[lxc-devel] [PATCH] Fix seccomp profile on attach of undefined container

Stéphane Graber stgraber at ubuntu.com
Fri Dec 11 06:12:14 UTC 2015


On Fri, Dec 11, 2015 at 12:08:55AM -0600, Serge E. Hallyn wrote:
> On Thu, Dec 10, 2015 at 06:58:58PM -0500, Stéphane Graber wrote:
> > Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
> 
> Thanks, that's what I thought would have to happen when the problem
> came up earlier.
> 
> Only thing is you have to free the path when done.  After that,

Cool, will update and push, thanks!

> 
> Acked-by: Serge Hallyn <serge.hallyn at canonical.com>
> 
> Oh wait, one other thing I'm not sure about, below
> 
> > ---
> >  src/lxc/attach.c | 19 ++++++++++++++++++-
> >  1 file changed, 18 insertions(+), 1 deletion(-)
> > 
> > diff --git a/src/lxc/attach.c b/src/lxc/attach.c
> > index 436ae7a..5192c25 100644
> > --- a/src/lxc/attach.c
> > +++ b/src/lxc/attach.c
> > @@ -661,6 +661,7 @@ static bool fetch_seccomp(const char *name, const char *lxcpath,
> >  		struct lxc_proc_context_info *i, lxc_attach_options_t *options)
> >  {
> >  	struct lxc_container *c;
> > +	char *path;
> >  
> >  	if (!(options->namespaces & CLONE_NEWNS) || !(options->attach_flags & LXC_ATTACH_LSM))
> >  		return true;
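Review bot: `path` is declared without an initializer here, and in the following hunk it receives a heap-allocated string from `get_running_config_item` that several later return paths drop; declaring it as `char *path = NULL;` would let the function converge on a single cleanup exit where `free(path)` is safe on every path, including the ones that return before the fetch.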
> > @@ -669,8 +670,24 @@ static bool fetch_seccomp(const char *name, const char *lxcpath,
> >  	if (!c)
> >  		return false;
> >  	i->container = c;
> > -	if (!c->lxc_conf)
> > +
> > +	/* Initialize an empty lxc_conf */
> > +	if (!c->set_config_item(c, "lxc.seccomp", "")) {
> >  		return false;
> > +	}
> > +
> > +	/* Fetch the current profile path over the cmd interface */
> > +	path = c->get_running_config_item(c, "lxc.seccomp");
> 
> If the container has no seccomp policy set, will get_running_config_item
> return NULL?  Should you return true in that case?
> 
> It's not a big deal as it'll just spit out a WARN, but I think it
> currently is silent in that case.

Good point, will change to returning true on null (indeed null is what
you'd get if it's not set).

> 
> > +	if (!path) {
> > +		return false;
> > +	}
> > +
> > +	/* Copy the value into the new lxc_conf */
> > +	if (!c->set_config_item(c, "lxc.seccomp", path)) {
> > +		return false;
> > +	}
> > +
> > +	/* Attempt to parse the resulting config */
> >  	if (lxc_read_seccomp_config(c->lxc_conf) < 0) {
> >  		ERROR("Error reading seccomp policy");
> >  		return false;
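Review bot: a NULL from `get_running_config_item` means the running container simply has no `lxc.seccomp` set, so `if (!path) return false;` turns the legitimate no-profile case into an attach failure; that branch should return true, as agreed above. Separately, `path` is a heap string the caller owns (per the note that it must be freed) and it is leaked on every exit after the fetch, both when the second `set_config_item` fails and in the `lxc_read_seccomp_config` error branch; freeing it right after the copy and before testing the result, e.g. `ret = c->set_config_item(c, "lxc.seccomp", path); free(path); if (!ret) return false;`, closes the leak on all paths at once.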
> > -- 
> > 1.9.1

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com