[lxc-devel] [PATCH] Fix seccomp profile on attach of undefined container
Stéphane Graber
stgraber at ubuntu.com
Thu Dec 10 23:58:58 UTC 2015
Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
src/lxc/attach.c | 19 ++++++++++++++++++-
1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/src/lxc/attach.c b/src/lxc/attach.c
index 436ae7a..5192c25 100644
--- a/src/lxc/attach.c
+++ b/src/lxc/attach.c
@@ -661,6 +661,7 @@ static bool fetch_seccomp(const char *name, const char *lxcpath,
struct lxc_proc_context_info *i, lxc_attach_options_t *options)
{
struct lxc_container *c;
+ char *path;
if (!(options->namespaces & CLONE_NEWNS) || !(options->attach_flags & LXC_ATTACH_LSM))
return true;
@@ -669,8 +670,24 @@ static bool fetch_seccomp(const char *name, const char *lxcpath,
if (!c)
return false;
i->container = c;
- if (!c->lxc_conf)
+
+ /* Initialize an empty lxc_conf */
+ if (!c->set_config_item(c, "lxc.seccomp", "")) {
return false;
+ }
+
+ /* Fetch the current profile path over the cmd interface */
+ path = c->get_running_config_item(c, "lxc.seccomp");
+ if (!path) {
+ return false;
+ }
+
+ /* Copy the value into the new lxc_conf */
+ if (!c->set_config_item(c, "lxc.seccomp", path)) {
+ return false;
+ }
+
+ /* Attempt to parse the resulting config */
if (lxc_read_seccomp_config(c->lxc_conf) < 0) {
ERROR("Error reading seccomp policy");
return false;
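Review bot: `path` from `c->get_running_config_item(c, "lxc.seccomp")` is never released: it is a non-const `char *` that the caller appears to own, and both the success path and the `return false` after the second `set_config_item` leave it allocated, so add `free(path);` on each. The three new `return false` branches are also silent, unlike the `ERROR("Error reading seccomp policy")` branch below them, so a refused attach gives no hint which step failed; an `ERROR(...)` line in each would help. Failing closed when the profile cannot be fetched is the safe choice, but if a NULL result can also mean the running container has no seccomp profile set, attach to such containers would now fail; that is worth confirming and stating in the comment above the fetch. fetch_seccomp's body continues outside the hunk.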
--
1.9.1