fix(fspy): improve seccomp_unotify ipc#255
Merged
branchseer merged 11 commits intomainfrom Oct 25, 2025
Merged
Conversation
Member
Author
This stack of pull requests is managed by Graphite. Learn more about stacking. |
branchseer
changed the base branch from
10-24-test_add_test_for_type-aware_linting
to
graphite-base/255
branchseer
force-pushed
the
10-24-fix_fspy_fix_ipc_of_seccomp_filter_fd
branch
from
2521ede to
eca1c3b
Compare
branchseer
force-pushed
the
graphite-base/255
branch
from
94ae95e to
61f7745
Compare
branchseer
force-pushed
the
10-24-fix_fspy_fix_ipc_of_seccomp_filter_fd
branch
3 times, most recently
from
9464840 to
39c3141
Compare
branchseer
changed the title
branchseer
changed the title
branchseer
changed the title
Contributor
There was a problem hiding this comment.
Pull Request Overview
This PR improves the seccomp filter IPC mechanism by replacing direct file descriptor passing with Unix domain socket path-based communication, resolving deadlock issues and adding support for static executable tracking.
Key Changes:
- Replaced FD inheritance with Unix socket path passing for seccomp_unotify IPC
- Added test infrastructure for static executables including a test binary crate
- Implemented handling of the
opensyscall for x86_64 architecture
Reviewed Changes
Copilot reviewed 19 out of 21 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| packages/cli/snap-tests/oxlint-typeaware/steps.json | Enabled typeaware linting test on Linux by removing platform restriction |
| crates/fspy_test_bin/src/main.rs | Added test binary for static executable testing with file operation actions |
| crates/fspy_test_bin/Cargo.toml | Created cargo configuration for test binary crate |
| crates/fspy_shared_unix/src/spawn/linux/mod.rs | Moved elf module to library root for shared access |
| crates/fspy_shared_unix/src/lib.rs | Exposed elf utility for verifying static executables |
| crates/fspy_seccomp_unotify/tests/arg_types.rs | Updated tests to handle optional path reads and new supervisor API |
| crates/fspy_seccomp_unotify/src/target.rs | Changed from direct FD passing to Unix socket connection |
| crates/fspy_seccomp_unotify/src/supervisor/mod.rs | Replaced FD pair with Unix domain socket listener for IPC |
| crates/fspy_seccomp_unotify/src/supervisor/handler/mod.rs | Enhanced macro to support conditional compilation attributes |
| crates/fspy_seccomp_unotify/src/supervisor/handler/arg.rs | Modified CStrPtr reading to return success status instead of error on overflow |
| crates/fspy_seccomp_unotify/src/payload/mod.rs | Changed payload from RawFd to socket path bytes |
| crates/fspy_seccomp_unotify/Cargo.toml | Added dependencies for socket handling and async operations |
| crates/fspy/tests/test_utils.rs | Improved assertion with detailed error message on failure |
| crates/fspy/tests/static_executable.rs | Added comprehensive tests for tracking static executables |
| crates/fspy/src/unix/syscall_handler/mod.rs | Added x86_64 open syscall handler and refactored path handling |
| crates/fspy/src/unix/mod.rs | Updated to use new supervisor API without pre_exec |
| crates/fspy/Cargo.toml | Added platform-specific test binary dependencies |
| .github/workflows/ci.yml | Added musl target for building static test binaries |
| .devcontainer/devcontainer.json | Simplified devcontainer setup by removing mise dependency |
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
branchseer
force-pushed
the
10-24-fix_fspy_fix_ipc_of_seccomp_filter_fd
branch
from
a0847f3 to
687857f
Compare
fengmk2
approved these changes
Oct 25, 2025
Member
Author
Merge activity
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fix seccomp filter IPC and add static executable support
This PR improves the seccomp filter IPC mechanism by using path-based Unix domain sockets instead of directly passing file descriptors. This approach is consistent with #234 and eliminates the need for pre-exec handling.
Key changes:
opensyscall on x86_64 architectureThe PR also includes various code improvements and cleanup, such as better error handling and more robust syscall tracking.