[lxc-devel] [lxc/master] Seccomp: update comment, print action name etc

0x0916 on Github lxc-bot at linuxcontainers.org
Mon May 15 10:47:10 UTC 2017


From 65afdf08b5d7657534e9a143c370aafdf0ae8227 Mon Sep 17 00:00:00 2001
From: 0x0916 <w at laoqinren.net>
Date: Mon, 15 May 2017 18:03:41 +0800
Subject: [PATCH 1/3] seccomp: s/n-new-privs/no-new-privs/g

Signed-off-by: 0x0916 <w at laoqinren.net>
---
 src/lxc/seccomp.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index b6a316f..9ddae28 100644
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -217,7 +217,7 @@ scmp_filter_ctx get_new_ctx(enum lxc_hostarch_t n_arch, uint32_t default_policy_
 		return NULL;
 	}
 	if (seccomp_attr_set(ctx, SCMP_FLTATR_CTL_NNP, 0)) {
-		ERROR("Failed to turn off n-new-privs.");
+		ERROR("Failed to turn off no-new-privs.");
 		seccomp_release(ctx);
 		return NULL;
 	}
@@ -398,7 +398,7 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
 			return -1;
 		}
 		if (seccomp_attr_set(conf->seccomp_ctx, SCMP_FLTATR_CTL_NNP, 0)) {
-			ERROR("Failed to turn off n-new-privs.");
+			ERROR("Failed to turn off no-new-privs.");
 			return -1;
 		}
 #ifdef SCMP_FLTATR_ATL_TSKIP
@@ -735,7 +735,7 @@ int lxc_read_seccomp_config(struct lxc_conf *conf)
 	check_seccomp_attr_set = seccomp_attr_set(SCMP_FLTATR_CTL_NNP, 0);
 #endif
 	if (check_seccomp_attr_set) {
-		ERROR("Failed to turn off n-new-privs.");
+		ERROR("Failed to turn off no-new-privs.");
 		return -1;
 	}
 #ifdef SCMP_FLTATR_ATL_TSKIP

From 998cd2f4179d5d962fad8b195ca10679f4afbf97 Mon Sep 17 00:00:00 2001
From: 0x0916 <w at laoqinren.net>
Date: Mon, 15 May 2017 18:04:27 +0800
Subject: [PATCH 2/3] seccomp: update comment for function `parse_config`

Signed-off-by: 0x0916 <w at laoqinren.net>
---
 src/lxc/seccomp.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index 9ddae28..881a498 100644
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -631,9 +631,9 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
  * The first line of the config file has a policy language version
  * the second line has some directives
  * then comes policy subject to the directives
- * right now version must be '1'
- * the directives must include 'whitelist' (only type of policy currently
- * supported) and can include 'debug' (though debug is not yet supported).
+ * right now version must be '1' or '2'
+ * the directives must include 'whitelist'(version == 1 or 2) or 'blacklist'
+ * (version == 2) and can include 'debug' (though debug is not yet supported).
  */
 static int parse_config(FILE *f, struct lxc_conf *conf)
 {

From 3facd9b0ec1168981ca1fb7861cfa82fdc8bc1fe Mon Sep 17 00:00:00 2001
From: 0x0916 <w at laoqinren.net>
Date: Mon, 15 May 2017 18:05:09 +0800
Subject: [PATCH 3/3] seccomp: print action name in log

This patch adds the function `get_action_name` so that the action name can be
printed alongside its numeric value in the log file, for example:

```
lxc-start ubuntu 20170515095416.561 INFO     lxc_seccomp - seccomp.c:parse_config_v2:613 - Adding compat rule for reject_force_umount action 0(kill).
lxc-start ubuntu 20170515095416.562 INFO     lxc_seccomp - seccomp.c:parse_config_v2:613 - Adding compat rule for kexec_load action 327681(errno).
```

Signed-off-by: 0x0916 <w at laoqinren.net>
---
 src/lxc/seccomp.c | 32 ++++++++++++++++++++++++++------
 1 file changed, 26 insertions(+), 6 deletions(-)

diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index 881a498..8065d27 100644
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -92,6 +92,22 @@ static uint32_t get_v2_default_action(char *line)
 	return ret_action;
 }
 
+static const char *get_action_name(uint32_t action)
+{
+	switch(action & 0xffff0000){
+	case SCMP_ACT_KILL:
+		return "kill";
+	case SCMP_ACT_ALLOW:
+		return "allow";
+	case SCMP_ACT_TRAP:
+		return "trap";
+	case SCMP_ACT_ERRNO(0):
+		return "errno";
+	default:
+		return "invalid action";
+	}
+}
+
 static uint32_t get_and_clear_v2_action(char *line, uint32_t def_action)
 {
 	char *p = strchr(line, ' ');
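Review bot: get_action_name falls through to "invalid action" for any action class outside its four cases, so SCMP_ACT_TRACE — a valid libseccomp action whose low 16 bits carry the trace value in the same way SCMP_ACT_ERRNO carries the errno — would be logged as invalid if it ever reached this function; whether LXC's parser (get_v2_default_action, outside this hunk) can produce it is not visible here. Adding `case SCMP_ACT_TRACE(0): return "trace";` and changing the fallback to `return "unknown";` keeps the log from mislabeling a legitimate rule, which matters because these INFO lines are what an operator reads to audit which filter was actually loaded. The `0xffff0000` mask hard-codes libseccomp's action layout with no explanation; a comment such as `/* low 16 bits carry the errno/trace data; compare on the action class only */` records the assumption for the next reader. Minor style: the rest of the file writes `switch (x) {` and `if (x) {` with spaces, unlike `switch(action & 0xffff0000){`.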
@@ -281,8 +297,8 @@ bool do_resolve_add_rule(uint32_t arch, char *line, scmp_filter_ctx ctx,
 	}
 	ret = seccomp_rule_add_exact(ctx, action, nr, 0);
 	if (ret < 0) {
-		ERROR("Failed (%d) loading rule for %s (nr %d action %d): %s.",
-		      ret, line, nr, action, strerror(-ret));
+		ERROR("Failed (%d) loading rule for %s (nr %d action %d(%s)): %s.",
+		      ret, line, nr, action, get_action_name(action), strerror(-ret));
 		return false;
 	}
 	return true;
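Review bot: The rewritten ERROR on the new side still prints `action` with `%d`, while the value is unsigned — get_action_name takes a uint32_t and get_and_clear_v2_action returns one — so `%u` is the matching conversion: `ERROR("Failed (%d) loading rule for %s (nr %d action %u(%s)): %s.", ret, line, nr, action, get_action_name(action), strerror(-ret));`. The same `%d` is carried into the three INFO calls later in this patch, so it is worth fixing in one pass. do_resolve_add_rule begins before this hunk, so the parameter's declared type is inferred from its callers rather than seen here.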
@@ -573,7 +589,8 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
 		if (cur_rule_arch == native_arch ||
 		    cur_rule_arch == lxc_seccomp_arch_native ||
 		    compat_arch[0] == SCMP_ARCH_NATIVE) {
-			INFO("Adding native rule for %s action %d.", line, action);
+			INFO("Adding native rule for %s action %d(%s).", line, action,
+			     get_action_name(action));
 			if (!do_resolve_add_rule(SCMP_ARCH_NATIVE, line, conf->seccomp_ctx, action))
 				goto bad_rule;
 		}
@@ -582,15 +599,18 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
 				cur_rule_arch == lxc_seccomp_arch_mips64n32 ||
 				cur_rule_arch == lxc_seccomp_arch_mipsel64n32 ? 1 : 0;
 
-			INFO("Adding compat-only rule for %s action %d.", line, action);
+			INFO("Adding compat-only rule for %s action %d(%s).", line, action,
+			     get_action_name(action));
 			if (!do_resolve_add_rule(compat_arch[arch_index], line, compat_ctx[arch_index], action))
 				goto bad_rule;
 		}
 		else {
-			INFO("Adding native rule for %s action %d.", line, action);
+			INFO("Adding native rule for %s action %d(%s).", line, action,
+			     get_action_name(action));
 			if (!do_resolve_add_rule(SCMP_ARCH_NATIVE, line, conf->seccomp_ctx, action))
 				goto bad_rule;
-			INFO("Adding compat rule for %s action %d.", line, action);
+			INFO("Adding compat rule for %s action %d(%s).", line, action,
+			     get_action_name(action));
 			if (!do_resolve_add_rule(compat_arch[0], line, compat_ctx[0], action))
 				goto bad_rule;
 			if (compat_arch[1] != SCMP_ARCH_NATIVE &&

