[lxc-devel] [PATCH] Fix seccomp profile on attach of undefined container

Serge E. Hallyn serge.hallyn at ubuntu.com
Fri Dec 11 06:08:55 UTC 2015


On Thu, Dec 10, 2015 at 06:58:58PM -0500, Stéphane Graber wrote:
> Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>

Thanks, that's what I thought would have to happen when the problem
came up earlier.

Only thing is you have to free the path when done.  After that,

Acked-by: Serge Hallyn <serge.hallyn at canonical.com>

Oh wait, one other thing I'm not sure about, below

> ---
>  src/lxc/attach.c | 19 ++++++++++++++++++-
>  1 file changed, 18 insertions(+), 1 deletion(-)
> 
> diff --git a/src/lxc/attach.c b/src/lxc/attach.c
> index 436ae7a..5192c25 100644
> --- a/src/lxc/attach.c
> +++ b/src/lxc/attach.c
> @@ -661,6 +661,7 @@ static bool fetch_seccomp(const char *name, const char *lxcpath,
>  		struct lxc_proc_context_info *i, lxc_attach_options_t *options)
>  {
>  	struct lxc_container *c;
> +	char *path;
>  
>  	if (!(options->namespaces & CLONE_NEWNS) || !(options->attach_flags & LXC_ATTACH_LSM))
>  		return true;
> @@ -669,8 +670,24 @@ static bool fetch_seccomp(const char *name, const char *lxcpath,
>  	if (!c)
>  		return false;
>  	i->container = c;
> -	if (!c->lxc_conf)
> +
> +	/* Initialize an empty lxc_conf */
> +	if (!c->set_config_item(c, "lxc.seccomp", "")) {
>  		return false;
> +	}
> +
> +	/* Fetch the current profile path over the cmd interface */
> +	path = c->get_running_config_item(c, "lxc.seccomp");

If the container has no seccomp policy set, will get_running_config_item
return NULL?  Should you return true in that case?

It's not a big deal as it'll just spit out a WARN, but I think it
currently is silent in that case.

> +	if (!path) {
> +		return false;
> +	}
> +
> +	/* Copy the value into the new lxc_conf */
> +	if (!c->set_config_item(c, "lxc.seccomp", path)) {
> +		return false;
> +	}
> +
> +	/* Attempt to parse the resulting config */
>  	if (lxc_read_seccomp_config(c->lxc_conf) < 0) {
>  		ERROR("Error reading seccomp policy");
>  		return false;
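Review bot: `path` from `c->get_running_config_item(c, "lxc.seccomp")` is never freed in this hunk, so it leaks on the success path and on both later error returns (the failed `set_config_item(c, "lxc.seccomp", path)` and the `lxc_read_seccomp_config` failure); as the reply above notes, call `free(path)` once the value has been copied into the new lxc_conf, i.e. right after the `set_config_item` call and before the parse step, so every subsequent return is clean. Separately, the `if (!path) return false;` check turns a container that simply has no `lxc.seccomp` set (a NULL from `get_running_config_item`) into an attach failure, whereas the removed `if (!c->lxc_conf) return false;` check did not fail in that case; consider returning true there, or distinguishing "no policy" from a real error, and logging the failure case instead of returning silently.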
> -- 
> 1.9.1

