[lxc-devel] [lxc/master] More seccomp fixes
flx42 on Github
lxc-bot at linuxcontainers.org
Fri Jun 1 23:46:04 UTC 2018
Attachment (scrubbed by the archive): <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20180601/ea98aae7/attachment.bin>
From 73e3cb9a16e8a53e0e52b4682bdb3923cbc9f6f6 Mon Sep 17 00:00:00 2001
From: Felix Abecassis <fabecassis at nvidia.com>
Date: Fri, 1 Jun 2018 16:01:22 -0700
Subject: [PATCH 1/2] seccomp: drop misleading argument name inherited from the OCI spec
The last (optional) argument was named "valueTwo", which seems to
originate from the OCI runtime spec:
https://github.com/opencontainers/runtime-spec/blob/master/config-linux.md#seccomp
In proper seccomp terminology, "value" is "datum_a" and "valueTwo" is "datum_b".
However, LXC's "valueTwo" was used as the mask for SCMP_CMP_MASKED_EQ,
while the mask is supposed to be "datum_a".
Signed-off-by: Felix Abecassis <fabecassis at nvidia.com>
---
src/lxc/seccomp.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index e32c23b43..4ea3c2a7c 100644
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -184,14 +184,14 @@ static enum scmp_compare parse_v2_rule_op(char *s)
/*
* This function is used to parse the args string into the structure.
- * args string format:[index,value,op,valueTwo] or [index,value,op]
+ * args string format:[index,value,op,mask] or [index,value,op]
* index: the index for syscall arguments (type uint)
* value: the value for syscall arguments (type uint64)
* op: the operator for syscall arguments(string),
a valid list of constants as of libseccomp v2.3.2 is
SCMP_CMP_NE,SCMP_CMP_LE,SCMP_CMP_LE, SCMP_CMP_EQ, SCMP_CMP_GE,
SCMP_CMP_GT, SCMP_CMP_MASKED_EQ, or !=,<=,==,>=,>,&=
- * valueTwo: the value for syscall arguments only used for mask eq (type uint64, optional)
+ * mask: the mask to apply on "value" for SCMP_CMP_MASKED_EQ (type uint64, optional)
* Returns 0 on success, < 0 otherwise.
*/
static int get_seccomp_arg_value(char *key, struct seccomp_v2_rule_args *rule_args)
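Review bot: the new "mask" line describes the mask as applied on "value", but for SCMP_CMP_MASKED_EQ the mask is applied to the syscall argument, which is then compared against "value"; consider wording it as "mask: the mask applied to the syscall argument before comparing it with "value" (SCMP_CMP_MASKED_EQ only, type uint64, optional)" so the comment matches the datum_a/datum_b semantics the commit message spells out. While touching this comment block, the unchanged context line "SCMP_CMP_NE,SCMP_CMP_LE,SCMP_CMP_LE, SCMP_CMP_EQ, SCMP_CMP_GE," lists SCMP_CMP_LE twice and the operator list "!=,<=,==,>=,>,&=" has no "<", so one of the two is likely a typo for SCMP_CMP_LT; worth checking against what parse_v2_rule_op actually accepts and fixing both lists together.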
From f42183e68cfe5ee185e4ccc0330a22c02fc24597 Mon Sep 17 00:00:00 2001
From: Felix Abecassis <fabecassis at nvidia.com>
Date: Fri, 1 Jun 2018 16:36:26 -0700
Subject: [PATCH 2/2] seccomp: use a default value of 0 for the mask
The mask was unconditionally parsed; it failed if no mask was
provided.
Signed-off-by: Felix Abecassis <fabecassis at nvidia.com>
---
src/lxc/seccomp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index 4ea3c2a7c..24c69c305 100644
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -201,7 +201,7 @@ static int get_seccomp_arg_value(char *key, struct seccomp_v2_rule_args *rule_ar
uint64_t mask = 0, value = 0;
enum scmp_compare op = 0;
char *tmp = NULL;
- char s[31] = {0}, v[24] = {0}, m[24] = {0};
+ char s[31] = {0}, v[24] = {0}, m[24] = {'0'};
tmp = strchr(key, '[');
if (!tmp) {
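Review bot: defaulting the mask by pre-filling the string buffer with `m[24] = {'0'}` is subtle and not self-explanatory, and the hunk does not show the code that later converts m into the already-initialised `uint64_t mask = 0`; if that code checks the number of fields matched (three versus four) and treats the three-field form as an error, pre-seeding m with "0" will not by itself fix the failure described in the commit message. A clearer approach is to leave `m` zeroed, only convert it to `mask` when the fourth field is actually present, and otherwise rely on the existing `mask = 0` initialiser; at minimum, add a one-line comment on the `{'0'}` initialiser stating that it makes an absent mask parse as 0.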