[lxc-devel] [lxd/master] seccomp: handle setxattr syscall
brauner on Github
lxc-bot at linuxcontainers.org
Tue Jul 16 15:07:22 UTC 2019
A non-text attachment was scrubbed...
Name: not available
Type: text/x-mailbox
Size: 1764 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20190716/cefd249a/attachment-0001.bin>
-------------- next part --------------
From a69f934555b724c6486ab29c8e662e10152c0e25 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Fri, 12 Jul 2019 19:19:53 +0200
Subject: [PATCH] seccomp: handle setxattr syscall
Sigh, until we have a method to:
- tell seccomp to resume a syscall if we tell it to do so
- have seccomp filter pointer arguments as well
we are stuck in the unfortunate situation that we can't nicely handler
syscalls with pointer arguments.
This brings us to setxattr() which is just such a syscall - YAY ME.
I want to be clear that what we do here is a best-effort to handle this
but it is not necessarily to be considered safe and this feature needs
to come with the appropriate big fat warning. I have no desire to get
CVEed because of this feature.
What I do is to add the following filter:
setxattr(const char *path /* we can't filter on this */,
const char *name /* we can't filter on this */,
const void *value /* we can't filter on this */,
size_t size /* we can filter on this since
* trusted.overlay.opaque needs to have a value of
* length 1 */,
int flags /* we could filter on this but it's useless for us */)
which is in lxc filter terms:
notify setxattr [3,1,SCMP_CMP_EQ]
This should have us match very few setxattr syscalls hopefully.
For those setxattr that we catch that are not trusted.overlay.opaque but
still have a data size of 1, we __try__ (Please please, note the
__try__.) as best as we can to assume the credentials of the syscalling
task. This right now includes ids and all namespaces.
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
lxd/main_forksyscall.go | 140 +++++++++++++++++++++++++++
lxd/seccomp.go | 207 +++++++++++++++++++++++++++++-----------
2 files changed, 291 insertions(+), 56 deletions(-)
diff --git a/lxd/main_forksyscall.go b/lxd/main_forksyscall.go
index e0b3a14719..075e4e1e51 100644
--- a/lxd/main_forksyscall.go
+++ b/lxd/main_forksyscall.go
@@ -23,6 +23,7 @@ import (
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/vfs.h>
+#include <sys/xattr.h>
#include <unistd.h>
#include "include/memory_utils.h"
@@ -249,6 +250,143 @@ static void forkmknod()
}
}
+static bool change_creds(int ns_fd, cap_t caps, uid_t nsuid, gid_t nsgid)
+{
+ __do_close_prot_errno int fd = -EBADF;
+
+ if (prctl(PR_SET_KEEPCAPS, 1))
+ return false;
+
+ fd = openat(ns_fd, "user", O_RDONLY | O_CLOEXEC);
+ if (setns(fd, CLONE_NEWUSER))
+ return false;
+ close(fd);
+
+ fd = openat(ns_fd, "mnt", O_RDONLY | O_CLOEXEC);
+ if (setns(fd, CLONE_NEWNS))
+ return false;
+ close(fd);
+
+ fd = openat(ns_fd, "cgroup", O_RDONLY | O_CLOEXEC);
+ if (setns(fd, CLONE_NEWCGROUP))
+ return false;
+ close(fd);
+
