nsjail: free seccomp filter upon nsjail exit
authorRobert Swiecki <robert@swiecki.net>
Mon, 12 Feb 2018 16:09:45 +0000 (17:09 +0100)
committerRobert Swiecki <robert@swiecki.net>
Mon, 12 Feb 2018 16:09:45 +0000 (17:09 +0100)
cmdline.cc
nsjail.cc
sandbox.cc
sandbox.h

index 97c491feb3939cf549df00f4e6ca4370ffd0d877..b738984678a4a2afcf40cca7dea21293206ea55e 100644 (file)
@@ -363,6 +363,8 @@ std::unique_ptr<nsjconf_t> parseArgs(int argc, char* argv[]) {
        nsjconf->iface_vs_gw = "0.0.0.0";
        nsjconf->orig_uid = getuid();
        nsjconf->num_cpus = sysconf(_SC_NPROCESSORS_ONLN);
+        nsjconf->seccomp_fprog.filter = NULL;
+        nsjconf->seccomp_fprog.len = 0;
 
        nsjconf->openfds.push_back(STDIN_FILENO);
        nsjconf->openfds.push_back(STDOUT_FILENO);
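Review bot: The two added initializers use `NULL` while the matching release code this commit adds in sandbox.cc resets the same field with `nullptr`; the initialization here should use the same spelling, `nsjconf->seccomp_fprog.filter = nullptr;`, or reset the whole struct at once with `nsjconf->seccomp_fprog = {};`, which also covers `len`. The added lines also appear to be indented with spaces where the surrounding lines use tabs, so they may not have gone through the project's formatter. parseArgs starts and ends outside this hunk.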
index 6ba72f08767fab48fec2af87e94f2ff450fb7847..5553f0bc2aa0221b88f527a0646b980e2768bba8 100644 (file)
--- a/nsjail.cc
+++ b/nsjail.cc
@@ -179,10 +179,12 @@ int main(int argc, char* argv[]) {
                LOG_F("Couldn't prepare sandboxing policy");
        }
 
+        int ret = 0;
        if (nsjconf->mode == MODE_LISTEN_TCP) {
                nsjailListenMode(nsjconf.get());
        } else {
-               return nsjailStandaloneMode(nsjconf.get());
+               ret = nsjailStandaloneMode(nsjconf.get());
        }
-       return 0;
+        sandbox::closePolicy(nsjconf.get());
+       return ret;
 }
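Review bot: The added `int ret = 0;` and `sandbox::closePolicy(nsjconf.get());` lines appear to be indented with spaces while `ret = nsjailStandaloneMode(...)` and `return ret;` in the same hunk keep the tab indentation of the surrounding code, so the new main() body mixes both; running the file through the project's formatter would make the hunk uniform. Note also that `closePolicy` is reached only on the normal return path: the `LOG_F` exit above it and any other early return in main() still leave the filter to the process exit, which is fine for a one-shot process but worth a one-line comment such as `// Release the compiled seccomp filter; early exits above rely on process teardown.` if the intent is to keep sanitizer leak reports clean.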
index 50d90959e4ad7eccddfe4daecef16fcb197e4110..c8c20ea8d735e9df1d8636e06a82c2ee775cd74a 100644 (file)
@@ -95,4 +95,13 @@ bool preparePolicy(nsjconf_t* nsjconf) {
        return true;
 }
 
+void closePolicy(nsjconf_t* nsjconf) {
+  if (!nsjconf->seccomp_fprog.filter) {
+    return;
+  }
+  free(nsjconf->seccomp_fprog.filter);
+  nsjconf->seccomp_fprog.filter = nullptr;
+  nsjconf->seccomp_fprog.len = 0;
+}
+
 }  // namespace sandbox
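Review bot: `closePolicy` releases the filter with `free()`, so it is only correct if whatever fills `seccomp_fprog.filter` in preparePolicy (outside this hunk) allocates it with the malloc family; that ownership contract is not written down anywhere in the commit. A header comment on the new function, `// Releases the filter allocated by preparePolicy(); no-op if none was prepared, safe to call more than once.`, would document the pairing and the fact that the nullptr/len reset makes repeated calls harmless. The new function body is also indented with two spaces while `return true;` above it uses the file's tab indentation, which suggests it was not run through the project's formatter.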
index ac754e9d643969f158ee20dce909d4adb31096f3..5ce6264ce141261448acde60a167648cbe91cd6f 100644 (file)
--- a/sandbox.h
+++ b/sandbox.h
@@ -30,6 +30,7 @@ namespace sandbox {
 
 bool applyPolicy(nsjconf_t* nsjconf);
 bool preparePolicy(nsjconf_t* nsjconf);
+void closePolicy(nsjconf_t* nsjconf);
 
 }  // namespace sandbox