api: add the seccomp notify addfd support

Add support for the seccomp notify addfd feature in the core API. It allows a caller to install fd in target's fd table.

Signed-off-by: Sudipta Pandit <sudpandit@microsoft.com>

Author: realsdx

doc/man/man3/seccomp_notify_addfd.3

@@ -0,0 +1 @@
+.so man3/seccomp_notify_alloc.3

doc/man/man3/seccomp_notify_alloc.3

@@ -3,7 +3,7 @@
 .SH NAME
 .\" //////////////////////////////////////////////////////////////////////////
 seccomp_notify_alloc, seccomp_notify_free, seccomp_notify_receive,
-seccomp_notify_respond, seccomp_notify_id_valid, seccomp_notify_fd \- Manage seccomp notifications
+seccomp_notify_respond, seccomp_notify_id_valid, seccomp_notify_fd, seccomp_notify_addfd \- Manage seccomp notifications
 .\" //////////////////////////////////////////////////////////////////////////
 .SH SYNOPSIS
 .\" //////////////////////////////////////////////////////////////////////////
@@ -16,6 +16,7 @@ seccomp_notify_respond, seccomp_notify_id_valid, seccomp_notify_fd \- Manage sec
 .BI "int seccomp_notify_respond(int " fd ", struct seccomp_notif_resp *" resp ")"
 .BI "int seccomp_notify_id_valid(int " fd ", uint64_t " id ")"
 .BI "int seccomp_notify_fd(const scmp_filter_ctx " ctx ")"
+.BI "int seccomp_notify_addfd(int " fd ", struct seccomp_notif_addfd *" addfd ")"
 .sp
 Link with \fI\-lseccomp\fP.
 .fi
@@ -54,6 +55,11 @@ race conditions.
 The
 .BR seccomp_notify_fd ()
 returns the notification fd of a filter after it has been loaded.
+.P
+The
+.BR seccomp_notify_addfd ()
+function enables the caller to install a file descriptor into the target's file descriptor table.
+The id field of the struct should be the same as the id from the request.
 .\" //////////////////////////////////////////////////////////////////////////
 .SH RETURN VALUE
 .\" //////////////////////////////////////////////////////////////////////////
@@ -67,6 +73,10 @@ The
 returns 0 if the id is valid, and -ENOENT if it is not.
 .P
 The
+.BR seccomp_notify_addfd ()
+returns the installed fd number on success, and one of error codes mentioned below on failure.
+.P
+The
 .BR seccomp_notify_alloc (),
 .BR seccomp_notify_receive (),
 and

include/seccomp.h.in

@@ -405,6 +405,24 @@ struct seccomp_notif_resp {
 	__s32 error;
 	__u32 flags;
 };
+
+#endif
+
+/* seccomp_notif_addfd and ADDFD_FLAG_SETFD was added in kernel v5.10 */
+#ifndef SECCOMP_ADDFD_FLAG_SETFD
+#define SECCOMP_ADDFD_FLAG_SETFD        (1UL << 0)
+struct seccomp_notif_addfd {
+	__u64 id;
+	__u32 flags;
+	__u32 srcfd;
+	__u32 newfd;
+	__u32 newfd_flags;
+};
+#endif
+
+/* Addfd and return it, atomically. ADDFD_FLAG_SEND was added in kernel 5.14 */
+#ifndef SECCOMP_ADDFD_FLAG_SEND
+#define SECCOMP_ADDFD_FLAG_SEND        (1UL << 1)
 #endif
 
 /*
@@ -814,6 +832,18 @@ int seccomp_notify_id_valid(int fd, uint64_t id);
  */
 int seccomp_notify_fd(const scmp_filter_ctx ctx);
 