+ fd = openat(ns_fd, "ipc", O_RDONLY | O_CLOEXEC);
+ if (setns(fd, CLONE_NEWIPC))
+ return false;
+ close(fd);
+
+ fd = openat(ns_fd, "net", O_RDONLY | O_CLOEXEC);
+ if (setns(fd, CLONE_NEWNET))
+ return false;
+ close(fd);
+
+ fd = openat(ns_fd, "pid", O_RDONLY | O_CLOEXEC);
+ if (setns(fd, CLONE_NEWPID))
+ return false;
+ close(fd);
+
+ fd = openat(ns_fd, "uts", O_RDONLY | O_CLOEXEC);
+ if (setns(fd, CLONE_NEWUTS))
+ return false;
+ // compiler taking care of fd again now
+
+ if (setegid(nsgid))
+ return false;
+
+ setfsgid(nsgid);
+
+ if (seteuid(nsuid))
+ return false;
+
+ setfsuid(nsuid);
+
+ if (cap_set_proc(caps))
+ return false;
+
+ return true;
+}
+
+static void forksetxattr()
+{
+ __do_close_prot_errno int ns_fd = -EBADF, target_fd = -EBADF;
+ int flags = 0;
+ char *name, *path;
+ char ns_path[PATH_MAX];
+ uid_t nsuid;
+ gid_t nsgid;
+ pid_t pid = 0;
+ cap_t caps;
+ cap_flag_value_t flag;
+ int whiteout;
+ void *data;
+ size_t size;
+
+ pid = atoi(advance_arg(true));
+ nsuid = atoi(advance_arg(true));
+ nsgid = atoi(advance_arg(true));
+ name = advance_arg(true);
+ path = advance_arg(true);
+ flags = atoi(advance_arg(true));
+ whiteout = atoi(advance_arg(true));
+ size = atoi(advance_arg(true));
+ data = advance_arg(true);
+
+ snprintf(ns_path, sizeof(ns_path), "/proc/%d/ns", pid);
+ ns_fd = open(ns_path, O_RDONLY | O_CLOEXEC);
+ if (ns_fd < 0) {
+ fprintf(stderr, "%d", ENOANO);
+ _exit(EXIT_FAILURE);
+ }
+
+ if (!chdirchroot(pid)) {
+ fprintf(stderr, "%d", errno);
+ _exit(EXIT_FAILURE);
+ }
+
+ target_fd = open(path, O_RDWR | O_CLOEXEC);
+ if (target_fd < 0) {
+ fprintf(stderr, "%d", errno);
+ _exit(EXIT_FAILURE);
+ }
+
+ caps = cap_get_pid(pid);
+ if (!caps) {
+ fprintf(stderr, "%d", ENOANO);
+ _exit(EXIT_FAILURE);
+ }
+
+ if (whiteout == 1) {
+ if (cap_get_flag(caps, CAP_SYS_ADMIN, CAP_EFFECTIVE, &flag) != 0) {
+ fprintf(stderr, "%d", EPERM);
+ _exit(EXIT_FAILURE);
+ }
+
+ if (flag == CAP_CLEAR) {
+ fprintf(stderr, "%d", EPERM);
+ _exit(EXIT_FAILURE);
+ }
+ }
+
+ if (whiteout == 1) {
+ if (setxattr(path, "trusted.overlay.opaque", "y", 1, flags)) {
+ fprintf(stderr, "%d", errno);
+ _exit(EXIT_FAILURE);
+ }
+ } else {
+ if (!change_creds(ns_fd, caps, nsuid, nsgid)) {
+ fprintf(stderr, "%d", EFAULT);
+ _exit(EXIT_FAILURE);
+ }
+
+ if (fsetxattr(target_fd, name, data, size, flags)) {
+ fprintf(stderr, "%d", errno);
+ _exit(EXIT_FAILURE);
+ }
+ }
+}
+
void forksyscall()
{
char *syscall = NULL;
@@ -266,6 +404,8 @@ void forksyscall()
if (strcmp(syscall, "mknod") == 0)
forkmknod();
+ else if (strcmp(syscall, "setxattr") == 0)
+ forksetxattr();
else
_exit(EXIT_FAILURE);
diff --git a/lxd/seccomp.go b/lxd/seccomp.go
index 4e62ea8c67..718b79088e 100644
--- a/lxd/seccomp.go
+++ b/lxd/seccomp.go
@@ -144,129 +144,132 @@ struct lxd_seccomp_data_arch {
int arch;
int nr_mknod;
int nr_mknodat;
+ int nr_setxattr;
};
#define LXD_SECCOMP_NOTIFY_MKNOD 0
#define LXD_SECCOMP_NOTIFY_MKNODAT 1
+#define LXD_SECCOMP_NOTIFY_SETXATTR 2
// ordered by likelihood of usage...
