package]] +name = "pin-project-lite" +version = "0.2.14" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bda66fc9667c18cb2758a2ac84d1167245054bcf85d5d1aaa6923f45801bdd02" + [[package]] name = "prctl" version = "1.0.0" @@ -99,6 +237,27 @@ dependencies = [ "proc-macro2", ] +[[package]] +name = "redox_syscall" +version = "0.5.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "469052894dcb553421e483e4209ee581a45100d31b4018de03e5a7ad86374a7e" +dependencies = [ + "bitflags", +] + +[[package]] +name = "rustc-demangle" +version = "0.1.23" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d626bb9dae77e28219937af045c257c28bfd3f69333c512553507f5f9798cb76" + +[[package]] +name = "scopeguard" +version = "1.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49" + [[package]] name = "seccomp" version = "0.0.0" @@ -106,7 +265,34 @@ dependencies = [ "anyhow", "nix 0.27.1", "prctl", + "syscall-numbers", "thiserror", + "tokio", +] + +[[package]] +name = "signal-hook-registry" +version = "1.4.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a9e9e0b4211b72e7b8b6e85c807d36c212bdb33ea8587f7569562a84df5465b1" +dependencies = [ + "libc", +] + +[[package]] +name = "smallvec" +version = "1.13.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3c5e1a9a646d36c3599cd173a41282daf47c44583ad367b8e6837255952e5c67" + +[[package]] +name = "socket2" +version = "0.5.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "05ffd9c0a93b7543e062e759284fcf5f5e3b098501104bfbdde4d404db792871" +dependencies = [ + "libc", + "windows-sys 0.52.0", ] [[package]] @@ -120,6 +306,12 @@ dependencies = [ "unicode-ident", ] +[[package]] +name = "syscall-numbers" +version = "3.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "084e382bf467cd3381fdec080d883505792ee0d16a004b1b090abf2db5dc2a29" + [[package]] name = "thiserror" version = "1.0.58" @@ -140,8 +332,183 @@ dependencies = [ "syn", ] +[[package]] +name = "tokio" +version = "1.37.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1adbebffeca75fcfd058afa480fb6c0b81e165a0323f9c9d39c9697e37c46787" +dependencies = [ + "backtrace", + "bytes", + "libc", + "mio", + "num_cpus", + "parking_lot", + "pin-project-lite", + "signal-hook-registry", + "socket2", + "tokio-macros", + "windows-sys 0.48.0", +] + +[[package]] +name = "tokio-macros" +version = "2.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5b8a1e28f2deaa14e508979454cb3a223b10b938b45af148bc0986de36f1923b" +dependencies = [ + "proc-macro2", + "quote", + "syn", +] + [[package]] name = "unicode-ident" version = "1.0.12" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "3354b9ac3fae1ff6755cb6db53683adb661634f67557942dea4facebec0fee4b" + +[[package]] +name = "wasi" +version = "0.11.0+wasi-snapshot-preview1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9c8d87e72b64a3b4db28d11ce29237c246188f4f51057d65a7eab63b7987e423" + +[[package]] +name = "windows-sys" +version = "0.48.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "677d2418bec65e3338edb076e806bc1ec15693c5d0104683f2efe857f61056a9" +dependencies = [ + "windows-targets 0.48.5", +] + +[[package]] +name = "windows-sys" +version = "0.52.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "282be5f36a8ce781fad8c8ae18fa3f9beff57ec1b52cb3de0789201425d9a33d" +dependencies = [ + "windows-targets 0.52.5", +] + +[[package]] +name = "windows-targets" +version = "0.48.