[lxc-devel] [lxc/master] seccomp: export the seccomp filter after load it into kernel successful
0x0916 on Github
lxc-bot at linuxcontainers.org
Sat May 20 03:01:30 UTC 2017
A non-text attachment was scrubbed...
Name: not available
Type: text/x-mailbox
Size: 3345 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20170520/b8c2c183/attachment.bin>
-------------- next part --------------
From 3783e4fe934b3ab853e4cf3d8927d4c3a1729147 Mon Sep 17 00:00:00 2001
From: 0x0916 <w at laoqinren.net>
Date: Sat, 20 May 2017 10:49:06 +0800
Subject: [PATCH] seccomp: export the seccomp filter after load it into kernel
successful
when the log level is DEBUG OR TRACE, this patch export the seccomp
filter to log file.
the ouput of `seccomp_export_pfc()` is human readable and this feature
is useful for user to make sure their `seccomp configuration file` is
right.
Output for he default ubuntu container's seccomp filter is the
following:
```
lxc-start ubuntu 20170520024159.412 INFO lxc_apparmor - lsm/apparmor.c:apparmor_process_label_set:238 - changed apparmor profile to lxc-container-default-cgns
if ($arch == 3221225534)
# filter for syscall "finit_module" (313) [priority: 65535]
if ($syscall == 313)
action ERRNO(1);
# filter for syscall "open_by_handle_at" (304) [priority: 65535]
if ($syscall == 304)
action ERRNO(1);
# filter for syscall "kexec_load" (246) [priority: 65535]
if ($syscall == 246)
action ERRNO(1);
# filter for syscall "delete_module" (176) [priority: 65535]
if ($syscall == 176)
action ERRNO(1);
# filter for syscall "init_module" (175) [priority: 65535]
if ($syscall == 175)
action ERRNO(1);
# filter for syscall "umount2" (166) [priority: 65533]
if ($syscall == 166)
if ($a1.hi32 & 0x00000000 == 0)
if ($a1.lo32 & 0x00000001 == 1)
action ERRNO(13);
# default action
action ALLOW;
if ($arch == 1073741827)
# filter for syscall "finit_module" (350) [priority: 65535]
if ($syscall == 350)
action ERRNO(1);
# filter for syscall "open_by_handle_at" (342) [priority: 65535]
if ($syscall == 342)
action ERRNO(1);
# filter for syscall "kexec_load" (283) [priority: 65535]
if ($syscall == 283)
action ERRNO(1);
# filter for syscall "delete_module" (129) [priority: 65535]
if ($syscall == 129)
action ERRNO(1);
# filter for syscall "init_module" (128) [priority: 65535]
if ($syscall == 128)
action ERRNO(1);
# filter for syscall "umount2" (52) [priority: 65534]
if ($syscall == 52)
if ($a1 & 0x00000001 == 1)
action ERRNO(13);
# default action
action ALLOW;
if ($arch == 3221225534)
# filter for syscall "kexec_load" (1073742352) [priority: 65535]
if ($syscall == 1073742352)
action ERRNO(1);
# filter for syscall "finit_module" (1073742137) [priority: 65535]
if ($syscall == 1073742137)
action ERRNO(1);
# filter for syscall "open_by_handle_at" (1073742128) [priority: 65535]
if ($syscall == 1073742128)
action ERRNO(1);
# filter for syscall "delete_module" (1073742000) [priority: 65535]
if ($syscall == 1073742000)
action ERRNO(1);
# filter for syscall "init_module" (1073741999) [priority: 65535]
if ($syscall == 1073741999)
action ERRNO(1);
# filter for syscall "umount2" (1073741990) [priority: 65534]
if ($syscall == 1073741990)
if ($a1 & 0x00000001 == 1)
action ERRNO(13);
# default action
action ALLOW;
action KILL;
lxc-start ubuntu 20170520024159.412 NOTICE lxc_start - start.c:start:1470 - Exec'ing "/sbin/init".
```
Signed-off-by: 0x0916 <w at laoqinren.net>
---
src/lxc/seccomp.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index 9369c90bf..bae7974e1 100644
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -791,6 +791,17 @@ int lxc_seccomp_load(struct lxc_conf *conf)
ERROR("Error loading the seccomp policy: %s.", strerror(-ret));
return -1;
}
+
+/* After load seccomp filter into the kernel successfully, export the current seccomp
+ * filter to log file */
+#if HAVE_SCMP_FILTER_CTX
+ if (lxc_log_get_level() <= LXC_LOG_PRIORITY_DEBUG) {
+ ret = seccomp_export_pfc(conf->seccomp_ctx, lxc_log_fd);
+ /* Just give an warning when export error */
+ if (ret < 0)
+ WARN("Failed to export seccomp filter to log file: %s.", strerror(-ret));
+ }
+#endif
return 0;
}
More information about the lxc-devel
mailing list