Merge pull request #2871 from masters-of-cats/pr-seccomp-pipe-hang

Ensure the seccomp pipe is being read while exporting bpf

libcontainer/seccomp/patchbpf/enosys_linux.go

@@ -3,6 +3,7 @@
 package patchbpf
 
 import (
+	"bytes"
 	"encoding/binary"
 	"io"
 	"os"
@@ -114,14 +115,26 @@ func disassembleFilter(filter *libseccomp.ScmpFilter) ([]bpf.Instruction, error)
 	defer wtr.Close()
 	defer rdr.Close()
 
+	readerBuffer := new(bytes.Buffer)
+	errChan := make(chan error, 1)
+	go func() {
+		_, err := io.Copy(readerBuffer, rdr)
+		errChan <- err
+		close(errChan)
+	}()
+
 	if err := filter.ExportBPF(wtr); err != nil {
 		return nil, errors.Wrap(err, "exporting BPF")
 	}
 	// Close so that the reader actually gets EOF.
 	_ = wtr.Close()
 
+	if copyErr := <-errChan; copyErr != nil {
+		return nil, errors.Wrap(copyErr, "reading from ExportBPF pipe")
+	}
+
 	// Parse the instructions.
-	rawProgram, err := parseProgram(rdr)
+	rawProgram, err := parseProgram(readerBuffer)
 	if err != nil {
 		return nil, errors.Wrap(err, "parsing generated BPF filter")
 	}

libcontainer/seccomp/patchbpf/enosys_linux_test.go

@@ -281,3 +281,23 @@ func TestEnosysStub_MultiArch(t *testing.T) {
 		}
 	}
 }
+
+func TestDisassembleHugeFilterDoesNotHang(t *testing.T) {
+	hugeFilter, err := libseccomp.NewFilter(libseccomp.ActAllow)
+	if err != nil {
+		t.Fatalf("failed to create seccomp filter: %v", err)
+	}
+
+	for i := 1; i < 10000; i++ {
+		if err := hugeFilter.AddRule(libseccomp.ScmpSyscall(i), libseccomp.ActKill); err != nil {
+			t.Fatalf("failed to add rule to filter %d: %v", i, err)
+		}
+	}
+
+	_, err = disassembleFilter(hugeFilter)
+	if err != nil {
+		t.Fatalf("failed to disassembleFilter: %v", err)
+	}
+
+	// if we exit, we did not hang
+}