seccomp: refactor error handling

[eriksjolund]

Fix error leak.
Fix incorrect assumption about err value.
Optimize common prefix comparison.

Closes: #2021
Closes: #2022

[gemini-code-assist]

Summary of Changes

Hello @eriksjolund, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the robustness and correctness of seccomp-related error handling within the libcrun library. By refactoring key functions and correcting type inconsistencies, it ensures that error conditions are properly detected and propagated, preventing potential leaks and misinterpretations of error states. The changes contribute to a more reliable and secure seccomp implementation.

Highlights

• Error Handling Refactoring: The get_seccomp_operator and get_seccomp_action functions have been refactored to return an integer status code and pass their results via output parameters, improving error propagation and clarity.
• Type Correction: The action and default_action variables in libcrun_generate_seccomp were updated from int to uint32_t to align with the libseccomp library's type definitions for seccomp actions.
• Issue Resolution: This pull request addresses and closes issues seccomp: possible error leak #2021 and seccomp: incorrect assumption about err value #2022, which were related to error leaks and incorrect assumptions about error values in the seccomp implementation.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Changelog

• src/libcrun/seccomp.c
  • Refactored get_seccomp_operator to return an integer status and output the operator via a pointer.
  • Refactored get_seccomp_action to return an integer status and output the action via a pointer.
  • Updated libcrun_generate_seccomp to correctly handle the new error reporting and output parameters of get_seccomp_operator and get_seccomp_action.
  • Changed the type of action and default_action variables from int to uint32_t for consistency with libseccomp types.

Activity

• Opened to address issues seccomp: possible error leak #2021 and seccomp: incorrect assumption about err value #2022 related to seccomp error handling.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request refactors the error handling in the seccomp-related functions get_seccomp_operator and get_seccomp_action. The changes correctly address an error leak where specific error information was being discarded, and fix a bug where an error return value was ambiguous and could be misinterpreted as a valid seccomp action. The new implementation uses a standard C pattern of returning an error code and passing values via output parameters, which improves robustness and clarity. The changes are well-implemented and correctly applied at all call sites. Overall, this is a great improvement to the code's correctness and maintainability.

[eriksjolund]

I'm not quite sure about what types to use, like for instance
enum scmp_compare * and uint32_t

I see for example that seccomp_init() takes an argument of type uint32_t

scmp_filter_ctx seccomp_init(uint32_t def_action);

https://man7.org/linux/man-pages/man3/seccomp_init.3.html

[packit-as-a-service]

TMT tests failed. @containers/packit-build please check.

[eriksjolund]

It should be possible to fix #2021 and #2022 by changing fewer lines of source code,
but I thought following the crun error handling convention improves code readability.

[kolyshkin]

In general I like the direction; left a few comments.

[kolyshkin]

Strictly speaking, else is redundant here because there's a return before it. I'd remove it for simplicity.

[kolyshkin]

We can also apply the same optimization as in get_seccomp_action, i.e. compare against the common prefix first and error out early, then compare only for "LE", "EQ" etc. This is a separate thing to do, or course.

[kolyshkin]

Also, maybe we can keep the code simple by having a function which does what the current code does, i.e.

static enum scmp_compare
get_seccomp_operator_raw(const char *name)
{
  if (strcmp (name, "SCMP_CMP_NE") == 0)
      return SCMP_CMP_NE;
  // etc.
  return _SCMP_CMP_MIN; // Error.
}

when add a second wrapper function which will make and return a proper error:

static int
get_seccomp_operator (const char *name, enum scmp_compare *op, libcrun_error_t *err)
{
   *op = get_seccomp_operator_raw(name);
   if (UNLIKELY (*op == _SCMP_CMP_MIN))
     // make and return an error
   return 0;
}

This way we'll keep the code which does bunch of if strcmp simple.

[eriksjolund]

Good thoughts. Now fixed.

If you want I could also do another common prefix optimization:

      for (i = 0; i < seccomp_flags_len; i++)
        {
          const char *p;

          p = seccomp_flags[i];
          if (strncmp (p, "SECCOMP_FILTER_FLAG_", 20))
            return crun_make_error (err, 0, "unknown seccomp option `%s`", seccomp_flags[i]);

          p += 20;

          if (strcmp (p, "TSYNC") == 0)
            flags |= SECCOMP_FILTER_FLAG_TSYNC;
          else if (strcmp (p, "SPEC_ALLOW") == 0)
            flags |= SECCOMP_FILTER_FLAG_SPEC_ALLOW;
          else if (strcmp (p, "LOG") == 0)
            flags |= SECCOMP_FILTER_FLAG_LOG;
          else if (strcmp (p, "WAIT_KILLABLE_RECV") == 0)
            flags |= SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV;
          else
            return crun_make_error (err, 0, "unknown seccomp option `%s`", seccomp_flags[i]);
        }
    }

I don't know what is best.

If you want I could also remove unnecessary else in get_seccomp_action().
These were already present in the code. The PR currently doesn't modify them.

[kolyshkin]

Perhaps get_seccomp_action can also benefit from the same thing done with get_seccomp_operator? You can probably use ~0U as an error value.