[lxc-devel] [PATCH 2/2] attach: try to use the container's seccomp policy

Mon Feb 17 18:47:35 UTC 2014

We can't get the actual policy (in the case where the policy file
has changed) from the container, but at least we can use the
seccomp policy file listed in the container config file.

(If anyone wants to further improve this, it may be better to get
the seccomp policy over the cmd api;  not sure that's what we want,
and this seems simpler to hook into the existing code, so I went
this way for now)

Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
---
 src/lxc/attach.c | 37 +++++++++++++++++++++++++++++++++++++
 src/lxc/attach.h |  3 +++
 2 files changed, 40 insertions(+)

diff --git a/src/lxc/attach.c b/src/lxc/attach.c
index a59dae3..31a5ae7 100644
--- a/src/lxc/attach.c
+++ b/src/lxc/attach.c
@@ -51,6 +51,9 @@
 #include "commands.h"
 #include "cgroup.h"
 #include "lxclock.h"
+#include "conf.h"
+#include "lxcseccomp.h"
+#include <lxc/lxccontainer.h>
 #include "lsm/lsm.h"
 
 #if HAVE_SYS_PERSONALITY_H
@@ -135,6 +138,8 @@ static void lxc_proc_put_context_info(struct lxc_proc_context_info *ctx)
 {
 	if (ctx->lsm_label)
 		free(ctx->lsm_label);
+	if (ctx->container)
+		lxc_container_put(ctx->container);
 	free(ctx);
 }
 
@@ -593,6 +598,28 @@ static int attach_child_main(void* data);
 /* define default options if no options are supplied by the user */
 static lxc_attach_options_t attach_static_default_options = LXC_ATTACH_OPTIONS_DEFAULT;
 
+static bool fetch_seccomp(const char *name, const char *lxcpath,
+		struct lxc_proc_context_info *i, lxc_attach_options_t *options)
+{
+	struct lxc_container *c;
+	
+	if (!(options->namespaces & CLONE_NEWNS) || !(options->attach_flags & LXC_ATTACH_LSM))
+		return true;
+
+	c = lxc_container_new(name, lxcpath);
+	if (!c)
+		return false;
+	i->container = c;
+	if (!c->lxc_conf)
+		return false;
+	if (lxc_read_seccomp_config(c->lxc_conf) < 0) {
+		ERROR("Error reaading seccomp policy");
+		return false;
+	}
+
+	return true;
+}
+
 int lxc_attach(const char* name, const char* lxcpath, lxc_attach_exec_t exec_function, void* exec_payload, lxc_attach_options_t* options, pid_t* attached_process)
 {
 	int ret, status;
@@ -617,6 +644,9 @@ int lxc_attach(const char* name, const char* lxcpath, lxc_attach_exec_t exec_fun
 		return -1;
 	}
 
+	if (!fetch_seccomp(name, lxcpath, init_ctx, options))
+		WARN("Failed to get seccomp policy");
+
 	cwd = getcwd(NULL, 0);
 
 	/* determine which namespaces the container was created with
@@ -993,6 +1023,13 @@ static int attach_child_main(void* data)
 			rexit(-1);
 		}
 	}
+
+	if (init_ctx->container && init_ctx->container->lxc_conf &&
+			lxc_seccomp_load(init_ctx->container->lxc_conf) != 0) {
+		ERROR("Loading seccomp policy");
+		rexit(-1);
+	}
+
 	lxc_proc_put_context_info(init_ctx);
 
 	/* The following is done after the communication socket is
diff --git a/src/lxc/attach.h b/src/lxc/attach.h
index 3d10777..8c833b1 100644
--- a/src/lxc/attach.h
+++ b/src/lxc/attach.h
@@ -27,8 +27,11 @@
 #include <sys/types.h>
 #include <lxc/attach_options.h>
 
+struct lxc_conf;
+
 struct lxc_proc_context_info {
 	char *lsm_label;
+	struct lxc_container *container;
 	unsigned long personality;
 	unsigned long long capability_mask;
 };
-- 
1.9.rc1

