nsjail: free seccomp filter upon nsjail exit

2018-02-12 17:09:45 +01:00 · 2018-02-12 17:09:45 +01:00 · 2545fcd3a9
commit 2545fcd3a9
parent 8a22a4abb6
4 changed files with 16 additions and 2 deletions
--- a/cmdline.cc
+++ b/cmdline.cc
@ -363,6 +363,8 @@ std::unique_ptr<nsjconf_t> parseArgs(int argc, char* argv[]) {
 	nsjconf->iface_vs_gw = "0.0.0.0";
 	nsjconf->orig_uid = getuid();
 	nsjconf->num_cpus = sysconf(_SC_NPROCESSORS_ONLN);
        nsjconf->seccomp_fprog.filter = NULL;
        nsjconf->seccomp_fprog.len = 0;
 	nsjconf->openfds.push_back(STDIN_FILENO);
 	nsjconf->openfds.push_back(STDOUT_FILENO);
--- a/nsjail.cc
+++ b/nsjail.cc
@ -179,10 +179,12 @@ int main(int argc, char* argv[]) {
 		LOG_F("Couldn't prepare sandboxing policy");
 	}
        int ret = 0;
 	if (nsjconf->mode == MODE_LISTEN_TCP) {
 		nsjailListenMode(nsjconf.get());
 	} else {
-		return nsjailStandaloneMode(nsjconf.get());
+		ret = nsjailStandaloneMode(nsjconf.get());
 	}
-	return 0;
+        sandbox::closePolicy(nsjconf.get());
 	return ret;
 }
--- a/sandbox.cc
+++ b/sandbox.cc
@ -95,4 +95,13 @@ bool preparePolicy(nsjconf_t* nsjconf) {
 	return true;
 }
 void closePolicy(nsjconf_t* nsjconf) {
  if (!nsjconf->seccomp_fprog.filter) {
    return;
  }
  free(nsjconf->seccomp_fprog.filter);
  nsjconf->seccomp_fprog.filter = nullptr;
  nsjconf->seccomp_fprog.len = 0;
 }
 }  // namespace sandbox
--- a/sandbox.h
+++ b/sandbox.h
@ -30,6 +30,7 @@ namespace sandbox {
 bool applyPolicy(nsjconf_t* nsjconf);
 bool preparePolicy(nsjconf_t* nsjconf);
 void closePolicy(nsjconf_t* nsjconf);
 }  // namespace sandbox