static const struct lxd_seccomp_data_arch seccomp_notify_syscall_table[] = {
+ { -1, LXD_SECCOMP_NOTIFY_MKNOD, LXD_SECCOMP_NOTIFY_MKNODAT, LXD_SECCOMP_NOTIFY_SETXATTR },
#ifdef AUDIT_ARCH_X86_64
- { AUDIT_ARCH_X86_64, 133, 259 },
+ { AUDIT_ARCH_X86_64, 133, 259, 188 },
#endif
#ifdef AUDIT_ARCH_I386
- { AUDIT_ARCH_I386, 14, 297 },
+ { AUDIT_ARCH_I386, 14, 297, 226 },
#endif
#ifdef AUDIT_ARCH_AARCH64
- { AUDIT_ARCH_AARCH64, -1, 33 },
+ { AUDIT_ARCH_AARCH64, -1, 33, 5 },
#endif
#ifdef AUDIT_ARCH_ARM
- { AUDIT_ARCH_ARM, 14, 324 },
+ { AUDIT_ARCH_ARM, 14, 324, 226 },
#endif
#ifdef AUDIT_ARCH_ARMEB
- { AUDIT_ARCH_ARMEB, 14, 324 },
+ { AUDIT_ARCH_ARMEB, 14, 324, 226 },
#endif
#ifdef AUDIT_ARCH_S390
- { AUDIT_ARCH_S390, 14, 290 },
+ { AUDIT_ARCH_S390, 14, 290, 224 },
#endif
#ifdef AUDIT_ARCH_S390X
- { AUDIT_ARCH_S390X, 14, 290 },
+ { AUDIT_ARCH_S390X, 14, 290, 224 },
#endif
#ifdef AUDIT_ARCH_RISCV32
- { AUDIT_ARCH_RISCV32, -1, 33 },
+ { AUDIT_ARCH_RISCV32, -1, 33, 5 },
#endif
#ifdef AUDIT_ARCH_RISCV64
- { AUDIT_ARCH_RISCV64, -1, 33 },
+ { AUDIT_ARCH_RISCV64, -1, 33, 5 },
#endif
#ifdef AUDIT_ARCH_PPC
- { AUDIT_ARCH_PPC, 14, 288 },
+ { AUDIT_ARCH_PPC, 14, 288, 209 },
#endif
#ifdef AUDIT_ARCH_PPC64
- { AUDIT_ARCH_PPC64, 14, 288 },
+ { AUDIT_ARCH_PPC64, 14, 288, 209 },
#endif
#ifdef AUDIT_ARCH_PPC64LE
- { AUDIT_ARCH_PPC64LE, 14, 288 },
+ { AUDIT_ARCH_PPC64LE, 14, 288, 209 },
#endif
#ifdef AUDIT_ARCH_IA64
- { AUDIT_ARCH_IA64, 13, 259 },
+ { AUDIT_ARCH_IA64, 13, 259, 193 },
#endif
#ifdef AUDIT_ARCH_SPARC
- { AUDIT_ARCH_SPARC, 14, 286 },
+ { AUDIT_ARCH_SPARC, 14, 286, 169 },
#endif
#ifdef AUDIT_ARCH_SPARC64
- { AUDIT_ARCH_SPARC64, 14, 286 },
+ { AUDIT_ARCH_SPARC64, 14, 286, 169 },
#endif
#ifdef AUDIT_ARCH_ALPHA
- { AUDIT_ARCH_ALPHA, 14, 452 },
+ { AUDIT_ARCH_ALPHA, 14, 452, 382 },
#endif
#ifdef AUDIT_ARCH_OPENRISC
- { AUDIT_ARCH_OPENRISC, -1, 33 },
+ { AUDIT_ARCH_OPENRISC, -1, 33, 5 },
#endif
#ifdef AUDIT_ARCH_PARISC
- { AUDIT_ARCH_PARISC, 14, 277 },
+ { AUDIT_ARCH_PARISC, 14, 277, 238 },
#endif
#ifdef AUDIT_ARCH_PARISC64
- { AUDIT_ARCH_PARISC64, 14, 277 },
+ { AUDIT_ARCH_PARISC64, 14, 277, 238 },
#endif
#ifdef AUDIT_ARCH_CRIS
- { AUDIT_ARCH_CRIS, -1, -1 },
+ { AUDIT_ARCH_CRIS, -1, -1, -1 },
#endif
#ifdef AUDIT_ARCH_CSKY
- { AUDIT_ARCH_CSKY, -1, 33 },
+ { AUDIT_ARCH_CSKY, -1, 33, 5 },
#endif
#ifdef AUDIT_ARCH_FRV
- { AUDIT_ARCH_FRV, -1, -1 },
+ { AUDIT_ARCH_FRV, -1, -1, -1 },
#endif
#ifdef AUDIT_ARCH_M32R
- { AUDIT_ARCH_M32R, -1, -1 },
+ { AUDIT_ARCH_M32R, -1, -1, -1 },
#endif
#ifdef AUDIT_ARCH_M68K
- { AUDIT_ARCH_M68K, 14, 290 },
+ { AUDIT_ARCH_M68K, 14, 290, 223 },
#endif
#ifdef AUDIT_ARCH_MICROBLAZE
- { AUDIT_ARCH_MICROBLAZE, 14, 297 },
