From 2545fcd3a936e7dddac0777fdf9ed97bc0183cd1 Mon Sep 17 00:00:00 2001
From: Robert Swiecki
Date: Mon, 12 Feb 2018 17:09:45 +0100
Subject: [PATCH] nsjail: free seccomp filter upon nsjail exit
---
 cmdline.cc | 2 ++
 nsjail.cc | 6 ++++--
 sandbox.cc | 9 +++++++++
 sandbox.h | 1 +
 4 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/cmdline.cc b/cmdline.cc
index 97c491f..b738984 100644
--- a/cmdline.cc
+++ b/cmdline.cc
@@ -363,6 +363,8 @@ std::unique_ptr parseArgs(int argc, char* argv[]) {
 nsjconf->iface_vs_gw = "0.0.0.0";
 nsjconf->orig_uid = getuid();
 nsjconf->num_cpus = sysconf(_SC_NPROCESSORS_ONLN);
+ nsjconf->seccomp_fprog.filter = NULL;
+ nsjconf->seccomp_fprog.len = 0;
 nsjconf->openfds.push_back(STDIN_FILENO);
 nsjconf->openfds.push_back(STDOUT_FILENO);
diff --git a/nsjail.cc b/nsjail.cc
index 6ba72f0..5553f0b 100644
--- a/nsjail.cc
+++ b/nsjail.cc
@@ -179,10 +179,12 @@ int main(int argc, char* argv[]) {
 LOG_F("Couldn't prepare sandboxing policy");
 }
+ int ret = 0;
 if (nsjconf->mode == MODE_LISTEN_TCP) {
 nsjailListenMode(nsjconf.get());
 } else {
- return nsjailStandaloneMode(nsjconf.get());
+ ret = nsjailStandaloneMode(nsjconf.get());
 }
- return 0;
+ sandbox::closePolicy(nsjconf.get());
+ return ret;
 }
diff --git a/sandbox.cc b/sandbox.cc
index 50d9095..c8c20ea 100644
--- a/sandbox.cc
+++ b/sandbox.cc
@@ -95,4 +95,13 @@ bool preparePolicy(nsjconf_t* nsjconf) {
 return true;
 }
+void closePolicy(nsjconf_t* nsjconf) {
+ if (!nsjconf->seccomp_fprog.filter) {
+ return;
+ }
+ free(nsjconf->seccomp_fprog.filter);
+ nsjconf->seccomp_fprog.filter = nullptr;
+ nsjconf->seccomp_fprog.len = 0;
+}
+
 } // namespace sandbox
diff --git a/sandbox.h b/sandbox.h
index ac754e9..5ce6264 100644
--- a/sandbox.h
+++ b/sandbox.h
@@ -30,6 +30,7 @@ namespace sandbox {
 bool applyPolicy(nsjconf_t* nsjconf);
 bool preparePolicy(nsjconf_t* nsjconf);
+void closePolicy(nsjconf_t* nsjconf);
 } // namespace sandbox
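Review bot: The two lines added to parseArgs in cmdline.cc write `NULL`, while the new closePolicy in sandbox.cc writes `nullptr` to the same field; `nsjconf->seccomp_fprog.filter = nullptr;` would keep the patch consistent. These assignments are also what makes the later `free()` safe, so the invariant deserves a short comment here, for example `// owned by nsjconf; null until preparePolicy() sets it, released by closePolicy()`. A default initializer on the struct member would make it hold for every construction site, if there is more than one. parseArgs begins and ends outside the hunk.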
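Review bot: In nsjail.cc's main(), `sandbox::closePolicy(nsjconf.get())` is reached only when control falls through to the final `return ret;`, so any earlier exit skips the cleanup. That includes the `LOG_F` path at the top of the hunk, which presumably terminates the process, and any exit taken inside the two mode functions. This is harmless for memory at process exit, but it makes the release a calling convention rather than a guarantee. Since the configuration is already held by a smart pointer (`nsjconf.get()`), freeing the filter from the owning type's destructor or a custom deleter would cover every path and remove the manual call. main() starts outside the hunk, so earlier return paths could not be checked.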
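Review bot: After `closePolicy` in sandbox.cc runs, the config is indistinguishable from one where no seccomp policy was ever configured (`filter == nullptr`, `len == 0`). If `applyPolicy` treats a null filter as "nothing to apply" (its body is not in this patch, so this is an assumption), a child spawned after the call would start unfiltered and without any error. A header comment stating the ordering contract would guard against that, e.g. `// Frees the compiled seccomp filter. Call only after the last child has been spawned; applyPolicy() must not run afterwards.` The early return is redundant because `free(nullptr)` is a no-op. `free` is also only correct if `preparePolicy` obtains the filter from a malloc-family allocator, which is worth confirming.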