[lxc-devel] [lxc/master] confile: add lxc.seccomp.allow_nesting

brauner on Github lxc-bot at linuxcontainers.org
Mon Jan 7 14:35:16 UTC 2019


From 50d86993a7d6bf913372e0514fc491ea49ebdc5c Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Mon, 7 Jan 2019 15:10:52 +0100
Subject: [PATCH] confile: add lxc.seccomp.allow_nesting

This adds the lxc.seccomp.allow_nesting api extension. If
lxc.seccomp.allow_nesting is set to 1 then seccomp profiles will be
stacked. This way nested containers can load their own seccomp policy on
top of the policy that the outer container might have applied.

Cc: Simon Fels <simon.fels at canonical.com>
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
 doc/lxc.container.conf.sgml.in | 13 +++++++++++++
 src/lxc/api_extensions.h       |  1 +
 src/lxc/conf.h                 |  1 +
 src/lxc/confile.c              | 30 ++++++++++++++++++++++++++++++
 src/lxc/seccomp.c              |  9 ++++++---
 5 files changed, 51 insertions(+), 3 deletions(-)

diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in
index 3db43fa9ab..00b51a94aa 100644
--- a/doc/lxc.container.conf.sgml.in
+++ b/doc/lxc.container.conf.sgml.in
@@ -1823,6 +1823,19 @@ dev/null proc/kcore none bind,relative 0 0
              </para>
           </listitem>
         </varlistentry>
+        <varlistentry>
+          <term>
+            <option>lxc.seccomp.allow_nesting</option>
+          </term>
+          <listitem>
+            <para>
+	      If this flag is set to 1, then seccomp filters will be stacked
+	      regardless of whether a seccomp profile is already loaded.
+	      This allows nested containers to load their own seccomp profile.
+	      The default setting is 0.
+             </para>
+          </listitem>
+        </varlistentry>
       </variablelist>
     </refsect2>
 
diff --git a/src/lxc/api_extensions.h b/src/lxc/api_extensions.h
index 810d398285..3ab5efa3b8 100644
--- a/src/lxc/api_extensions.h
+++ b/src/lxc/api_extensions.h
@@ -41,6 +41,7 @@ static char *api_extensions[] = {
 	"mount_injection",
 	"cgroup_relative",
 	"mount_injection_file",
+	"seccomp_allow_nesting",
 };
 
 static size_t nr_api_extensions = sizeof(api_extensions) / sizeof(*api_extensions);
diff --git a/src/lxc/conf.h b/src/lxc/conf.h
index f40807e9a3..a9e238ac16 100644
--- a/src/lxc/conf.h
+++ b/src/lxc/conf.h
@@ -296,6 +296,7 @@ struct lxc_conf {
 	char *lsm_se_context;
 	bool tmp_umount_proc;
 	char *seccomp;  /* filename with the seccomp rules */
+	unsigned int seccomp_allow_nesting;
 #if HAVE_SCMP_FILTER_CTX
 	scmp_filter_ctx seccomp_ctx;
 #endif
diff --git a/src/lxc/confile.c b/src/lxc/confile.c
index c022cd3ded..564cbe38a0 100644
--- a/src/lxc/confile.c
+++ b/src/lxc/confile.c
@@ -145,6 +145,7 @@ lxc_config_define(rootfs_mount);
 lxc_config_define(rootfs_options);
 lxc_config_define(rootfs_path);
 lxc_config_define(seccomp_profile);
+lxc_config_define(seccomp_allow_nesting);
 lxc_config_define(selinux_context);
 lxc_config_define(signal_halt);
 lxc_config_define(signal_reboot);
@@ -231,6 +232,7 @@ static struct lxc_config_t config_jump_table[] = {
 	{ "lxc.rootfs.mount",              set_config_rootfs_mount,                get_config_rootfs_mount,                clr_config_rootfs_mount,              },
 	{ "lxc.rootfs.options",            set_config_rootfs_options,              get_config_rootfs_options,              clr_config_rootfs_options,            },
 	{ "lxc.rootfs.path",               set_config_rootfs_path,                 get_config_rootfs_path,                 clr_config_rootfs_path,               },
+	{ "lxc.seccomp.allow_nesting",     set_config_seccomp_allow_nesting,       get_config_seccomp_allow_nesting,       clr_config_seccomp_allow_nesting,     },
 	{ "lxc.seccomp.profile",           set_config_seccomp_profile,             get_config_seccomp_profile,             clr_config_seccomp_profile,           },
 	{ "lxc.selinux.context",           set_config_selinux_context,             get_config_selinux_context,             clr_config_selinux_context,           },
 	{ "lxc.signal.halt",               set_config_signal_halt,                 get_config_signal_halt,                 clr_config_signal_halt,               },
@@ -771,6 +773,21 @@ static int add_hook(struct lxc_conf *lxc_conf, int which, char *hook)
 	return 0;
 }
 
+static int set_config_seccomp_allow_nesting(const char *key, const char *value,
+					    struct lxc_conf *lxc_conf, void *data)
+{
+	if (lxc_config_value_empty(value))
+		return clr_config_seccomp_allow_nesting(key, lxc_conf, NULL);
+
+	if (lxc_safe_uint(value, &lxc_conf->seccomp_allow_nesting) < 0)
+		return -1;
+
+	if (lxc_conf->seccomp_allow_nesting > 1)
+		return -1;
+
+	return 0;
+}
+
 static int set_config_seccomp_profile(const char *key, const char *value,
 				      struct lxc_conf *lxc_conf, void *data)
 {
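Review bot: The range check in set_config_seccomp_allow_nesting runs after lxc_safe_uint() has already written the parsed value into lxc_conf->seccomp_allow_nesting, so a config line such as `lxc.seccomp.allow_nesting = 2` returns -1 while leaving a value greater than 1 in the struct, which use_seccomp() would treat as "enabled" if the struct is ever reused after the failed set. Parse into a local and assign only once validated: `unsigned int v; if (lxc_safe_uint(value, &v) < 0 || v > 1) return -1; lxc_conf->seccomp_allow_nesting = v;`. Whether the stale value is reachable depends on how the caller handles the -1, which is outside this hunk, but the safe form costs nothing. A one-line comment on the check, `/* boolean flag: only 0 and 1 are valid */`, would also make the `> 1` rejection self-explanatory.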
@@ -3621,6 +3638,12 @@ static int get_config_console_size(const char *key, char *retv, int inlen,
 	return lxc_get_conf_uint64(c, retv, inlen, c->console.log_size);
 }
 
+static int get_config_seccomp_allow_nesting(const char *key, char *retv,
+					    int inlen, struct lxc_conf *c,
+					    void *data)
+{
+	return lxc_get_conf_int(c, retv, inlen, c->seccomp_allow_nesting);
+}
 
 static int get_config_seccomp_profile(const char *key, char *retv, int inlen,
 				      struct lxc_conf *c, void *data)
@@ -4205,6 +4228,13 @@ static inline int clr_config_console_size(const char *key, struct lxc_conf *c,
 	return 0;
 }
 
+static inline int clr_config_seccomp_allow_nesting(const char *key,
+						   struct lxc_conf *c, void *data)
+{
+	c->seccomp_allow_nesting = 0;
+	return 0;
+}
+
 static inline int clr_config_seccomp_profile(const char *key,
 					     struct lxc_conf *c, void *data)
 {
diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index 1e14be17e9..f90602e1f9 100644
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -1096,7 +1096,7 @@ static int parse_config(FILE *f, struct lxc_conf *conf)
  *   1. seccomp is not enabled in the kernel
  *   2. a seccomp policy is already enabled for this task
  */
-static bool use_seccomp(void)
+static bool use_seccomp(const struct lxc_conf *conf)
 {
 	int ret, v;
 	FILE *f;
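Review bot: The function comment directly above this hunk (the "returns false if 1. seccomp is not enabled in the kernel / 2. a seccomp policy is already enabled for this task" list) is now incomplete, since the new conf parameter lets lxc.seccomp.allow_nesting override reason 2 and, as written in the next hunk, reason 1 as well. I would extend the list with a third line, `*   Setting lxc.seccomp.allow_nesting=1 bypasses both checks so that a nested container can stack its own filter on top of the outer one.`, so that the next reader of use_seccomp() does not assume the two listed conditions are exhaustive. The body of use_seccomp continues past the end of this hunk.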
@@ -1104,6 +1104,9 @@ static bool use_seccomp(void)
 	char *line = NULL;
 	bool already_enabled = false, found = false;
 
+	if (conf->seccomp_allow_nesting > 0)
+		return true;
+
 	f = fopen("/proc/self/status", "r");
 	if (!f)
 		return true;
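Review bot: The early `return true` added for seccomp_allow_nesting fires before /proc/self/status is even opened, so it skips not only the "policy already loaded" check the commit message targets but also the "seccomp not enabled in the kernel" detection that the function header comment promises; on such a kernel lxc_seccomp_load() will then attempt a load and fail instead of silently skipping. That is fail-closed rather than a weakening, which is arguably acceptable, but if the intent is only to permit stacking, the override belongs at the point where already_enabled is consulted, which is past the end of this hunk (presumably something like `return !already_enabled || conf->seccomp_allow_nesting > 0;` in place of the plain already_enabled test) and `found` should keep its say. Worth a comment either way, e.g. `/* Stacked filters can only further restrict the task, so allowing nesting never loosens the outer container's policy; but the inner load will fail if the outer filter denies seccomp(2)/prctl(2). */`, because that is the security property reviewers of this knob will ask about.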
@@ -1143,7 +1146,7 @@ int lxc_read_seccomp_config(struct lxc_conf *conf)
 	if (!conf->seccomp)
 		return 0;
 
-	if (!use_seccomp())
+	if (!use_seccomp(conf))
 		return 0;
 
 #if HAVE_SCMP_FILTER_CTX
@@ -1198,7 +1201,7 @@ int lxc_seccomp_load(struct lxc_conf *conf)
 	if (!conf->seccomp)
 		return 0;
 
-	if (!use_seccomp())
+	if (!use_seccomp(conf))
 		return 0;
 
 #if HAVE_SCMP_FILTER_CTX