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9a2fa6e2155d7247be68c096456083145c183cbbbc2764150dda45a87197940c" +dependencies = [ + "windows_aarch64_gnullvm 0.48.5", + "windows_aarch64_msvc 0.48.5", + "windows_i686_gnu 0.48.5", + "windows_i686_msvc 0.48.5", + "windows_x86_64_gnu 0.48.5", + "windows_x86_64_gnullvm 0.48.5", + "windows_x86_64_msvc 0.48.5", +] + +[[package]] +name = "windows-targets" +version = "0.52.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6f0713a46559409d202e70e28227288446bf7841d3211583a4b53e3f6d96e7eb" +dependencies = [ + "windows_aarch64_gnullvm 0.52.5", + "windows_aarch64_msvc 0.52.5", + "windows_i686_gnu 0.52.5", + "windows_i686_gnullvm", + "windows_i686_msvc 0.52.5", + "windows_x86_64_gnu 0.52.5", + "windows_x86_64_gnullvm 0.52.5", + "windows_x86_64_msvc 0.52.5", +] + +[[package]] +name = "windows_aarch64_gnullvm" +version = "0.48.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2b38e32f0abccf9987a4e3079dfb67dcd799fb61361e53e2882c3cbaf0d905d8" + +[[package]] +name = "windows_aarch64_gnullvm" +version = "0.52.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7088eed71e8b8dda258ecc8bac5fb1153c5cffaf2578fc8ff5d61e23578d3263" + +[[package]] +name = "windows_aarch64_msvc" +version = "0.48.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "dc35310971f3b2dbbf3f0690a219f40e2d9afcf64f9ab7cc1be722937c26b4bc" + +[[package]] +name = "windows_aarch64_msvc" +version = "0.52.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9985fd1504e250c615ca5f281c3f7a6da76213ebd5ccc9561496568a2752afb6" + +[[package]] +name = "windows_i686_gnu" +version = "0.48.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a75915e7def60c94dcef72200b9a8e58e5091744960da64ec734a6c6e9b3743e" + +[[package]] +name = "windows_i686_gnu" +version = "0.52.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "88ba073cf16d5372720ec942a8ccbf61626074c6d4dd2e745299726ce8b89670" + +[[package]] +name = "windows_i686_gnullvm" +version = "0.52.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "87f4261229030a858f36b459e748ae97545d6f1ec60e5e0d6a3d32e0dc232ee9" + +[[package]] +name = "windows_i686_msvc" +version = "0.48.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8f55c233f70c4b27f66c523580f78f1004e8b5a8b659e05a4eb49d4166cca406" + +[[package]] +name = "windows_i686_msvc" +version = "0.52.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "db3c2bf3d13d5b658be73463284eaf12830ac9a26a90c717b7f771dfe97487bf" + +[[package]] +name = "windows_x86_64_gnu" +version = "0.48.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "53d40abd2583d23e4718fddf1ebec84dbff8381c07cae67ff7768bbf19c6718e" + +[[package]] +name = "windows_x86_64_gnu" +version = "0.52.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4e4246f76bdeff09eb48875a0fd3e2af6aada79d409d33011886d3e1581517d9" + +[[package]] +name = "windows_x86_64_gnullvm" +version = "0.48.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0b7b52767868a23d5bab768e390dc5f5c55825b6d30b86c844ff2dc7414044cc" + +[[package]] +name = "windows_x86_64_gnullvm" +version = "0.52.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "852298e482cd67c356ddd9570386e2862b5673c85bd5f88df9ab6802b334c596" + +[[package]] +name = "windows_x86_64_msvc" +version = "0.48.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ed94fce61571a4006852b7389a063ab983c02eb1bb37b47f8272ce92d06d9538" + +[[package]] +name = "windows_x86_64_msvc" +version = "0.52.