[lxc-devel] [lxd/master] lxd/seccomp: Really handle old libseccomp
stgraber on Github
lxc-bot at linuxcontainers.org
Wed May 8 19:41:43 UTC 2019
A non-text attachment was scrubbed...
Name: not available
Type: text/x-mailbox
Size: 370 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20190508/e0fc3bf6/attachment.bin>
-------------- next part --------------
From 0bb4473932b9371ad08c6dec8914be2e48e05e30 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Wed, 8 May 2019 15:40:56 -0400
Subject: [PATCH] lxd/seccomp: Really handle old libseccomp
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Closes #5737
Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
lxd/container_lxc.go | 36 +++++++++++++++++++++++++++++++-----
lxd/seccomp.go | 4 +---
2 files changed, 32 insertions(+), 8 deletions(-)
diff --git a/lxd/container_lxc.go b/lxd/container_lxc.go
index 508a8db697..46d519a8d3 100644
--- a/lxd/container_lxc.go
+++ b/lxd/container_lxc.go
@@ -199,6 +199,29 @@ func lxcParseRawLXC(line string) (string, string, error) {
return key, val, nil
}
+func lxcSupportSeccompNotify(state *state.State) bool {
+ if !state.OS.SeccompListener {
+ return false
+ }
+
+ if !lxc.HasApiExtension("seccomp_notify") {
+ return false
+ }
+
+ c, err := lxc.NewContainer("test-seccomp", state.OS.LxcPath)
+ if err != nil {
+ return false
+ }
+
+ err = c.SetConfigItem("lxc.seccomp.notify.proxy", fmt.Sprintf("unix:%s", shared.VarPath("seccomp.socket")))
+ if err != nil {
+ return false
+ }
+
+ c.Release()
+ return true
+}
+
func lxcValidConfig(rawLxc string) error {
for _, line := range strings.Split(rawLxc, "\n") {
key, _, err := lxcParseRawLXC(line)
@@ -1811,11 +1834,14 @@ func (c *containerLXC) initLXC(config bool) error {
return err
}
- if !c.IsPrivileged() && !c.state.OS.RunningInUserNS && lxc.HasApiExtension("seccomp_notify") && c.DaemonState().OS.SeccompListener {
- // NOTE: Don't fail in cases where liblxc is recent enough but libseccomp isn't
- // when we add mount() support with user-configurable
- // options, we will want a hard fail if the user configured it
- lxcSetConfigItem(cc, "lxc.seccomp.notify.proxy", fmt.Sprintf("unix:%s", shared.VarPath("seccomp.socket")))
+ // NOTE: Don't fail in cases where liblxc is recent enough but libseccomp isn't
+ // when we add mount() support with user-configurable
+ // options, we will want a hard fail if the user configured it
+ if !c.IsPrivileged() && !c.state.OS.RunningInUserNS && lxcSupportSeccompNotify(c.state) {
+ err = lxcSetConfigItem(cc, "lxc.seccomp.notify.proxy", fmt.Sprintf("unix:%s", shared.VarPath("seccomp.socket")))
+ if err != nil {
+ return err
+ }
}
// Apply raw.lxc
diff --git a/lxd/seccomp.go b/lxd/seccomp.go
index 90a934a750..5e0afc80c6 100644
--- a/lxd/seccomp.go
+++ b/lxd/seccomp.go
@@ -15,8 +15,6 @@ import (
"golang.org/x/sys/unix"
- "gopkg.in/lxc/go-lxc.v2"
-
"github.com/lxc/lxd/lxd/util"
"github.com/lxc/lxd/shared"
"github.com/lxc/lxd/shared/logger"
@@ -253,7 +251,7 @@ func getSeccompProfileContent(c container) (string, error) {
policy += DEFAULT_SECCOMP_POLICY
}
- if !c.IsPrivileged() && !c.DaemonState().OS.RunningInUserNS && lxc.HasApiExtension("seccomp_notify") && c.DaemonState().OS.SeccompListener {
+ if !c.IsPrivileged() && !c.DaemonState().OS.RunningInUserNS && lxcSupportSeccompNotify(c.DaemonState()) {
policy += SECCOMP_NOTIFY_POLICY
}
More information about the lxc-devel
mailing list