rewrite handle_notifications to be even more clear

squell · bjorn3 · commit e7a7fd0a89ca · 2025-05-02T12:33:21.000+02:00
diff --git a/src/exec/noexec.rs b/src/exec/noexec.rs
@@ -87,26 +87,26 @@ fn alloc_notify_allocs() -> NotifyAllocs {
     }
 }
 
-/// Returns 'false' if the ioctl failed with E_NOENT, 'true' if it succeeded.
+/// Returns 'None' if the ioctl failed with E_NOENT, 'Some(())' if it succeeded.
 /// This aborts the program in any other situation.
 ///
 /// # Safety
 ///
 /// `ioctl(fd, request, ptr)` must be safe to call
-unsafe fn ioctl<T>(fd: RawFd, request: libc::c_ulong, ptr: *mut T) -> bool {
+unsafe fn ioctl<T>(fd: RawFd, request: libc::c_ulong, ptr: *mut T) -> Option<()> {
     // SAFETY: By function contract
     if unsafe { libc::ioctl(fd, request, ptr) } == -1 {
         // SAFETY: Trivial
         if unsafe { *__errno_location() } == ENOENT {
-            false
+            None
         } else {
             // SAFETY: Not actually unsafe
             unsafe {
                 libc::abort();
             }
         }
     } else {
-        true
+        Some(())
     }
 }
 
@@ -120,37 +120,42 @@ unsafe fn handle_notifications(notify_fd: OwnedFd) -> ! {
         resp,
     } = alloc_notify_allocs();
 
-    // The first notification must be allowed to pass unhindered.
-    let mut error = 0;
-    let mut flags = SECCOMP_USER_NOTIF_FLAG_CONTINUE as _;
-
-    loop {
+    // SAFETY: See individual SAFETY comments
+    let handle_syscall = |create_response: fn(&mut _)| unsafe {
         // SECCOMP_IOCTL_NOTIF_RECV expects the target struct to be zeroed
         // SAFETY: req is at least req_size bytes big.
-        unsafe { std::ptr::write_bytes(req.cast::<u8>(), 0, req_size) };
+        std::ptr::write_bytes(req.cast::<u8>(), 0, req_size);
 
         // SAFETY: A valid pointer to a seccomp_notify is passed in; notify_fd is valid.
-        if unsafe { !ioctl(notify_fd.as_raw_fd(), SECCOMP_IOCTL_NOTIF_RECV, req) } {
-            continue;
-        }
+        ioctl(notify_fd.as_raw_fd(), SECCOMP_IOCTL_NOTIF_RECV, req)?;
 
         // Allow the first execve call as this is sudo itself starting the target executable.
         // SAFETY: resp is a valid pointer to a seccomp_notify_resp.
-        unsafe {
-            (*resp).id = (*req).id;
-            (*resp).val = 0;
-            (*resp).error = error;
-            (*resp).flags = flags;
-        }
+        (*resp).id = (*req).id;
+        create_response(&mut *resp);
 
         // SAFETY: A valid pointer to a seccomp_notify_resp is passed in; notify_fd is valid.
-        if unsafe { !ioctl(notify_fd.as_raw_fd(), SECCOMP_IOCTL_NOTIF_SEND, resp) } {
-            continue;
+        ioctl(notify_fd.as_raw_fd(), SECCOMP_IOCTL_NOTIF_SEND, resp)
+    };
+
+    loop {
+        if handle_syscall(|resp| {
+            resp.val = 0;
+            resp.error = 0;
+            resp.flags = SECCOMP_USER_NOTIF_FLAG_CONTINUE as _
+        })
+        .is_some()
+        {
+            break;
         }
+    }
 
-        // As soon as we have reached this point, all notifications will be acted upon.
-        error = -EACCES;
-        flags = 0;
+    loop {
+        handle_syscall(|resp| {
+            resp.val = 0;
+            resp.error = -EACCES;
+            resp.flags = 0;
+        });
     }
 }
 