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bec47e5bfd1bff0eeaf6d8b485cc1074891a197ab4225d504cb7a1ab88b02bf0" diff --git a/experiment/seccomp/Cargo.toml b/experiment/seccomp/Cargo.toml index 25bee2aa..56c4fae4 100644 --- a/experiment/seccomp/Cargo.toml +++ b/experiment/seccomp/Cargo.toml @@ -22,3 +22,5 @@ nix = { version = "0.27.1", features = [ thiserror = "1.0.57" prctl = "1.0.0" anyhow = "1.0" +tokio = { version = "1", features = ["full"] } +syscall-numbers = "3.1.1" diff --git a/experiment/seccomp/src/main.rs b/experiment/seccomp/src/main.rs index bdab976f..9fd04bda 100644 --- a/experiment/seccomp/src/main.rs +++ b/experiment/seccomp/src/main.rs @@ -1,4 +1,3 @@ -use nix::unistd::mkdir; use seccomp::{ instruction::{self, *}, seccomp::{NotifyFd, Seccomp}, @@ -13,13 +12,16 @@ use anyhow::Result; use nix::{ libc, sys::{ + signal::Signal, socket::{ self, ControlMessage, ControlMessageOwned, MsgFlags, SockFlag, SockType, UnixAddr, }, stat::Mode, + wait::{self, WaitStatus}, }, - unistd::close, + unistd::{close, mkdir}, }; +use syscall_numbers::x86_64; fn send_fd(sock: OwnedFd, fd: &F) -> nix::Result<()> { let fd = fd.as_raw_fd(); @@ -38,7 +40,7 @@ fn recv_fd(sock: RawFd) -> nix::Result> { let mut cmsg_buf = nix::cmsg_space!(RawFd); let msg = socket::recvmsg::(sock, &mut iov, Some(&mut cmsg_buf), MsgFlags::empty())?; match msg.cmsgs().next() { - Some(ControlMessageOwned::ScmRights(fds)) if fds.len() > 0 => { + Some(ControlMessageOwned::ScmRights(fds)) if !fds.is_empty() => { let fd = unsafe { F::from_raw_fd(fds[0]) }; Ok(Some(fd)) } @@ -46,19 +48,40 @@ fn recv_fd(sock: RawFd) -> nix::Result> { } } -fn handle_notifications(notify_fd: NotifyFd) -> nix::Result<()> { +async fn handle_notifications(notify_fd: NotifyFd) -> nix::Result<()> { loop { println!("Waiting on next"); let req = notify_fd.recv()?.notif; - assert_eq!(req.data.nr, libc::SYS_mkdir as i32); + let syscall_name = x86_64::sys_call_name(req.data.nr.into()); println!( - "Got notification for mkdir(2): id={}, pid={}, nr={}", - req.id, req.pid, req.data.nr + "Got notification: id={}, pid={}, nr={:?}", + req.id, req.pid, syscall_name ); + + notify_fd.success(0, req.id)?; } } -fn main() -> Result<()> { +async fn handle_signal(pid: nix::unistd::Pid) -> Result<()> { + let status = wait::waitpid(pid, None)?; + match status { + WaitStatus::Signaled(_, signal, _) => { + if signal == Signal::SIGSYS { + println!("Got SIGSYS, seccomp filter applied successfully!"); + return Ok(()); + } + dbg!(signal); + Ok(()) + } + wait_status => { + dbg!("Unexpected wait status: {:?}", wait_status); + Err(anyhow::anyhow!("Unexpected wait status: {:?}", wait_status)) + } + } +} + +#[tokio::main] +async fn main() -> Result<()> { let (sock_for_child, sock_for_parent) = socket::socketpair( socket::AddressFamily::Unix, SockType::Stream, @@ -74,54 +97,67 @@ fn main() -> Result<()> { Instruction::stmt(BPF_LD | BPF_W | BPF_ABS, 0), Instruction::jump(BPF_JMP | BPF_JEQ | BPF_K, 0, 1, libc::SYS_getcwd as u32), // If false, go to B Instruction::stmt(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS), - // B: Check if syscall is mkdir and if so, return seccomp notify + // B: Check if syscall is write and it is writing to stderr(fd=2) Instruction::stmt(BPF_LD | BPF_W | BPF_ABS, 0), - Instruction::jump(BPF_JMP | BPF_JEQ | BPF_K, 0, 1, libc::SYS_mkdir as u32), // If false, go to C + Instruction::jump(BPF_JMP | BPF_JEQ | BPF_K, 0, 3, libc::SYS_write as u32), // If false, go to C + // Load the file descriptor + Instruction::stmt(BPF_LD | BPF_W | BPF_ABS, seccomp_data_args_offset().into()), + // Check if args is stderr + Instruction::jump(BPF_JMP | BPF_JEQ | BPF_K, 0, 1, libc::STDERR_FILENO as