[lxc-devel] [lxc/master] seccomp: set SCMP_FLTATR_ATL_TSKIP if available

hallyn on Github lxc-bot at linuxcontainers.org
Mon Mar 6 19:42:29 UTC 2017


From 92c2978d9c0968bc3e1c959a8a0f86df20fd8421 Mon Sep 17 00:00:00 2001
From: Serge Hallyn <serge at hallyn.com>
Date: Mon, 6 Mar 2017 13:36:19 -0600
Subject: [PATCH] seccomp: set SCMP_FLTATR_ATL_TSKIP if available

Newer libseccomp has a flag called SCMP_FLTATR_ATL_TSKIP which
allows syscall '-1' (nop) to be executed.  Without that flag,
debuggers cannot skip system calls inside containers.  For reference,
see the seccomp(2) manpage, which says:

	The tracer can skip the system call by changing the system call number to -1.

and see the seccomp issue #80
---
 src/lxc/seccomp.c | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index 0ce758b..b6a316f 100644
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -221,6 +221,11 @@ scmp_filter_ctx get_new_ctx(enum lxc_hostarch_t n_arch, uint32_t default_policy_
 		seccomp_release(ctx);
 		return NULL;
 	}
+#ifdef SCMP_FLTATR_ATL_TSKIP
+	if (seccomp_attr_set(ctx, SCMP_FLTATR_ATL_TSKIP, 1)) {
+		WARN("Failed to turn on seccomp nop-skip, continuing");
+	}
+#endif
 	ret = seccomp_arch_add(ctx, arch);
 	if (ret != 0) {
 		ERROR("Seccomp error %d (%s) adding arch: %d", ret,
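Review bot: The guard `#ifdef SCMP_FLTATR_ATL_TSKIP` on the first added line is fragile: libseccomp exposes its filter attributes as enumerators of `enum scmp_filter_attr`, and the public name for this attribute in the libseccomp headers I know is `SCMP_FLTATR_API_TSKIP`, not `SCMP_FLTATR_ATL_TSKIP`. The preprocessor never sees enumerators, so an `#ifdef` on one is always false and, unless the installed header also provides a same-named macro, this whole block compiles out silently and the behaviour the commit message describes never takes effect — worth confirming against the targeted libseccomp before merging. This file already relies on a configure-generated probe (`#if HAVE_SCMP_FILTER_CTX` further down), so the robust form is an `AC_CHECK_DECLS([SCMP_FLTATR_API_TSKIP], [], [], [[#include <seccomp.h>]])` probe paired with `#if HAVE_DECL_SCMP_FLTATR_API_TSKIP` here. get_new_ctx begins before this hunk.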
@@ -396,6 +401,11 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
 			ERROR("Failed to turn off n-new-privs.");
 			return -1;
 		}
+#ifdef SCMP_FLTATR_ATL_TSKIP
+		if (seccomp_attr_set(conf->seccomp_ctx, SCMP_FLTATR_ATL_TSKIP, 1)) {
+			WARN("Failed to turn on seccomp nop-skip, continuing");
+		}
+#endif
 	}
 
 	while (fgets(line, 1024, f)) {
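Review bot: This is the second of three byte-identical copies of the set-attribute-and-warn block added by this patch (get_new_ctx, here, and lxc_read_seccomp_config), and none of them records why `seccomp_attr_set` failed even though it returns a negative errno-style value that the existing `ERROR` calls in this file do print. A small static helper that keeps the return value and logs it would reduce each call site to one line and make a later rename of the attribute or a switch to a configure probe a single edit. The enclosing `if` block starts before this hunk, so I cannot see which context is being reset here; I assume it is the same `conf->seccomp_ctx` the no-new-privs reset just touched.
```c
/* Opt in to libseccomp's "-1 syscall" support so a ptrace tracer can skip a
 * syscall inside the container.  Failure is deliberately non-fatal: only
 * debugging degrades, the container's filter is otherwise unaffected. */
static void lxc_seccomp_enable_tskip(scmp_filter_ctx ctx)
{
#ifdef SCMP_FLTATR_ATL_TSKIP
	int ret = seccomp_attr_set(ctx, SCMP_FLTATR_ATL_TSKIP, 1);
	if (ret < 0)
		WARN("Failed to turn on seccomp nop-skip (%d), continuing", ret);
#else
	(void)ctx;
#endif
}

		/* … unchanged: no-new-privs reset … */
		lxc_seccomp_enable_tskip(conf->seccomp_ctx);
```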
@@ -717,7 +727,7 @@ int lxc_read_seccomp_config(struct lxc_conf *conf)
 		return -1;
 	}
 
-/* turn of no-new-privs.  We don't want it in lxc, and it breaks
+/* turn off no-new-privs.  We don't want it in lxc, and it breaks
  * with apparmor */
 #if HAVE_SCMP_FILTER_CTX
 	check_seccomp_attr_set = seccomp_attr_set(conf->seccomp_ctx, SCMP_FLTATR_CTL_NNP, 0);
@@ -728,6 +738,11 @@ int lxc_read_seccomp_config(struct lxc_conf *conf)
 		ERROR("Failed to turn off n-new-privs.");
 		return -1;
 	}
+#ifdef SCMP_FLTATR_ATL_TSKIP
+	if (seccomp_attr_set(conf->seccomp_ctx, SCMP_FLTATR_ATL_TSKIP, 1)) {
+		WARN("Failed to turn on seccomp nop-skip, continuing");
+	}
+#endif
 
 	f = fopen(conf->seccomp, "r");
 	if (!f) {
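Review bot: Setting the attribute here may not be enough on its own: libseccomp's documentation describes the TSKIP attribute as permitting filter rules for syscall -1 to be created, not as allowing -1 by itself, and nothing in this patch adds such a rule. Under a whitelist policy (default deny) a tracer-skipped call would then still fall through to the default action, so a `seccomp_rule_add(conf->seccomp_ctx, SCMP_ACT_ALLOW, -1, 0)` at the point the final filter is assembled is presumably still needed — please confirm against the libseccomp version targeted. A short comment above the block would also help the next reader judge the security impact, e.g. `/* Allow syscall -1 through the filter: the kernel treats it as an invalid syscall and returns -ENOSYS, so nothing is dispatched; it exists only so a tracer can skip calls (see seccomp(2)). */`. lxc_read_seccomp_config continues past the end of this hunk.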

