[lxc-devel] [PATCH 1/1] seccomp: add 'lxc.seccomp.optional'

Serge Hallyn serge.hallyn at ubuntu.com
Mon Feb 17 20:05:10 UTC 2014


If that is set and reading the policy fails, we continue
without trying to load seccomp.  (If reading the policy
succeeds, we still do not ignore a failure to load it;
we could consider doing that as well, but the goal here
is to have a generic container configuration work whether
or not the host has seccompv2 support.)

Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
---
 src/lxc/attach.c  | 10 ++++++++--
 src/lxc/conf.h    |  1 +
 src/lxc/confile.c | 15 +++++++++++++++
 src/lxc/start.c   |  9 +++++++--
 4 files changed, 31 insertions(+), 4 deletions(-)

diff --git a/src/lxc/attach.c b/src/lxc/attach.c
index 31a5ae7..600332a 100644
--- a/src/lxc/attach.c
+++ b/src/lxc/attach.c
@@ -613,8 +613,14 @@ static bool fetch_seccomp(const char *name, const char *lxcpath,
 	if (!c->lxc_conf)
 		return false;
 	if (lxc_read_seccomp_config(c->lxc_conf) < 0) {
-		ERROR("Error reaading seccomp policy");
-		return false;
+		if (c->lxc_conf->seccomp_optional) {
+			WARN("Ignoring error loading seccomp policy.");
+			lxc_container_put(c);
+			i->container = NULL;
+		} else {
+			ERROR("Error reaading seccomp policy");
+			return false;
+		}
 	}
 
 	return true;
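Review bot: The `if (c->lxc_conf->seccomp_optional)` branch downgrades every failure of lxc_read_seccomp_config — not only a host without seccomp support, but also a missing, unreadable or misspelled policy file — to a WARN, drops the container reference, and falls through to `return true`, so the attach proceeds unfiltered and the log does not say which policy was skipped. Naming the policy makes that downgrade auditable: `WARN("Ignoring error reading seccomp policy '%s'.", c->lxc_conf->seccomp);` (the filename is still reachable there since lxc_container_put comes after the WARN). The else branch also carries over the existing typo `"Error reaading seccomp policy"`. The start.c hunk has the same unnamed-policy logging gap. fetch_seccomp starts outside the hunk, and whether callers treat `i->container == NULL` as "no seccomp to apply" cannot be confirmed from here.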
diff --git a/src/lxc/conf.h b/src/lxc/conf.h
index 4591470..3622287 100644
--- a/src/lxc/conf.h
+++ b/src/lxc/conf.h
@@ -303,6 +303,7 @@ struct lxc_conf {
 	char *lsm_se_context;
 	int tmp_umount_proc;
 	char *seccomp;  // filename with the seccomp rules
+	bool seccomp_optional;  // proceed if seccomp_load fails
 #if HAVE_SCMP_FILTER_CTX
 	scmp_filter_ctx *seccomp_ctx;
 #endif
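Review bot: The comment on the new field says "proceed if seccomp_load fails", but both call sites in this patch (attach.c and start.c) only tolerate a failure of lxc_read_seccomp_config; a policy that reads successfully but fails to load is still fatal, as the commit message itself states. Suggest `bool seccomp_optional;  // proceed if reading the seccomp policy fails; load failures stay fatal`. The field is declared `bool`; if conf.h does not already include `<stdbool.h>` (not visible in this hunk) it needs to.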
diff --git a/src/lxc/confile.c b/src/lxc/confile.c
index afc9e32..bc99e45 100644
--- a/src/lxc/confile.c
+++ b/src/lxc/confile.c
@@ -89,6 +89,7 @@ static int config_cap_drop(const char *, const char *, struct lxc_conf *);
 static int config_cap_keep(const char *, const char *, struct lxc_conf *);
 static int config_console(const char *, const char *, struct lxc_conf *);
 static int config_seccomp(const char *, const char *, struct lxc_conf *);
+static int config_seccomp_opt(const char *, const char *, struct lxc_conf *);
 static int config_includefile(const char *, const char *, struct lxc_conf *);
 static int config_network_nic(const char *, const char *, struct lxc_conf *);
 static int config_autodev(const char *, const char *, struct lxc_conf *);
@@ -143,6 +144,7 @@ static struct lxc_config_t config[] = {
 	{ "lxc.cap.drop",             config_cap_drop             },
 	{ "lxc.cap.keep",             config_cap_keep             },
 	{ "lxc.console",              config_console              },
+	{ "lxc.seccomp.optional",     config_seccomp_opt          },
 	{ "lxc.seccomp",              config_seccomp              },
 	{ "lxc.include",              config_includefile          },
 	{ "lxc.autodev",              config_autodev              },
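Review bot: The new `lxc.seccomp.optional` entry is deliberately placed ahead of `lxc.seccomp`; if the key lookup matches table names by prefix (the ordering suggests so, but the lookup is outside this hunk), that order is load-bearing and a later reorder would silently route the new key to config_seccomp. A one-line comment on the entry would protect it: `/* must precede "lxc.seccomp": keys are matched by prefix */`.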
@@ -928,6 +930,19 @@ static int config_seccomp(const char *key, const char *value,
 	return config_path_item(&lxc_conf->seccomp, value);
 }
 
+static int config_seccomp_opt(const char *key, const char *value,
+				 struct lxc_conf *lxc_conf)
+{
+	int opt, ret;
+
+	ret = sscanf(value, "%d", &opt);
+	if (ret != 1)
+		return -1;
+	lxc_conf->seccomp_optional = opt == 1;
+
+	return 0;
+}
+
 static int config_hook(const char *key, const char *value,
 				 struct lxc_conf *lxc_conf)
 {
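Review bot: config_seccomp_opt validates the value with `sscanf(value, "%d", &opt)`, which accepts trailing junk (`1x` parses as 1) and silently maps any number other than 1 (e.g. `2`, `-1`) to false, so a typo in a security-relevant option is either honoured or ignored without any error. Since the option is a boolean switch, it should accept exactly `0` or `1` and reject everything else; strtol with an end-pointer check does that and is the idiom used elsewhere for numeric config parsing. The rewrite below needs `<stdlib.h>`, which confile.c very likely already includes (not visible in this hunk).
```c
static int config_seccomp_opt(const char *key, const char *value,
				 struct lxc_conf *lxc_conf)
{
	char *end = NULL;
	long opt;

	/* accept exactly "0" or "1"; reject empty strings, trailing
	 * characters and any other number so a typo cannot silently
	 * toggle whether a seccomp read failure is fatal */
	opt = strtol(value, &end, 10);
	if (end == value || *end != '\0' || (opt != 0 && opt != 1))
		return -1;
	lxc_conf->seccomp_optional = (opt == 1);

	return 0;
}
```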
diff --git a/src/lxc/start.c b/src/lxc/start.c
index 5b3b6eb..8c3c40f 100644
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -381,8 +381,13 @@ struct lxc_handler *lxc_init(const char *name, struct lxc_conf *conf, const char
 		goto out_free_name;
 
 	if (lxc_read_seccomp_config(conf) != 0) {
-		ERROR("failed loading seccomp policy");
-		goto out_close_maincmd_fd;
+		if (conf->seccomp_optional) {
+			WARN("Ignoring error loading seccomp policy.");
+			lxc_seccomp_free(conf);
+		} else {
+			ERROR("Exiting on failure to load seccomp policy");
+			goto out_close_maincmd_fd;
+		}
 	}
 
 	/* Begin by setting the state to STARTING */
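Review bot: The new WARN says "Ignoring error loading seccomp policy", but the condition it sits under is a failure of lxc_read_seccomp_config, and the commit message makes the point that load failures are still fatal; the wording should match what is actually tolerated, e.g. `WARN("Ignoring error reading seccomp policy '%s'.", conf->seccomp);` (the same wording fix applies to the WARN in the attach.c hunk). The optional branch relies on lxc_seccomp_free(conf) leaving conf in a state where the later seccomp load step is a no-op; that function is outside the hunk, so it is worth confirming it also clears `seccomp_ctx` rather than only releasing it. lxc_init continues beyond the hunk.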
-- 
1.9.rc1


