[lxc-devel] [lxd/master] seccomp: test flag parsing and log ignored flags
brauner on Github
lxc-bot at linuxcontainers.org
Thu Nov 14 00:08:38 UTC 2019
From f66b593ac87a4764b3df38a3b04111d7a23f48c6 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Thu, 14 Nov 2019 01:06:32 +0100
Subject: [PATCH] seccomp: test flag parsing and log ignored flags
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
lxd/seccomp/seccomp.go | 14 +++++++++++++-
lxd/seccomp/seccomp_test.go | 21 +++++++++++++++++++++
2 files changed, 34 insertions(+), 1 deletion(-)
create mode 100644 lxd/seccomp/seccomp_test.go
diff --git a/lxd/seccomp/seccomp.go b/lxd/seccomp/seccomp.go
index 7c0e0f4b33..0df76ba719 100644
--- a/lxd/seccomp/seccomp.go
+++ b/lxd/seccomp/seccomp.go
@@ -1178,6 +1178,13 @@ type MountArgs struct {
shift bool
}
+const knownFlags C.ulong = C.MS_BIND | C.MS_LAZYTIME | C.MS_MANDLOCK |
+ C.MS_NOATIME | C.MS_NODEV | C.MS_NODIRATIME |
+ C.MS_NOEXEC | C.MS_NOSUID | C.MS_REMOUNT |
+ C.MS_RDONLY | C.MS_STRICTATIME |
+ C.MS_SYNCHRONOUS | C.MS_BIND
+const knownFlagsRecursive C.ulong = knownFlags | C.MS_REC
+
var mountFlagsToOptMap = map[C.ulong]string{
C.MS_BIND: "bind",
C.ulong(0): "defaults",
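Review bot: `C.MS_BIND` appears twice in the `knownFlags` constant (first and last term), which is harmless in a bitwise OR but reads as if a different flag had been intended; drop the trailing one so the last line is just `C.MS_SYNCHRONOUS`. The constant is a hand-maintained copy of what `mountFlagsToOptMap` presumably translates, so a flag added to one and not the other would silently be reported as ignored (or not) in the FUSE path; a comment such as `// knownFlags lists every flag mountFlagsToOpts can translate; keep in sync with mountFlagsToOptMap.` plus a test asserting the two agree would guard against that drift. The map literal continues past the end of the hunk.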
@@ -1320,7 +1327,12 @@ func (s *Server) HandleMountSyscall(c Instance, siov *Iovec) int {
}
if fuseBinary != "" {
- addOpts := mountFlagsToOpts(C.ulong(args.flags))
+ // Record ignored flags for debugging purposes
+ flags := C.ulong(args.flags)
+ ignoredFlags := flags &^ (knownFlagsRecursive | C.MS_MGC_MSK)
+ ctx["fuse_ignored_flags"] = fmt.Sprintf("%x", ignoredFlags)
+
+ addOpts := mountFlagsToOpts(flags)
fuseSource := fmt.Sprintf("%s#%s", fuseBinary, args.source)
fuseOpts := ""
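Review bot: The `ignoredFlags :=` line masks out `C.MS_MGC_MSK` unconditionally, so any flag encoded in the upper 16 bits (MS_STRICTATIME and MS_LAZYTIME live there, as do the mount-propagation flags) can never appear in `fuse_ignored_flags`, which undercuts the stated debugging purpose. The kernel discards those bits only when they carry the legacy magic value, so mirror that: `if flags&C.MS_MGC_MSK == C.MS_MGC_VAL { flags &^= C.MS_MGC_MSK }` followed by `ignoredFlags := flags &^ knownFlagsRecursive`. Formatting the value with `%#x`, or setting the key only when it is non-zero, would also let a log reader distinguish "nothing ignored" from a real bitmask. HandleMountSyscall continues outside this hunk.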
diff --git a/lxd/seccomp/seccomp_test.go b/lxd/seccomp/seccomp_test.go
new file mode 100644
index 0000000000..6d46dd797b
--- /dev/null
+++ b/lxd/seccomp/seccomp_test.go
@@ -0,0 +1,21 @@
+// +build linux
+// +build cgo
+
+package seccomp
+
+import (
+ "fmt"
+ "testing"
+)
+
+func TestMountFlagsToOpts(t *testing.T) {
+ opts := mountFlagsToOpts(knownFlags)
+ if opts != "ro,nosuid,nodev,noexec,sync,remount,mand,noatime,nodiratime,bind,strictatime,lazytime" {
+ t.Fatal(fmt.Errorf("Mount options parsing failed with invalid option string: %s", opts))
+ }
+
+ opts = mountFlagsToOpts(knownFlagsRecursive)
+ if opts != "ro,nosuid,nodev,noexec,sync,remount,mand,noatime,nodiratime,rbind,strictatime,lazytime" {
+ t.Fatal(fmt.Errorf("Mount options parsing failed with invalid option string: %s", opts))
+ }
+}
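Review bot: Both failure paths use `t.Fatal(fmt.Errorf(...))`, which builds an error only for testing to print its string; `t.Fatalf("Mount options parsing failed with invalid option string: %s", opts)` says the same thing directly and lets the `fmt` import go. The test also covers only the option strings for the two known sets, while the new ignored-flags computation in HandleMountSyscall stays inline and untested; if it were extracted into a small helper taking the raw flags, a case passing an unknown bit such as `C.MS_MOVE` and expecting it back (and `knownFlags` expecting zero) would pin the behaviour the commit adds. A `mountFlagsToOpts(C.ulong(0))` case would presumably exercise the `"defaults"` entry visible in the map, if that is how the zero value is handled.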