[lxc-devel] [lxc/master] seccomp: export the seccomp filter after load it into kernel successful

[0x0916 on Github]

A non-text attachment was scrubbed...
Name: not available
Type: text/x-mailbox
Size: 3345 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20170520/b8c2c183/attachment.bin>
-------------- next part --------------
From 3783e4fe934b3ab853e4cf3d8927d4c3a1729147 Mon Sep 17 00:00:00 2001
From: 0x0916 <w at laoqinren.net>
Date: Sat, 20 May 2017 10:49:06 +0800
Subject: [PATCH] seccomp: export the seccomp filter after load it into kernel
 successful

when the log level is DEBUG OR TRACE, this patch export the seccomp
filter to log file.

the ouput of `seccomp_export_pfc()` is human readable and this feature
is useful for user to make sure their `seccomp configuration file` is
right.

Output for he default ubuntu container's seccomp filter is the
following:

```
      lxc-start ubuntu 20170520024159.412 INFO     lxc_apparmor - lsm/apparmor.c:apparmor_process_label_set:238 - changed apparmor profile to lxc-container-default-cgns
if ($arch == 3221225534)
  # filter for syscall "finit_module" (313) [priority: 65535]
  if ($syscall == 313)
    action ERRNO(1);
  # filter for syscall "open_by_handle_at" (304) [priority: 65535]
  if ($syscall == 304)
    action ERRNO(1);
  # filter for syscall "kexec_load" (246) [priority: 65535]
  if ($syscall == 246)
    action ERRNO(1);
  # filter for syscall "delete_module" (176) [priority: 65535]
  if ($syscall == 176)
    action ERRNO(1);
  # filter for syscall "init_module" (175) [priority: 65535]
  if ($syscall == 175)
    action ERRNO(1);
  # filter for syscall "umount2" (166) [priority: 65533]
  if ($syscall == 166)
    if ($a1.hi32 & 0x00000000 == 0)
      if ($a1.lo32 & 0x00000001 == 1)
        action ERRNO(13);
  # default action
  action ALLOW;
if ($arch == 1073741827)
  # filter for syscall "finit_module" (350) [priority: 65535]
  if ($syscall == 350)
    action ERRNO(1);
  # filter for syscall "open_by_handle_at" (342) [priority: 65535]
  if ($syscall == 342)
    action ERRNO(1);
  # filter for syscall "kexec_load" (283) [priority: 65535]
  if ($syscall == 283)
    action ERRNO(1);
  # filter for syscall "delete_module" (129) [priority: 65535]
  if ($syscall == 129)
    action ERRNO(1);
  # filter for syscall "init_module" (128) [priority: 65535]
  if ($syscall == 128)
    action ERRNO(1);
  # filter for syscall "umount2" (52) [priority: 65534]
  if ($syscall == 52)
    if ($a1 & 0x00000001 == 1)
      action ERRNO(13);
  # default action
  action ALLOW;
if ($arch == 3221225534)
  # filter for syscall "kexec_load" (1073742352) [priority: 65535]
  if ($syscall == 1073742352)
    action ERRNO(1);
  # filter for syscall "finit_module" (1073742137) [priority: 65535]
  if ($syscall == 1073742137)
    action ERRNO(1);
  # filter for syscall "open_by_handle_at" (1073742128) [priority: 65535]
  if ($syscall == 1073742128)
    action ERRNO(1);
  # filter for syscall "delete_module" (1073742000) [priority: 65535]
  if ($syscall == 1073742000)
    action ERRNO(1);
  # filter for syscall "init_module" (1073741999) [priority: 65535]
  if ($syscall == 1073741999)
    action ERRNO(1);
  # filter for syscall "umount2" (1073741990) [priority: 65534]
  if ($syscall == 1073741990)
    if ($a1 & 0x00000001 == 1)
      action ERRNO(13);
  # default action
  action ALLOW;
action KILL;
      lxc-start ubuntu 20170520024159.412 NOTICE   lxc_start - start.c:start:1470 - Exec'ing "/sbin/init".
```

Signed-off-by: 0x0916 <w at laoqinren.net>
---
 src/lxc/seccomp.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index 9369c90bf..bae7974e1 100644
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -791,6 +791,17 @@ int lxc_seccomp_load(struct lxc_conf *conf)
 		ERROR("Error loading the seccomp policy: %s.", strerror(-ret));
 		return -1;
 	}
+
+/* After load seccomp filter into the kernel successfully, export the current seccomp
+ * filter to log file */
+#if HAVE_SCMP_FILTER_CTX
+	if (lxc_log_get_level() <= LXC_LOG_PRIORITY_DEBUG) {
+		ret = seccomp_export_pfc(conf->seccomp_ctx, lxc_log_fd);
+		/* Just give an warning when export error */
+		if (ret < 0)
+			WARN("Failed to export seccomp filter to log file: %s.", strerror(-ret));
+	}
+#endif
 	return 0;
 }