[lxc-devel] [lxc/master] seccomp: more fixes

brauner on Github lxc-bot at linuxcontainers.org
Fri May 25 11:30:16 UTC 2018


From cf6624c1fed1a2528f9316d8c44545f3cbb90788 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Fri, 25 May 2018 13:16:31 +0200
Subject: [PATCH 1/3] seccomp: lxc_read_seccomp_config()

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
 src/lxc/seccomp.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index 4ae981203..c7f0dab1c 100644
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -1124,7 +1124,7 @@ static bool use_seccomp(void)
 
 int lxc_read_seccomp_config(struct lxc_conf *conf)
 {
-	int check_seccomp_attr_set, ret;
+	int ret;
 	FILE *f;
 
 	if (!conf->seccomp)
@@ -1148,19 +1148,19 @@ int lxc_read_seccomp_config(struct lxc_conf *conf)
 /* turn off no-new-privs. We don't want it in lxc, and it breaks
  * with apparmor */
 #if HAVE_SCMP_FILTER_CTX
-	check_seccomp_attr_set = seccomp_attr_set(conf->seccomp_ctx, SCMP_FLTATR_CTL_NNP, 0);
+	ret = seccomp_attr_set(conf->seccomp_ctx, SCMP_FLTATR_CTL_NNP, 0);
 #else
-	check_seccomp_attr_set = seccomp_attr_set(SCMP_FLTATR_CTL_NNP, 0);
+	ret = seccomp_attr_set(SCMP_FLTATR_CTL_NNP, 0);
 #endif
-	if (check_seccomp_attr_set) {
-		ERROR("%s - Failed to turn off no-new-privs", strerror(-check_seccomp_attr_set));
+	if (ret < 0) {
+		ERROR("%s - Failed to turn off no-new-privs", strerror(-ret));
 		return -1;
 	}
 #ifdef SCMP_FLTATR_ATL_TSKIP
-	check_seccomp_attr_set = seccomp_attr_set(conf->seccomp_ctx, SCMP_FLTATR_ATL_TSKIP, 1);
-	if (check_seccomp_attr_set < 0)
+	ret = seccomp_attr_set(conf->seccomp_ctx, SCMP_FLTATR_ATL_TSKIP, 1);
+	if (ret < 0)
 		WARN("%s - Failed to turn on seccomp nop-skip, continuing",
-		     strerror(-check_seccomp_attr_set));
+		     strerror(-ret));
 #endif
 
 	f = fopen(conf->seccomp, "r");
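Review bot: The SCMP_FLTATR_ATL_TSKIP call, `ret = seccomp_attr_set(conf->seccomp_ctx, SCMP_FLTATR_ATL_TSKIP, 1);`, passes `conf->seccomp_ctx` unconditionally, whereas the no-new-privs call directly above selects a ctx-less form under the `#else` of `HAVE_SCMP_FILTER_CTX`; this only builds if every libseccomp that defines SCMP_FLTATR_ATL_TSKIP also provides the filter-ctx API, which seems likely but is not stated anywhere in the hunk. A one-line comment would make that dependency explicit: `/* SCMP_FLTATR_ATL_TSKIP is only defined by libseccomp releases that also provide the filter-ctx API, so no HAVE_SCMP_FILTER_CTX branch is needed here. */`. Since seccomp_attr_set() reports failure as a negative errno value, `strerror(-ret)` is right and the new `ret < 0` test is equivalent to the old non-zero test for that contract. The block comment explaining why no-new-privs is turned off sits at column 0 inside the function body and would read better indented with the code it explains. lxc_read_seccomp_config() continues past the end of this hunk.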

From 54a051c1663ad1b3216833eca2e7d309730d50bd Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Fri, 25 May 2018 13:26:25 +0200
Subject: [PATCH 2/3] seccomp: parse_v2_rules()

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
 src/lxc/seccomp.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index c7f0dab1c..ab40473e4 100644
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -115,7 +115,7 @@ static uint32_t get_v2_default_action(char *line)
 	} else if (strncmp(line, "trap", 4) == 0) {
 		ret_action = SCMP_ACT_TRAP;
 	} else if (line[0]) {
-		ERROR("Unrecognized seccomp action: %s", line);
+		ERROR("Unrecognized seccomp action \"%s\"", line);
 		return -2;
 	}
 
@@ -261,27 +261,27 @@ static int parse_v2_rules(char *line, uint32_t def_action,
 	if (rules->action == -1) {
 		ERROR("Failed to interpret action");
 		ret = -1;
-		goto out;
+		goto on_error;
 	}
 
 	ret = 0;
 	rules->args_num = 0;
 	if (!strchr(tmp, '['))
-		goto out;
+		goto on_error;
 
 	ret = -1;
 	for ((key = strtok_r(tmp, "]", &saveptr)), i = 0; key && i < 6;
 	     (key = strtok_r(NULL, "]", &saveptr)), i++) {
 		ret = get_seccomp_arg_value(key, &rules->args_value[i]);
 		if (ret < 0)
-			goto out;
+			goto on_error;
 
 		rules->args_num++;
 	}
 
 	ret = 0;
 
-out:
+on_error:
 	free(tmp);
 
 	return ret;
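Review bot: The renamed label `on_error` is also the normal exit of the function: the `ret = 0;` path for a rule without a `[` argument list jumps to it, and a successful loop falls through the final `ret = 0;` straight into it, so the new name reads cleanup as failure. Either keep a neutral name such as `out` or `cleanup`, or document the dual role on the label line: `on_error: /* also the success path: only frees tmp */`. The `i < 6` bound in the for loop is the per-syscall argument limit and should be a named constant or carry a comment, since the same value must agree with the size of `rules->args_value`, which is declared outside this hunk. parse_v2_rules() begins before the start of the hunk.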

From dfddc8aa7ef3362212f8394995088a5f525730dd Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Fri, 25 May 2018 13:27:50 +0200
Subject: [PATCH 3/3] seccomp: make do_resolve_add_rule() more strict

Let's error out on syscalls that cannot be resolved or fail to resolve instead
of just warning users.

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
 src/lxc/seccomp.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index ab40473e4..7ae76a71c 100644
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -500,14 +500,12 @@ bool do_resolve_add_rule(uint32_t arch, char *line, scmp_filter_ctx ctx,
 	nr = seccomp_syscall_resolve_name(line);
 	if (nr == __NR_SCMP_ERROR) {
 		WARN("Failed to resolve syscall \"%s\"", line);
-		WARN("This syscall will NOT be blacklisted");
-		return true;
+		return false;
 	}
 
 	if (nr < 0) {
 		WARN("Got negative return value %d for syscall \"%s\"", nr, line);
-		WARN("This syscall will NOT be blacklisted");
-		return true;
+		return false;
 	}
 
 	memset(&arg_cmp, 0, sizeof(arg_cmp));
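Review bot: Both failure paths now return false but still log at WARN (`WARN("Failed to resolve syscall \"%s\"", line);` and the negative-value message below it), so the condition that now aborts loading the profile is reported below ERROR level and will be missing from the default log when a container fails to start; change both to `ERROR(...)` to match the commit's stated intent to error out. The `nr < 0` branch deserves a second look: if the libseccomp in use returns a negative pseudo-syscall number for a syscall that simply does not exist on the arch being resolved, a profile that lists an arch-specific syscall would now fail as a whole rather than being skipped for that arch, which would be a behaviour change for existing profiles; this is inferred from the return-value convention rather than visible here, so it is worth confirming against the libseccomp version lxc builds with and recording the decision in a comment above the check. do_resolve_add_rule() continues past the end of the hunk.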