u32), // If false, go to C + Instruction::stmt(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS), + // C: Check if syscall is mkdir and if so, return seccomp notify + Instruction::stmt(BPF_LD | BPF_W | BPF_ABS, 0), + Instruction::jump(BPF_JMP | BPF_JEQ | BPF_K, 0, 1, libc::SYS_mkdir as u32), // If false, go to D Instruction::stmt(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF), - // C: Pass + // D: Pass Instruction::stmt(BPF_RET | BPF_K, SECCOMP_RET_ALLOW), ]); let seccomp = Seccomp { filters: bpf_prog }; - if let nix::unistd::ForkResult::Child = unsafe { nix::unistd::fork()? } { - // nix::unistd::ForkResult::Parent { child } => match wait::waitpid(child, None)? { - // wait::WaitStatus::Signaled(_, signal, _) => { - // if signal == Signal::SIGSYS { - // println!("Got SIGSYS, seccomp filter applied successfully!"); - // return Ok(()); - // } - // dbg!(signal); - // } - // wait_status => { - // dbg!("Unexpected wait status: {:?}", wait_status); - // } - // }, - std::panic::catch_unwind(|| { - let notify_fd = seccomp.apply().unwrap(); - println!( - "Seccomp applied successfully with notify fd: {:?}", - notify_fd - ); - send_fd(sock_for_child, ¬ify_fd).unwrap(); - - if let Err(e) = mkdir("/tmp/test", Mode::S_IRUSR | Mode::S_IWUSR) { - eprintln!("Failed to mkdir: {}", e); - } else { - println!("mkdir succeeded"); - } - }) - .unwrap(); - + tokio::spawn(async move { + tokio::signal::ctrl_c() + .await + .expect("failed to listen for event"); + println!("Received ctrl-c event. Bye"); std::process::exit(0); + }); + + match unsafe { nix::unistd::fork()? } { + nix::unistd::ForkResult::Child => { + std::panic::catch_unwind(|| { + let notify_fd = seccomp.apply().unwrap(); + println!( + "Seccomp applied successfully with notify fd: {:?}", + notify_fd + ); + send_fd(sock_for_child, ¬ify_fd).unwrap(); + + if let Err(e) = mkdir("/tmp/test", Mode::S_IRUSR | Mode::S_IWUSR) { + eprintln!("Failed to mkdir: {}", e); + } else { + println!("mkdir succeeded"); + } + + eprintln!("stderr should be banned by seccomp"); + }) + .unwrap(); + + std::process::exit(0); + } + nix::unistd::ForkResult::Parent { child } => { + let notify_fd = recv_fd::(sock_for_parent.as_raw_fd())?.unwrap(); + + close(sock_for_child.as_raw_fd())?; + close(sock_for_parent.as_raw_fd())?; + + tokio::spawn(async move { + handle_signal(child).await.unwrap(); + }); + + handle_notifications(notify_fd).await?; + } }; - let notify_fd = recv_fd::(sock_for_parent.as_raw_fd())?.unwrap(); - - close(sock_for_child.as_raw_fd())?; - close(sock_for_parent.as_raw_fd())?; - - handle_notifications(notify_fd)?; - Ok(()) } diff --git a/experiment/seccomp/src/seccomp.rs b/experiment/seccomp/src/seccomp.rs index caee84df..bc45741d 100644 --- a/experiment/seccomp/src/seccomp.rs +++ b/experiment/seccomp/src/seccomp.rs @@ -26,6 +26,12 @@ pub struct Seccomp { pub filters: Vec, } +impl Default for Seccomp { + fn default() -> Self { + Seccomp::new() + } +} + impl Seccomp { pub fn new() -> Self { Seccomp { @@ -84,6 +90,21 @@ impl AsRawFd for NotifyFd { } } +impl NotifyFd { + pub fn success(&self, v: i64, notify_id: u64) -> nix::Result<()> { + let mut resp = SeccompNotifResp { + id: notify_id, + val: v, + error: 0, + flags: 0, + }; + + unsafe { seccomp_notif_ioctl_send(self.fd, &mut resp as *mut _)? }; + + Ok(()) + } +} + // TODO: Rename #[repr(C)] #[derive(Debug)] @@ -164,7 +185,7 @@ impl NotifyFd { res.assume_init() }; - Ok(Notification { notif, fd: &self }) + Ok(Notification { notif, fd: self }) } }