[lxc-devel] [lxc/master] tools: fix lxc-attach regression with -s USER

brauner on Github lxc-bot at linuxcontainers.org
Wed Sep 21 15:29:09 UTC 2016


From bd4307f0c154ace6560082cf449b08f2f567c98c Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at canonical.com>
Date: Wed, 21 Sep 2016 13:02:08 +0200
Subject: [PATCH] tools: fix lxc-attach regression with -s USER

Signed-off-by: Christian Brauner <christian.brauner at canonical.com>
---
 src/lxc/attach.c  | 24 +++++++++++-------------
 src/lxc/seccomp.c |  2 +-
 2 files changed, 12 insertions(+), 14 deletions(-)

diff --git a/src/lxc/attach.c b/src/lxc/attach.c
index c741410..99b07fa 100644
--- a/src/lxc/attach.c
+++ b/src/lxc/attach.c
@@ -665,16 +665,16 @@ static int attach_child_main(void* data);
 /* define default options if no options are supplied by the user */
 static lxc_attach_options_t attach_static_default_options = LXC_ATTACH_OPTIONS_DEFAULT;
 
-static bool fetch_seccomp(struct lxc_proc_context_info *i,
+static bool fetch_seccomp(struct lxc_container *c,
 			  lxc_attach_options_t *options)
 {
-	struct lxc_container *c;
 	char *path;
 
-	if (!(options->namespaces & CLONE_NEWNS) || !(options->attach_flags & LXC_ATTACH_LSM))
+	if (!(options->namespaces & CLONE_NEWNS) || !(options->attach_flags & LXC_ATTACH_LSM)) {
+		free(c->lxc_conf->seccomp);
+		c->lxc_conf->seccomp = NULL;
 		return true;
-
-	c = i->container;
+	}
 
 	/* Remove current setting. */
 	if (!c->set_config_item(c, "lxc.seccomp", "")) {
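Review bot: The new early-return branch dereferences `c->lxc_conf` with no NULL check before `free(c->lxc_conf->seccomp)`, while the later hunk in attach_child_main still guards `init_ctx->container->lxc_conf` before touching the same field, which suggests lxc_conf can be NULL at this point; the caller in lxc_attach only verifies `init_ctx->container`. Guarding the free, `if (c->lxc_conf) { free(c->lxc_conf->seccomp); c->lxc_conf->seccomp = NULL; }`, keeps the two sites consistent. fetch_seccomp's body continues past the end of this hunk.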
@@ -684,6 +684,7 @@ static bool fetch_seccomp(struct lxc_proc_context_info *i,
 	/* Fetch the current profile path over the cmd interface */
 	path = c->get_running_config_item(c, "lxc.seccomp");
 	if (!path) {
+		INFO("Failed to get running config item for lxc.seccomp.");
 		return true;
 	}
 
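Review bot: The new INFO line says "Failed" but the function then returns true, so neither the log nor the code tells a reader whether a missing running `lxc.seccomp` item is an error or simply means no profile is active. If the latter is the intended reading, wording such as `INFO("No running lxc.seccomp profile found; not loading a seccomp policy.");` matches the return value; if a NULL path can also mean the command interface itself failed, the WARN at the call site in lxc_attach never fires for it, because true is returned. fetch_seccomp starts and ends outside this hunk.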
@@ -704,14 +705,11 @@ static bool fetch_seccomp(struct lxc_proc_context_info *i,
 	return true;
 }
 
-static bool no_new_privs(struct lxc_proc_context_info *ctx,
+static bool no_new_privs(struct lxc_container *c,
 			 lxc_attach_options_t *options)
 {
-	struct lxc_container *c;
 	char *val;
 
-	c = ctx->container;
-
 	/* Remove current setting. */
 	if (!c->set_config_item(c, "lxc.no_new_privs", "")) {
 		return false;
@@ -784,10 +782,10 @@ int lxc_attach(const char* name, const char* lxcpath, lxc_attach_exec_t exec_fun
 	if (!init_ctx->container)
 		return -1;
 
-	if (!fetch_seccomp(init_ctx, options))
+	if (!fetch_seccomp(init_ctx->container, options))
 		WARN("Failed to get seccomp policy");
 
-	if (!no_new_privs(init_ctx, options))
+	if (!no_new_privs(init_ctx->container, options))
 		WARN("Could not determine whether PR_SET_NO_NEW_PRIVS is set.");
 
 	cwd = getcwd(NULL, 0);
@@ -1211,9 +1209,9 @@ static int attach_child_main(void* data)
 			rexit(-1);
 		}
 	}
-
 	if (init_ctx->container && init_ctx->container->lxc_conf &&
-			lxc_seccomp_load(init_ctx->container->lxc_conf) != 0) {
+	    init_ctx->container->lxc_conf->seccomp &&
+	    (lxc_seccomp_load(init_ctx->container->lxc_conf) != 0)) {
 		ERROR("Loading seccomp policy");
 		rexit(-1);
 	}
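Review bot: The added `init_ctx->container->lxc_conf->seccomp &&` term turns a NULL `seccomp` into a silent skip of lxc_seccomp_load, and nothing records that the load was skipped. Since fetch_seccomp now frees the same field on the no-LSM path, and it returns true when `get_running_config_item` yields no path while lxc_attach only WARNs on false, it looks like a failed fetch can also leave `seccomp` NULL, in which case the attached process runs without a seccomp filter with no trace of why. An `else` branch that logs the skipped load, e.g. `INFO("No seccomp policy set; skipping lxc_seccomp_load().");`, keeps the two outcomes distinguishable in the log. attach_child_main starts outside this hunk.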
diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index 5069730..ccffa9f 100644
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -748,7 +748,7 @@ int lxc_seccomp_load(struct lxc_conf *conf)
 #endif
 	    );
 	if (ret < 0) {
-		ERROR("Error loading the seccomp policy.");
+		ERROR("Error loading the seccomp policy: %s.", strerror(-ret));
 		return -1;
 	}
 	return 0;
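Review bot: `strerror(-ret)` assumes `ret` holds a negated errno, which is the libseccomp seccomp_load() convention but is not visible here because the call begins above the hunk; if any build path returned a plain -1, the message would print the text for errno 1 and mislead whoever reads the log. A one-line comment at the call, `/* seccomp_load() returns a negative errno value */`, documents the assumption the new message relies on. seccomp.c must also include <string.h> for strerror, which this hunk cannot show. lxc_seccomp_load starts outside this hunk.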

