[lxc-devel] [lxc/master] seccomp: cleanup
brauner on Github
lxc-bot at linuxcontainers.org
Thu May 24 14:56:55 UTC 2018
From 5fdc4e77a6433b65ace7372e486b12363f344a32 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Thu, 24 May 2018 13:34:49 +0200
Subject: [PATCH 01/17] lxcseccomp: cleanup header
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
src/lxc/lxcseccomp.h | 21 +++++++++++----------
1 file changed, 11 insertions(+), 10 deletions(-)
diff --git a/src/lxc/lxcseccomp.h b/src/lxc/lxcseccomp.h
index bfafe3aec..93d57bbdc 100644
--- a/src/lxc/lxcseccomp.h
+++ b/src/lxc/lxcseccomp.h
@@ -27,23 +27,24 @@
#include "conf.h"
#ifdef HAVE_SECCOMP
-int lxc_seccomp_load(struct lxc_conf *conf);
-int lxc_read_seccomp_config(struct lxc_conf *conf);
-void lxc_seccomp_free(struct lxc_conf *conf);
+extern int lxc_seccomp_load(struct lxc_conf *conf);
+extern int lxc_read_seccomp_config(struct lxc_conf *conf);
+extern void lxc_seccomp_free(struct lxc_conf *conf);
#else
-static inline int lxc_seccomp_load(struct lxc_conf *conf) {
+static inline int lxc_seccomp_load(struct lxc_conf *conf)
+{
return 0;
}
-static inline int lxc_read_seccomp_config(struct lxc_conf *conf) {
+static inline int lxc_read_seccomp_config(struct lxc_conf *conf)
+{
return 0;
}
-static inline void lxc_seccomp_free(struct lxc_conf *conf) {
- if (conf->seccomp) {
- free(conf->seccomp);
- conf->seccomp = NULL;
- }
+static inline void lxc_seccomp_free(struct lxc_conf *conf)
+{
+ free(conf->seccomp);
+ conf->seccomp = NULL;
}
#endif
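Review bot: `conf` goes unused in the `lxc_seccomp_load` and `lxc_read_seccomp_config` stubs, so every build without HAVE_SECCOMP gets an unused-parameter warning at -Wextra from a header that many translation units include. Adding `(void)conf;` as the first statement of each stub keeps the signature and silences it. The reformatted `lxc_seccomp_free` stub is fine: dropping the `if (conf->seccomp)` guard is safe because free(NULL) is a no-op.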
From ccf8d128e43076d96ab8509a42dfb7bb2133ae59 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Thu, 24 May 2018 13:35:01 +0200
Subject: [PATCH 02/17] seccomp: parse_config_v1()
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
src/lxc/seccomp.c | 23 ++++++++++++++---------
1 file changed, 14 insertions(+), 9 deletions(-)
diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index c7b8c1219..817b53633 100644
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -23,9 +23,9 @@
#define _GNU_SOURCE
#include <errno.h>
+#include <seccomp.h>
#include <stdio.h>
#include <stdlib.h>
-#include <seccomp.h>
#include <sys/mount.h>
#include <sys/utsname.h>
@@ -38,25 +38,30 @@ lxc_log_define(lxc_seccomp, lxc);
static int parse_config_v1(FILE *f, struct lxc_conf *conf)
{
- char line[1024];
- int ret;
+ int ret = 0;
+ size_t line_bufsz = 0;
+ char *line = NULL;
- while (fgets(line, 1024, f)) {
+ while (getline(&line, &line_bufsz, f) != -1) {
int nr;
+
ret = sscanf(line, "%d", &nr);
if (ret != 1)
return -1;
- ret = seccomp_rule_add(
+
#if HAVE_SCMP_FILTER_CTX
- conf->seccomp_ctx,
+ ret = seccomp_rule_add(conf->seccomp_ctx, SCMP_ACT_ALLOW, nr, 0);
+#else
+ ret = seccomp_rule_add(SCMP_ACT_ALLOW, nr, 0);
#endif
- SCMP_ACT_ALLOW, nr, 0);
if (ret < 0) {
ERROR("Failed loading allow rule for %d", nr);
- return ret;
+ break;
}
}
- return 0;
+ free(line);
+
+ return ret;
}
#if HAVE_DECL_SECCOMP_SYSCALL_RESOLVE_NAME_ARCH
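Review bot: The early `return -1` after the failed sscanf() now leaks the getline() buffer, because `free(line)` is only reached after the loop; with fgets() into a stack array this path was leak-free. Replacing the two lines with `if (ret != 1) { ret = -1; break; }` routes the error through the single cleanup path and still reports it. A blank or comment line in a v1 file takes that path as well, since sscanf() returns EOF or 0 there — pre-existing, but worth a one-line comment now that the function has a single exit.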
From 7ad3767052a663d6d2c4e4309cdac78ac388dca6 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Thu, 24 May 2018 13:38:08 +0200
Subject: [PATCH 03/17] utils: add remove_trailing_newlines()
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
src/lxc/lxccontainer.c | 15 ++++-----------
src/lxc/seccomp.c | 10 ----------
src/lxc/utils.c | 11 +++++++++++
src/lxc/utils.h | 1 +
4 files changed, 16 insertions(+), 21 deletions(-)
diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c
index 16182332c..fa66060db 100644
--- a/src/lxc/lxccontainer.c
+++ b/src/lxc/lxccontainer.c
@@ -2685,15 +2685,6 @@ static bool mod_rdep(struct lxc_container *c0, struct lxc_container *c, bool inc
return bret;
}
-static void strip_newline(char *p)
-{
- size_t len = strlen(p);
- if (len < 1)
- return;
- if (p[len-1] == '\n')
- p[len-1] = '\0';
-}
-
void mod_all_rdeps(struct lxc_container *c, bool inc)
{
struct lxc_container *p;
@@ -2716,8 +2707,10 @@ void mod_all_rdeps(struct lxc_container *c, bool inc)
ERROR("badly formatted file %s", path);
goto out;
}
- strip_newline(lxcpath);
- strip_newline(lxcname);
+
+ remove_trailing_newlines(lxcpath);
+ remove_trailing_newlines(lxcname);
+
if ((p = lxc_container_new(lxcname, lxcpath)) == NULL) {
ERROR("Unable to find dependent container %s:%s",
lxcpath, lxcname);
diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index 817b53633..1e754db22 100644
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -65,16 +65,6 @@ static int parse_config_v1(FILE *f, struct lxc_conf *conf)
}
#if HAVE_DECL_SECCOMP_SYSCALL_RESOLVE_NAME_ARCH
-static void remove_trailing_newlines(char *l)
-{
- char *p = l;
-
- while (*p)
- p++;
- while (--p >= l && *p == '\n')
- *p = '\0';
-}
-
static uint32_t get_v2_default_action(char *line)
{
uint32_t ret_action = -1;
diff --git a/src/lxc/utils.c b/src/lxc/utils.c
index 2669a4d4b..7525346e9 100644
--- a/src/lxc/utils.c
+++ b/src/lxc/utils.c
@@ -2533,3 +2533,14 @@ int lxc_set_death_signal(int signal)
return 0;
}
+
+void remove_trailing_newlines(char *l)
+{
+ char *p = l;
+
+ while (*p)
+ p++;
+
+ while (--p >= l && *p == '\n')
+ *p = '\0';
+}
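Review bot: `while (--p >= l && *p == '\n')` moves `p` to one before the start of the string when every character is a newline (or when `l` is empty), and forming a pointer before the start of an array is undefined behaviour even though the comparison usually works in practice. An index-based form avoids it: `size_t len = strlen(l); while (len > 0 && l[len - 1] == '\n') l[--len] = '\0';`. Note also that this shared helper strips every trailing newline, whereas the strip_newline() removed from lxccontainer.c stripped exactly one — presumably intended, but it is a small behaviour change for mod_all_rdeps().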
diff --git a/src/lxc/utils.h b/src/lxc/utils.h
index dd4510644..93e2a3ee4 100644
--- a/src/lxc/utils.h
+++ b/src/lxc/utils.h
@@ -453,6 +453,7 @@ extern void lxc_free_array(void **array, lxc_free_fn element_free_fn);
extern size_t lxc_array_len(void **array);
extern void **lxc_append_null_to_array(void **array, size_t count);
+extern void remove_trailing_newlines(char *l);
/* initialize rand with urandom */
extern int randseed(bool);
From 30448a13abc70e4de7578bf8ca4a26a58655b0ea Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Thu, 24 May 2018 13:42:47 +0200
Subject: [PATCH 04/17] seccomp: get_v2_default_action()
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
src/lxc/seccomp.c | 20 +++++++++++++-------
1 file changed, 13 insertions(+), 7 deletions(-)
diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index 1e754db22..aae1921b4 100644
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -71,20 +71,26 @@ static uint32_t get_v2_default_action(char *line)
while (*line == ' ')
line++;
+
/* After 'whitelist' or 'blacklist' comes default behavior. */
- if (strncmp(line, "kill", 4) == 0)
+ if (strncmp(line, "kill", 4) == 0) {
ret_action = SCMP_ACT_KILL;
- else if (strncmp(line, "errno", 5) == 0) {
- int e;
- if (sscanf(line + 5, "%d", &e) != 1) {
- ERROR("Bad errno value in %s", line);
+ } else if (strncmp(line, "errno", 5) == 0) {
+ int e, ret;
+
+ ret = sscanf(line + 5, "%d", &e);
+ if (ret != 1) {
+ ERROR("Failed to parse errno value from %s", line);
return -2;
}
+
ret_action = SCMP_ACT_ERRNO(e);
- } else if (strncmp(line, "allow", 5) == 0)
+ } else if (strncmp(line, "allow", 5) == 0) {
ret_action = SCMP_ACT_ALLOW;
- else if (strncmp(line, "trap", 4) == 0)
+ } else if (strncmp(line, "trap", 4) == 0) {
ret_action = SCMP_ACT_TRAP;
+ }
+
return ret_action;
}
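Review bot: The errno value parsed into `e` is not range-checked before `SCMP_ACT_ERRNO(e)`; libseccomp's macro keeps only the low 16 bits of its argument, so a negative or oversized value in a policy file is silently turned into a different errno instead of being rejected. Extending the reworked check to `if (ret != 1 || e < 0 || e > 0xffff) {` reuses the error path the commit already has. The `%d` parse also accepts trailing junk after the number, which sscanf() cannot detect; a strtol()-based parse with an end-pointer check would, if stricter validation of the policy file is wanted. get_v2_default_action starts before this hunk.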
From f0fd80ae3d90185dc169f0871b6e1d08e0c9d8ff Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Thu, 24 May 2018 13:46:06 +0200
Subject: [PATCH 05/17] seccomp: get_action_name()
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
src/lxc/seccomp.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index aae1921b4..f03dc4ab5 100644
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -97,7 +97,7 @@ static uint32_t get_v2_default_action(char *line)
static const char *get_action_name(uint32_t action)
{
/* The upper 16 bits indicate the type of the seccomp action. */
- switch(action & 0xffff0000){
+ switch (action & 0xffff0000) {
case SCMP_ACT_KILL:
return "kill";
case SCMP_ACT_ALLOW:
@@ -106,9 +106,9 @@ static const char *get_action_name(uint32_t action)
return "trap";
case SCMP_ACT_ERRNO(0):
return "errno";
- default:
- return "invalid action";
}
+
+ return "invalid action";
}
static uint32_t get_v2_action(char *line, uint32_t def_action)
From 1ab6b4a12eb5c1ad55659886779d9ef864581d56 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Thu, 24 May 2018 13:47:59 +0200
Subject: [PATCH 06/17] seccomp: get_v2_action()
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
src/lxc/seccomp.c | 51 +++++++++++++++++++++++++++++----------------------
1 file changed, 29 insertions(+), 22 deletions(-)
diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index f03dc4ab5..d2f80cb70 100644
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -65,6 +65,23 @@ static int parse_config_v1(FILE *f, struct lxc_conf *conf)
}
#if HAVE_DECL_SECCOMP_SYSCALL_RESOLVE_NAME_ARCH
+static const char *get_action_name(uint32_t action)
+{
+ /* The upper 16 bits indicate the type of the seccomp action. */
+ switch (action & 0xffff0000) {
+ case SCMP_ACT_KILL:
+ return "kill";
+ case SCMP_ACT_ALLOW:
+ return "allow";
+ case SCMP_ACT_TRAP:
+ return "trap";
+ case SCMP_ACT_ERRNO(0):
+ return "errno";
+ }
+
+ return "invalid action";
+}
+
static uint32_t get_v2_default_action(char *line)
{
uint32_t ret_action = -1;
@@ -94,41 +111,31 @@ static uint32_t get_v2_default_action(char *line)
return ret_action;
}
-static const char *get_action_name(uint32_t action)
-{
- /* The upper 16 bits indicate the type of the seccomp action. */
- switch (action & 0xffff0000) {
- case SCMP_ACT_KILL:
- return "kill";
- case SCMP_ACT_ALLOW:
- return "allow";
- case SCMP_ACT_TRAP:
- return "trap";
- case SCMP_ACT_ERRNO(0):
- return "errno";
- }
-
- return "invalid action";
-}
-
static uint32_t get_v2_action(char *line, uint32_t def_action)
{
- char *p = strchr(line, ' ');
+ char *p;
uint32_t ret;
+ p = strchr(line, ' ');
if (!p)
return def_action;
p++;
+
while (*p == ' ')
p++;
+
if (!*p || *p == '#')
return def_action;
+
ret = get_v2_default_action(p);
- switch(ret) {
- case -2: return -1;
- case -1: return def_action;
- default: return ret;
+ switch (ret) {
+ case -2:
+ return -1;
+ case -1:
+ return def_action;
}
+
+ return ret;
}
struct v2_rule_args {
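Review bot: get_v2_action() returns `uint32_t` yet uses `-1` and the `case -2:`/`case -1:` labels as sentinels, so the comparisons only work through the implicit conversion to 0xffffffff/0xfffffffe and every caller has to know that. A short header comment would make the contract explicit, e.g. `/* Returns the action for this rule, def_action when the line carries none, or (uint32_t)-1 when the action is malformed. */`. The same sentinels originate in get_v2_default_action(), whose -2 is mapped to -1 here, so that mapping belongs in the comment too.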
From 63a49b03f4fcc4b62cbd29bdfe6844cd248af7bd Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Thu, 24 May 2018 13:49:36 +0200
Subject: [PATCH 07/17] seccomp: fix get_seccomp_arg_value()
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
src/lxc/seccomp.c | 19 ++++++++++---------
1 file changed, 10 insertions(+), 9 deletions(-)
diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index d2f80cb70..176964c3a 100644
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -138,7 +138,7 @@ static uint32_t get_v2_action(char *line, uint32_t def_action)
return ret;
}
-struct v2_rule_args {
+struct seccomp_v2_rule_args {
uint32_t index;
uint64_t value;
uint64_t mask;
@@ -148,7 +148,7 @@ struct v2_rule_args {
struct seccomp_v2_rule {
uint32_t action;
uint32_t args_num;
- struct v2_rule_args args_value[6];
+ struct seccomp_v2_rule_args args_value[6];
};
static enum scmp_compare parse_v2_rule_op(char *s)
@@ -171,7 +171,8 @@ static enum scmp_compare parse_v2_rule_op(char *s)
return _SCMP_CMP_MAX;
}
-/* This function is used to parse the args string into the structure.
+/*
+ * This function is used to parse the args string into the structure.
* args string format:[index,value,op,valueTwo] or [index,value,op]
* index: the index for syscall arguments (type uint)
* value: the value for syscall arguments (type uint64)
@@ -182,21 +183,21 @@ static enum scmp_compare parse_v2_rule_op(char *s)
* valueTwo: the value for syscall arguments only used for mask eq (type uint64, optional)
* Returns 0 on success, < 0 otherwise.
*/
-static int get_seccomp_arg_value(char *key, struct v2_rule_args *rule_args)
+static int get_seccomp_arg_value(char *key, struct seccomp_v2_rule_args *rule_args)
{
int ret = 0;
- uint64_t value = 0;
- uint64_t mask = 0;
- enum scmp_compare op = 0;
uint32_t index = 0;
- char s[31] = {0}, v[24] = {0}, m[24] = {0};
+ uint64_t mask = 0, value = 0;
+ enum scmp_compare op = 0;
char *tmp = NULL;
+ char s[31] = {0}, v[24] = {0}, m[24] = {0};
tmp = strchr(key, '[');
if (!tmp) {
ERROR("Failed to interpret args");
return -1;
}
+
ret = sscanf(tmp, "[%i,%23[^,],%30[^0-9^,],%23[^,]", &index, v, s, m);
if ((ret != 3 && ret != 4) || index >= 6) {
ERROR("Failed to interpret args value");
@@ -209,7 +210,7 @@ static int get_seccomp_arg_value(char *key, struct v2_rule_args *rule_args)
return -1;
}
- ret = lxc_safe_uint64(v, &mask);
+ ret = lxc_safe_uint64(m, &mask);
if (ret < 0) {
ERROR("Invalid argument mask");
return -1;
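Review bot: With the mask now read from `m`, the three-field form `[index,value,op]` documented above get_seccomp_arg_value() leaves `m` as the empty string, and if lxc_safe_uint64() rejects an empty string — its strtoull-based end-pointer check would, as far as I can tell — every such rule now fails with "Invalid argument mask" where it used to parse (the old code read the value a second time). The fix itself is right; the mask should just be parsed only when sscanf() matched four fields, which needs the field count kept in its own variable (e.g. `bool has_mask`, declared alongside the others in the previous hunk) because `ret` is reused for the value parse. The sscanf() call and its check sit in the hunk above this one, where get_seccomp_arg_value also starts.
```c
	/* … unchanged: sscanf() into index, v, s, m and the field-count/index check … */
	has_mask = (ret == 4);
	/* … unchanged: value and op parsing … */
	if (has_mask) {
		ret = lxc_safe_uint64(m, &mask);
		if (ret < 0) {
			ERROR("Invalid argument mask");
			return -1;
		}
	}
```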
From 4336105aad566f9072296538c638f3b0bb93d8c4 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Thu, 24 May 2018 16:22:58 +0200
Subject: [PATCH 08/17] seccomp: parse_v2_rules()
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
src/lxc/seccomp.c | 30 ++++++++++++++----------------
1 file changed, 14 insertions(+), 16 deletions(-)
diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index 176964c3a..1a56a49d9 100644
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -235,13 +235,11 @@ static int get_seccomp_arg_value(char *key, struct seccomp_v2_rule_args *rule_ar
* @rules : output struct.
* Returns 0 on success, < 0 otherwise.
*/
-static int parse_v2_rules(char *line, uint32_t def_action, struct seccomp_v2_rule *rules)
+static int parse_v2_rules(char *line, uint32_t def_action,
+ struct seccomp_v2_rule *rules)
{
- int ret = 0 ;
- int i = 0;
- char *tmp = NULL;
- char *key = NULL;
- char *saveptr = NULL;
+ int i = 0, ret = -1;
+ char *key = NULL, *saveptr = NULL, *tmp = NULL;
tmp = strdup(line);
if (!tmp)
@@ -249,33 +247,33 @@ static int parse_v2_rules(char *line, uint32_t def_action, struct seccomp_v2_rul
/* read optional action which follows the syscall */
rules->action = get_v2_action(tmp, def_action);
- if (rules->action == -1) {
+ if (rules->action < 0) {
ERROR("Failed to interpret action");
- ret = -1;
goto out;
}
+ ret = 0;
rules->args_num = 0;
- if (!strchr(tmp, '[')) {
- ret = 0;
+ if (!strchr(tmp, '['))
goto out;
- }
- for ((key = strtok_r(tmp, "]", &saveptr)), i = 0; key && i < 6; (key = strtok_r(NULL, "]", &saveptr)), i++) {
+ ret = -1;
+ for ((key = strtok_r(tmp, "]", &saveptr)), i = 0; key && i < 6;
+ (key = strtok_r(NULL, "]", &saveptr)), i++) {
ret = get_seccomp_arg_value(key, &rules->args_value[i]);
- if (ret < 0) {
- ret = -1;
+ if (ret < 0)
goto out;
- }
+
rules->args_num++;
}
ret = 0;
+
out:
free(tmp);
+
return ret;
}
-
#endif
#if HAVE_DECL_SECCOMP_SYSCALL_RESOLVE_NAME_ARCH
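Review bot: `if (rules->action < 0)` can never be true: `action` is `uint32_t` (struct seccomp_v2_rule, renamed in the previous patch), so the `(uint32_t)-1` that get_v2_action() returns for a malformed action passes the check and is later handed to seccomp_rule_add_exact_array() as an action value. The previous `== -1` comparison worked because the constant converts to 0xffffffff; keep that form, ideally as `if (rules->action == (uint32_t)-1) {` so the intent is visible, and expect -Wtype-limits to flag the current line. The `ret = 0; … goto out; ret = -1;` sequence below it would also read more easily with `ret` set once at each exit.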
From 5ae10abd9d1202ecffa5a93adbb6555912794984 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Thu, 24 May 2018 16:24:09 +0200
Subject: [PATCH 09/17] seccomp: move #ifdefines
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
src/lxc/seccomp.c | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index 1a56a49d9..bf15c8a6b 100644
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -34,6 +34,14 @@
#include "lxcseccomp.h"
#include "utils.h"
+#ifdef __MIPSEL__
+#define MIPS_ARCH_O32 lxc_seccomp_arch_mipsel
+#define MIPS_ARCH_N64 lxc_seccomp_arch_mipsel64
+#else
+#define MIPS_ARCH_O32 lxc_seccomp_arch_mips
+#define MIPS_ARCH_N64 lxc_seccomp_arch_mips64
+#endif
+
lxc_log_define(lxc_seccomp, lxc);
static int parse_config_v1(FILE *f, struct lxc_conf *conf)
@@ -298,14 +306,6 @@ enum lxc_hostarch_t {
lxc_seccomp_arch_unknown = 999,
};
-#ifdef __MIPSEL__
-# define MIPS_ARCH_O32 lxc_seccomp_arch_mipsel
-# define MIPS_ARCH_N64 lxc_seccomp_arch_mipsel64
-#else
-# define MIPS_ARCH_O32 lxc_seccomp_arch_mips
-# define MIPS_ARCH_N64 lxc_seccomp_arch_mips64
-#endif
-
int get_hostarch(void)
{
struct utsname uts;
From 2fba3515bada608fb22e90c0be55b38dd67f578f Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Thu, 24 May 2018 16:24:59 +0200
Subject: [PATCH 10/17] seccomp: get_hostarch()
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
src/lxc/seccomp.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index bf15c8a6b..69509d0c7 100644
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -313,6 +313,7 @@ int get_hostarch(void)
SYSERROR("Failed to read host arch");
return -1;
}
+
if (strcmp(uts.machine, "i686") == 0)
return lxc_seccomp_arch_i386;
/* no x32 kernels */
@@ -334,6 +335,7 @@ int get_hostarch(void)
return MIPS_ARCH_O32;
else if (strncmp(uts.machine, "s390x", 5) == 0)
return lxc_seccomp_arch_s390x;
+
return lxc_seccomp_arch_unknown;
}
From 857cc7571a09a9670c3f3ec50efe0b8ba9de4a23 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Thu, 24 May 2018 16:28:02 +0200
Subject: [PATCH 11/17] seccomp: scmp_filter_ctx get_new_ctx()
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
src/lxc/seccomp.c | 88 +++++++++++++++++++++++++++++++++++++++----------------
1 file changed, 62 insertions(+), 26 deletions(-)
diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index 69509d0c7..092cc538a 100644
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -339,56 +339,92 @@ int get_hostarch(void)
return lxc_seccomp_arch_unknown;
}
-scmp_filter_ctx get_new_ctx(enum lxc_hostarch_t n_arch, uint32_t default_policy_action, bool *needs_merge)
+scmp_filter_ctx get_new_ctx(enum lxc_hostarch_t n_arch,
+ uint32_t default_policy_action, bool *needs_merge)
{
- scmp_filter_ctx ctx;
int ret;
uint32_t arch;
+ scmp_filter_ctx ctx;
- switch(n_arch) {
- case lxc_seccomp_arch_i386: arch = SCMP_ARCH_X86; break;
- case lxc_seccomp_arch_x32: arch = SCMP_ARCH_X32; break;
- case lxc_seccomp_arch_amd64: arch = SCMP_ARCH_X86_64; break;
- case lxc_seccomp_arch_arm: arch = SCMP_ARCH_ARM; break;
+ switch (n_arch) {
+ case lxc_seccomp_arch_i386:
+ arch = SCMP_ARCH_X86;
+ break;
+ case lxc_seccomp_arch_x32:
+ arch = SCMP_ARCH_X32;
+ break;
+ case lxc_seccomp_arch_amd64:
+ arch = SCMP_ARCH_X86_64;
+ break;
+ case lxc_seccomp_arch_arm:
+ arch = SCMP_ARCH_ARM;
+ break;
#ifdef SCMP_ARCH_AARCH64
- case lxc_seccomp_arch_arm64: arch = SCMP_ARCH_AARCH64; break;
+ case lxc_seccomp_arch_arm64:
+ arch = SCMP_ARCH_AARCH64;
+ break;
#endif
#ifdef SCMP_ARCH_PPC64LE
- case lxc_seccomp_arch_ppc64le: arch = SCMP_ARCH_PPC64LE; break;
+ case lxc_seccomp_arch_ppc64le:
+ arch = SCMP_ARCH_PPC64LE;
+ break;
#endif
#ifdef SCMP_ARCH_PPC64
- case lxc_seccomp_arch_ppc64: arch = SCMP_ARCH_PPC64; break;
+ case lxc_seccomp_arch_ppc64:
+ arch = SCMP_ARCH_PPC64;
+ break;
#endif
#ifdef SCMP_ARCH_PPC
- case lxc_seccomp_arch_ppc: arch = SCMP_ARCH_PPC; break;
+ case lxc_seccomp_arch_ppc:
+ arch = SCMP_ARCH_PPC;
+ break;
#endif
#ifdef SCMP_ARCH_MIPS
- case lxc_seccomp_arch_mips: arch = SCMP_ARCH_MIPS; break;
- case lxc_seccomp_arch_mips64: arch = SCMP_ARCH_MIPS64; break;
- case lxc_seccomp_arch_mips64n32: arch = SCMP_ARCH_MIPS64N32; break;
- case lxc_seccomp_arch_mipsel: arch = SCMP_ARCH_MIPSEL; break;
- case lxc_seccomp_arch_mipsel64: arch = SCMP_ARCH_MIPSEL64; break;
- case lxc_seccomp_arch_mipsel64n32: arch = SCMP_ARCH_MIPSEL64N32; break;
+ case lxc_seccomp_arch_mips:
+ arch = SCMP_ARCH_MIPS;
+ break;
+ case lxc_seccomp_arch_mips64:
+ arch = SCMP_ARCH_MIPS64;
+ break;
+ case lxc_seccomp_arch_mips64n32:
+ arch = SCMP_ARCH_MIPS64N32;
+ break;
+ case lxc_seccomp_arch_mipsel:
+ arch = SCMP_ARCH_MIPSEL;
+ break;
+ case lxc_seccomp_arch_mipsel64:
+ arch = SCMP_ARCH_MIPSEL64;
+ break;
+ case lxc_seccomp_arch_mipsel64n32:
+ arch = SCMP_ARCH_MIPSEL64N32;
+ break;
#endif
#ifdef SCMP_ARCH_S390X
- case lxc_seccomp_arch_s390x: arch = SCMP_ARCH_S390X; break;
+ case lxc_seccomp_arch_s390x:
+ arch = SCMP_ARCH_S390X;
+ break;
#endif
- default: return NULL;
+ default:
+ return NULL;
}
- if ((ctx = seccomp_init(default_policy_action)) == NULL) {
+ ctx = seccomp_init(default_policy_action);
+ if (!ctx) {
ERROR("Error initializing seccomp context");
return NULL;
}
- if (seccomp_attr_set(ctx, SCMP_FLTATR_CTL_NNP, 0)) {
- ERROR("Failed to turn off no-new-privs");
+
+ ret = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_NNP, 0);
+ if (ret < 0) {
+ ERROR("%s - Failed to turn off no-new-privs", strerror(-ret));
seccomp_release(ctx);
return NULL;
}
+
#ifdef SCMP_FLTATR_ATL_TSKIP
- if (seccomp_attr_set(ctx, SCMP_FLTATR_ATL_TSKIP, 1)) {
- WARN("Failed to turn on seccomp nop-skip, continuing");
- }
+ ret = seccomp_attr_set(ctx, SCMP_FLTATR_ATL_TSKIP, 1);
+ if (ret < 0)
+ WARN("%s - Failed to turn on seccomp nop-skip, continuing", strerror(-ret));
#endif
ret = seccomp_arch_exist(ctx, arch);
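Review bot: The reworked `seccomp_attr_set(ctx, SCMP_FLTATR_CTL_NNP, 0)` block has a security-relevant effect — it stops libseccomp from setting no_new_privs when the filter is loaded — but nothing at the call site says why LXC wants that, and the same call is repeated in parse_config_v2(). A one-line comment above it such as `/* NOTE(review): no_new_privs is left to LXC's own configuration rather than forced by the filter load — confirm rationale */` would keep the next reader from "fixing" it. The `strerror(-ret)` uses assume libseccomp returns negative errno values, which the `ret != -EEXIST` check further down already relies on. get_new_ctx continues past the end of this hunk.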
@@ -396,7 +432,7 @@ scmp_filter_ctx get_new_ctx(enum lxc_hostarch_t n_arch, uint32_t default_policy_
if (ret != -EEXIST) {
ERROR("%s - Failed to determine whether arch %d is "
"already present in the main seccomp context",
- strerror(-ret), (int)n_arch);
+ strerror(-ret), (int)n_arch);
seccomp_release(ctx);
return NULL;
}
From 3462394306d6297cebc154f0b7c594667b249344 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Thu, 24 May 2018 16:35:21 +0200
Subject: [PATCH 12/17] seccomp: do_resolve_add_rule()
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
src/lxc/seccomp.c | 57 ++++++++++++++++++++++++++++++-------------------------
1 file changed, 31 insertions(+), 26 deletions(-)
diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index 092cc538a..4ab551134 100644
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -464,18 +464,14 @@ scmp_filter_ctx get_new_ctx(enum lxc_hostarch_t n_arch,
}
bool do_resolve_add_rule(uint32_t arch, char *line, scmp_filter_ctx ctx,
- struct seccomp_v2_rule *rule)
+ struct seccomp_v2_rule *rule)
{
- int nr, ret, i;
- struct scmp_arg_cmp arg_cmp[6];
-
- memset(arg_cmp, 0 ,sizeof(arg_cmp));
+ int i, nr, ret;
+ struct scmp_arg_cmp arg_cmp[6] = {0};
ret = seccomp_arch_exist(ctx, arch);
if (arch && ret != 0) {
- ERROR("BUG: Seccomp: rule and context arch do not match (arch "
- "%d): %s",
- arch, strerror(-ret));
+ ERROR("%s - Seccomp: rule and context arch do not match (arch %d)", strerror(-ret), arch);
return false;
}
@@ -485,49 +481,58 @@ bool do_resolve_add_rule(uint32_t arch, char *line, scmp_filter_ctx ctx,
*p = '\0';
if (strncmp(line, "reject_force_umount", 19) == 0) {
- INFO("Setting Seccomp rule to reject force umounts");
- ret = seccomp_rule_add_exact(ctx, SCMP_ACT_ERRNO(EACCES), SCMP_SYS(umount2),
- 1, SCMP_A1(SCMP_CMP_MASKED_EQ , MNT_FORCE , MNT_FORCE ));
+ ret = seccomp_rule_add_exact(ctx, SCMP_ACT_ERRNO(EACCES),
+ SCMP_SYS(umount2), 1,
+ SCMP_A1(SCMP_CMP_MASKED_EQ, MNT_FORCE, MNT_FORCE));
if (ret < 0) {
- ERROR("Failed (%d) loading rule to reject force "
- "umount: %s",
- ret, strerror(-ret));
+ ERROR("%s - Failed loading rule to reject force umount", strerror(-ret));
return false;
}
+
+ INFO("Set seccomp rule to reject force umounts");
return true;
}
nr = seccomp_syscall_resolve_name(line);
if (nr == __NR_SCMP_ERROR) {
- WARN("Seccomp: failed to resolve syscall: %s", line);
+ WARN("Failed to resolve syscall \"%s\"", line);
WARN("This syscall will NOT be blacklisted");
return true;
}
+
if (nr < 0) {
- WARN("Seccomp: got negative for syscall: %d: %s", nr, line);
+ WARN("Got negative return value %d for syscall \"%s\"", nr, line);
WARN("This syscall will NOT be blacklisted");
return true;
}
for (i = 0; i < rule->args_num; i++) {
- INFO("arg_cmp[%d]:SCMP_CMP(%u, %llu, %llu, %llu)", i,
- rule->args_value[i].index,
- (long long unsigned int)rule->args_value[i].op,
- (long long unsigned int)rule->args_value[i].mask,
- (long long unsigned int)rule->args_value[i].value);
+ INFO("arg_cmp[%d]: SCMP_CMP(%u, %llu, %llu, %llu)", i,
+ rule->args_value[i].index,
+ (long long unsigned int)rule->args_value[i].op,
+ (long long unsigned int)rule->args_value[i].mask,
+ (long long unsigned int)rule->args_value[i].value);
if (SCMP_CMP_MASKED_EQ == rule->args_value[i].op)
- arg_cmp[i] = SCMP_CMP(rule->args_value[i].index, rule->args_value[i].op, rule->args_value[i].mask, rule->args_value[i].value);
+ arg_cmp[i] = SCMP_CMP(rule->args_value[i].index,
+ rule->args_value[i].op,
+ rule->args_value[i].mask,
+ rule->args_value[i].value);
else
- arg_cmp[i] = SCMP_CMP(rule->args_value[i].index, rule->args_value[i].op, rule->args_value[i].value);
+ arg_cmp[i] = SCMP_CMP(rule->args_value[i].index,
+ rule->args_value[i].op,
+ rule->args_value[i].value);
}
- ret = seccomp_rule_add_exact_array(ctx, rule->action, nr, rule->args_num, arg_cmp);
+ ret = seccomp_rule_add_exact_array(ctx, rule->action, nr,
+ rule->args_num, arg_cmp);
if (ret < 0) {
- ERROR("Failed (%d) loading rule for %s (nr %d action %d(%s)): %s",
- ret, line, nr, rule->action, get_action_name(rule->action), strerror(-ret));
+ ERROR("%s - Failed loading rule for %s (nr %d action %d (%s))",
+ strerror(-ret), line, nr, rule->action,
+ get_action_name(rule->action));
return false;
}
+
return true;
}
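Review bot: The two `WARN("This syscall will NOT be blacklisted")` messages are only accurate when the rule's action denies; for a whitelist rule an unresolvable syscall name means the syscall is not allowed, and for a blacklist rule it stays allowed, so the function fails open without saying so. Since `rule->action` is at hand, a message such as `WARN("Skipping rule for \"%s\" (action %s): syscall could not be resolved", line, get_action_name(rule->action));` describes both cases. The loop index `i` is `int` while `rule->args_num` is `uint32_t`, which -Wsign-compare flags; `uint32_t i` avoids it. do_resolve_add_rule starts in the previous hunk.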
From 3bbf11ebf7ed5d66b339a67884fb81d8b18f057f Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Thu, 24 May 2018 16:47:08 +0200
Subject: [PATCH 13/17] seccomp: parse_config_v2()
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
src/lxc/seccomp.c | 85 ++++++++++++++++++++++++++++++++++++++++---------------
1 file changed, 62 insertions(+), 23 deletions(-)
diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index 4ab551134..6ce3d5559 100644
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -552,12 +552,13 @@ bool do_resolve_add_rule(uint32_t arch, char *line, scmp_filter_ctx ctx,
*/
static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
{
- char *p;
int ret;
+ char *p;
+ enum lxc_hostarch_t cur_rule_arch, native_arch;
+ size_t line_bufsz = 0;
bool blacklist = false;
+ char *rule_line = NULL;
uint32_t default_policy_action = -1, default_rule_action = -1;
- enum lxc_hostarch_t native_arch = get_hostarch(),
- cur_rule_arch = native_arch;
struct seccomp_v2_rule rule;
struct scmp_ctx_info {
uint32_t architectures[3];
@@ -568,11 +569,12 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
if (strncmp(line, "blacklist", 9) == 0)
blacklist = true;
else if (strncmp(line, "whitelist", 9) != 0) {
- ERROR("Bad seccomp policy style: %s", line);
+ ERROR("Bad seccomp policy style \"%s\"", line);
return -1;
}
- if ((p = strchr(line, ' '))) {
+ p = strchr(line, ' ');
+ if (p) {
default_policy_action = get_v2_default_action(p + 1);
if (default_policy_action == -2)
return -1;
@@ -582,11 +584,13 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
if (blacklist) {
if (default_policy_action == -1)
default_policy_action = SCMP_ACT_ALLOW;
+
if (default_rule_action == -1)
default_rule_action = SCMP_ACT_KILL;
} else {
if (default_policy_action == -1)
default_policy_action = SCMP_ACT_KILL;
+
if (default_rule_action == -1)
default_rule_action = SCMP_ACT_ALLOW;
}
@@ -595,6 +599,8 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
ctx.architectures[0] = SCMP_ARCH_NATIVE;
ctx.architectures[1] = SCMP_ARCH_NATIVE;
ctx.architectures[2] = SCMP_ARCH_NATIVE;
+ native_arch = get_hostarch();
+ cur_rule_arch = native_arch;
if (native_arch == lxc_seccomp_arch_amd64) {
cur_rule_arch = lxc_seccomp_arch_all;
@@ -641,17 +647,17 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
cur_rule_arch = lxc_seccomp_arch_all;
ctx.architectures[0] = SCMP_ARCH_ARM;
- ctx.contexts[0] =
- get_new_ctx(lxc_seccomp_arch_arm, default_policy_action,
- &ctx.needs_merge[0]);
+ ctx.contexts[0] = get_new_ctx(lxc_seccomp_arch_arm,
+ default_policy_action,
+ &ctx.needs_merge[0]);
if (!ctx.contexts[0])
goto bad;
#ifdef SCMP_ARCH_AARCH64
ctx.architectures[2] = SCMP_ARCH_AARCH64;
- ctx.contexts[2] =
- get_new_ctx(lxc_seccomp_arch_arm64, default_policy_action,
- &ctx.needs_merge[2]);
+ ctx.contexts[2] = get_new_ctx(lxc_seccomp_arch_arm64,
+ default_policy_action,
+ &ctx.needs_merge[2]);
if (!ctx.contexts[2])
goto bad;
#endif
@@ -712,25 +718,30 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
ERROR("Error re-initializing Seccomp");
return -1;
}
- if (seccomp_attr_set(conf->seccomp_ctx, SCMP_FLTATR_CTL_NNP, 0)) {
- ERROR("Failed to turn off no-new-privs");
+
+ ret = seccomp_attr_set(conf->seccomp_ctx, SCMP_FLTATR_CTL_NNP, 0);
+ if (ret < 0) {
+ ERROR("%s - Failed to turn off no-new-privs", strerror(-ret));
return -1;
}
+
#ifdef SCMP_FLTATR_ATL_TSKIP
- if (seccomp_attr_set(conf->seccomp_ctx, SCMP_FLTATR_ATL_TSKIP, 1)) {
- WARN("Failed to turn on seccomp nop-skip, continuing");
- }
+ ret = seccomp_attr_set(conf->seccomp_ctx, SCMP_FLTATR_ATL_TSKIP, 1);
+ if (ret < 0)
+ WARN("%s - Failed to turn on seccomp nop-skip, continuing", strerror(-ret));
#endif
}
- while (fgets(line, 1024, f)) {
-
+ while (getline(&rule_line, &line_bufsz, f) != -1) {
if (line[0] == '#')
continue;
- if (strlen(line) == 0)
+
+ if (line[0] == '\0')
continue;
+
remove_trailing_newlines(line);
- INFO("processing: .%s", line);
+
+ INFO("Processing \"%s\"", line);
if (line[0] == '[') {
/* Read the architecture for next set of rules. */
if (strcmp(line, "[x86]") == 0 ||
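Review bot: The loop now reads each line into `rule_line`, but every statement in the body — the `'#'` and empty-line checks, `remove_trailing_newlines(line)`, the INFO log and the `[arch]` matching — still operates on `line`, the caller's policy header line, so the same first line is processed on every iteration and no rule line is ever parsed. The smallest fix is to process the buffer getline() fills, e.g. `line = rule_line;` as the first statement of the loop body (rebinding the parameter locally), or to rename the uses. `rule_line` is also never freed in the visible hunks; a `free(rule_line)` is needed after the loop and on the `bad`/`bad_rule`/`bad_arch` paths, which lie outside this hunk. parse_config_v2 continues past the end of the hunk.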
@@ -740,6 +751,7 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
cur_rule_arch = lxc_seccomp_arch_unknown;
continue;
}
+
cur_rule_arch = lxc_seccomp_arch_i386;
} else if (strcmp(line, "[x32]") == 0 ||
strcmp(line, "[X32]") == 0) {
@@ -747,6 +759,7 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
cur_rule_arch = lxc_seccomp_arch_unknown;
continue;
}
+
cur_rule_arch = lxc_seccomp_arch_x32;
} else if (strcmp(line, "[X86_64]") == 0 ||
strcmp(line, "[x86_64]") == 0) {
@@ -754,6 +767,7 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
cur_rule_arch = lxc_seccomp_arch_unknown;
continue;
}
+
cur_rule_arch = lxc_seccomp_arch_amd64;
} else if (strcmp(line, "[all]") == 0 ||
strcmp(line, "[ALL]") == 0) {
@@ -767,6 +781,7 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
cur_rule_arch = lxc_seccomp_arch_unknown;
continue;
}
+
cur_rule_arch = lxc_seccomp_arch_arm;
}
#endif
@@ -777,6 +792,7 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
cur_rule_arch = lxc_seccomp_arch_unknown;
continue;
}
+
cur_rule_arch = lxc_seccomp_arch_arm64;
}
#endif
@@ -787,6 +803,7 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
cur_rule_arch = lxc_seccomp_arch_unknown;
continue;
}
+
cur_rule_arch = lxc_seccomp_arch_ppc64le;
}
#endif
@@ -797,6 +814,7 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
cur_rule_arch = lxc_seccomp_arch_unknown;
continue;
}
+
cur_rule_arch = lxc_seccomp_arch_ppc64;
}
#endif
@@ -808,6 +826,7 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
cur_rule_arch = lxc_seccomp_arch_unknown;
continue;
}
+
cur_rule_arch = lxc_seccomp_arch_ppc;
}
#endif
@@ -818,6 +837,7 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
cur_rule_arch = lxc_seccomp_arch_unknown;
continue;
}
+
cur_rule_arch = lxc_seccomp_arch_mips64;
} else if (strcmp(line, "[mips64n32]") == 0 ||
strcmp(line, "[MIPS64N32]") == 0) {
@@ -825,6 +845,7 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
cur_rule_arch = lxc_seccomp_arch_unknown;
continue;
}
+
cur_rule_arch = lxc_seccomp_arch_mips64n32;
} else if (strcmp(line, "[mips]") == 0 ||
strcmp(line, "[MIPS]") == 0) {
@@ -833,6 +854,7 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
cur_rule_arch = lxc_seccomp_arch_unknown;
continue;
}
+
cur_rule_arch = lxc_seccomp_arch_mips;
} else if (strcmp(line, "[mipsel64]") == 0 ||
strcmp(line, "[MIPSEL64]") == 0) {
@@ -840,6 +862,7 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
cur_rule_arch = lxc_seccomp_arch_unknown;
continue;
}
+
cur_rule_arch = lxc_seccomp_arch_mipsel64;
} else if (strcmp(line, "[mipsel64n32]") == 0 ||
strcmp(line, "[MIPSEL64N32]") == 0) {
@@ -847,6 +870,7 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
cur_rule_arch = lxc_seccomp_arch_unknown;
continue;
}
+
cur_rule_arch = lxc_seccomp_arch_mipsel64n32;
} else if (strcmp(line, "[mipsel]") == 0 ||
strcmp(line, "[MIPSEL]") == 0) {
@@ -855,6 +879,7 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
cur_rule_arch = lxc_seccomp_arch_unknown;
continue;
}
+
cur_rule_arch = lxc_seccomp_arch_mipsel;
}
#endif
@@ -865,11 +890,12 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
cur_rule_arch = lxc_seccomp_arch_unknown;
continue;
}
+
cur_rule_arch = lxc_seccomp_arch_s390x;
- }
#endif
- else
+ } else {
goto bad_arch;
+ }
continue;
}
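Review bot: The closing brace moved to L1055 (`} else {`) now sits after the `#endif` at L1053, while the branch before the s390x one still closes itself before its own guard (L1044-L1045); the head of the s390x branch and its `#ifdef` are outside this hunk, so I cannot confirm the layout, but if that `else if` is still wrapped in `#ifdef SCMP_ARCH_S390X`, the new `}` has no opener on builds whose libseccomp lacks that macro and the `else` would bind to the enclosing `if` instead. Keeping the brace inside the guard avoids that: `cur_rule_arch = lxc_seccomp_arch_s390x;` followed by `}` before `#endif`, then `else {` / `goto bad_arch;` / `}` after it. parse_config_v2 starts and ends outside this hunk.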
@@ -889,6 +915,7 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
if (!do_resolve_add_rule(SCMP_ARCH_NATIVE, line,
conf->seccomp_ctx, &rule))
goto bad_rule;
+
INFO("Added native rule for arch %d for %s action %d(%s)",
SCMP_ARCH_NATIVE, line, rule.action,
get_action_name(rule.action));
@@ -897,6 +924,7 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
if (!do_resolve_add_rule(ctx.architectures[0], line,
ctx.contexts[0], &rule))
goto bad_rule;
+
INFO("Added compat rule for arch %d for %s action %d(%s)",
ctx.architectures[0], line, rule.action,
get_action_name(rule.action));
@@ -906,6 +934,7 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
if (!do_resolve_add_rule(ctx.architectures[1], line,
ctx.contexts[1], &rule))
goto bad_rule;
+
INFO("Added compat rule for arch %d for %s action %d(%s)",
ctx.architectures[1], line, rule.action,
get_action_name(rule.action));
@@ -915,6 +944,7 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
if (!do_resolve_add_rule(ctx.architectures[2], line,
ctx.contexts[2], &rule))
goto bad_rule;
+
INFO("Added native rule for arch %d for %s action %d(%s)",
ctx.architectures[2], line, rule.action,
get_action_name(rule.action));
@@ -930,6 +960,7 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
"context into main context");
goto bad;
}
+
TRACE("Merged first compat seccomp context into main context");
} else {
seccomp_release(ctx.contexts[0]);
@@ -945,6 +976,7 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
"context into main context");
goto bad;
}
+
TRACE("Merged second compat seccomp context into main context");
} else {
seccomp_release(ctx.contexts[1]);
@@ -960,6 +992,7 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
"context into main context");
goto bad;
}
+
TRACE("Merged third compat seccomp context into main context");
} else {
seccomp_release(ctx.contexts[2]);
@@ -967,19 +1000,25 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
}
}
+ free(rule_line);
return 0;
bad_arch:
- ERROR("Unsupported arch: %s.", line);
+ ERROR("Unsupported architecture \"%s\"", line);
+
bad_rule:
bad:
if (ctx.contexts[0])
seccomp_release(ctx.contexts[0]);
+
if (ctx.contexts[1])
seccomp_release(ctx.contexts[1]);
+
if (ctx.contexts[2])
seccomp_release(ctx.contexts[2]);
+ free(rule_line);
+
return -1;
}
#else /* HAVE_DECL_SECCOMP_SYSCALL_RESOLVE_NAME_ARCH */
From 64828b5e0be5ffe54464b7583289901eb12d3006 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Thu, 24 May 2018 16:49:28 +0200
Subject: [PATCH 14/17] seccomp: parse_config()
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
src/lxc/seccomp.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index 6ce3d5559..e22752cd7 100644
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -1038,7 +1038,7 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
*/
static int parse_config(FILE *f, struct lxc_conf *conf)
{
- char line[1024];
+ char line[MAXPATHLEN];
int ret, version;
ret = fscanf(f, "%d\n", &version);
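Review bot: `char line[MAXPATHLEN]` reuses a path-length constant as the size of a config-line buffer, and the `fgets(line, MAXPATHLEN, f)` in the next hunk repeats that constant instead of deriving it from the array, so the two can drift apart the next time the size changes. Deriving the bound from the declaration keeps them in step: `if (!fgets(line, sizeof(line), f)) {`. A short comment on the declaration saying why the line buffer is sized by MAXPATHLEN, or a dedicated constant with a descriptive name, would also help the reader. parse_config continues beyond this hunk.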
@@ -1046,10 +1046,12 @@ static int parse_config(FILE *f, struct lxc_conf *conf)
ERROR("Invalid version");
return -1;
}
- if (!fgets(line, 1024, f)) {
+
+ if (!fgets(line, MAXPATHLEN, f)) {
ERROR("Invalid config file");
return -1;
}
+
if (version == 1 && !strstr(line, "whitelist")) {
ERROR("Only whitelist policy is supported");
return -1;
@@ -1062,6 +1064,7 @@ static int parse_config(FILE *f, struct lxc_conf *conf)
if (version == 1)
return parse_config_v1(f, conf);
+
return parse_config_v2(f, line, conf);
}
From 24130b72641d2fdd7283e77e688db1e3520dd7a6 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Thu, 24 May 2018 16:51:18 +0200
Subject: [PATCH 15/17] seccomp: parse_config()
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
src/lxc/seccomp.c | 22 ++++++++++++++--------
1 file changed, 14 insertions(+), 8 deletions(-)
diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index e22752cd7..991f5d6f2 100644
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -1077,34 +1077,40 @@ static int parse_config(FILE *f, struct lxc_conf *conf)
*/
static bool use_seccomp(void)
{
- FILE *f = fopen("/proc/self/status", "r");
- char line[1024];
- bool already_enabled = false;
- bool found = false;
int ret, v;
+ FILE *f;
+ size_t line_bufsz = 0;
+ char *line = NULL;
+ bool already_enabled = false, found = false;
+ f = fopen("/proc/self/status", "r");
if (!f)
return true;
- while (fgets(line, 1024, f)) {
+ while (getline(&line, &line_bufsz, f) != -1) {
if (strncmp(line, "Seccomp:", 8) == 0) {
found = true;
+
ret = sscanf(line + 8, "%d", &v);
if (ret == 1 && v != 0)
already_enabled = true;
+
break;
}
}
-
+ free(line);
fclose(f);
- if (!found) { /* no Seccomp line, no seccomp in kernel */
+
+ if (!found) {
INFO("Seccomp is not enabled in the kernel");
return false;
}
- if (already_enabled) { /* already seccomp-confined */
+
+ if (already_enabled) {
INFO("Already seccomp-confined, not loading new policy");
return false;
}
+
return true;
}
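Review bot: A read error from `getline()` at L1209 is indistinguishable from reaching EOF without a `Seccomp:` line, so `found` stays false and the function reports seccomp as absent, which means the container's policy is silently not loaded; the old `fgets()` loop had the same gap, but the rewrite is the place to close it. Checking the stream before it is closed and falling back to the "cannot tell" path keeps a transient read failure from disabling the policy: `if (!found && ferror(f)) { free(line); fclose(f); return true; }` placed just before the existing `free(line);`. The early `return true` at L1207 would also benefit from a one-line comment such as `/* Cannot inspect our seccomp state; let seccomp_load() decide. */`, since the inline comments on the other two returns were dropped in this hunk.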
From 8515d22d7fc60b1c739a9a7bc498c9388d258e7c Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Thu, 24 May 2018 16:53:31 +0200
Subject: [PATCH 16/17] seccomp: lxc_read_seccomp_config()
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
src/lxc/seccomp.c | 17 ++++++++++-------
1 file changed, 10 insertions(+), 7 deletions(-)
diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index 991f5d6f2..8d01d1f67 100644
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -1116,15 +1116,15 @@ static bool use_seccomp(void)
int lxc_read_seccomp_config(struct lxc_conf *conf)
{
+ int check_seccomp_attr_set, ret;
FILE *f;
- int ret;
- int check_seccomp_attr_set;
if (!conf->seccomp)
return 0;
if (!use_seccomp())
return 0;
+
#if HAVE_SCMP_FILTER_CTX
/* XXX for debug, pass in SCMP_ACT_TRAP */
conf->seccomp_ctx = seccomp_init(SCMP_ACT_KILL);
@@ -1137,7 +1137,7 @@ int lxc_read_seccomp_config(struct lxc_conf *conf)
return -1;
}
-/* turn off no-new-privs. We don't want it in lxc, and it breaks
+/* turn off no-new-privs. We don't want it in lxc, and it breaks
* with apparmor */
#if HAVE_SCMP_FILTER_CTX
check_seccomp_attr_set = seccomp_attr_set(conf->seccomp_ctx, SCMP_FLTATR_CTL_NNP, 0);
@@ -1145,13 +1145,14 @@ int lxc_read_seccomp_config(struct lxc_conf *conf)
check_seccomp_attr_set = seccomp_attr_set(SCMP_FLTATR_CTL_NNP, 0);
#endif
if (check_seccomp_attr_set) {
- ERROR("Failed to turn off no-new-privs");
+ ERROR("%s - Failed to turn off no-new-privs", strerror(-check_seccomp_attr_set));
return -1;
}
#ifdef SCMP_FLTATR_ATL_TSKIP
- if (seccomp_attr_set(conf->seccomp_ctx, SCMP_FLTATR_ATL_TSKIP, 1)) {
- WARN("Failed to turn on seccomp nop-skip, continuing");
- }
+ check_seccomp_attr_set = seccomp_attr_set(conf->seccomp_ctx, SCMP_FLTATR_ATL_TSKIP, 1);
+ if (check_seccomp_attr_set < 0)
+ WARN("%s - Failed to turn on seccomp nop-skip, continuing",
+ strerror(-check_seccomp_attr_set));
#endif
f = fopen(conf->seccomp, "r");
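Review bot: The two attribute checks in this hunk test the return value differently — `if (check_seccomp_attr_set)` at L1276 versus `if (check_seccomp_attr_set < 0)` at L1286 — while both pass `-check_seccomp_attr_set` to strerror(), which only yields a meaningful message for a negative errno-style return. Using the same form for both, `if (check_seccomp_attr_set < 0) {` at L1276, makes that assumption uniform and matches how lxc_seccomp_load treats `ret`. The NNP failure path also returns -1 without releasing the context created by seccomp_init() at L1264; if that is deliberately left to lxc_seccomp_free(), a comment on the `return -1;` saying so would help the next reader. lxc_read_seccomp_config starts before and ends after this hunk.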
@@ -1159,8 +1160,10 @@ int lxc_read_seccomp_config(struct lxc_conf *conf)
SYSERROR("Failed to open seccomp policy file %s", conf->seccomp);
return -1;
}
+
ret = parse_config(f, conf);
fclose(f);
+
return ret;
}
From 9599aff095b34cf8327f3499e5ddd498ba0fd573 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Thu, 24 May 2018 16:55:21 +0200
Subject: [PATCH 17/17] seccomp: lxc_read_seccomp_config()
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
src/lxc/seccomp.c | 18 ++++++++++++------
1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index 8d01d1f67..f3c27c699 100644
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -1170,31 +1170,36 @@ int lxc_read_seccomp_config(struct lxc_conf *conf)
int lxc_seccomp_load(struct lxc_conf *conf)
{
int ret;
+
if (!conf->seccomp)
return 0;
+
if (!use_seccomp())
return 0;
- ret = seccomp_load(
+
#if HAVE_SCMP_FILTER_CTX
- conf->seccomp_ctx
+ ret = seccomp_load(conf->seccomp_ctx);
+#else
+ ret = seccomp_load();
#endif
- );
if (ret < 0) {
- ERROR("Error loading the seccomp policy: %s", strerror(-ret));
+ ERROR("%s- Error loading the seccomp policy", strerror(-ret));
return -1;
}
/* After load seccomp filter into the kernel successfully, export the current seccomp
* filter to log file */
#if HAVE_SCMP_FILTER_CTX
- if ((lxc_log_get_level() <= LXC_LOG_LEVEL_TRACE || conf->loglevel <= LXC_LOG_LEVEL_TRACE) &&
+ if ((lxc_log_get_level() <= LXC_LOG_LEVEL_TRACE ||
+ conf->loglevel <= LXC_LOG_LEVEL_TRACE) &&
lxc_log_fd >= 0) {
ret = seccomp_export_pfc(conf->seccomp_ctx, lxc_log_fd);
/* Just give an warning when export error */
if (ret < 0)
- WARN("Failed to export seccomp filter to log file: %s", strerror(-ret));
+ WARN("%s - Failed to export seccomp filter to log file", strerror(-ret));
}
#endif
+
return 0;
}
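Review bot: The new message at L1334, `"%s- Error loading the seccomp policy"`, is missing the space before the dash that every other reworked message in this series uses (`"%s - ..."` at L1278, L1287 and L1348), so the strerror() text will run into the dash in the log. Change it to `ERROR("%s - Error loading the seccomp policy", strerror(-ret));`. Splitting `seccomp_load()` into the two `#if HAVE_SCMP_FILTER_CTX` branches is otherwise clearer than the old call with a conditionally compiled argument list.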
@@ -1202,6 +1207,7 @@ void lxc_seccomp_free(struct lxc_conf *conf)
{
free(conf->seccomp);
conf->seccomp = NULL;
+
#if HAVE_SCMP_FILTER_CTX
if (conf->seccomp_ctx) {
seccomp_release(conf->seccomp_ctx);