+ { AUDIT_ARCH_MICROBLAZE, 14, 297, 226 },
#endif
#ifdef AUDIT_ARCH_MIPS
- { AUDIT_ARCH_MIPS, 14, 290 },
+ { AUDIT_ARCH_MIPS, 14, 290, 224 },
#endif
#ifdef AUDIT_ARCH_MIPSEL
- { AUDIT_ARCH_MIPSEL, 14, 290 },
+ { AUDIT_ARCH_MIPSEL, 14, 290, 224 },
#endif
#ifdef AUDIT_ARCH_MIPS64
- { AUDIT_ARCH_MIPS64, 131, 249 },
+ { AUDIT_ARCH_MIPS64, 131, 249, 180 },
#endif
#ifdef AUDIT_ARCH_MIPS64N32
- { AUDIT_ARCH_MIPS64N32, 131, 253 },
+ { AUDIT_ARCH_MIPS64N32, 131, 253, 180 },
#endif
#ifdef AUDIT_ARCH_MIPSEL64
- { AUDIT_ARCH_MIPSEL64, 131, 249 },
+ { AUDIT_ARCH_MIPSEL64, 131, 249, 180 },
#endif
#ifdef AUDIT_ARCH_MIPSEL64N32
- { AUDIT_ARCH_MIPSEL64N32, 131, 253 },
+ { AUDIT_ARCH_MIPSEL64N32, 131, 253, 180 },
#endif
#ifdef AUDIT_ARCH_SH
- { AUDIT_ARCH_SH, 14, 297 },
+ { AUDIT_ARCH_SH, 14, 297, 226 },
#endif
#ifdef AUDIT_ARCH_SHEL
- { AUDIT_ARCH_SHEL, 14, 297 },
+ { AUDIT_ARCH_SHEL, 14, 297, 226 },
#endif
#ifdef AUDIT_ARCH_SH64
- { AUDIT_ARCH_SH64, 14, 297 },
+ { AUDIT_ARCH_SH64, 14, 325, 254 },
#endif
#ifdef AUDIT_ARCH_SHEL64
- { AUDIT_ARCH_SHEL64, 14, 297 },
+ { AUDIT_ARCH_SHEL64, 14, 325, 254 },
#endif
#ifdef AUDIT_ARCH_TILEGX
- { AUDIT_ARCH_TILEGX, -1, -1 },
+ { AUDIT_ARCH_TILEGX, -1, -1, -1 },
#endif
#ifdef AUDIT_ARCH_TILEGX32
- { AUDIT_ARCH_TILEGX32, -1, -1 },
+ { AUDIT_ARCH_TILEGX32, -1, -1, -1 },
#endif
#ifdef AUDIT_ARCH_TILEPRO
- { AUDIT_ARCH_TILEPRO, -1, -1 },
+ { AUDIT_ARCH_TILEPRO, -1, -1, -1 },
#endif
#ifdef AUDIT_ARCH_XTENSA
- { AUDIT_ARCH_XTENSA, 36, 290 },
+ { AUDIT_ARCH_XTENSA, 36, 290, 68 },
#endif
};
@@ -292,6 +295,9 @@ static int seccomp_notify_get_syscall(struct seccomp_notif *req,
if (entry->nr_mknodat == req->data.nr)
return LXD_SECCOMP_NOTIFY_MKNODAT;
+ if (entry->nr_setxattr == req->data.nr)
+ return LXD_SECCOMP_NOTIFY_SETXATTR;
+
break;
}
@@ -329,6 +335,7 @@ import "C"
const LxdSeccompNotifyMknod = C.LXD_SECCOMP_NOTIFY_MKNOD
const LxdSeccompNotifyMknodat = C.LXD_SECCOMP_NOTIFY_MKNODAT
+const LxdSeccompNotifySetxattr = C.LXD_SECCOMP_NOTIFY_SETXATTR
const SECCOMP_HEADER = `2
`
@@ -344,7 +351,8 @@ delete_module errno 38
const SECCOMP_NOTIFY_POLICY = `mknod notify [1,8192,SCMP_CMP_MASKED_EQ,61440]
mknod notify [1,24576,SCMP_CMP_MASKED_EQ,61440]
mknodat notify [2,8192,SCMP_CMP_MASKED_EQ,61440]
-mknodat notify [2,24576,SCMP_CMP_MASKED_EQ,61440]`
+mknodat notify [2,24576,SCMP_CMP_MASKED_EQ,61440]
+setxattr notify [3,1,SCMP_CMP_EQ]`
const COMPAT_BLOCKING_POLICY = `[%s]
compat_sys_rt_sigaction errno 38
@@ -762,6 +770,14 @@ func taskUidGid(pid int) (error, int32, int32) {
return nil, uid, gid
}
+func BoolToInt(val bool) int {
+ if val {
+ return 1
+ }
+
+ return 0
+}
+
func CallForkmknod(c container, dev types.Device, requestPID int, permissionsOnly bool) int {