+/**
+ * Install a file descriptor into the target's process.
+ * @param fd the notification fd
+ * @param addfd the addfd structure
+ *
+ * This function enables the caller to install/add a fd into the
+ * target's fd table. Returns the installed fd number on success and,
+ * negative values on failure.
+ *
+ */
+int seccomp_notify_addfd(int fd, struct seccomp_notif_addfd *addfd);
+
 /**
  * Generate seccomp Pseudo Filter Code (PFC) and export it to a file
  * @param ctx the filter context

src/api.c

@@ -728,6 +728,15 @@ API int seccomp_notify_fd(const scmp_filter_ctx ctx)
 	return _rc_filter(sys_notify_fd());
 }
 
+/* NOTE - function header comment in include/seccomp.h */
+API int seccomp_notify_addfd(int fd, struct seccomp_notif_addfd *addfd)
+{
+	/* force a runtime api level detection */
+	_seccomp_api_update();
+
+	return _rc_filter(sys_notify_addfd(fd, addfd));
+}
+
 /* NOTE - function header comment in include/seccomp.h */
 API int seccomp_export_pfc(const scmp_filter_ctx ctx, int fd)
 {

src/system.c

@@ -573,3 +573,25 @@ int sys_notify_id_valid(int fd, uint64_t id)
 		return -ENOENT;
 	return 0;
 }
+
+/**
+ * Install a file descriptor into the target's process.
+ * @param fd the notification fd
+ * @param addfd the addfd structure
+ *
+ * Install a file descriptor into the target's process. Returns the
+ * installed fd number on success, negative values on failure.
+ *
+ */
+int sys_notify_addfd(int fd, struct seccomp_notif_addfd *addfd)
+{
+	if (state.sup_user_notif <= 0)
+		return -EOPNOTSUPP;
+
+	int rc = ioctl(fd, SECCOMP_IOCTL_NOTIF_ADDFD, addfd);
+	if ( rc < 0 && errno == EINVAL)
+		return -EOPNOTSUPP;
+	if (rc < 0)
+		return -ECANCELED;
+	return rc;
+}

src/system.h

@@ -193,6 +193,29 @@ struct seccomp_notif_resp {
 #define SECCOMP_IOCTL_NOTIF_ID_VALID    SECCOMP_IOW(2, __u64)
 #endif /* SECCOMP_RET_USER_NOTIF */
 
+/* seccomp_notif_addfd and ADDFD_FLAG_SETFD was added in kernel v5.10 */
+#ifndef SECCOMP_ADDFD_FLAG_SETFD
+#define SECCOMP_ADDFD_FLAG_SETFD        (1UL << 0)
+struct seccomp_notif_addfd {
+	__u64 id;
+	__u32 flags;
+	__u32 srcfd;
+	__u32 newfd;
+	__u32 newfd_flags;
+};
+#endif
+
+/* Addfd and return it, atomically. ADDFD_FLAG_SEND was added in kernel 5.14 */
+#ifndef SECCOMP_ADDFD_FLAG_SEND
+#define SECCOMP_ADDFD_FLAG_SEND        (1UL << 1)
+#endif
+
+/* SECCOMP_IOCTL_NOTIF_ADDFD was added in kernel v5.10 */
+#ifndef SECCOMP_IOCTL_NOTIF_ADDFD
+#define SECCOMP_IOCTL_NOTIF_ADDFD      SECCOMP_IOW(3, \
+                                                   struct seccomp_notif_addfd)
+#endif
+
 /* non-public ioctl number for backwards compat (see system.c) */
 #define SECCOMP_IOCTL_NOTIF_ID_VALID_WRONG_DIR SECCOMP_IOR(2, __u64)
 
@@ -215,4 +238,5 @@ int sys_notify_alloc(struct seccomp_notif **req,
 int sys_notify_receive(int fd, struct seccomp_notif *req);
 int sys_notify_respond(int fd, struct seccomp_notif_resp *resp);
 int sys_notify_id_valid(int fd, uint64_t id);
+int sys_notify_addfd(int fd, struct seccomp_notif_addfd *addfd);
 #endif