[lxc-devel] [lxc/lxc] d64178: seccomp: simplify and fix rule parsing

GitHub noreply at github.com
Wed Jul 29 02:37:15 UTC 2015


  Branch: refs/heads/master
  Home:   https://github.com/lxc/lxc
  Commit: d6417887b93477133a2c600ce755ba3afc843d44
      https://github.com/lxc/lxc/commit/d6417887b93477133a2c600ce755ba3afc843d44
  Author: Wolfgang Bumiller <w.bumiller at proxmox.com>
  Date:   2015-07-23 (Thu, 23 Jul 2015)

  Changed paths:
    M src/lxc/seccomp.c

  Log Message:
  -----------
  seccomp: simplify and fix rule parsing

1) Two checks on amd64 for whether compat_ctx has already
been generated were redundant, as compat_ctx is generally
generated before entering the parsing loop.

2) With introduction of reject_force_umount the check for
whether the syscall has the same id on both native and
compat archs results in false behavior as this is an
internal keyword and thus produces a -1 on
seccomp_syscall_resolve_name_arch().
The result was that it was added to the native architecture
twice and never to the 32 bit architecture, causing it to
have no effect on 32 bit containers on 64 bit hosts.

3) I do not see a reason to care about whether the syscalls
have the same number on the two architectures. On the one
hand this check was there to avoid adding it to two archs
(and effectively leaving one arch unprotected), while on
the other hand it seemed to be okay to add it to the
same arch *twice*.

The entire architecture checking branches are now reduced to
three simple cases: 'native', 'non-native' and 'all'. With
'all' adding to both architectures regardless of the syscall
ID.

Also note that libseccomp had a bug in its architecture
checking, so architecture related filters weren't working as
expected before version 2.2.2, which may have contributed to
the confusion in the original architecture-related code.

Signed-off-by: Wolfgang Bumiller <w.bumiller at proxmox.com>


  Commit: e88ba17e633fda987df5e83c1b1a53d45e3d18ec
      https://github.com/lxc/lxc/commit/e88ba17e633fda987df5e83c1b1a53d45e3d18ec
  Author: Serge Hallyn <serge at hallyn.com>
  Date:   2015-07-28 (Tue, 28 Jul 2015)

  Changed paths:
    M src/lxc/seccomp.c

  Log Message:
  -----------
  Merge pull request #600 from Blub/wbumiller/seccomp

seccomp: simplify and fix rule parsing


Compare: https://github.com/lxc/lxc/compare/f5fd66f70ab5...e88ba17e633f
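
The failure mode described in point 2 of the first commit message, as an added example (a simplified model, not the code from src/lxc/seccomp.c): an internal keyword resolves to -1 on both architectures, so an "ids are equal" check routes it away from the compat filter. The function names, the `ctxs` struct, the toy resolver and its sample syscall numbers are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

enum { NATIVE, COMPAT, NARCH };   /* amd64 host: native = 64 bit, compat = 32 bit */
enum scope { SC_NATIVE, SC_NON_NATIVE, SC_ALL };

struct ctxs { int rules[NARCH]; };  /* rules installed per architecture filter */

/* Toy resolver with sample numbers. Anything it does not know, including
 * internal keywords such as reject_force_umount, resolves to -1 on every arch. */
static int resolve(int arch, const char *name)
{
    if (strcmp(name, "chroot") == 0)
        return arch == NATIVE ? 161 : 61;
    return -1;
}

/* Modelled pre-fix handling of scope "all": the native rule is added, then
 * equal syscall ids send the second add to the native filter again. */
static void add_all_old(struct ctxs *c, const char *name)
{
    c->rules[NATIVE]++;
    if (resolve(NATIVE, name) == resolve(COMPAT, name))
        c->rules[NATIVE]++;          /* -1 == -1 ends up here */
    else
        c->rules[COMPAT]++;
}

/* Post-fix handling: three cases, with no comparison of syscall ids. */
static void add_new(struct ctxs *c, enum scope s)
{
    if (s == SC_NATIVE || s == SC_ALL)
        c->rules[NATIVE]++;
    if (s == SC_NON_NATIVE || s == SC_ALL)
        c->rules[COMPAT]++;
}

/* A 32 bit container on a 64 bit host is covered only by the compat filter. */
static int compat_protected(const struct ctxs *c) { return c->rules[COMPAT] > 0; }

int main(void)
{
    struct ctxs before = {{0, 0}}, after = {{0, 0}};
    add_all_old(&before, "reject_force_umount");
    add_new(&after, SC_ALL);
    printf("old: native=%d compat=%d\n", before.rules[NATIVE], before.rules[COMPAT]);
    printf("new: native=%d compat=%d\n", after.rules[NATIVE], after.rules[COMPAT]);
    return !compat_protected(&after);
}
```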

