lxc · brauner · Mar 15, 2024 · Mar 15, 2024
@@ -915,6 +915,7 @@ func (d *Daemon) init() error {
 
 	if canUsePidFds() && d.os.LXCFeatures["pidfd"] {
 		d.os.PidFds = true
+		d.os.PidFdsThread = canUseThreadPidFds()
 	}
 
 	if d.os.PidFds {
@@ -923,6 +924,12 @@ func (d *Daemon) init() error {
 		logger.Info(" - pidfds: no")
 	}
 
+	if d.os.PidFdsThread {
+		logger.Info(" - pidfds for threads: yes")
+	} else {
+		logger.Info(" - pidfds for threads: no")
+	}
+
 	if canUseCoreScheduling() {
 		d.os.CoreScheduling = true
 		logger.Info(" - core scheduling: yes")

@@ -39,6 +39,7 @@ __ro_after_init bool close_range_aware = false;
 __ro_after_init bool tiocgptpeer_aware = false;
 __ro_after_init bool netnsid_aware = false;
 __ro_after_init bool pidfd_aware = false;
+__ro_after_init bool pidfd_thread_aware = false;
 __ro_after_init bool pidfd_setns_aware = false;
 __ro_after_init bool uevent_aware = false;
 __ro_after_init bool binfmt_aware = false;
@@ -419,7 +420,7 @@ static void is_seccomp_notify_aware(void)
 
 static int is_pidfd_aware(void)
 {
-	__do_close int pidfd = -EBADF;
+	__do_close int pidfd = -EBADF, pidfd_thread = -EBADF;
 	int ret;
 
 	pidfd = incus_pidfd_open(getpid(), 0);
@@ -442,6 +443,10 @@ static int is_pidfd_aware(void)
 	if (ret)
 		return -errno;
 
+	pidfd_thread = incus_pidfd_open(getpid(), PIDFD_THREAD);
+	if (pidfd_thread >= 0)
+		pidfd_thread_aware = true;
+
 	pidfd_aware = true;
 	return move_fd(pidfd);
 }
@@ -707,6 +712,10 @@ func canUsePidFds() bool {
 	return bool(C.pidfd_aware)
 }
 
+func canUseThreadPidFds() bool {
+	return bool(C.pidfd_thread_aware)
+}
+
 // We're only using this during daemon startup to give an indication whether
 // the underlying kernel has the necessary infrastructure to support idmapped
 // mounts. This check does not give any indication whether the relevant

@@ -264,7 +264,8 @@ static inline int bpf(int cmd, union bpf_attr *attr, size_t size)
 static int handle_bpf_syscall(pid_t pid_target, int notify_fd, int mem_fd,
 			      int tgid, struct seccomp_notify_proxy_msg *msg,
 			      struct seccomp_notif *req, struct seccomp_notif_resp *resp,
-			      int *bpf_cmd, int *bpf_prog_type, int *bpf_attach_type)
+			      int *bpf_cmd, int *bpf_prog_type, int *bpf_attach_type,
+			      unsigned int flags)
 {
 	__do_close int pidfd = -EBADF, bpf_target_fd = -EBADF, bpf_attach_fd = -EBADF,
 		       bpf_prog_fd = -EBADF;
@@ -307,7 +308,10 @@ static int handle_bpf_syscall(pid_t pid_target, int notify_fd, int mem_fd,
 
 	*bpf_prog_type = attr.prog_type;
 
-	pidfd = incus_pidfd_open(tgid, 0);
+	if (flags & PIDFD_THREAD)
+		pidfd = incus_pidfd_open(pid_target, PIDFD_THREAD);
+	else
+		pidfd = incus_pidfd_open(tgid, 0);
 	if (pidfd < 0)
 		return -errno;
 
@@ -383,7 +387,7 @@ static int handle_bpf_syscall(pid_t pid_target, int notify_fd, int mem_fd,
 		if (bpf_attach_fd < 0)
 			return -errno;
 