rootLink := fmt.Sprintf("/proc/%d/root", requestPID)
rootPath, err := os.Readlink(rootLink)
@@ -774,14 +790,6 @@ func CallForkmknod(c container, dev types.Device, requestPID int, permissionsOnl
return int(-C.EPERM)
}
- deBool := func() int {
- if permissionsOnly {
- return 1
- }
-
- return 0
- }
-
if !path.IsAbs(dev["path"]) {
cwdLink := fmt.Sprintf("/proc/%d/cwd", requestPID)
prefixPath, err := os.Readlink(cwdLink)
@@ -799,7 +807,7 @@ func CallForkmknod(c container, dev types.Device, requestPID int, permissionsOnl
"forksyscall", "mknod", dev["pid"], dev["path"],
dev["mode_t"], dev["dev_t"], dev["hostpath"],
fmt.Sprintf("%d", uid), fmt.Sprintf("%d", gid),
- fmt.Sprintf("%d", deBool()))
+ fmt.Sprintf("%d", BoolToInt(permissionsOnly)))
if err != nil {
errno, err := strconv.Atoi(stderr)
if err != nil || errno == C.ENOANO {
@@ -871,9 +879,11 @@ func (s *SeccompServer) doDeviceSyscall(c container, args *MknodArgs, siov *Secc
}
func (s *SeccompServer) HandleMknodSyscall(c container, siov *SeccompIovec) int {
+ logger.Debugf("Handling mknod syscall")
+
siov.resp.error = C.device_allowed(C.dev_t(siov.req.data.args[2]), C.mode_t(siov.req.data.args[1]))
if siov.resp.error != 0 {
- logger.Errorf("Device not allowed")
+ logger.Debugf("Device not allowed")
return int(siov.resp.error)
}
@@ -895,14 +905,16 @@ func (s *SeccompServer) HandleMknodSyscall(c container, siov *SeccompIovec) int
}
func (s *SeccompServer) HandleMknodatSyscall(c container, siov *SeccompIovec) int {
+ logger.Debugf("Handling mknodat syscall")
+
if int(siov.req.data.args[0]) != int(C.AT_FDCWD) {
- logger.Errorf("Non AT_FDCWD mknodat calls are not allowed")
+ logger.Debugf("Non AT_FDCWD mknodat calls are not allowed")
return int(-C.EINVAL)
}
siov.resp.error = C.device_allowed(C.dev_t(siov.req.data.args[3]), C.mode_t(siov.req.data.args[2]))
if siov.resp.error != 0 {
- logger.Errorf("Device not allowed")
+ logger.Debugf("Device not allowed")
return int(siov.resp.error)
}
@@ -923,20 +935,105 @@ func (s *SeccompServer) HandleMknodatSyscall(c container, siov *SeccompIovec) in
return s.doDeviceSyscall(c, &args, siov)
}
+type SetxattrArgs struct {
+ nsuid int
+ nsgid int
+ size int
+ pid int
+ path string
+ name string
+ value []byte
+ flags C.int
+}
+
+func (s *SeccompServer) HandleSetxattrSyscall(c container, siov *SeccompIovec) int {
+ logger.Debugf("Handling setxattr syscall")
+
+ args := SetxattrArgs{}
+
+ args.pid = int(siov.req.pid)
+ err, uid, gid := taskUidGid(args.pid)
+ if err != nil {
+ return int(-C.EPERM)
+ }
+ args.nsuid = GetNSUid(uint(uid), args.pid)
+ args.nsgid = GetNSGid(uint(gid), args.pid)
+
+ // const char *path
