[lxc-devel] [PATCH] Fix seccomp profile on attach of undefined container
Serge E. Hallyn
serge.hallyn at ubuntu.com
Fri Dec 11 06:08:55 UTC 2015
On Thu, Dec 10, 2015 at 06:58:58PM -0500, Stéphane Graber wrote:
> Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
Thanks, that's what I thought would have to happen when the problem
came up earlier.
Only thing is you have to free the path when done. After that,
Acked-by: Serge Hallyn <serge.hallyn at canonical.com>
Oh wait, one other thing I'm not sure about, below
> ---
> src/lxc/attach.c | 19 ++++++++++++++++++-
> 1 file changed, 18 insertions(+), 1 deletion(-)
>
> diff --git a/src/lxc/attach.c b/src/lxc/attach.c
> index 436ae7a..5192c25 100644
> --- a/src/lxc/attach.c
> +++ b/src/lxc/attach.c
> @@ -661,6 +661,7 @@ static bool fetch_seccomp(const char *name, const char *lxcpath,
> struct lxc_proc_context_info *i, lxc_attach_options_t *options)
> {
> struct lxc_container *c;
> + char *path;
>
> if (!(options->namespaces & CLONE_NEWNS) || !(options->attach_flags & LXC_ATTACH_LSM))
> return true;
> @@ -669,8 +670,24 @@ static bool fetch_seccomp(const char *name, const char *lxcpath,
> if (!c)
> return false;
> i->container = c;
> - if (!c->lxc_conf)
> +
> + /* Initialize an empty lxc_conf */
> + if (!c->set_config_item(c, "lxc.seccomp", "")) {
> return false;
> + }
> +
> + /* Fetch the current profile path over the cmd interface */
> + path = c->get_running_config_item(c, "lxc.seccomp");
If the container has no seccomp policy set, will get_running_config_item
return NULL? Should you return true in that case?
It's not a big deal as it'll just spit out a WARN, but I think it
currently is silent in that case.
> + if (!path) {
> + return false;
> + }
> +
> + /* Copy the value into the new lxc_conf */
> + if (!c->set_config_item(c, "lxc.seccomp", path)) {
> + return false;
> + }
> +
> + /* Attempt to parse the resulting config */
> if (lxc_read_seccomp_config(c->lxc_conf) < 0) {
> ERROR("Error reading seccomp policy");
> return false;
> --
> 1.9.1