[lxc-devel] [lxd/master] lxd/seccomp: Really handle old libseccomp

stgraber on Github lxc-bot at linuxcontainers.org
Wed May 8 19:41:43 UTC 2019


From 0bb4473932b9371ad08c6dec8914be2e48e05e30 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Wed, 8 May 2019 15:40:56 -0400
Subject: [PATCH] lxd/seccomp: Really handle old libseccomp
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Closes #5737

Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
 lxd/container_lxc.go | 36 +++++++++++++++++++++++++++++++-----
 lxd/seccomp.go       |  4 +---
 2 files changed, 32 insertions(+), 8 deletions(-)

diff --git a/lxd/container_lxc.go b/lxd/container_lxc.go
index 508a8db697..46d519a8d3 100644
--- a/lxd/container_lxc.go
+++ b/lxd/container_lxc.go
@@ -199,6 +199,29 @@ func lxcParseRawLXC(line string) (string, string, error) {
 	return key, val, nil
 }
 
+func lxcSupportSeccompNotify(state *state.State) bool {
+	if !state.OS.SeccompListener {
+		return false
+	}
+
+	if !lxc.HasApiExtension("seccomp_notify") {
+		return false
+	}
+
+	c, err := lxc.NewContainer("test-seccomp", state.OS.LxcPath)
+	if err != nil {
+		return false
+	}
+
+	err = c.SetConfigItem("lxc.seccomp.notify.proxy", fmt.Sprintf("unix:%s", shared.VarPath("seccomp.socket")))
+	if err != nil {
+		return false
+	}
+
+	c.Release()
+	return true
+}
+
 func lxcValidConfig(rawLxc string) error {
 	for _, line := range strings.Split(rawLxc, "\n") {
 		key, _, err := lxcParseRawLXC(line)
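Review bot: The liblxc handle created by lxc.NewContainer in lxcSupportSeccompNotify is released only on the success path; when SetConfigItem fails the function returns false without calling c.Release(), so on exactly the hosts this commit targets (recent liblxc, old libseccomp) every probe leaks a container struct, and the probe is invoked from both initLXC and getSeccompProfileContent. Move the release to `defer c.Release()` immediately after the NewContainer error check and drop the explicit call before `return true`. The probe also uses the fixed name "test-seccomp" under state.OS.LxcPath; if a real container of that name exists there, NewContainer may pick up its on-disk config — worth confirming and, if so, using a name that cannot collide.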
@@ -1811,11 +1834,14 @@ func (c *containerLXC) initLXC(config bool) error {
 		return err
 	}
 
-	if !c.IsPrivileged() && !c.state.OS.RunningInUserNS && lxc.HasApiExtension("seccomp_notify") && c.DaemonState().OS.SeccompListener {
-		// NOTE: Don't fail in cases where liblxc is recent enough but libseccomp isn't
-		//       when we add mount() support with user-configurable
-		//       options, we will want a hard fail if the user configured it
-		lxcSetConfigItem(cc, "lxc.seccomp.notify.proxy", fmt.Sprintf("unix:%s", shared.VarPath("seccomp.socket")))
+	// NOTE: Don't fail in cases where liblxc is recent enough but libseccomp isn't
+	//       when we add mount() support with user-configurable
+	//       options, we will want a hard fail if the user configured it
+	if !c.IsPrivileged() && !c.state.OS.RunningInUserNS && lxcSupportSeccompNotify(c.state) {
+		err = lxcSetConfigItem(cc, "lxc.seccomp.notify.proxy", fmt.Sprintf("unix:%s", shared.VarPath("seccomp.socket")))
+		if err != nil {
+			return err
+		}
 	}
 
 	// Apply raw.lxc
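Review bot: When lxcSupportSeccompNotify returns false the proxy is skipped silently, so an unprivileged container on a host whose libseccomp lacks notify support starts without the seccomp notify proxy and nothing records that this hardening was degraded. Adding an else branch with a log line, e.g. `logger.Warnf("Seccomp notify proxy unavailable, starting %s without it", c.name)`, would let an operator verify the effective state (logger is imported in seccomp.go; whether it is already in scope in this file, and the exact name accessor, are not visible here). The body of initLXC continues past the end of the hunk.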
diff --git a/lxd/seccomp.go b/lxd/seccomp.go
index 90a934a750..5e0afc80c6 100644
--- a/lxd/seccomp.go
+++ b/lxd/seccomp.go
@@ -15,8 +15,6 @@ import (
 
 	"golang.org/x/sys/unix"
 
-	"gopkg.in/lxc/go-lxc.v2"
-
 	"github.com/lxc/lxd/lxd/util"
 	"github.com/lxc/lxd/shared"
 	"github.com/lxc/lxd/shared/logger"
@@ -253,7 +251,7 @@ func getSeccompProfileContent(c container) (string, error) {
 		policy += DEFAULT_SECCOMP_POLICY
 	}
 
-	if !c.IsPrivileged() && !c.DaemonState().OS.RunningInUserNS && lxc.HasApiExtension("seccomp_notify") && c.DaemonState().OS.SeccompListener {
+	if !c.IsPrivileged() && !c.DaemonState().OS.RunningInUserNS && lxcSupportSeccompNotify(c.DaemonState()) {
 		policy += SECCOMP_NOTIFY_POLICY
 	}
 

