[lxc-devel] [lxc/master] seccomp: add rules for specified architecture only
lifeng68 on Github
lxc-bot at linuxcontainers.org
Wed Jan 16 09:05:09 UTC 2019
From ff9e026315a5cb4ac53ac83193c3a000cb57a6f3 Mon Sep 17 00:00:00 2001
From: LiFeng <lifeng68 at huawei.com>
Date: Wed, 16 Jan 2019 05:07:59 -0500
Subject: [PATCH] seccomp: add rules for all archs only cur_rule_arch ==
lxc_seccomp_arch_all
If the architecture is specified in the seccomp configuration, like:
```
2
whitelist errno 1
[x86_64]
accept allow
accept4 allow
```
We should add rules only for amd64 instead of adding rules for
x32/i386/amd64.
Signed-off-by: LiFeng <lifeng68 at huawei.com>
---
src/lxc/seccomp.c | 130 +++++++++++++++++++++++-----------------------
1 file changed, 66 insertions(+), 64 deletions(-)
diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index f90602e1f..f38475630 100644
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -935,87 +935,89 @@ static int parse_config_v2(FILE *f, char *line, size_t *line_bufsz, struct lxc_c
INFO("Added native rule for arch %d for %s action %d(%s)",
SCMP_ARCH_NATIVE, line, rule.action,
get_action_name(rule.action));
+ if (cur_rule_arch == lxc_seccomp_arch_all) {
+ if (ctx.architectures[0] != SCMP_ARCH_NATIVE) {
+ if (!do_resolve_add_rule(ctx.architectures[0], line,
+ ctx.contexts[0], &rule))
+ goto bad_rule;
+
+ INFO("Added compat rule for arch %d for %s action %d(%s)",
+ ctx.architectures[0], line, rule.action,
+ get_action_name(rule.action));
+ }
- if (ctx.architectures[0] != SCMP_ARCH_NATIVE) {
- if (!do_resolve_add_rule(ctx.architectures[0], line,
- ctx.contexts[0], &rule))
- goto bad_rule;
+ if (ctx.architectures[1] != SCMP_ARCH_NATIVE) {
+ if (!do_resolve_add_rule(ctx.architectures[1], line,
+ ctx.contexts[1], &rule))
+ goto bad_rule;
- INFO("Added compat rule for arch %d for %s action %d(%s)",
- ctx.architectures[0], line, rule.action,
- get_action_name(rule.action));
- }
+ INFO("Added compat rule for arch %d for %s action %d(%s)",
+ ctx.architectures[1], line, rule.action,
+ get_action_name(rule.action));
+ }
- if (ctx.architectures[1] != SCMP_ARCH_NATIVE) {
- if (!do_resolve_add_rule(ctx.architectures[1], line,
- ctx.contexts[1], &rule))
- goto bad_rule;
+ if (ctx.architectures[2] != SCMP_ARCH_NATIVE) {
+ if (!do_resolve_add_rule(ctx.architectures[2], line,
+ ctx.contexts[2], &rule))
+ goto bad_rule;
- INFO("Added compat rule for arch %d for %s action %d(%s)",
- ctx.architectures[1], line, rule.action,
- get_action_name(rule.action));
+ INFO("Added native rule for arch %d for %s action %d(%s)",
+ ctx.architectures[2], line, rule.action,
+ get_action_name(rule.action));
+ }
}
- if (ctx.architectures[2] != SCMP_ARCH_NATIVE) {
- if (!do_resolve_add_rule(ctx.architectures[2], line,
- ctx.contexts[2], &rule))
- goto bad_rule;
-
- INFO("Added native rule for arch %d for %s action %d(%s)",
- ctx.architectures[2], line, rule.action,
- get_action_name(rule.action));
- }
}
+ if (cur_rule_arch == lxc_seccomp_arch_all) {
+ INFO("Merging compat seccomp contexts into main context");
+ if (ctx.contexts[0]) {
+ if (ctx.needs_merge[0]) {
+ ret = seccomp_merge(conf->seccomp_ctx, ctx.contexts[0]);
+ if (ret < 0) {
+ ERROR("Failed to merge first compat seccomp "
+ "context into main context");
+ goto bad;
+ }
- INFO("Merging compat seccomp contexts into main context");
- if (ctx.contexts[0]) {
- if (ctx.needs_merge[0]) {
- ret = seccomp_merge(conf->seccomp_ctx, ctx.contexts[0]);
- if (ret < 0) {
- ERROR("Failed to merge first compat seccomp "
- "context into main context");
- goto bad;
+ TRACE("Merged first compat seccomp context into main context");
+ } else {
+ seccomp_release(ctx.contexts[0]);
+ ctx.contexts[0] = NULL;
}
-
- TRACE("Merged first compat seccomp context into main context");
- } else {
- seccomp_release(ctx.contexts[0]);
- ctx.contexts[0] = NULL;
}
- }
- if (ctx.contexts[1]) {
- if (ctx.needs_merge[1]) {
- ret = seccomp_merge(conf->seccomp_ctx, ctx.contexts[1]);
- if (ret < 0) {
- ERROR("Failed to merge first compat seccomp "
- "context into main context");
- goto bad;
- }
+ if (ctx.contexts[1]) {
+ if (ctx.needs_merge[1]) {
+ ret = seccomp_merge(conf->seccomp_ctx, ctx.contexts[1]);
+ if (ret < 0) {
+ ERROR("Failed to merge first compat seccomp "
+ "context into main context");
+ goto bad;
+ }
- TRACE("Merged second compat seccomp context into main context");
- } else {
- seccomp_release(ctx.contexts[1]);
- ctx.contexts[1] = NULL;
+ TRACE("Merged second compat seccomp context into main context");
+ } else {
+ seccomp_release(ctx.contexts[1]);
+ ctx.contexts[1] = NULL;
+ }
}
- }
- if (ctx.contexts[2]) {
- if (ctx.needs_merge[2]) {
- ret = seccomp_merge(conf->seccomp_ctx, ctx.contexts[2]);
- if (ret < 0) {
- ERROR("Failed to merge third compat seccomp "
- "context into main context");
- goto bad;
- }
+ if (ctx.contexts[2]) {
+ if (ctx.needs_merge[2]) {
+ ret = seccomp_merge(conf->seccomp_ctx, ctx.contexts[2]);
+ if (ret < 0) {
+ ERROR("Failed to merge third compat seccomp "
+ "context into main context");
+ goto bad;
+ }
- TRACE("Merged third compat seccomp context into main context");
- } else {
- seccomp_release(ctx.contexts[2]);
- ctx.contexts[2] = NULL;
+ TRACE("Merged third compat seccomp context into main context");
+ } else {
+ seccomp_release(ctx.contexts[2]);
+ ctx.contexts[2] = NULL;
+ }
}
}
-
free(line);
return 0;
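Review bot: The new `if (cur_rule_arch == lxc_seccomp_arch_all)` guard in front of `INFO("Merging compat seccomp contexts into main context")` keys on whichever `[arch]` section was parsed last, not on which compat contexts actually received rules, so a configuration that opens with `[all]` rules and ends with the commit's own `[x86_64]` example leaves the compat contexts (e.g. i386/x32) filled during the `[all]` section unmerged, and the contexts that would otherwise be `seccomp_release`d are neither merged nor freed on the visible success path (`free(line); return 0;`). The per-context `ctx.needs_merge[i]` flags already record what has to be merged, so the merge should stay unconditional: drop the `if (cur_rule_arch == lxc_seccomp_arch_all) {` line before the merge and its matching closing brace, and let the existing `needs_merge` tests decide per context. Where `cur_rule_arch` is assigned and how the error path frees `ctx.contexts[]` are outside the hunk, so treat the leak as likely rather than certain; the functional gap (a compat architecture silently ending up with no rules in the final filter, which is not what the configuration asked for) follows from the visible lines alone. While these lines are being moved, the copy-pasted messages `INFO("Added native rule ..."` for `ctx.architectures[2]` and `"Failed to merge first compat seccomp context"` for `ctx.contexts[1]` mislabel what they log and are worth correcting. parse_config_v2 starts before the hunk.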