-		if (tgid != pid_target) {
+		if (!(flags & PIDFD_THREAD) && tgid != pid_target) {
 			// Make sure that the file descriptor table is shared
 			// so we can be sure that we're talking about the same
 			// open files.
@@ -416,7 +420,7 @@ static int handle_bpf_syscall(pid_t pid_target, int notify_fd, int mem_fd,
 		if (bpf_attach_fd < 0)
 			return -errno;
 
-		if (tgid != pid_target) {
+		if (!(flags & PIDFD_THREAD) && tgid != pid_target) {
 			// Make sure that the file descriptor table is shared
 			// so we can be sure that we're talking about the same
 			// open files.
@@ -2259,7 +2263,8 @@ func (s *Server) HandleBpfSyscall(c Instance, siov *Iovec) int {
 	}
 
 	defer logger.Debug("Handling bpf syscall", ctx)
-	var bpfCmd, bpfProgType, bpfAttachType C.int
+	var bpfCmd, bpfProgType, bpfAttachType, tgid C.int
+	var flags C.uint
 
 	if util.IsFalseOrEmpty(c.ExpandedConfig()["security.syscalls.intercept.bpf.devices"]) {
 		ctx["syscall_continue"] = "true"
@@ -2268,12 +2273,17 @@ func (s *Server) HandleBpfSyscall(c Instance, siov *Iovec) int {
 		return 0
 	}
 
-	tgid, err := FindTGID(siov.procFd)
-	if err != nil || tgid == -1 {
-		ctx["syscall_continue"] = "true"
-		ctx["syscall_handler_reason"] = "Could not find thread group leader ID"
-		C.seccomp_notify_update_response(siov.resp, 0, C.uint32_t(seccompUserNotifFlagContinue))
-		return 0
+	if s.s.OS.PidFdsThread {
+		flags |= C.PIDFD_THREAD
+		tgid = -1
+	} else {
+		tgid, err := FindTGID(siov.procFd)
+		if err != nil || tgid == -1 {
+			ctx["syscall_continue"] = "true"
+			ctx["syscall_handler_reason"] = "Could not find thread group leader ID"
+			C.seccomp_notify_update_response(siov.resp, 0, C.uint32_t(seccompUserNotifFlagContinue))
+			return 0
+		}
 	}
 
 	// Locking to a thread shouldn't be necessary but it still makes me
@@ -2289,7 +2299,7 @@ func (s *Server) HandleBpfSyscall(c Instance, siov *Iovec) int {
 		siov.resp,
 		&bpfCmd,
 		&bpfProgType,
-		&bpfAttachType)
+		&bpfAttachType, flags)
 	runtime.UnlockOSThread()
 	ctx["bpf_cmd"] = fmt.Sprintf("%d", bpfCmd)
 	ctx["bpf_prog_type"] = fmt.Sprintf("%d", bpfProgType)

@@ -81,6 +81,7 @@ type OS struct {
 	NativeTerminals         bool // NativeTerminals indicates support for TIOGPTPEER ioctl.
 	NetnsGetifaddrs         bool // NetnsGetifaddrs indicates support for NETLINK_GET_STRICT_CHK.
 	PidFds                  bool // PidFds indicates support for PID fds.
+	PidFdsThread            bool // PidFds indicates support for thread PID fds.
 	PidFdSetns              bool // PidFdSetns indicates support for setns through PID fds.
 	SeccompListenerAddfd    bool // SeccompListenerAddfd indicates support for passing new FD to process through seccomp notify.
 	SeccompListener         bool // SeccompListener indicates support for seccomp notify.

@@ -18,6 +18,10 @@
 #include "memory_utils.h"
 #include "syscall_numbers.h"
 
+#ifndef PIDFD_THREAD
+#define PIDFD_THREAD O_EXCL
+#endif
+
 static inline int incus_pidfd_open(pid_t pid, unsigned int flags)
 {
 	return syscall(__NR_pidfd_open, pid, flags);