[lxc-devel] [lxd/master] seccomp: only apply shift when it is needed
brauner on Github
lxc-bot at linuxcontainers.org
Wed Nov 13 17:46:26 UTC 2019
From 55dc98a5f8fde96c91aef0d3237069a331c9a538 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Wed, 13 Nov 2019 18:45:35 +0100
Subject: [PATCH] seccomp: only apply shift when it is needed
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
lxd/seccomp/seccomp.go | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/lxd/seccomp/seccomp.go b/lxd/seccomp/seccomp.go
index 9a7bb8a911..7c0e0f4b33 100644
--- a/lxd/seccomp/seccomp.go
+++ b/lxd/seccomp/seccomp.go
@@ -361,6 +361,7 @@ type Instance interface {
Architecture() int
RootfsPath() string
CurrentIdmap() (*idmap.IdmapSet, error)
+ DiskIdmap() (*idmap.IdmapSet, error)
InsertSeccompUnixDevice(prefix string, m deviceConfig.Device, pid int) error
}
@@ -1527,7 +1528,14 @@ func (s *Server) MountSyscallValid(c Instance, args *MountArgs) (bool, string) {
// MountSyscallShift checks whether this mount syscall needs shiftfs.
func (s *Server) MountSyscallShift(c Instance) bool {
if shared.IsTrue(c.ExpandedConfig()["security.syscalls.intercept.mount.shift"]) {
- return true
+ diskIdmap, err := c.DiskIdmap()
+ if err != nil {
+ return false
+ }
+
+ if diskIdmap == nil && c.DaemonState().OS.Shiftfs {
+ return true
+ }
}
return false