[lxc-devel] [PATCH 2/2] attach: try to use the container's seccomp policy

Stéphane Graber stgraber at ubuntu.com
Mon Feb 17 18:51:55 UTC 2014


On Mon, Feb 17, 2014 at 12:47:35PM -0600, Serge Hallyn wrote:
> We can't get the actual policy (in the case where the policy file
> has changed) from the container, but at least we can use the
> seccomp policy file listed in the container config file.
> 
> (If anyone wants to further improve this, it may be better to get
> the seccomp policy over the cmd api;  not sure that's what we want,
> and this seems simpler to hook into the existing code, so I went
> this way for now)
> 
> Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>

Acked-by: Stéphane Graber <stgraber at ubuntu.com>

> ---
>  src/lxc/attach.c | 37 +++++++++++++++++++++++++++++++++++++
>  src/lxc/attach.h |  3 +++
>  2 files changed, 40 insertions(+)
> 
> diff --git a/src/lxc/attach.c b/src/lxc/attach.c
> index a59dae3..31a5ae7 100644
> --- a/src/lxc/attach.c
> +++ b/src/lxc/attach.c
> @@ -51,6 +51,9 @@
>  #include "commands.h"
>  #include "cgroup.h"
>  #include "lxclock.h"
> +#include "conf.h"
> +#include "lxcseccomp.h"
> +#include <lxc/lxccontainer.h>
>  #include "lsm/lsm.h"
>  
>  #if HAVE_SYS_PERSONALITY_H
> @@ -135,6 +138,8 @@ static void lxc_proc_put_context_info(struct lxc_proc_context_info *ctx)
>  {
>  	if (ctx->lsm_label)
>  		free(ctx->lsm_label);
> +	if (ctx->container)
> +		lxc_container_put(ctx->container);
>  	free(ctx);
>  }
>  
> @@ -593,6 +598,28 @@ static int attach_child_main(void* data);
>  /* define default options if no options are supplied by the user */
>  static lxc_attach_options_t attach_static_default_options = LXC_ATTACH_OPTIONS_DEFAULT;
>  
> +static bool fetch_seccomp(const char *name, const char *lxcpath,
> +		struct lxc_proc_context_info *i, lxc_attach_options_t *options)
> +{
> +	struct lxc_container *c;
> +	
> +	if (!(options->namespaces & CLONE_NEWNS) || !(options->attach_flags & LXC_ATTACH_LSM))
> +		return true;
> +
> +	c = lxc_container_new(name, lxcpath);
> +	if (!c)
> +		return false;
> +	i->container = c;
> +	if (!c->lxc_conf)
> +		return false;
> +	if (lxc_read_seccomp_config(c->lxc_conf) < 0) {
> +		ERROR("Error reaading seccomp policy");
> +		return false;
> +	}
> +
> +	return true;
> +}
> +
>  int lxc_attach(const char* name, const char* lxcpath, lxc_attach_exec_t exec_function, void* exec_payload, lxc_attach_options_t* options, pid_t* attached_process)
>  {
>  	int ret, status;
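Review bot: The error message on the lxc_read_seccomp_config failure path is misspelled, `ERROR("Error reaading seccomp policy");` should read `ERROR("Error reading seccomp policy");`, and the blank line after the `struct lxc_container *c;` declaration carries trailing whitespace. More substantively, fetch_seccomp returns true without loading anything whenever LXC_ATTACH_LSM is clear, so a caller that drops that flag to skip the LSM label also silently skips the seccomp policy, which is not an LSM; a comment above the guard stating that this coupling is intentional, or a dedicated attach flag, would make the behaviour visible to callers. Note also that on a read failure `i->container` stays set together with its lxc_conf, so the child-side check in attach_child_main still reaches lxc_seccomp_load on that conf; whether that loads a partial policy or nothing depends on what lxc_read_seccomp_config leaves behind, which is outside this patch.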
> @@ -617,6 +644,9 @@ int lxc_attach(const char* name, const char* lxcpath, lxc_attach_exec_t exec_fun
>  		return -1;
>  	}
>  
> +	if (!fetch_seccomp(name, lxcpath, init_ctx, options))
> +		WARN("Failed to get seccomp policy");
> +
>  	cwd = getcwd(NULL, 0);
>  
>  	/* determine which namespaces the container was created with
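Review bot: A fetch_seccomp failure only emits WARN and the attach continues without the container's seccomp policy, so the read side fails open while the load side in attach_child_main fails closed with rexit(-1). If running unconfined when the policy cannot be read is the intended trade-off, say so in the message, e.g. `WARN("Failed to get seccomp policy; attaching without it");`, otherwise treat this failure the same way as the load failure. The body of lxc_attach starts and ends outside this hunk.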
> @@ -993,6 +1023,13 @@ static int attach_child_main(void* data)
>  			rexit(-1);
>  		}
>  	}
> +
> +	if (init_ctx->container && init_ctx->container->lxc_conf &&
> +			lxc_seccomp_load(init_ctx->container->lxc_conf) != 0) {
> +		ERROR("Loading seccomp policy");
> +		rexit(-1);
> +	}
> +
>  	lxc_proc_put_context_info(init_ctx);
>  
>  	/* The following is done after the communication socket is
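Review bot: The message `ERROR("Loading seccomp policy");` reads like a progress line rather than a failure; `ERROR("Failed to load seccomp policy");` matches the style of the surrounding error messages and makes log triage unambiguous. The body of attach_child_main starts and ends outside this hunk.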
> diff --git a/src/lxc/attach.h b/src/lxc/attach.h
> index 3d10777..8c833b1 100644
> --- a/src/lxc/attach.h
> +++ b/src/lxc/attach.h
> @@ -27,8 +27,11 @@
>  #include <sys/types.h>
>  #include <lxc/attach_options.h>
>  
> +struct lxc_conf;
> +
>  struct lxc_proc_context_info {
>  	char *lsm_label;
> +	struct lxc_container *container;
>  	unsigned long personality;
>  	unsigned long long capability_mask;
>  };
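Review bot: The added forward declaration `struct lxc_conf;` is not referenced by anything in this hunk, while the new member `struct lxc_container *container;` introduces the lxc_container tag without one; unless something further down attach.h uses lxc_conf, the declaration should be `struct lxc_container;` instead. A one-line comment on the member documenting ownership would also help, e.g. `/* owned; released via lxc_container_put() in lxc_proc_put_context_info() */`, since the release happens in a different file.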
> -- 
> 1.9.rc1
> 
> _______________________________________________
> lxc-devel mailing list
> lxc-devel at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-devel

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com