+ cBuf := [unix.PathMax]C.char{}
+ _, err = C.pread(C.int(siov.memFd), unsafe.Pointer(&cBuf[0]), C.size_t(unix.PathMax), C.off_t(siov.req.data.args[0]))
+ if err != nil {
+ logger.Errorf("Failed to read memory for setxattr syscall: %s", err)
+ return int(-C.EPERM)
+ }
+ args.path = C.GoString(&cBuf[0])
+
+ // const char *name
+ _, err = C.pread(C.int(siov.memFd), unsafe.Pointer(&cBuf[0]), C.size_t(unix.PathMax), C.off_t(siov.req.data.args[1]))
+ if err != nil {
+ logger.Errorf("Failed to read memory for setxattr syscall: %s", err)
+ return int(-C.EPERM)
+ }
+ args.name = C.GoString(&cBuf[0])
+
+ // size_t size
+ args.size = int(siov.req.data.args[3])
+
+ // int flags
+ args.flags = C.int(siov.req.data.args[4])
+
+ buf := make([]byte, args.size)
+ _, err = C.pread(C.int(siov.memFd), unsafe.Pointer(&buf[0]), C.size_t(args.size), C.off_t(siov.req.data.args[2]))
+ if err != nil {
+ logger.Errorf("Failed to read memory for setxattr syscall: %s", err)
+ return int(-C.EPERM)
+ }
+ args.value = buf
+
+ whiteout := false
+ if args.size == 1 && string(args.value) == "y" {
+ whiteout = true
+ }
+
+ output, stderr, err := shared.RunCommandSplit(util.GetExecPath(),
+ "forksyscall",
+ "setxattr",
+ fmt.Sprintf("%d", args.pid),
+ fmt.Sprintf("%d", args.nsuid),
+ fmt.Sprintf("%d", args.nsgid),
+ args.name,
+ args.path,
+ fmt.Sprintf("%s", args.flags),
+ fmt.Sprintf("%d", BoolToInt(whiteout)),
+ fmt.Sprintf("%d", args.size),
+ fmt.Sprintf("%s", args.value))
+ logger.Errorf("AAAA: %s : %s : %s", args.path, output, stderr)
+ if err != nil {
+ errno, err := strconv.Atoi(stderr)
+ if err != nil || errno == C.ENOANO {
+ return int(-C.EPERM)
+ }
+
+ return -errno
+ }
+
+ return 0
+}
+
func (s *SeccompServer) HandleSyscall(c container, siov *SeccompIovec) int {
switch int(C.seccomp_notify_get_syscall(siov.req, siov.resp)) {
case LxdSeccompNotifyMknod:
return s.HandleMknodSyscall(c, siov)
case LxdSeccompNotifyMknodat:
return s.HandleMknodatSyscall(c, siov)
+ case LxdSeccompNotifySetxattr:
+ return s.HandleSetxattrSyscall(c, siov)
}
return int(-C.EINVAL)
}
func (s *SeccompServer) Handler(fd int, siov *SeccompIovec) error {
- logger.Debugf("Handling seccomp notification from: %v", siov.ucred.pid)
-
defer siov.PutSeccompIovec()
c, err := findContainerForPid(int32(siov.msg.monitor_pid), s.d)
@@ -950,11 +1047,9 @@ func (s *SeccompServer) Handler(fd int, siov *SeccompIovec) error {
err = siov.SendSeccompIovec(fd, errno)
if err != nil {
- logger.Errorf("Failed to handle seccomp notification from: %v", siov.ucred.pid)
return err
}
- logger.Debugf("Handled seccomp notification from: %v", siov.ucred.pid)
return nil
}
More information about the lxc-devel
mailing list