[lxc-devel] [lxc/master] Seccomp: update comment, print action name etc
0x0916 on Github
lxc-bot at linuxcontainers.org
Mon May 15 10:47:10 UTC 2017
A non-text attachment was scrubbed...
Name: not available
Type: text/x-mailbox
Size: 340 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20170515/f920615d/attachment.bin>
-------------- next part --------------
From 65afdf08b5d7657534e9a143c370aafdf0ae8227 Mon Sep 17 00:00:00 2001
From: 0x0916 <w at laoqinren.net>
Date: Mon, 15 May 2017 18:03:41 +0800
Subject: [PATCH 1/3] seccomp: s/n-new-privs/no-new-privs/g
Signed-off-by: 0x0916 <w at laoqinren.net>
---
src/lxc/seccomp.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index b6a316f..9ddae28 100644
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -217,7 +217,7 @@ scmp_filter_ctx get_new_ctx(enum lxc_hostarch_t n_arch, uint32_t default_policy_
return NULL;
}
if (seccomp_attr_set(ctx, SCMP_FLTATR_CTL_NNP, 0)) {
- ERROR("Failed to turn off n-new-privs.");
+ ERROR("Failed to turn off no-new-privs.");
seccomp_release(ctx);
return NULL;
}
@@ -398,7 +398,7 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
return -1;
}
if (seccomp_attr_set(conf->seccomp_ctx, SCMP_FLTATR_CTL_NNP, 0)) {
- ERROR("Failed to turn off n-new-privs.");
+ ERROR("Failed to turn off no-new-privs.");
return -1;
}
#ifdef SCMP_FLTATR_ATL_TSKIP
@@ -735,7 +735,7 @@ int lxc_read_seccomp_config(struct lxc_conf *conf)
check_seccomp_attr_set = seccomp_attr_set(SCMP_FLTATR_CTL_NNP, 0);
#endif
if (check_seccomp_attr_set) {
- ERROR("Failed to turn off n-new-privs.");
+ ERROR("Failed to turn off no-new-privs.");
return -1;
}
#ifdef SCMP_FLTATR_ATL_TSKIP
From 998cd2f4179d5d962fad8b195ca10679f4afbf97 Mon Sep 17 00:00:00 2001
From: 0x0916 <w at laoqinren.net>
Date: Mon, 15 May 2017 18:04:27 +0800
Subject: [PATCH 2/3] seccomp: update comment for function `parse_config`
Signed-off-by: 0x0916 <w at laoqinren.net>
---
src/lxc/seccomp.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index 9ddae28..881a498 100644
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -631,9 +631,9 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
* The first line of the config file has a policy language version
* the second line has some directives
* then comes policy subject to the directives
- * right now version must be '1'
- * the directives must include 'whitelist' (only type of policy currently
- * supported) and can include 'debug' (though debug is not yet supported).
+ * right now version must be '1' or '2'
+ * the directives must include 'whitelist'(version == 1 or 2) or 'blacklist'
+ * (version == 2) and can include 'debug' (though debug is not yet supported).
*/
static int parse_config(FILE *f, struct lxc_conf *conf)
{
From 3facd9b0ec1168981ca1fb7861cfa82fdc8bc1fe Mon Sep 17 00:00:00 2001
From: 0x0916 <w at laoqinren.net>
Date: Mon, 15 May 2017 18:05:09 +0800
Subject: [PATCH 3/3] seccomp: print action name in log
This patch add function `get_action_name`, so we can print action name
in the log file. for example:
```
lxc-start ubuntu 20170515095416.561 INFO lxc_seccomp - seccomp.c:parse_config_v2:613 - Adding compat rule for reject_force_umount action 0(kill).
lxc-start ubuntu 20170515095416.562 INFO lxc_seccomp - seccomp.c:parse_config_v2:613 - Adding compat rule for kexec_load action 327681(errno).
```
Signed-off-by: 0x0916 <w at laoqinren.net>
---
src/lxc/seccomp.c | 32 ++++++++++++++++++++++++++------
1 file changed, 26 insertions(+), 6 deletions(-)
diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index 881a498..8065d27 100644
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -92,6 +92,22 @@ static uint32_t get_v2_default_action(char *line)
return ret_action;
}
+static const char *get_action_name(uint32_t action)
+{
+ switch(action & 0xffff0000){
+ case SCMP_ACT_KILL:
+ return "kill";
+ case SCMP_ACT_ALLOW:
+ return "allow";
+ case SCMP_ACT_TRAP:
+ return "trap";
+ case SCMP_ACT_ERRNO(0):
+ return "errno";
+ default:
+ return "invalid action";
+ }
+}
+
static uint32_t get_and_clear_v2_action(char *line, uint32_t def_action)
{
char *p = strchr(line, ' ');
@@ -281,8 +297,8 @@ bool do_resolve_add_rule(uint32_t arch, char *line, scmp_filter_ctx ctx,
}
ret = seccomp_rule_add_exact(ctx, action, nr, 0);
if (ret < 0) {
- ERROR("Failed (%d) loading rule for %s (nr %d action %d): %s.",
- ret, line, nr, action, strerror(-ret));
+ ERROR("Failed (%d) loading rule for %s (nr %d action %d(%s)): %s.",
+ ret, line, nr, action, get_action_name(action), strerror(-ret));
return false;
}
return true;
@@ -573,7 +589,8 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
if (cur_rule_arch == native_arch ||
cur_rule_arch == lxc_seccomp_arch_native ||
compat_arch[0] == SCMP_ARCH_NATIVE) {
- INFO("Adding native rule for %s action %d.", line, action);
+ INFO("Adding native rule for %s action %d(%s).", line, action,
+ get_action_name(action));
if (!do_resolve_add_rule(SCMP_ARCH_NATIVE, line, conf->seccomp_ctx, action))
goto bad_rule;
}
@@ -582,15 +599,18 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
cur_rule_arch == lxc_seccomp_arch_mips64n32 ||
cur_rule_arch == lxc_seccomp_arch_mipsel64n32 ? 1 : 0;
- INFO("Adding compat-only rule for %s action %d.", line, action);
+ INFO("Adding compat-only rule for %s action %d(%s).", line, action,
+ get_action_name(action));
if (!do_resolve_add_rule(compat_arch[arch_index], line, compat_ctx[arch_index], action))
goto bad_rule;
}
else {
- INFO("Adding native rule for %s action %d.", line, action);
+ INFO("Adding native rule for %s action %d(%s).", line, action,
+ get_action_name(action));
if (!do_resolve_add_rule(SCMP_ARCH_NATIVE, line, conf->seccomp_ctx, action))
goto bad_rule;
- INFO("Adding compat rule for %s action %d.", line, action);
+ INFO("Adding compat rule for %s action %d(%s).", line, action,
+ get_action_name(action));
if (!do_resolve_add_rule(compat_arch[0], line, compat_ctx[0], action))
goto bad_rule;
if (compat_arch[1] != SCMP_ARCH_NATIVE &&
More information about the lxc-devel
mailing list