[lxc-devel] [PATCH 1/1] seccomp: add 'lxc.seccomp.optional'

Stéphane Graber stgraber at ubuntu.com
Mon Feb 17 22:16:51 UTC 2014


On Mon, Feb 17, 2014 at 02:05:10PM -0600, Serge Hallyn wrote:
> If that is set, then if reading the policy failed, we continue
> without trying to load seccomp.  (If reading the policy
> succeeded, then we do not ignore failure to load the policy;
> we could consider doing that as well, however the goal here
> is to have a generic container configuration work whether
> the host has seccompv2 support or not)
> 
> Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>

Acked-by: Stéphane Graber <stgraber at ubuntu.com>

> ---
>  src/lxc/attach.c  | 10 ++++++++--
>  src/lxc/conf.h    |  1 +
>  src/lxc/confile.c | 15 +++++++++++++++
>  src/lxc/start.c   |  9 +++++++--
>  4 files changed, 31 insertions(+), 4 deletions(-)
> 
> diff --git a/src/lxc/attach.c b/src/lxc/attach.c
> index 31a5ae7..600332a 100644
> --- a/src/lxc/attach.c
> +++ b/src/lxc/attach.c
> @@ -613,8 +613,14 @@ static bool fetch_seccomp(const char *name, const char *lxcpath,
>  	if (!c->lxc_conf)
>  		return false;
>  	if (lxc_read_seccomp_config(c->lxc_conf) < 0) {
> -		ERROR("Error reaading seccomp policy");
> -		return false;
> +		if (c->lxc_conf->seccomp_optional) {
> +			WARN("Ignoring error loading seccomp policy.");
> +			lxc_container_put(c);
> +			i->container = NULL;
> +		} else {
> +			ERROR("Error reaading seccomp policy");
> +			return false;
> +		}
>  	}
>  
>  	return true;
> diff --git a/src/lxc/conf.h b/src/lxc/conf.h
> index 4591470..3622287 100644
> --- a/src/lxc/conf.h
> +++ b/src/lxc/conf.h
> @@ -303,6 +303,7 @@ struct lxc_conf {
>  	char *lsm_se_context;
>  	int tmp_umount_proc;
>  	char *seccomp;  // filename with the seccomp rules
> +	bool seccomp_optional;  // proceed if seccomp_load fails
>  #if HAVE_SCMP_FILTER_CTX
>  	scmp_filter_ctx *seccomp_ctx;
>  #endif
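Review bot: The comment on the new field, `// proceed if seccomp_load fails`, does not describe what the callers in attach.c and start.c do: they consult the flag only when `lxc_read_seccomp_config()` fails, and a failure of the later load still aborts, as the commit message itself says. Suggest `// proceed without a filter if reading the seccomp policy fails`. Whether conf.h already has `<stdbool.h>` in scope for the `bool` type cannot be seen from this hunk.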
> diff --git a/src/lxc/confile.c b/src/lxc/confile.c
> index afc9e32..bc99e45 100644
> --- a/src/lxc/confile.c
> +++ b/src/lxc/confile.c
> @@ -89,6 +89,7 @@ static int config_cap_drop(const char *, const char *, struct lxc_conf *);
>  static int config_cap_keep(const char *, const char *, struct lxc_conf *);
>  static int config_console(const char *, const char *, struct lxc_conf *);
>  static int config_seccomp(const char *, const char *, struct lxc_conf *);
> +static int config_seccomp_opt(const char *, const char *, struct lxc_conf *);
>  static int config_includefile(const char *, const char *, struct lxc_conf *);
>  static int config_network_nic(const char *, const char *, struct lxc_conf *);
>  static int config_autodev(const char *, const char *, struct lxc_conf *);
> @@ -143,6 +144,7 @@ static struct lxc_config_t config[] = {
>  	{ "lxc.cap.drop",             config_cap_drop             },
>  	{ "lxc.cap.keep",             config_cap_keep             },
>  	{ "lxc.console",              config_console              },
> +	{ "lxc.seccomp.optional",     config_seccomp_opt          },
>  	{ "lxc.seccomp",              config_seccomp              },
>  	{ "lxc.include",              config_includefile          },
>  	{ "lxc.autodev",              config_autodev              },
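Review bot: The new `"lxc.seccomp.optional"` entry is placed ahead of `"lxc.seccomp"` with nothing saying why; if the key lookup matches table names by prefix (the lookup code is not in this hunk), that ordering is load-bearing and the key would otherwise be handed to config_seccomp as a policy path. Suggest documenting it on the new line: `{ "lxc.seccomp.optional",     config_seccomp_opt          }, /* must precede "lxc.seccomp" */`.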
> @@ -928,6 +930,19 @@ static int config_seccomp(const char *key, const char *value,
>  	return config_path_item(&lxc_conf->seccomp, value);
>  }
>  
> +static int config_seccomp_opt(const char *key, const char *value,
> +				 struct lxc_conf *lxc_conf)
> +{
> +	int opt, ret;
> +
> +	ret = sscanf(value, "%d", &opt);
> +	if (ret != 1)
> +		return -1;
> +	lxc_conf->seccomp_optional = opt == 1;
> +
> +	return 0;
> +}
> +
>  static int config_hook(const char *key, const char *value,
>  				 struct lxc_conf *lxc_conf)
>  {
> diff --git a/src/lxc/start.c b/src/lxc/start.c
> index 5b3b6eb..8c3c40f 100644
> --- a/src/lxc/start.c
> +++ b/src/lxc/start.c
> @@ -381,8 +381,13 @@ struct lxc_handler *lxc_init(const char *name, struct lxc_conf *conf, const char
>  		goto out_free_name;
>  
>  	if (lxc_read_seccomp_config(conf) != 0) {
> -		ERROR("failed loading seccomp policy");
> -		goto out_close_maincmd_fd;
> +		if (conf->seccomp_optional) {
> +			WARN("Ignoring error loading seccomp policy.");
> +			lxc_seccomp_free(conf);
> +		} else {
> +			ERROR("Exiting on failure to load seccomp policy");
> +			goto out_close_maincmd_fd;
> +		}
>  	}
>  
>  	/* Begin by setting the state to STARTING */
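Review bot: The optional branch lets the container start with no seccomp filter after only a generic `WARN`; suggest naming the policy so the operator can see which file failed and what the consequence is: `WARN("Ignoring error reading seccomp policy %s; starting without a seccomp filter.", conf->seccomp);`. This branch also calls `lxc_seccomp_free(conf)`, whereas the equivalent branch in attach.c leaves the partially read context in place and drops the container reference instead; the two paths presumably should leave `conf` in the same state, which is worth confirming. lxc_init continues outside the hunk.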
> -- 
> 1.9.rc1
> 

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com